Hi,

I have installed shorewall 2.0.6 on a Cobalt RaQ550 using the RPM file and also tried the tgz file.

Below are the versions of iptables and iproute that are installed:

iptables 1.2.8-8
iproute 2.4.7

Kernel version is 2.4.19

I have the policy, rules, DNAT, SNAT, and ProxyArp being applied properly.

I get insmod errors when running a script called log_traffic. Below is a link that describes it in the cobalt forum with no resolution that I could find so far. This script is in a cron.hourly folder and I just removed it from that folder because the errors were just annoying. I am just curious if there is a way for me to load the modules that the server is complaining about. I have not played around with loading modules into kernel so I just wanted to post here first. If I remove Shorewall, the errors will go away.

http://lists.qbalt.com/pipermail/cobalt-users/2002-August/033318.html

Thanks in advance...

Elmer

Tolentino, Elmer wrote:
> Hi,
>
> I have installed shorewall 2.0.6 on a Cobalt RaQ550 using the RPM file and
> also tried the tgz file.
>
> Below are the versions of iptables and iproute that are installed:
>
> iptables 1.2.8-8
> iproute 2.4.7
>
> Kernel version is 2.4.19
>
> I have the policy, rules, DNAT, SNAT, and ProxyArp being applied
> properly.
>
> I get insmod errors when running a script called log_traffic.

And what does that script do? It's not included as a part of Shorewall. What messages are you seeing?

> Below is
> a link that describes it in the cobalt forum with no resolution that I
> could find so far.

That thread has to do with Gshield, not Shorewall.

> http://lists.qbalt.com/pipermail/cobalt-users/2002-August/033318.html

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net

Tom Eastep wrote:
>
> And what does that script do? It's not included as a part of Shorewall.
> What messages are you seeing?
>
>> Below is
>> a link that describes it in the cobalt forum with no resolution that I
>> could find so far.
>
> That thread has to do with Gshield, not Shorewall.
>
>> http://lists.qbalt.com/pipermail/cobalt-users/2002-August/033318.html
>

I read the above article again and it looks to me like the log_traffic script is designed to work with some specific set of firewall rules and if you install any other iptables configuration tool such as Shorewall or Gshield then log_traffic doesn't work very well.

My solution would be to remove log_traffic and install a log analysis tool that *does* work with Shorewall. I personally use LogWatch but there are a number of other good tools that are suitable -- see the Shorewall FAQ.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net

> And what does that script do? It's not included as a part of Shorewall.
> What messages are you seeing?
>

Right. Here are the contents of the file. I am not quite sure of the purpose but it runs hourly and emails any errors if there are any errors:

http://www.webmerch.com/log_traffic.txt

> > Below is
> > a link that describes it in the cobalt forum with no resolution that I
> > could find so far.
>
> That thread has to do with Gshield, not Shorewall.
>

But it gets the same errors once installed and I was hoping that you have any insight why I might be getting these errors once I install Shorewall. I just have a feeling that some modules are being loaded into kernel that the kernel is not configured for. I am not sure if it will affect Shorewall operation later on, if there are any incompatibility issues. I am just posting the cobalt link only because searching the cobalt archives for Shorewall does not yield any results. I do not know IP Tables well enough to know how to troubleshoot these types of errors.

> > http://lists.qbalt.com/pipermail/cobalt-users/2002-August/033318.html
>
> -Tom
> --
> Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
> Shoreline,     \ http://shorewall.net
> Washington USA  \ teastep@shorewall.net
>

Thanks,
Elmer

> > And what does that script do? It's not included as a part of Shorewall.
> > What messages are you seeing?
> >
> >> Below is
> >> a link that describes it in the cobalt forum with no resolution that I
> >> could find so far.
> >
> > That thread has to do with Gshield, not Shorewall.
> >
> >> http://lists.qbalt.com/pipermail/cobalt-users/2002-August/033318.html
> >
>
> I read the above article again and it looks to me like the log_traffic
> script is designed to work with some specific set of firewall rules and
> if you install any other iptables configuration tool such as Shorewall
> or Gshield then log_traffic doesn't work very well.
>
> My solution would be to remove log_traffic and install a log analysis
> tool that *does* work with Shorewall. I personally use LogWatch but
> there are a number of other good tools that are suitable -- see the
> Shorewall FAQ.

Thanks... I just sent an email with the link for the full Script to see all of the contents. I will look at LogWatch... :-)

>
> -Tom
> --
> Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
> Shoreline,     \ http://shorewall.net
> Washington USA  \ teastep@shorewall.net
>
> _______________________________________________
> Shorewall-users mailing list
> Post: Shorewall-users@lists.shorewall.net
> Subscribe/Unsubscribe:
> https://lists.shorewall.net/mailman/listinfo/shorewall-users
> Support: http://www.shorewall.net/support.htm
> FAQ: http://www.shorewall.net/FAQ.htm

Tolentino, Elmer wrote:
>>>And what does that script do? It's not included as a part of Shorewall.
>>>What messages are you seeing?
>>>
>>>>Below is
>>>>a link that describes it in the cobalt forum with no resolution that I
>>>>could find so far.
>>>
>>>That thread has to do with Gshield, not Shorewall.
>>>
>>>>http://lists.qbalt.com/pipermail/cobalt-users/2002-August/033318.html
>
>>I read the above article again and it looks to me like the log_traffic
>>script is designed to work with some specific set of firewall rules and
>>if you install any other iptables configuration tool such as Shorewall
>>or Gshield then log_traffic doesn't work very well.
>>
>>My solution would be to remove log_traffic and install a log analysis
>>tool that *does* work with Shorewall. I personally use LogWatch but
>>there are a number of other good tools that are suitable -- see the
>>Shorewall FAQ.

log_traffic seems to be a standalone traffic accounting app that doesn't play well with other iptables frontends. The reason that you are getting the error messages is because 'shorewall [re]start' is removing the accounting chains that log_traffic has set up. You can set up accounting rules with Shorewall (see http://shorewall.net/accounting.html) but you will need to find another way to periodically report on the traffic.

You might search the list archives for 'mrtg' -- there was a lot of activity surrounding Shorewall/mrtg integration around the time that I implemented traffic accounting in Shorewall.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net

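Added example (not from the thread, Shorewall, or log_traffic): one way to do the periodic reporting mentioned above, and to notice when the chain a reporting script depends on has disappeared after a ruleset reload. It assumes the Shorewall accounting rules live in a chain named `accounting`; the function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise byte counters from an iptables accounting chain.
# Assumption: the chain is named "accounting"; function names are hypothetical.
# Real use (as root, e.g. from cron):
#   iptables -L accounting -n -v -x 2>/dev/null | acct_report || echo "chain missing"

# Reads a verbose, exact-count chain listing on stdin.
# Prints "bytes target in out source destination" per rule, then "TOTAL n".
# Exits 2 when the input is not a listing of the accounting chain, which is
# what happens after another tool has flushed or replaced the ruleset.
acct_report() {
    awk '
        NR == 1 {
            if ($1 != "Chain" || $2 != "accounting") exit
            found = 1; next
        }
        $1 == "pkts" { next }                  # column header line
        $1 ~ /^[0-9]+$/ {
            # Rules that only count have a blank target column, so use the
            # position of the "opt" column ("--") to line up the fields.
            if ($4 == "--")      { tgt = "-"; i = 5 }
            else if ($5 == "--") { tgt = $3;  i = 6 }
            else next
            print $2, tgt, $i, $(i+1), $(i+2), $(i+3)
            total += $2
        }
        END {
            if (!found) exit 2
            printf "TOTAL %d\n", total
        }
    '
}

# Constructed sample listing (not captured from a real host).
sample_listing() {
    cat <<'EOF'
Chain accounting (3 references)
    pkts      bytes target     prot opt in     out     source               destination
     120    45000            tcp  --  eth0   eth1    0.0.0.0/0            192.0.2.10          tcp dpt:80
      30     9000 web        all  --  eth1   eth0    192.0.2.10           0.0.0.0/0
EOF
}

sample_listing | acct_report
```
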
> log_traffic seems to be a standalone traffic accounting app that doesn't
> play well with other iptables frontends. The reason that you are getting
> the error messages is because 'shorewall [re]start' is removing the
> accounting chains that log_traffic has set up. You can set up accounting
> rules with Shorewall (see http://shorewall.net/accounting.html) but you
> will need to find another way to periodically report on the traffic.
>
> You might search the list archives for 'mrtg' -- there was a lot of
> activity surrounding Shorewall/mrtg integration around the time that I
> implemented traffic accounting in Shorewall.

Thank you for the clarification. Will do.

BTW, I appreciate what you have done with Shorewall. This was the easiest solution to get working on a tweaked Cobalt that has 3 NICs now converted to a firewall solution with Shorewall.

>
> -Tom
> --
> Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
> Shoreline,     \ http://shorewall.net
> Washington USA  \ teastep@shorewall.net

Tolentino, Elmer wrote:
>
>>rules with Shorewall (see http://shorewall.net/accounting.html) but
>

Correct URL is http://shorewall.net/Accounting.html

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net

Since I am on the email list, is it possible to get the "+scott=jaxon.net" removed from "From: shorewall-users-bounces+scott=jaxon.net@lists.shorewall.net"? I find I get duplicate email this way. :)

-----Original Message-----
From: shorewall-users-bounces+scott=jaxon.net@lists.shorewall.net
[mailto:shorewall-users-bounces+scott=jaxon.net@lists.shorewall.net] On Behalf Of Tom Eastep
Sent: Friday, July 30, 2004 6:59 PM
To: Mailing List for Shorewall Users
Subject: Re: [Shorewall-users] Insmod

Tom Eastep wrote:
>
> And what does that script do? It's not included as a part of Shorewall.
> What messages are you seeing?
>
>> Below is
>> a link that describes it in the cobalt forum with no resolution that I
>> could find so far.
>
> That thread has to do with Gshield, not Shorewall.
>
>> http://lists.qbalt.com/pipermail/cobalt-users/2002-August/033318.html
>

I read the above article again and it looks to me like the log_traffic script is designed to work with some specific set of firewall rules and if you install any other iptables configuration tool such as Shorewall or Gshield then log_traffic doesn't work very well.

My solution would be to remove log_traffic and install a log analysis tool that *does* work with Shorewall. I personally use LogWatch but there are a number of other good tools that are suitable -- see the Shorewall FAQ.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net

Scott Jackson wrote:
> Since I am on the email list, is it possible to get the "+scott=jaxon.net"
> removed from "From:
> shorewall-users-bounces+scott=jaxon.net@lists.shorewall.net"? I find I get
> duplicate email this way. :)

Mailman periodically uses that format for each subscriber to better be able to analyze bounces. It helps prune the dead wood from the lists and I'm reluctant to disable that feature.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net