Hello,

I run Shorewall 2.0.3a backport on a debian woody box (with 2.4.18 homemade kernel).

When I start shorewall I got the following errors.

Oct 30 11:13:12 fwr modprobe: modprobe: Can't locate module ipt_conntrack
Oct 30 11:13:17 fwr modprobe: modprobe: Can't locate module ipt_pkttype
Oct 30 11:13:18 fwr modprobe: modprobe: Can't locate module ipt_pkttype
Oct 30 11:13:57 fwr last message repeated 2 times
Oct 30 11:14:06 fwr root: Shorewall Restarted

The "shorewall status" output seems complying with my rules set.
Should I worry ? and is there any way to get rid of these errors ?

here's the lsmod output:

Module                  Size  Used by    Not tainted
ipt_ULOG                3424  25
3c509                   7648   2 (autoclean)
isa-pnp                28136   0 (autoclean) [3c509]
iptable_mangle          2144   1
ipt_ttl                  640   0 (unused)
ipt_tos                  480   0 (unused)
ipt_tcpmss               928   0 (unused)
ipt_multiport            640   0
ipt_mark                 480   0 (unused)
ipt_mac                  672   0 (unused)
ipt_state                608  30
ipt_limit                960   0 (unused)
ipt_unclean             6784   0 (unused)
iptable_filter          1728   1
ipt_length               512   0 (unused)
ipt_TOS                 1024  12
ipt_TCPMSS              2368   0 (unused)
ipt_REJECT              2784   4
ipt_REDIRECT             736   0 (unused)
ipt_MASQUERADE          1216   0 (unused)
ipt_LOG                 3168   0 (unused)
ip_nat_irc              2336   0 (unused)
ip_nat_ftp              2944   0 (unused)
iptable_nat            12980   3 [ipt_REDIRECT ipt_MASQUERADE ip_nat_irc ip_nat_ftp]
ip_tables              10528  22 [ipt_ULOG iptable_mangle ipt_ttl ipt_tos ipt_tcpmss ipt_multiport ipt_mark ipt_mac ipt_state ipt_limit ipt_unclean iptable_filter ipt_length ipt_TOS ipt_TCPMSS ipt_REJECT ipt_REDIRECT ipt_MASQUERADE ipt_LOG iptable_nat]
ip_conntrack_irc        2464   0 (unused)
ip_conntrack_ftp        3232   0 (unused)
ip_conntrack           12820   4 [ipt_state ipt_REDIRECT ipt_MASQUERADE ip_nat_irc ip_nat_ftp iptable_nat ip_conntrack_irc ip_conntrack_ftp]
rtc                     5528   0 (autoclean)

Thanks
--
guy

On Saturday 30 October 2004 12:41, Guy Marcenac wrote:
> Hello,
>
> I run Shorewall 2.0.3a backport on a debian woody box (with 2.4.18
> homemade kernel).
>
> When I start shorewall I got the following errors.
>
> Oct 30 11:13:12 fwr modprobe: modprobe: Can't locate module
> ipt_conntrack Oct 30 11:13:17 fwr modprobe: modprobe: Can't locate
> module ipt_pkttype Oct 30 11:13:18 fwr modprobe: modprobe: Can't
> locate module ipt_pkttype Oct 30 11:13:57 fwr last message repeated 2
[...]

I think you missed a module in your kernel config, you need at least IP_NF_CONNTRACK, but I don't know where ipt_pkttype came from, this is the content of my /etc/shorewall/modules, where I commented kernel option names activated for shorewall

# IP_NF_IPTABLES
loadmodule iptable_filter # IP_NF_FILTER
loadmodule ip_conntrack # IP_NF_CONNTRACK
loadmodule ip_conntrack_ftp # IP_NF_FTP
loadmodule ip_conntrack_tftp # IP_NF_TFTP
loadmodule ip_conntrack_irc # IP_NF_IRC
loadmodule iptable_nat # IP_NF_NAT
loadmodule ip_nat_ftp # IP_NF_NAT_FTP
loadmodule ip_nat_tftp # IP_NF_NAT_TFTP
loadmodule ip_nat_irc # IP_NF_NAT_IRC
# and IP_NF_MATCH_STATE

HTH
Ciao
Francesco
--
Linux Version 2.6.9, Compiled #2 Mon Oct 25 23:35:40 CEST 2004
One 1.53GHz AMD Athlon XP Processor, 1.5GB RAM, 3022.84 Bogomips Total macula

On Sat, 2004-10-30 at 03:41, Guy Marcenac wrote:
> Hello,
>
> I run Shorewall 2.0.3a backport on a debian woody box (with 2.4.18
> homemade kernel).
>
> When I start shorewall I got the following errors.
>
> Oct 30 11:13:12 fwr modprobe: modprobe: Can't locate module ipt_conntrack
> Oct 30 11:13:17 fwr modprobe: modprobe: Can't locate module ipt_pkttype
> Oct 30 11:13:18 fwr modprobe: modprobe: Can't locate module ipt_pkttype
> Oct 30 11:13:57 fwr last message repeated 2 times
> Oct 30 11:14:06 fwr root: Shorewall Restarted
>
> The "shorewall status" output seems complying with my rules set.
> Should I worry ? and is there any way to get rid of these errors ?
>

I guess that I should add a FAQ about this one.

You are seeing two different things:

a) The normal checking that Shorewall does when it starts. Shorewall tries to determine the capabilities of your 'iptables' and kernel and then tailors the ruleset accordingly.

b) A problem in Shorewall 2.0.3a whereby Shorewall tried to use the 'pkttype match' feature each time that it wanted to generate a rule involving broadcast or multicast packets.

There is nothing you can do about the first; the second is solved by upgrading to Shorewall 2.0.6 or later and then set PKTTYPE=No in shorewall.conf.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key

Tom Eastep wrote:

>>When I start shorewall I got the following errors.
>>
>>Oct 30 11:13:12 fwr modprobe: modprobe: Can't locate module ipt_conntrack
>>Oct 30 11:13:17 fwr modprobe: modprobe: Can't locate module ipt_pkttype
>>Oct 30 11:13:18 fwr modprobe: modprobe: Can't locate module ipt_pkttype
>>Oct 30 11:13:57 fwr last message repeated 2 times
>>Oct 30 11:14:06 fwr root: Shorewall Restarted
>>
>>
>
>
>There is nothing you can do about the first; the second is solved by
>upgrading to Shorewall 2.0.6 or later and then set PKTTYPE=No in
>shorewall.conf.
>
>

Hello Tom,

I'll wait for the sarge upgrade (shorewall 2.0.9).
In the meantime, I aliased both modules to off in my modules.conf in order to get rid of the error messages.

Thank you
--
guy

On Sat, 2004-10-30 at 08:13, Guy Marcenac wrote:
>
> I'll wait for the sarge upgrade (shorewall 2.0.9).
> In the meantime, I aliased both modules to off in my modules.conf in
> order to get rid of the error messages.
>

I've added FAQ 41 (http://shorewall.net/FAQ.htm#faq41) which includes your tip about modules.conf.

Thanks,
-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
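
The modules.conf workaround discussed in this thread, as an added example that is not part of the original messages or of Shorewall: it extracts the module names from the modprobe "Can't locate module" syslog lines quoted above and prints the modutils `alias <module> off` entries that are not yet present. The function names and the default file path are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: turn modprobe "Can't locate module" syslog lines into
# modutils (2.4-era modules.conf) "alias <module> off" entries.

# Log lines as quoted in the thread.
SAMPLE_LOG="Oct 30 11:13:12 fwr modprobe: modprobe: Can't locate module ipt_conntrack
Oct 30 11:13:17 fwr modprobe: modprobe: Can't locate module ipt_pkttype
Oct 30 11:13:18 fwr modprobe: modprobe: Can't locate module ipt_pkttype
Oct 30 11:13:57 fwr last message repeated 2 times
Oct 30 11:14:06 fwr root: Shorewall Restarted"

# Read syslog lines on stdin; print each module modprobe could not
# find, once, sorted. Lines that are not modprobe failures are ignored.
missing_modules() {
    sed -n "s/.*modprobe: Can't locate module \([A-Za-z0-9_-]*\).*/\1/p" | sort -u
}

# Read module names on stdin; print an alias line for each one that is
# not already aliased to "off" in the given modules.conf (hypothetical
# path argument; a missing file means nothing is aliased yet).
alias_lines() {
    conf="$1"
    while read -r mod; do
        [ -n "$mod" ] || continue
        if [ -f "$conf" ] &&
           grep -Eq "^[[:space:]]*alias[[:space:]]+$mod[[:space:]]+off" "$conf"; then
            continue
        fi
        printf 'alias %s off\n' "$mod"
    done
}

# Run the whole pipeline over the sample log.
generate() {
    printf '%s\n' "$SAMPLE_LOG" | missing_modules | alias_lines "${1:-/etc/modules.conf}"
}

generate "$@"
```

Review the printed lines before adding them: an `off` alias only silences modprobe for a module the kernel does not provide, and it has to be removed again if that module is later built, otherwise Shorewall's capability check will keep treating the feature as absent.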