I am a new user of shorewall, and am having some difficulty getting it set up on a new Fedora Core 3 system. When I run the shorewall script in /etc/init.d the following error message is received.

tarting shorewall: ./shorewall: line 26: 10555 Terminated $exec start >/dev/null 2>&1
[FAILED]

------------------------
The stopping point of the shorewall starting script in /etc/init.d is:
-------------------------
start() {
    echo -n $"Starting $prog: "
    # start it up here, usually something like "daemon $exec"
    $exec start >/dev/null 2>&1 && success $"$exec startup" || failure $"$exec startup"
    retval=$?
    echo
    [ $retval -eq 0 ] && touch $lockfile
    return $retval
}
----------------------------

Your help would be appreciated.

Thanks,

Greg Ennis
On Sat, 2004-11-27 at 15:26 -0600, Gregory P. Ennis wrote:
> I am a new user of shorewall, and am having some difficulty getting it set up on a
> new Fedora Core 3 system. When I run the shorewall script in the /etc/init.d the
> following error message is received.
>
> tarting shorewall: ./shorewall: line 26: 10555 Terminated $exec start
> >/dev/null 2>&1
> [FAILED]
> ------------------------
> The stopping point of the shorewall starting script in /etc/init.d is:
> -------------------------
> start() {
>     echo -n $"Starting $prog: "
>     # start it up here, usually something like "daemon $exec"
>     $exec start >/dev/null 2>&1 && success $"$exec startup" || failure $"$exec startup"
>     retval=$?
>     echo
>     [ $retval -eq 0 ] && touch $lockfile
>     return $retval
> }
> ----------------------------
>

Does "/sbin/shorewall start" work?

-Tom

--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
> > > Does "/sbin/shorewall start" work?
> >
> > -Tom

Thanks for your help.

Sure does.

Here is the output:

[root@dev init.d]# /sbin/shorewall start
Loading /usr/share/shorewall/functions...
Processing /etc/shorewall/params ...
Processing /etc/shorewall/shorewall.conf...
Starting Shorewall...
Loading Modules...
Initializing...
Shorewall has detected the following iptables/netfilter capabilities:
   NAT: Available
   Packet Mangling: Available
   Multi-port Match: Available
   Connection Tracking Match: Available
Determining Zones...
   Zones: net loc dmz
Validating interfaces file...
   Warning: The 'dropunclean' and 'logunclean' options will be removed in a future rel
Validating hosts file...
Validating Policy file...
Determining Hosts in Zones...
   Net Zone: eth0:0.0.0.0/0
   Warning: Zone loc is empty
   Warning: Zone dmz is empty
Processing /etc/shorewall/init ...
Smile will create the Firewall now
Deleting user chains...
Setting up Accounting...
Setting up User Sets...
Creating Interface Chains...
Configuring Proxy ARP
Setting up NAT...
Adding Common Rules
Mangled/Invalid Packet filtering enabled on:
iptables: No chain/target/match by that name
Processing /etc/shorewall/stop ...
Processing /etc/shorewall/stopped ...
Terminated
-------------------------------------------------------------

I am trying to set up a Fedora Core 3 system to use as a firewall for a network as well as an e-mail server. The local network should be identified as 10.0.0.0/24

I have a bunch of newbie questions about things I do not understand related to the shorewall configuration. Do you mind answering them?

Greg
On Sat, 2004-11-27 at 15:37 -0600, Gregory P. Ennis wrote:
> > > Does "/sbin/shorewall start" work?
> >
> > -Tom
>
> Thanks for your help.
>
> Sure does.
>
> Here is the output:
>
> [root@dev init.d]# /sbin/shorewall start
> Loading /usr/share/shorewall/functions...
> Processing /etc/shorewall/params ...
> Processing /etc/shorewall/shorewall.conf...
> Starting Shorewall...
> Loading Modules...
> Initializing...
> Shorewall has detected the following iptables/netfilter capabilities:
>    NAT: Available
>    Packet Mangling: Available
>    Multi-port Match: Available
>    Connection Tracking Match: Available
> Determining Zones...
>    Zones: net loc dmz
> Validating interfaces file...
>    Warning: The 'dropunclean' and 'logunclean' options will be removed in a future
> rel
> Validating hosts file...
> Validating Policy file...
> Determining Hosts in Zones...
>    Net Zone: eth0:0.0.0.0/0
>    Warning: Zone loc is empty
>    Warning: Zone dmz is empty

The empty zone warnings indicate that you are NOT following the instructions for installing Shorewall found in any of the QuickStart Guides (http://shorewall.net/shorewall_quickstart_guide.htm)!!!

> Processing /etc/shorewall/init ...
> Smile will create the Firewall now
> Deleting user chains...
> Setting up Accounting...
> Setting up User Sets...
> Creating Interface Chains...
> Configuring Proxy ARP
> Setting up NAT...
> Adding Common Rules
> Mangled/Invalid Packet filtering enabled on:
> iptables: No chain/target/match by that name
> Processing /etc/shorewall/stop ...
> Processing /etc/shorewall/stopped ...
> Terminated

Go to http://shorewall.net/troubleshoot.htm and follow the instructions in the section entitled "shorewall start and shorewall restart Errors". And check out the QuickStart Guides -- they will make the installation go a lot smoother. I just installed Shorewall 2.0.11 on a one-interface FC3 system in under five minutes following the Standalone quickstart guide so I know it works.
-Tom
Tom Eastep wrote:
> I just installed Shorewall 2.0.11 on a one-interface FC3 system in under
> five minutes following the Standalone quickstart guide so I know it
> works.
>
> -Tom

Thanks Tom,

A one interface system is what I am starting with. I actually did use the quickstart, but must have read things incorrectly. I'll start over and try it again.

Greg
On Sat, 2004-11-27 at 16:02 -0600, Gregory P. Ennis wrote:
> Tom Eastep wrote:
>
> > I just installed Shorewall 2.0.11 on a one-interface FC3 system in under
> > five minutes following the Standalone quickstart guide so I know it
> > works.
> >
> > -Tom
>
> Thanks Tom,
>
> A one interface system is what I am starting with, I actually did use the quickstart,
> but must have read things incorrectly. I'll start over and try it again.

The empty zones tell me that you didn't move the sample 'zones' file into /etc/shorewall.

-Tom
Tom Eastep wrote:
> On Sat, 2004-11-27 at 16:02 -0600, Gregory P. Ennis wrote:
>
>>Tom Eastep wrote:
>>
>>
>>>I just installed Shorewall 2.0.11 on a one-interface FC3 system in under
>>>five minutes following the Standalone quickstart guide so I know it
>>>works.
>>>
>>>-Tom
>>
>>Thanks Tom,
>>
>>A one interface system is what I am starting with, I actually did use the quickstart,
>>but must have read things incorrectly. I'll start over and try it again.
>
>
> The empty zones tell me that you didn't move the sample 'zones' file
> into /etc/shorewall.
>
> -Tom

Tom,

I had tried making the entry in the manner that I understood and received the below:

[root@dev shorewall]# /sbin/shorewall start
Loading /usr/share/shorewall/functions...
Processing /etc/shorewall/params ...
Processing /etc/shorewall/shorewall.conf...
Starting Shorewall...
Loading Modules...
Initializing...
Shorewall has detected the following iptables/netfilter capabilities:
   NAT: Available
   Packet Mangling: Available
   Multi-port Match: Available
   Connection Tracking Match: Available
Determining Zones...
   Zones: net mail web hm1 moo me star lpt1
Validating interfaces file...
   Warning: The 'dropunclean' and 'logunclean' options will be removed in a future release
Validating hosts file...
Validating Policy file...
Determining Hosts in Zones...
   Net Zone: eth0:0.0.0.0/0
   Warning: Zone mail is empty
   Warning: Zone web is empty
   Warning: Zone hm1 is empty
   Warning: Zone moo is empty
   Warning: Zone me is empty
   Warning: Zone star is empty
   Warning: Zone lpt1 is empty
Processing /etc/shorewall/init ...
Smile will create the Firewall now
Deleting user chains...
Setting up Accounting...
Setting up User Sets...
Creating Interface Chains...
Configuring Proxy ARP
Setting up NAT...
Adding Common Rules
Mangled/Invalid Packet filtering enabled on:
iptables: No chain/target/match by that name
Processing /etc/shorewall/stop ...
Processing /etc/shorewall/stop

I am sure there is much I do not understand, but I must be reading the documentation poorly. When a zone is defined, is a zone one of the PC's on the network, and if so then how does shorewall identify it with an IP address? Does it look at the /etc/hosts file? I can not figure out how to reconcile the zone names with the IP addresses on the network.

When I received the above results I looked at the default zone file that came with the installation. It was designated much differently, labeling loc to mean the local network. I could not figure out how it identified the local network, and of course based on my first post it did not work either.

Thanks for your help,

Greg
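The question above (how a zone name gets tied to interfaces and IP addresses) and Tom's earlier remark that empty zones mean the sample 'zones' file never reached /etc/shorewall are both about the same mechanism: a zone named in the zones file has no members until some interfaces or hosts line refers to it in its first column. The checker below is an added example, not code from the thread or from the Shorewall project; it assumes the Shorewall 2.0-style column layout for the three files and constructs its own sample configuration in a temporary directory, with one zone deliberately left unassigned, so it can be run without Shorewall installed.

```shell
#!/bin/sh
# Added example (not from the thread or the Shorewall project): reproduce the
# logic behind Shorewall's "Warning: Zone X is empty" message.
# Assumed Shorewall 2.0-style file layouts:
#   zones:      ZONE  DISPLAY    COMMENTS
#   interfaces: ZONE  INTERFACE  BROADCAST  OPTIONS   ("-" = zone comes from hosts)
#   hosts:      ZONE  HOST(S)    OPTIONS             (e.g. loc eth1:10.0.0.0/24)
# A zone is populated when an interfaces or hosts line names it in column 1;
# the firewall's own zone ("fw") is defined in shorewall.conf and needs no entry.

# Drop comments and blank lines from a Shorewall config file.
strip_cfg() {
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1"
}

# Print the members of one zone: whole interfaces and/or host entries.
zone_members() {
    dir=$1
    zone=$2
    [ -f "$dir/interfaces" ] && strip_cfg "$dir/interfaces" |
        awk -v z="$zone" '$1 == z { print "interface " $2 }'
    [ -f "$dir/hosts" ] && strip_cfg "$dir/hosts" |
        awk -v z="$zone" '$1 == z { print "hosts " $2 }'
    return 0
}

# List every zone declared in $dir/zones that has no members at all.
empty_zones() {
    dir=$1
    strip_cfg "$dir/zones" | awk '{ print $1 }' | while read -r zone; do
        if [ -z "$(zone_members "$dir" "$zone")" ]; then
            echo "$zone"
        fi
    done
    return 0
}

# Constructed sample: a two-interface firewall (net on eth0, a 10.0.0.0/24
# local network on eth1 via the hosts file) plus a 'dmz' zone that was
# declared but never assigned, which is exactly the "empty zone" case.
make_sample() {
    dir=$(mktemp -d)
    cat > "$dir/zones" <<'EOF'
#ZONE   DISPLAY   COMMENTS
net     Net       Internet
loc     Local     Local network 10.0.0.0/24
dmz     DMZ       Declared but not yet assigned to anything
EOF
    cat > "$dir/interfaces" <<'EOF'
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      routefilter
-       eth1        detect
EOF
    cat > "$dir/hosts" <<'EOF'
#ZONE   HOST(S)            OPTIONS
loc     eth1:10.0.0.0/24
EOF
    echo "$dir"
}

# Run against the constructed sample; point make_sample at /etc/shorewall
# (i.e. call empty_zones /etc/shorewall) to check a real installation.
sample=$(make_sample)
echo "Zones with no members: $(empty_zones "$sample" | tr '\n' ' ')"
for z in net loc dmz; do
    echo "$z -> $(zone_members "$sample" "$z" | tr '\n' ';')"
done
rm -rf "$sample"
```

On the sample this reports `dmz` as the only empty zone, `net` as backed by interface eth0, and `loc` as backed by the hosts entry eth1:10.0.0.0/24, which is the answer to the question of where the IP addresses come from: not /etc/hosts, but the interfaces and hosts files in /etc/shorewall.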
On Sat, 2004-11-27 at 17:35 -0600, Gregory P. Ennis wrote:
> Tom Eastep wrote:
> Thanks for your help,

You are totally lost. Please describe your network and what you are trying to accomplish with Shorewall.

-Tom
Tom,

I am using Shorewall 1.4.8 which is the version that came with FC3. I have checked their update list and the latest update Fedora has for shorewall is 1.4.8

Do I need to upgrade to 2.0.11?

Greg
On Sat, 2004-11-27 at 17:39 -0600, Gregory P. Ennis wrote:
> Tom,
>
> I am using Shorewall 1.4.8 which is the version that came with FC3. I have checked
> their update list and the latest update Fedora has for shorewall is 1.4.8
>

Where are you getting Shorewall? RedHat has never packaged Shorewall as far as I know. I would definitely start with 2.0.11 because support for 1.4 will end early next year.

-Tom
Tom Eastep wrote:
> On Sat, 2004-11-27 at 17:39 -0600, Gregory P. Ennis wrote:
>
>>Tom,
>>
>>I am using Shorewall 1.4.8 which is the version that came with FC3. I have checked
>>their update list and the latest update Fedora has for shorewall is 1.4.8
>>
>
>
> Where are you getting Shorewall? RedHat has never packaged Shorewall as
> far as I know. I would definitely start with 2.0.11 because support for
> 1.4 will end early next year.
>
> -Tom

Tom,

You are so correct! I am totally lost. Sorry to ask such baby questions. I downloaded the 2.0.11 rpm but it would not install; the FC3 unit responded telling me that the version I had was older than 2.0.11, but it is not. I downloaded the tar ball version of 2.0.11 and have installed it now. I am in the process of reviewing your documentation .... much better than 1.4.8, and when I have some intelligent questions I will send them to you.

I downloaded the FC3 iso's from one of the mirror sites, and upgraded everything with synaptic before I started. When I started looking around to see what I had, shorewall was present. I want to create a firewall with some NAT addressing for our office network so shorewall looked perfect. I had also planned on making this FC3 unit an e-mail server for our office unless it would be better for the firewall to exist by itself.

Thanks again for your work.... give me a little time and I'll come back with better questions.

Greg
On Sat, 2004-11-27 at 18:18 -0600, Gregory P. Ennis wrote:
> Tom Eastep wrote:
> > On Sat, 2004-11-27 at 17:39 -0600, Gregory P. Ennis wrote:
> >
> >>Tom,
> >>
> >>I am using Shorewall 1.4.8 which is the version that came with FC3. I have checked
> >>their update list and the latest update Fedora has for shorewall is 1.4.8
> >>
> >
> >
> > Where are you getting Shorewall? RedHat has never packaged Shorewall as
> > far as I know. I would definitely start with 2.0.11 because support for
> > 1.4 will end early next year.
> >
> > -Tom
>
> Tom,
>
> You are so correct! I am totally lost. Sorry to ask such baby questions. I
> downloaded 2.0.11 rpm but it would not install, the FC3 unit responded telling me
> that the version I had was older than 2.0.11, but it is not.

You should be able to upgrade from 1.4.8 to 2.0.11 by following the instructions at http://shorewall.net/Install.htm (basically "rpm -Uvh shorewall-2.0.11-1.noarch.rpm")

> I downloaded the tar
> ball version of 2.0.11 and have installed it now.

I hope you uninstalled the RPM first (rpm -e shorewall).

> I am in the process of reviewing
> your documentation .... much better than 1.4.8 and when I have some intelligent
> questions I will send them to you.
>
> I downloaded the FC3 iso's from one of the mirror sites, and upgraded everything with
> synaptic before I started. When I started looking around to see what I had,
> shorewall was present.

Interesting -- it's not on my FC3 ISOs and it is not on the Fedora download server.

> I want to create a firewall with some NAT addressing for our
> office network so shorewall looked perfect. I had also planned on making this FC3
> unit as an e-mail server for our office unless it would be better for the firewall to
> exist by itself.
>
> Thanks again for your work....
> give me a little time and I'll come back with better
> questions.

Ok -- depending on how you want to organize your network, you could be looking at the two-interface or three-interface QuickStart Guide or possibly the Shorewall Setup Guide (if your firewall will be dealing with more than one public IP address). Definitely NOT the one-interface/standalone guide.

Keep us informed.

-Tom
On Sat, 2004-11-27 at 16:27 -0800, Tom Eastep wrote:
> Interesting -- it's not on my FC3 ISOs and it is not on the Fedora
> download server.

I'll bet he got it from fedora.us. If he couldn't upgrade the RPM using the one from shorewall.net or not able to rebuild it, he was definitely doing something wrong.

--
David Hollis <dhollis@davehollis.com>