Dear All,

I have a problem starting Shorewall on a Debian 1.3 Linux box. Here is some info:

Output of '/sbin/shorewall trace start 2> /tmp/trace' is in the attachment.

Shorewall version: 2.2.3

Output of 'ip addr show':

1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: bond0: <BROADCAST,MULTICAST,MASTER> mtu 1500 qdisc noop
    link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
3: dummy0: <BROADCAST,NOARP> mtu 1500 qdisc noop
    link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
4: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:50:fc:64:c2:52 brd ff:ff:ff:ff:ff:ff
    inet 81.17.202.85/26 brd 81.17.202.127 scope global secondary eth0:chlorine
5: eth1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop qlen 1000
    link/ether 00:48:54:81:08:d3 brd ff:ff:ff:ff:ff:ff

Output of 'ip route show':

81.17.202.64/26 dev eth0 proto kernel scope link src 81.17.202.70
default via 81.17.202.65 dev eth0

The actual error messages are:

/usr/share/shorewall/firewall: line 2179: /proc/sys/net/ipv4/conf/all/proxy_arp: Permission denied
iptables v1.2.11: can't initialize iptables table `filter': Permission denied (you must be root)
ERROR: Command "/sbin/iptables -P INPUT DROP" Failed
/usr/share/shorewall/firewall: line 2179: /proc/sys/net/ipv4/conf/all/proxy_arp: Permission denied

I run shorewall as root, so the message 'you must be root' applies. I suspect that the error is arising from Debian. I have used the same set on a Slackware and Mandrake/Mandriva box, where things are working fine.

The Debian machine is termed a 'virtual server' where the Debian is imposed to me, so I cannot change that. The linux there runs kernel 2.4.26-vs1.27. The iptables is the latest version (according to Debian that is).

Hopefully somebody has seen this same problem and knows what to do,

Andre

Hi.

> I run shorewall as root, so the message 'you must be root' applies. I
> suspect that the error is arising from Debian. I have used the same set
> on a Slackware and Mandrake/Mandriva box, where things are working fine.

Are these also vservers?

> The Debian machine is termed a 'virtual server' where the Debian is
> imposed to me, so I cannot change that. The linux there runs kernel
> 2.4.26-vs1.27. The iptables is the latest version (according to Debian
> that is).

Did you ask on the vserver ML whether it is possible to have a firewall inside a vserver?

Best,
Gilles

Gilles wrote:
> Hi.
>
>> I run shorewall as root, so the message 'you must be root' applies. I
>> suspect that the error is arising from Debian. I have used the same set
>> on a Slackware and Mandrake/Mandriva box, where things are working fine.
>
> Are these also vservers?

Virtual servers, you mean? I would assume that they essentially just have a cluster of PCs that they rent to others including me.

>> The Debian machine is termed a 'virtual server' where the Debian is
>> imposed to me, so I cannot change that. The linux there runs kernel
>> 2.4.26-vs1.27. The iptables is the latest version (according to Debian
>> that is).
>
> Did you ask on the vserver ML whether it is possible to have a firewall
> inside a vserver?

Actually no, but I will find that out. The machine seems wide open now. Many ports are available (checked that with nmap). It may (should!) be that the gateway has a central firewall that protects the cluster. Still, it should be possible to have a local firewall. I see in the log files that there are attempts to log onto the machine.

Any idea what is causing the errors? It doesn't make sense to me.

> Best,
> Gilles
> _______________________________________________
> Shorewall-users mailing list
> Post: Shorewall-users@lists.shorewall.net
> Subscribe/Unsubscribe: https://lists.shorewall.net/mailman/listinfo/shorewall-users
> Support: http://www.shorewall.net/support.htm
> FAQ: http://www.shorewall.net/FAQ.htm

Hello.

>>> I run shorewall as root, so the message 'you must be root' applies. I
>>> suspect that the error is arising from Debian. I have used the same set
>>> on a Slackware and Mandrake/Mandriva box, where things are working fine.
>>
>> Are these also vservers?
>
> Virtual servers, you mean? I would assume that they essentially
> just have a cluster of PCs that they rent to others including me.

Actually no: From the look of the kernel name (2.4.26-vs1.27), I indeed mean "vserver" which stands for, well, virtual server, but has no relation to a cluster of actual machines. See:

http://www.13thfloor.at/vserver/project/

Gilles

Gilles wrote:
> Hello.
>
>>>> I run shorewall as root, so the message 'you must be root' applies. I
>>>> suspect that the error is arising from Debian. I have used the same set
>>>> on a Slackware and Mandrake/Mandriva box, where things are working fine.
>>>
>>> Are these also vservers?
>>
>> Virtual servers, you mean? I would assume that they essentially
>> just have a cluster of PCs that they rent to others including me.
>
> Actually no: From the look of the kernel name (2.4.26-vs1.27), I indeed mean
> "vserver" which stands for, well, virtual server, but has no relation to a
> cluster of actual machines. See:
>
> http://www.13thfloor.at/vserver/project/

So, it appears indeed that the server cannot run its own firewall. There is a central firewall that is now being configured to meet my requirements.

Thanks for your help,
Andre.

> Gilles

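A preflight check that reaches the conclusion above mechanically, written as an added example (not code from the thread or from Shorewall): it tells "not root" apart from "root, but the execution context is missing CAP_NET_ADMIN" by parsing the CapEff line of /proc/self/status (CAP_NET_ADMIN is capability bit 12) and by writing the proxy_arp sysctl back to itself, the same write that failed at firewall line 2179. The sample status text and error string are constructed; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread or Shorewall): tells "not root" apart from
# "root, but the execution context lacks CAP_NET_ADMIN", which is what a
# vserver guest looks like from the inside.

# cap_net_admin_from_status STATUS_TEXT
# Parses the CapEff line of /proc/<pid>/status text; returns 0 if bit 12
# (CAP_NET_ADMIN) is set in the effective set, 1 if not, 2 if no CapEff line.
cap_net_admin_from_status() {
    hex=$(printf '%s\n' "$1" | awk '/^CapEff:/ { print $2 }')
    [ -n "$hex" ] || return 2
    low=$(printf '%s' "$hex" | tail -c 8)      # low 32 bits suffice for bit 12
    [ $(( (0x$low >> 12) & 1 )) -eq 1 ]
}

# classify_failure UID ERROR_TEXT
# Maps the messages quoted in this thread to a likely cause, given the uid.
classify_failure() {
    case "$2" in
        *"you must be root"*|*"Permission denied"*)
            if [ "$1" -ne 0 ]; then echo "not-root"
            else echo "root-but-restricted-context"; fi ;;
        *) echo "other" ;;
    esac
}

# Live probe of the current context (only runs when RUN_PREFLIGHT=1).
preflight() {
    if cap_net_admin_from_status "$(cat /proc/self/status)"; then
        echo "CAP_NET_ADMIN: present"
    else
        echo "CAP_NET_ADMIN: missing (container or vserver guest?)"
    fi
    f=/proc/sys/net/ipv4/conf/all/proxy_arp        # the sysctl Shorewall failed on
    v=$(cat "$f" 2>/dev/null) || { echo "proxy_arp: unreadable"; return; }
    if printf '%s\n' "$v" > "$f" 2>/dev/null; then  # write the same value back
        echo "proxy_arp: writable"
    else
        echo "proxy_arp: $(classify_failure "$(id -u)" 'Permission denied')"
    fi
}

# Constructed sample data (not captured from the poster's machine).
SAMPLE_STATUS_FULL='Name: sh
CapEff: 00000000fffffeff'
SAMPLE_STATUS_GUEST='Name: sh
CapEff: 00000000000000ff'
SAMPLE_ERR="iptables v1.2.11: can't initialize iptables table \`filter': Permission denied (you must be root)"

if [ "${RUN_PREFLIGHT:-0}" = 1 ]; then preflight; fi
```

Run it as root with RUN_PREFLIGHT=1 to see the live verdict; the rest of the script is inert so the functions can be sourced and tested on the constructed samples.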
Andre Juffer wrote:
> ...
>> Actually no: From the look of the kernel name (2.4.26-vs1.27), I
>> indeed mean "vserver" which stands for, well, virtual server, but
>> has no relation to a cluster of actual machines. See:
>> http://www.13thfloor.at/vserver/project/
>
> So, it appears indeed that the server cannot run its own firewall. There
> is a central firewall that is now being configured to meet my requirements.

Doesn't seem like much of a virtual server technology to me if they can't make it seem like a real server. Wouldn't Xen be a better virtualisation technology to try?

-- 
Paul <http://paulgear.webhop.net>
-- 
Did you know? If you use two dashes followed by a space as your signature separator, good email programs will chop them off automatically, reducing noise in email replies.

Paul Gear wrote:
> Andre Juffer wrote:
>> ...
>>> Actually no: From the look of the kernel name (2.4.26-vs1.27), I
>>> indeed mean "vserver" which stands for, well, virtual server, but
>>> has no relation to a cluster of actual machines. See:
>>> http://www.13thfloor.at/vserver/project/
>>
>> So, it appears indeed that the server cannot run its own firewall. There
>> is a central firewall that is now being configured to meet my requirements.
>
> Doesn't seem like much of a virtual server technology to me if they
> can't make it seem like a real server. Wouldn't Xen be a better
> virtualisation technology to try?

Possible. It is unfortunately out of my control. The firewall has been set up in the meantime. Thanks for the advice.

Hi.

>> Doesn't seem like much of a virtual server technology to me if they
>> can't make it seem like a real server. Wouldn't Xen be a better
>> virtualisation technology to try?
>
> Possible. It is unfortunately out of my control. The firewall has been
> set up in the meantime. Thanks for the advice.

The purpose of the vserver patch is to enable secured execution context, and make a single machine look *from the outside* like several servers. See the web site, and ask on their mailing list if you want to compare the focus/uses/advantages/drawbacks of the various technologies.

Best regards,
Gilles

Gilles wrote:
> ...
>>> Doesn't seem like much of a virtual server technology to me if they
>>> can't make it seem like a real server. Wouldn't Xen be a better
>>> virtualisation technology to try?
>> ...
>
> The purpose of the vserver patch is to enable secured execution context,
> and make a single machine look *from the outside* like several servers.
> See the web site, and ask on their mailing list if you want to compare the
> focus/uses/advantages/drawbacks of the various technologies.

Fair enough - i'd rather have one that makes a single machine look like several servers from the *inside* as well (i.e. transparent to applications). However, this could just be due to the trembling anticipation i felt when i got my SuSE 9.3 DVD recently. :-) I haven't yet made any virtual machines with Xen, though.

-- 
Paul <http://paulgear.webhop.net>
-- 
Did you know? It is illegal to use your copy of Microsoft Office on multiple computers without multiple licenses. Why not try the free alternative OpenOffice.org? <http://www.openoffice.org>