Hi list

I'm running Shorewall 2.4.1 on a Trustix Linux distribution, kernel 2.6.11. Iptables 1.3.1; also tried the latest version 1.3.2 of iptables.

I'm having problems with starting Shorewall. It complains about:

---
iptables v1.3.1: Unknown arg `--icmp-type'
Try `iptables -h' or 'iptables --help' for more information.
ERROR: Command "/sbin/iptables -A AllowICMPs -p icmp --icmp-type fragmentation-needed -j ACCEPT" Failed
---

What to do? Is it iptables lacking support for --icmp-type or is it a misconfig of Shorewall?

Best regards
/jsj

-------------------------------------------------------
SF.Net email is sponsored by: Discover Easy Linux Migration Strategies from IBM. Find simple to follow Roadmaps, straightforward articles, informative Webcasts and more! Get everything you need to get up to speed, fast. http://ads.osdn.com/?ad_id=7477&alloc_id=16492&op=click
Jannic S. Jensen wrote:
> Hi list
>
> I'm running Shorewall 2.4.1 on a Trustix Linux distribution, kernel
> 2.6.11. Iptables 1.3.1; also tried the latest version 1.3.2 of iptables.
>
> I'm having problems with starting Shorewall. It complains about:
>
> ---
> iptables v1.3.1: Unknown arg `--icmp-type'
> Try `iptables -h' or 'iptables --help' for more information.
> ERROR: Command "/sbin/iptables -A AllowICMPs -p icmp --icmp-type
> fragmentation-needed -j ACCEPT" Failed
> ---
>
> What to do? Is it iptables lacking support for --icmp-type or is it a
> misconfig of Shorewall?
>

Can be both. Please post the compressed output of

/sbin/shorewall trace start 2> /tmp/trace
> Cristian Rodriguez wrote:
> can be both. please post the compressed output of
>
> /sbin/shorewall trace start 2> /tmp/trace

Whoops. Message is too large for the Shorewall mailing list. Please take a look at http://jannic.dk/trace.txt

Best regards
/jsj
Jannic S. Jensen wrote:
>> Cristian Rodriguez wrote:
>> can be both. please post the compressed output of
>>
>> /sbin/shorewall trace start 2> /tmp/trace
>
> Whoops. Message is too large for the Shorewall mailing list. Please take a
> look at http://jannic.dk/trace.txt
>

The command that is failing on your system is valid. Furthermore, it has been a valid command for as long as I've been working with iptables.

From the console on the system I'm writing this on:

ursa:/var/log/YaST2 # iptables -N AllowICMPs
ursa:/var/log/YaST2 # iptables -A AllowICMPs -p icmp --icmp-type fragmentation-needed -j ACCEPT
ursa:/var/log/YaST2 #

What happens when you try that? (from a root prompt) If it works from a root prompt then what does "which iptables" return?

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
> What happens when you try that? (from a root prompt) If it works from
> a root prompt then what does "which iptables" return?

Exactly the same:

root@fw ~# iptables -N AllowICMPs
root@fw ~# iptables -A AllowICMPs -p icmp --icmp-type fragmentation-needed -j ACCEPT
iptables v1.3.2: Unknown arg `--icmp-type'
Try `iptables -h' or 'iptables --help' for more information.

It's really confusing me! But how come? I think, but am not sure, that iptables is lacking support for --icmp-type. Don't know how to enable it.

/Jannic
Jannic S. Jensen wrote:
>> Tom Eastep wrote:
>> What happens when you try that? (from a root prompt) If it works from
>> a root prompt then what does "which iptables" return?
>
> Exactly the same:
>
> root@fw ~# iptables -N AllowICMPs
> root@fw ~# iptables -A AllowICMPs -p icmp --icmp-type
> fragmentation-needed -j ACCEPT
> iptables v1.3.2: Unknown arg `--icmp-type'
> Try `iptables -h' or 'iptables --help' for more information.
>
> It's really confusing me! But how come? I think, but am not sure, that
> iptables is lacking support for --icmp-type. Don't know how to enable it.
>

What happens if you type "iptables -p icmp --help"? Here's what you should see (after the standard iptables syntax info):

ICMP v1.3.1 options:
 --icmp-type [!] typename       match icmp type
                                (or numeric type or type/code)

Valid ICMP Types:
any
echo-reply (pong)
destination-unreachable
   network-unreachable
   host-unreachable
   protocol-unreachable
   port-unreachable
   fragmentation-needed
   source-route-failed
   network-unknown
   host-unknown
   network-prohibited
   host-prohibited
   TOS-network-unreachable
   TOS-host-unreachable
   communication-prohibited
   host-precedence-violation
   precedence-cutoff
source-quench
redirect
   network-redirect
   host-redirect
   TOS-network-redirect
   TOS-host-redirect
echo-request (ping)
router-advertisement
router-solicitation
time-exceeded (ttl-exceeded)
   ttl-zero-during-transit
   ttl-zero-during-reassembly
parameter-problem
   ip-header-bad
   required-option-missing
timestamp-request
timestamp-reply
address-mask-request
address-mask-reply
gateway:/etc/shorewall#

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
> Jannic S. Jensen wrote:
>>> Tom Eastep wrote:
>>> What happens when you try that? (from a root prompt) If it works from
>>> a root prompt then what does "which iptables" return?
>> Exactly the same:
>>
>> root@fw ~# iptables -N AllowICMPs
>> root@fw ~# iptables -A AllowICMPs -p icmp --icmp-type
>> fragmentation-needed -j ACCEPT
>> iptables v1.3.2: Unknown arg `--icmp-type'
>> Try `iptables -h' or 'iptables --help' for more information.
>>
>> It's really confusing me! But how come? I think, but am not sure, that
>> iptables is lacking support for --icmp-type. Don't know how to enable it.
>>
>
> What happens if you type "iptables -p icmp --help"? Here's what you should
> see (after the standard iptables syntax info):

Also, your iptables library directory (usually /usr/lib/iptables but might also be /lib/iptables) should contain a shared library named libipt_icmp.so. If it doesn't then your iptables wasn't built with icmp support, something I wasn't aware was even possible.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
> Tom Eastep wrote:
> > What happens when you try that? (from a root prompt) If it works from
> > a root prompt then what does "which iptables" return?
>
> Exactly the same:
>
> root@fw ~# iptables -N AllowICMPs
> root@fw ~# iptables -A AllowICMPs -p icmp --icmp-type
> fragmentation-needed -j ACCEPT
> iptables v1.3.2: Unknown arg `--icmp-type'
> Try `iptables -h' or 'iptables --help' for more information.
>
> It's really confusing me! But how come? I think, but am not sure, that
> iptables is lacking support for --icmp-type. Don't know how to enable it.
>

Sounds like an iptables/kernel header mismatch to me.
http://www.shorewall.net/FAQ.htm#faq27a

Jerry
Jerry Vonau wrote:
>> Tom Eastep wrote:
>> > What happens when you try that? (from a root prompt) If it works from
>> > a root prompt then what does "which iptables" return?
>>
>> Exactly the same:
>>
>> root@fw ~# iptables -N AllowICMPs
>> root@fw ~# iptables -A AllowICMPs -p icmp --icmp-type
>> fragmentation-needed -j ACCEPT
>> iptables v1.3.2: Unknown arg `--icmp-type'
>> Try `iptables -h' or 'iptables --help' for more information.
>>
>> It's really confusing me! But how come? I think, but am not sure, that
>> iptables is lacking support for --icmp-type. Don't know how to enable it.
>>
>
> Sounds like an iptables/kernel header mismatch to me.
> http://www.shorewall.net/FAQ.htm#faq27a

I believe it is an iptables problem only. Notice the similarity of the error messages:

gateway:/etc/shorewall# iptables -A OUTPUT -p tcp --foo-bar 6 -j ACCEPT
iptables v1.3.1: Unknown arg `--foo-bar'
Try `iptables -h' or 'iptables --help' for more information.
gateway:/etc/shorewall#

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
> What happens if you type "iptables -p icmp --help"? Here's what you
> should
> see (after the standard iptables syntax info):

Nothing about icmp:

---
root@fw ~# iptables -p icmp --help
iptables v1.3.2

Usage: iptables -[AD] chain rule-specification [options]
       iptables -[RI] chain rulenum rule-specification [options]
       iptables -D chain rulenum [options]
       iptables -[LFZ] [chain] [options]
       iptables -[NX] chain
       iptables -E old-chain-name new-chain-name
       iptables -P chain target [options]
       iptables -h (print this help information)

Commands:
Either long or short options are allowed.
  --append  -A chain            Append to chain
  --delete  -D chain            Delete matching rule from chain
  --delete  -D chain rulenum    Delete rule rulenum (1 = first) from chain
  --insert  -I chain [rulenum]  Insert in chain as rulenum (default 1=first)
  --replace -R chain rulenum    Replace rule rulenum (1 = first) in chain
  --list    -L [chain]          List the rules in a chain or all chains
  --flush   -F [chain]          Delete all rules in chain or all chains
  --zero    -Z [chain]          Zero counters in chain or all chains
  --new     -N chain            Create a new user-defined chain
  --delete-chain
            -X [chain]          Delete a user-defined chain
  --policy  -P chain target     Change policy on chain to target
  --rename-chain
            -E old-chain new-chain
                                Change chain name, (moving any references)

Options:
  --proto       -p [!] proto    protocol: by number or name, eg. `tcp'
  --source      -s [!] address[/mask]
                                source specification
  --destination -d [!] address[/mask]
                                destination specification
  --in-interface -i [!] input name[+]
                                network interface name ([+] for wildcard)
  --jump        -j target       target for rule (may load target extension)
  --match       -m match        extended match (may load extension)
  --numeric     -n              numeric output of addresses and ports
  --out-interface -o [!] output name[+]
                                network interface name ([+] for wildcard)
  --table       -t table        table to manipulate (default: `filter')
  --verbose     -v              verbose mode
  --line-numbers                print line numbers when listing
  --exact       -x              expand numbers (display exact values)
[!] --fragment  -f              match second or further fragments only
  --modprobe=<command>          try to insert modules using this command
  --set-counters PKTS BYTES     set the counter during insert/append
[!] --version   -V              print package version.
root@fw ~#
---

Oops :(

/Jannic

On Jul 19, 2005, at 6:49 PM, Tom Eastep wrote:
> Jannic S. Jensen wrote:
>
>>> Tom Eastep wrote:
>>> What happens when you try that? (from a root prompt) If it works
>>> from
>>> a root prompt then what does "which iptables" return?
>>>
>>
>> Exactly the same:
>>
>> root@fw ~# iptables -N AllowICMPs
>> root@fw ~# iptables -A AllowICMPs -p icmp --icmp-type
>> fragmentation-needed -j ACCEPT
>> iptables v1.3.2: Unknown arg `--icmp-type'
>> Try `iptables -h' or 'iptables --help' for more information.
>>
>> It's really confusing me! But how come? I think, but am not sure, that
>> iptables is lacking support for --icmp-type. Don't know how to
>> enable it.
>>
>>
>
> What happens if you type "iptables -p icmp --help"? Here's what you
> should
> see (after the standard iptables syntax info):
>
> ICMP v1.3.1 options:
>  --icmp-type [!] typename       match icmp type
>                                 (or numeric type or type/code)
>
> Valid ICMP Types:
> any
> echo-reply (pong)
> destination-unreachable
>    network-unreachable
>    host-unreachable
>    protocol-unreachable
>    port-unreachable
>    fragmentation-needed
>    source-route-failed
>    network-unknown
>    host-unknown
>    network-prohibited
>    host-prohibited
>    TOS-network-unreachable
>    TOS-host-unreachable
>    communication-prohibited
>    host-precedence-violation
>    precedence-cutoff
> source-quench
> redirect
>    network-redirect
>    host-redirect
>    TOS-network-redirect
>    TOS-host-redirect
> echo-request (ping)
> router-advertisement
> router-solicitation
> time-exceeded (ttl-exceeded)
>    ttl-zero-during-transit
>    ttl-zero-during-reassembly
> parameter-problem
>    ip-header-bad
>    required-option-missing
> timestamp-request
> timestamp-reply
> address-mask-request
> address-mask-reply
> gateway:/etc/shorewall#
>
>
> -Tom
> --
> Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
> Shoreline,     \ http://shorewall.net
> Washington USA  \ teastep@shorewall.net
> PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
>
On Jul 19, 2005, at 7:03 PM, Tom Eastep wrote:
> Also, your iptables library directory (usually /usr/lib/iptables
> but might
> also be /lib/iptables) should contain a shared library named
> libipt_icmp.so. If it doesn't then your iptables wasn't built with
> icmp
> support, something I wasn't aware was even possible.

root@fw ~# locate libipt_icmp.so
/lib/iptables/libipt_icmp.so
/root/iptables-1.3.2/extensions/libipt_icmp.so
/usr/local/lib/iptables/libipt_icmp.so

The shared library exists. That's some sort of progress :)

/Jannic
----- Original Message -----
From: "Tom Eastep" <teastep@shorewall.net>
To: <shorewall-users@lists.sourceforge.net>
Sent: Tuesday, July 19, 2005 12:18
Subject: Re: [Shorewall-users] Shorewall and icmp-type on Trustix 3.0

> I believe it is an iptables problem only. Notice the similarity of the
> error messages:
>
> gateway:/etc/shorewall# iptables -A OUTPUT -p tcp --foo-bar 6 -j ACCEPT
> iptables v1.3.1: Unknown arg `--foo-bar'
> Try `iptables -h' or 'iptables --help' for more information.
> gateway:/etc/shorewall#

I see that now, after your other post about being able to exclude icmp support (??!!) Either way, iptables would need to be re-compiled. Don't you need the kernel sources for that?

Jerry
On Jul 19, 2005, at 7:07 PM, Jerry Vonau wrote:
> Sounds like an iptables/kernel header mismatch to me.
> http://www.shorewall.net/FAQ.htm#faq27a

The steps I have been through are:

1) Use the kernel-source from Trustix. (kernel-source-2.6.11.12-2tr)
2) Downloaded newest iptables from netfilter.org (iptables-1.3.2)
2a) Then in iptables directory: make KERNEL_DIR=/usr/src/linux
2b) And make install KERNEL_DIR=/usr/src/linux
2c) And finally make install-devel
3) Make new kernel and copy to /boot.

Still no progress. Will try one more time and report back.

Stock iptables (1.3.1) from Trustix has the same problems.

Best regards
/Jannic
Jannic S. Jensen wrote:
>
> On Jul 19, 2005, at 7:03 PM, Tom Eastep wrote:
>
>> Also, your iptables library directory (usually /usr/lib/iptables but
>> might
>> also be /lib/iptables) should contain a shared library named
>> libipt_icmp.so. If it doesn't then your iptables wasn't built with icmp
>> support, something I wasn't aware was even possible.
>
> root@fw ~# locate libipt_icmp.so
> /lib/iptables/libipt_icmp.so
> /root/iptables-1.3.2/extensions/libipt_icmp.so
> /usr/local/lib/iptables/libipt_icmp.so
>

But I seriously doubt that is where iptables is looking for its extensions. Is this version of iptables something that you built yourself?

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Jerry Vonau wrote:
> Either way, iptables would need to be re-compiled. Don't you need the kernel
> sources for
> that?

You need to have kernel source in order to compile iptables.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Jannic S. Jensen wrote:
> On Jul 19, 2005, at 7:07 PM, Jerry Vonau wrote:
>
>> Sounds like an iptables/kernel header mismatch to me.
>> http://www.shorewall.net/FAQ.htm#faq27a
>
> The steps I have been through are:
>
> 1) Use the kernel-source from Trustix. (kernel-source-2.6.11.12-2tr)
> 2) Downloaded newest iptables from netfilter.org (iptables-1.3.2)
> 2a) Then in iptables directory: make KERNEL_DIR=/usr/src/linux
> 2b) And make install KERNEL_DIR=/usr/src/linux
> 2c) And finally make install-devel
> 3) Make new kernel and copy to /boot.
>

Ok -- you didn't uninstall the faulty iptables from Trustix!! It's still in /sbin/iptables whereas the ones you've been madly compiling and installing are in /usr/local/sbin/iptables. Shorewall is using /sbin/iptables (as the error messages clearly show).

Set the IPTABLES variable in shorewall.conf to /usr/local/sbin/iptables and modify the PATH variable to have /usr/local/sbin BEFORE /sbin (this is necessary to get the correct versions of iptables-save and iptables-restore).

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Jannic wrote on 19/07/2005 15:06:46:
> On Jul 19, 2005, at 7:07 PM, Jerry Vonau wrote:
>
> > Sounds like an iptables/kernel header mismatch to me.
> > http://www.shorewall.net/FAQ.htm#faq27a
>
> The steps I have been through are:
>
> 1) Use the kernel-source from Trustix. (kernel-source-2.6.11.12-2tr)
> 2) Downloaded newest iptables from netfilter.org (iptables-1.3.2)
> 2a) Then in iptables directory: make KERNEL_DIR=/usr/src/linux
> 2b) And make install KERNEL_DIR=/usr/src/linux
> 2c) And finally make install-devel
> 3) Make new kernel and copy to /boot.
>
> Still no progress. Will try one more time and report back.
>

Did you just install the kernel, or have you done at least a

make mrproper
make menuconfig

and saved the dependencies? My humble experience with messing with iptables says that this is rather necessary...

cheers,
--
Eduardo Ferreira
On Jul 19, 2005, at 8:09 PM, Tom Eastep wrote:
> You need to have kernel source in order to compile iptables.

Thanks. I was starting to think I was completely out of bounds.

/Jannic
On Jul 19, 2005, at 8:16 PM, Tom Eastep wrote:
> Ok -- you didn't uninstall the faulty iptables from Trustix!! It's
> still in
> /sbin/iptables whereas the ones you've been madly compiling and
> installing
> are in /usr/local/sbin/iptables. Shorewall is using /sbin/iptables
> (as the
> error messages clearly show).

Actually not at first. But on my second try I did. In my third try I reinstalled the iptables rpm from Trustix and had forgotten about it. But now it is gone. I have double-checked that the files are gone. make install KERNEL_DIR=/usr/src/linux installs them correctly.

> Set the IPTABLES variable in shorewall.conf to /usr/local/sbin/
> iptables and
> modify the PATH variable to have /usr/local/sbin BEFORE /sbin (this is
> necessary to get the correct versions of iptables-save and iptables-
> restore).

I have in fact corrected the path in the iptables Makefile so it installs in /lib and /sbin. I "dislike" using /usr/local/....

Now I'm compiling the new kernel and will be back when it is complete and the machine is rebooted.

Best regards
/Jannic
On Jul 19, 2005, at 8:18 PM, Eduardo Ferreira wrote:
> make mrproper
> make menuconfig

I normally do:

make clean
make menuconfig
make
make modules
make modules_install

and then manually copy System.map and bzImage to /boot and create the initrd afterwards.

> and saved the dependencies? My humble experience with messing with
> iptables says that this is rather necessary...

Saved the dependencies? I'm not sure about this one.

Best regards
/Jannic
Jannic S. Jensen wrote:
>
> I have in fact corrected the path in the iptables Makefile so it installs in
> /lib and /sbin. I "dislike" using /usr/local/....

So, is /lib/iptables/libipt_icmp.so being installed?

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Jannic wrote on 19/07/2005 15:32:55:
> On Jul 19, 2005, at 8:18 PM, Eduardo Ferreira wrote:
> > make mrproper
> > make menuconfig
>
> I normally do:
> make clean
> make menuconfig
> make
> make modules
> make modules_install
>
> and then manually copy System.map and bzImage to /boot and create the initrd
> afterwards.
>
> > and saved the dependencies? My humble experience with messing with
> > iptables says that this is rather necessary...
>
> Saved the dependencies? I'm not sure about this one.
>

Never mind. What you did saved them when you quit menuconfig...

cheers,
--
Eduardo Ferreira
On Jul 19, 2005, at 8:45 PM, Tom Eastep wrote:
> So, is /lib/iptables/libipt_icmp.so being installed?

Ohh yes :)

root@fw ~# file /lib/iptables/libipt_icmp.so
/lib/iptables/libipt_icmp.so: ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), not stripped

Waiting on kernel/modules compiling. Do I have to reboot the machine with the new kernel?

/Jannic
On Jul 19, 2005, at 8:56 PM, Jannic S. Jensen wrote:
> Waiting on kernel/modules compiling. Do I have to reboot the
> machine with the new kernel?

I'm really confused. It makes no sense. There is no change. The shared library is in place. The new kernel is booted; (uname -a) shows the correct info. But iptables -p icmp --help does not show anything about icmp.

iptables -p tcp --help and iptables -p udp --help look fine. Any hints on enabling icmp support? Is it because of the 2.6 kernel? Is it possible to completely disable all icmp support from the distribution?

best regards
/Jannic

By the way; Shorewall is great :)
Jannic S. Jensen wrote:
>
> I'm really confused. It makes no sense. There is no change. The shared
> library is in place. The new kernel is booted; (uname -a) shows the
> correct info. But iptables -p icmp --help does not show anything about icmp.
>
> iptables -p tcp --help and iptables -p udp --help look fine. Any hints on
> enabling icmp support? Is it because of the 2.6 kernel? Is it possible
> to completely disable all icmp support from the distribution?
>

I think you are asking the wrong list -- It's pretty clear that no one here has ever seen this problem before.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Jannic S. Jensen wrote:
>> Cristian Rodriguez wrote:
>> can be both. please post the compressed output of
>>
>> /sbin/shorewall trace start 2> /tmp/trace
>
> Whoops. Message is too large for the Shorewall mailing list. Please take a
> look at http://jannic.dk/trace.txt
>
> Best regards
> /jsj

BTW.. if you are using the default iptables and kernel from Trustix, you should want to file a bug report...

https://bugs.trustix.org/
Cristian Rodriguez wrote:
> BTW.. if you are using the default iptables and kernel from Trustix,
> you should want to file a bug report...

I started out with the Trustix mailing list with this problem, but they initially thought it was a Shorewall problem. But after these e-mails I'm now more and more of the opinion that iptables is buggy. But the "funny" part is that I can't even get it working with the iptables source :(

So, yes indeed I will file a bug report. Did it once before to get CONNMARK support in the kernel :)

/Jannic
> I think you are asking the wrong list -- It's pretty clear that no one
> here has ever seen this problem before.

Thanks :) I'll go back to the Trustix mailing list and/or netfilter mailing list.

Thanks for the great community. I'll report back when it's up and running.

Best regards
/Jannic
Jannic S. Jensen wrote:
>
>
> But the "funny" part is that I can't even get it working with the
> iptables source :(
>

That part has me baffled also. You might try posting on the netfilter list; just the "-p icmp --help" failure should convince anyone that this is an iptables-related issue.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Jannic S. Jensen wrote:
>> I think you are asking the wrong list -- It's pretty clear that no one
>> here has ever seen this problem before.
>
> Thanks :) I'll go back to the Trustix mailing list and/or netfilter mailing list.
>
> Thanks for the great community. I'll report back when it's up and running.
>

Please do -- hopefully we can help the next person to see something like this.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote on 19/07/2005 16:57:56:
> Jannic S. Jensen wrote:
> >
> >
> > But the "funny" part is that I can't even get it working with the
> > iptables source :(
> >
>
> That part has me baffled also. You might try posting on the netfilter
> list; just the "-p icmp --help" failure should convince anyone that this
> is an iptables-related issue.
>

But really, is Trustix a requirement? Couldn't another distro be used?

$0.02
--
Eduardo Ferreira
On Jul 19, 2005, at 10:05 PM, Eduardo Ferreira wrote:
> But really, is Trustix a requirement? Couldn't another distro be used?

Not really, but it's my favorite distribution. It takes up no space, it's secure, and Trustix is really quick with security patches. I have several servers running Trustix and have used the distribution for quite some years now. Love the swup - Software Updater ;)

Best regards
/Jannic
Jannic S. Jensen wrote:
>> I think you are asking the wrong list -- It's pretty clear that no one
>> here has ever seen this problem before.
>
> Thanks :) I'll go back to the Trustix mailing list and/or netfilter mailing list.
>
> Thanks for the great community. I'll report back when it's up and running.

Paul Gear just came up with a good idea on the IRC channel -- he suggests that you strace the failing command. e.g.,

strace iptables -p icmp --help 2> /tmp/trace

and look at /tmp/trace. You should see an attempt to open libipt_icmp.so.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Jannic S. Jensen wrote:
> On Jul 19, 2005, at 10:05 PM, Eduardo Ferreira wrote:
>
>> But really, is Trustix a requirement? Couldn't another distro be used?
>
>
> Not really, but it's my favorite distribution. It takes up no space,
> it's secure, and Trustix is really quick with security patches. I have
> several servers running Trustix and have used the distribution for quite
> some years now. Love the swup - Software Updater ;)

Jannic,

We've just been discussing this on the #shorewall channel on irc.freenode.net - could you try running

strace iptables -p icmp --help

That would at least tell us where it's looking for libipt_icmp.so.

--
Paul <http://paulgear.webhop.net>
--
Did you know? Many viruses specifically target Microsoft Outlook and Outlook Express. You can help to keep your computer free of viruses by using one of the more secure alternatives from <http://mozilla.org>.
On Jul 19, 2005, at 10:37 PM, Paul Gear wrote:
> That would at least tell us where it's looking for libipt_icmp.so.

I've made the file available on http://jannic.dk/traceiptables.txt

Best regards
/Jannic
Tom Eastep wrote:
> I don't see anything else useful in your strace. Hope the other MLs
> can help you.

I've been in contact with the Trustix mailing list again. The problem is related to IBM stack protection, and the modules don't load with stack protection. As an example try iptables -m icmp --help. For further information look at https://bugs.trustix.org/show_bug.cgi?id=1096 and in general the Trustix mailing list.

Best regards
/Jannic
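The thread's diagnosis proceeded in four steps: which iptables binary Shorewall actually runs (/sbin/iptables unless IPTABLES is set in shorewall.conf), whether "iptables -p icmp --help" advertises the ICMP match, where the binary looks for libipt_icmp.so (via strace), and finally whether a libipt_icmp.so that is present can be loaded at all, which is what the stack-protection bug broke. The script below walks those checks in that order. It is an added example, not code from the thread, Shorewall or iptables; the strace lines it ships with are constructed sample input, and the extension directories are the ones named in the thread.

```python
"""Diagnose the "Unknown arg `--icmp-type'" symptom: wrong binary, missing
extension library, or an extension library that exists but will not load."""
import ctypes
import os
import re
import shutil
import subprocess
import sys

# Extension directories mentioned in the thread; the real one depends on the build.
EXT_DIRS = ("/lib/iptables", "/usr/lib/iptables", "/usr/local/lib/iptables")

# Constructed sample of what `strace iptables -p icmp --help 2> /tmp/trace` may contain:
# a lookup that fails in one directory and one that succeeds elsewhere.
SAMPLE_STRACE = """\
execve("/sbin/iptables", ["iptables", "-p", "icmp", "--help"], [/* 20 vars */]) = 0
open("/lib/iptables/libipt_icmp.so", O_RDONLY) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/local/lib/iptables/libipt_icmp.so", O_RDONLY|O_CLOEXEC) = 3
"""

# open()/openat() lines naming an iptables match/target extension (libipt_*.so).
_OPEN_RE = re.compile(
    r'^open(?:at)?\((?:[^,"]+,\s*)?"(?P<path>[^"]*libipt_\w+\.so)"[^)]*\)'
    r'\s*=\s*(?P<ret>-?\d+)(?P<err>.*)$'
)


def has_icmp_match(help_text):
    """True when the help output includes the ICMP match's --icmp-type option."""
    return "--icmp-type" in help_text


def extension_lookups(strace_text):
    """[(path, opened_ok, errno_text)] for every libipt_*.so open attempt in an strace log."""
    found = []
    for line in strace_text.splitlines():
        m = _OPEN_RE.match(line.strip())
        if m:
            found.append((m.group("path"), int(m.group("ret")) >= 0, m.group("err").strip()))
    return found


def try_load(path):
    """dlopen() the shared object the way iptables does; distinguishes missing from unloadable."""
    if not os.path.exists(path):
        return False, "missing"
    try:
        ctypes.CDLL(path)
    except OSError as exc:  # the loader's reason, which iptables itself does not print
        return False, str(exc)
    return True, "loaded"


def classify(help_text, lookups):
    """Turn the collected evidence into the next thing to check."""
    if has_icmp_match(help_text):
        return "ok: ICMP match is available"
    icmp = [(p, ok) for p, ok, _ in lookups if p.endswith("libipt_icmp.so")]
    if not icmp:
        return ("no libipt_icmp.so lookup seen: check which iptables binary runs "
                "(IPTABLES in shorewall.conf, PATH order)")
    opened = [p for p, ok in icmp if ok]
    if not opened:
        return "libipt_icmp.so not found where iptables looked: " + ", ".join(p for p, _ in icmp)
    return ("libipt_icmp.so opened from %s but the match is still missing: "
            "the library fails to load (run try_load on it)" % opened[-1])


def main(argv):
    binary = shutil.which("iptables") or "/sbin/iptables"  # Shorewall's default path
    print("iptables binary:", binary)
    help_text = ""
    if os.path.exists(binary):
        proc = subprocess.run([binary, "-p", "icmp", "--help"], capture_output=True, text=True)
        help_text = proc.stdout + proc.stderr
    strace_text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_STRACE
    lookups = extension_lookups(strace_text)
    for path, ok, err in lookups:
        print("strace: %s -> %s %s" % (path, "opened" if ok else "failed", err))
    for d in EXT_DIRS:
        candidate = os.path.join(d, "libipt_icmp.so")
        print("%s: %s" % (candidate, try_load(candidate)[1]))
    print(classify(help_text, lookups))


if __name__ == "__main__":
    main(sys.argv)
```

Run it with the path of a real strace log as the first argument to replace the constructed sample.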
Jannic S. Jensen wrote:
> On Jul 19, 2005, at 10:37 PM, Paul Gear wrote:
>
>> That would at least tell us where it's looking for libipt_icmp.so.
>
> I've made the file available on http://jannic.dk/traceiptables.txt
>

Trustix released updates for iptables, kernel and other components today. Update your distro.