I have compiled 4 different versions of the kernel: 2.4.20-28, 2-4-25, 2-4-32 and 2.6.15.3. To the first I installed patch-o-matic, to the last one no, but I can't seem to get

CONNMARK Target: Not available

I'm using version 1.3.5 of iptables.

Can someone give me some advice on what kernel to run or what to do?

Thanks a lot

Fernando Rodriguez V.
Fernando Rodriguez wrote:
> I have compiled 4 different versions of the kernel: 2.4.20-28, 2-4-25, 2-4-32
> and 2.6.15.3. To the first I installed patch-o-matic, to the last one no, but I
> can't seem to get
>
> CONNMARK Target: Not available
>
> I'm using version 1.3.5 of iptables.
>
> Can someone give me some advice on what kernel to run or what to do?
>
> Thanks a lot
>
> Fernando Rodriguez V.

I told you what you really need. It is your choice if you still want to waste your time.
On Tuesday 07 February 2006 19:04, Cristian Rodriguez wrote:
> Fernando Rodriguez wrote:
> > I have compiled 4 different versions of the kernel: 2.4.20-28, 2-4-25,
> > 2-4-32 and 2.6.15.3. To the first I installed patch-o-matic, to the last
> > one no, but I can't seem to get
> >
> > CONNMARK Target: Not available
> >
> > I'm using version 1.3.5 of iptables.
> >
> > Can someone give me some advice on what kernel to run or what to do?
> >
> > Thanks a lot
> >
> > Fernando Rodriguez V.
>
> I told you what you really need. It is your choice if you still want to
> waste your time.

I agree -- I'm not wasting my time with this report.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
Cristian & Tom,

I have downloaded suse 10, do you have any recommendations for the installation?

I also downloaded suse 10 beta3 disk 1

Thanks a lot for your help.

-----Original Message-----
From: shorewall-users-admin@lists.sourceforge.net [mailto:shorewall-users-admin@lists.sourceforge.net] On behalf of Cristian Rodriguez
Sent: Tuesday, 07 February 2006 09:05 p.m.
To: shorewall-users@lists.sourceforge.net
Subject: Re: [Shorewall-users] CONNMARK Target: Not available
On Wednesday 08 February 2006 06:12, Fernando Rodriguez wrote:
> Cristian & Tom,
>
> I have downloaded suse 10, do you have any recommendations for the
> installation?

I don't remember the choices offered when installing SuSE but as I recall, just a vanilla desktop install includes everything you need for Shorewall. Be sure to disable the SuSE firewall during installation if you intend to run Shorewall on the box.

> I also downloaded suse 10 beta3 disk 1

I would avoid 10.1 Beta3 -- SuSE are expecting at least 2 more Betas and there is still an unusually high rate of problem reports against B3.

-Tom
Thanks Tom,

I will install SUSE 10. I will start testing again to make a dual DSL.

Thanks for your help

-----Original Message-----
From: shorewall-users-admin@lists.sourceforge.net [mailto:shorewall-users-admin@lists.sourceforge.net] On behalf of Tom Eastep
Sent: Wednesday, 08 February 2006 09:01 a.m.
To: shorewall-users@lists.sourceforge.net
Subject: Re: [Shorewall-users] CONNMARK Target: Not available
Tom and Fernando are probably both right that it is a waste of time to work with RH8. RH8 is about 4 years old by now, so unless you've got something running on your firewall that you can't move to another distro, I would dump RH8.

IIRC, FC4 doesn't support CONNMARK out of the box. Neither does Debian 3.1.

To get CONNMARK working you'll have to do a lot of work: install kernel and iptables sources, install patch-o-matic, run pom to patch the kernel and iptables sources, configure your kernel to include CONNMARK, re-compile the kernel, re-compile iptables, install the new kernel, and install the new iptables. To complicate things further, your distro may install iptables in a not-so-standard location, so you may need to fiddle around to get your new version working. IMO, all these steps are much harder than just using a distro that supports CONNMARK out of the box. For what it's worth, I took the hard route and tried FC4 and Debian 3.1 (neither of which support CONNMARK out of the box). Eventually I got Debian 3.1 to work, but if I had known that SUSE worked out of the box, I would have used it from day 1.

RUSSEL RILEY

----- Original Message -----
From: "Tom Eastep" <teastep@shorewall.net>
To: <shorewall-users@lists.sourceforge.net>
Sent: Tuesday, February 07, 2006 8:13 PM
Subject: Re: [Shorewall-users] CONNMARK Target: Not available
Russel wrote:
> Tom and Fernando are probably both right that it is a waste of time to
> work with RH8. RH8 is about 4 years old by now, so unless you've got
> something running on your firewall that you can't move to another
> distro, I would dump RH8.

How is the 3-in-one working?

My firewalls are very old, P1 233 or less, I don't recompile anything if I don't have to. ;-)

> IIRC, FC4 doesn't support CONNMARK out of the box. Neither does Debian
> 3.1.

Sorry Russel, I have to call BS....

Maybe the kernel or iptables that was first installed didn't have the support, sorry was a bit slow to upgrade to fc4, not totally sure. All kernels that I have and are later than 2.6.10 do have the support, even for FC3. See for yourself:

[jerry@shore ~]$ locate CONNMARK.ko

/lib/modules/2.6.12-1.1398_FC4/kernel/net/ipv4/netfilter/ipt_CONNMARK.ko
/lib/modules/2.6.10-1.770_FC3/kernel/net/ipv4/netfilter/ipt_CONNMARK.ko
/lib/modules/2.6.11-1.27_FC3/kernel/net/ipv4/netfilter/ipt_CONNMARK.ko
/lib/modules/2.6.12-1.1447_FC4/kernel/net/ipv4/netfilter/ipt_CONNMARK.ko
/lib/modules/2.6.12-1.1456_FC4/kernel/net/ipv4/netfilter/ipt_CONNMARK.ko
/lib/modules/2.6.12-1.1387_FC4/kernel/net/ipv4/netfilter/ipt_CONNMARK.ko
/lib/modules/2.6.13-1.1526_FC4/kernel/net/ipv4/netfilter/ipt_CONNMARK.ko
/lib/modules/2.6.12-1.1390_FC4/kernel/net/ipv4/netfilter/ipt_CONNMARK.ko
/lib/modules/2.6.10-1.770_14.rhfc3.at/kernel/net/ipv4/netfilter/ipt_CONNMARK.ko
/lib/modules/2.6.10-1.766_FC3/kernel/net/ipv4/netfilter/ipt_CONNMARK.ko
/lib/modules/2.6.10-1.760_FC3/kernel/net/ipv4/netfilter/ipt_CONNMARK.ko
/lib/modules/2.6.11-1.14_FC3/kernel/net/ipv4/netfilter/ipt_CONNMARK.ko

You don't run an un-updated distro do you?
The support might just be an update away.

> To get CONNMARK working you'll have to do a lot of work: install kernel
> and iptables sources, install patch-o-matic, run pom to patch the kernel
> and iptables sources, configure your kernel to include CONNMARK,
> re-compile the kernel, re-compile iptables, install the new kernel, and
> install the new iptables. To complicate things further, your distro may
> install iptables in a not-so-standard location, so you may need to
> fiddle around to get your new version working. IMO, all these steps are
> much harder than just using a distro that supports CONNMARK out of the
> box. For what it's worth, I took the hard route and tried FC4 and
> Debian 3.1 (neither of which support CONNMARK out of the box).
> Eventually I got Debian 3.1 to work, but if I had known that SUSE worked
> out of the box, I would have used it from day 1.

See above, all I did was a yum update and "poof" instant support.

[root@shore jerry]# /sbin/shorewall show capabilities
Shorewall has detected the following iptables/netfilter capabilities:
   NAT: Available
   Packet Mangling: Available
   Multi-port Match: Available
   Extended Multi-port Match: Available
   Connection Tracking Match: Available
   Packet Type Match: Available
   Policy Match: Not available
   Physdev Match: Available
   IP range Match: Available
   Recent Match: Available
   Owner Match: Available
   Ipset Match: Not available
   CONNMARK Target: Available
   Connmark Match: Available
   Raw Table: Available
   CLASSIFY Target: Available

Jerry
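The two checks shown in the message above (the capability report and the search for the module file), as an added example that is not part of the original thread or of Shorewall itself: it parses a capability report and looks for the module in every installed kernel tree. The function names and the embedded sample report are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Sample text is constructed from the
# capability report quoted above.
SAMPLE_CAPS='Shorewall has detected the following iptables/netfilter capabilities:
   NAT: Available
   Policy Match: Not available
   Ipset Match: Not available
   CONNMARK Target: Available
   Connmark Match: Available'

# Print the capabilities that a report on stdin marks "Not available".
missing_caps() {
    awk -F': *' '/: *Not available[ \t]*$/ {
        name = $1; sub(/^[ \t]+/, "", name); print name
    }'
}

# Exit 0 only if the named capability is marked "Available" on stdin.
cap_available() {
    awk -F': *' -v want="$1" '
        { name = $1; sub(/^[ \t]+/, "", name) }
        name == want && $2 ~ /^Available[ \t]*$/ { ok = 1 }
        END { exit (ok ? 0 : 1) }'
}

# For every kernel tree under MODROOT (default /lib/modules) say whether a
# module file NAME.ko (2.6, possibly compressed) or NAME.o (2.4) exists.
# "missing" does not rule out support compiled into the kernel image.
module_report() {
    name=$1
    modroot=${2:-/lib/modules}
    for tree in "$modroot"/*/; do
        [ -d "$tree" ] || continue
        if find "$tree" -type f \( -name "$name.ko*" -o -name "$name.o" \) |
            grep -q .; then
            echo "$(basename "$tree") present"
        else
            echo "$(basename "$tree") missing"
        fi
    done
}
```

On a firewall, `shorewall show capabilities | missing_caps` lists what the running kernel and iptables lack, and `module_report ipt_CONNMARK` shows which installed kernels ship the module.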
Jerry -

The 3-in-1 is working great. (Mostly thanks to your input.) I've made some changes and expanded its functionality a bit, but everything is what I want. At least everything is good for now. There are more future upgrades in the works :-)

>> IIRC, FC4 doesn't support CONNMARK out of the box. Neither does
>> Debian 3.1.
>
> Sorry Russel, I have to call BS....

I guess I should have been more specific. By out of the box, I meant right off the installation CD without any updates. Also, I have run mostly just 2.4 kernels (although I don't remember why now).

> You don't run an un-updated distro do you? The support might just be
> an update away.

I have kept my distro updated (Debian), but using apt instead of yum. I'm mostly staying in the stable branch for now.

> My firewalls are very old, P1 233 or less, I don't recompile anything
> if I don't have to. ;-)

My firewall is a Celeron 333, so not too fast either. I used MS Virtual PC running Debian on my main desktop (Athlon XP 2800+) to re-compile the kernel for CONNMARK support. It took a while to set up, but the time I saved in trying to recompile 5-6 times was well worth it. If I had it all to do over, I would definitely go for something that didn't require re-compiling.

RUSSEL RILEY

----- Original Message -----
From: "Jerry Vonau" <jvonau@shaw.ca>
To: <shorewall-users@lists.sourceforge.net>
Sent: Wednesday, February 08, 2006 10:38 AM
Subject: Re: [Shorewall-users] CONNMARK Target: Not available