I seem to be unable to get shorewall 3.0.5 working under the OpenVZ kernel. I know the problem isn't the shorewall scripts, since shorewall runs fine under the default kernel used with my distro, CentOS 4.2. My question is more about what capabilities shorewall requires to work. Below are the iptables capabilities running under the OpenVZ kernel. I've had to recompile the kernel in order to include a few options that the default OpenVZ kernel didn't include, i.e. Packet Type Match and Raw Table. However, I'm only guessing, which is why I'm asking. Is the Policy Match required? Anything else? Thanks.

   NAT: Available
   Packet Mangling: Available
   Multi-port Match: Available
   Extended Multi-port Match: Not available
   Connection Tracking Match: Available
   Packet Type Match: Available
   Policy Match: Not available
   Physdev Match: Not available
   IP range Match: Available
   Recent Match: Available
   Owner Match: Available
   Ipset Match: Not available
   CONNMARK Target: Not available
   Connmark Match: Not available
   Raw Table: Available
   CLASSIFY Target: Available
On Friday 24 March 2006 08:19, Lee Mehlhorn wrote:

> I seem to be unable to get shorewall 3.0.5 working under the OpenVZ
> kernel. I know the problem isn't the shorewall scripts since shorewall
> runs fine under the default kernel used with my distro CentOS 4.2. My
> question is more about what capabilities shorewall requires to
> work. Below are the iptables capabilities running under the OpenVZ
> kernel. I've had to recompile the kernel in order to include a few
> options that the default OpenVZ kernel didn't include, i.e. Packet Type
> Match and Raw Table. However, I'm only guessing, which is why I'm
> asking. Is the Policy Match required? Anything else? Thanks.

Lee,

The capabilities that you need depend entirely on what you are trying to do with Shorewall. For example, Policy Match is only required if you want to use the 2.6 kernel's native IPSEC.

Rather than telling us that you are "...unable to get (shorewall) working...", why don't you tell us exactly what problems you are having and then we can tell you what you may be missing.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
On Friday 24 March 2006 09:59, Lee Mehlhorn wrote:

> Hi Tom,
> Thanks for the reply. I'll try to describe the problem I'm having with
> Shorewall 3.0.5. First, I've been using Shorewall for a while now and
> find it to be a very good script. It makes things easier to set up and
> admin. On the test box I'm using to test OpenVZ I first installed the
> CentOS 4.2 distro. After the OS installation I installed the Shorewall
> 3.0.5 RPM and configured it as a basic Standalone Firewall. The moment
> I bring Shorewall up I have no access to the Internet??? Why??

Lee,

Please keep this discussion on the list -- I don't offer one-on-one help because then I would get to solve the same problems over and over again (even worse than I do now). By keeping discussions on the list, people can search the archives and help themselves.

We have very specific instructions at http://www.shorewall.net/support.htm regarding the information we need to solve these types of problems. "I have no access to the Internet" is not a problem report; it's another way of saying "it doesn't work".

> I tested Shorewall under the original CentOS kernel and it seems to work
> fine... Just doesn't seem to work under the OpenVZ kernel.

Whatever that is... Ah -- it's one of those virtual server thingys. Have you looked through the OpenVZ site to see if there are any considerations for using iptables/Netfilter under the host OS?

If you search the Shorewall list archives and don't find any mention of OpenVZ, it is probably the case that you are the first user that has tried to run Shorewall under OpenVZ.

> Below is my zone, interfaces, policy and rules.
>
> *Zones*
> fw    firewall
> net   ipv4
>
> *Interfaces*
> net   eth0   192.168.0.150

192.168.0.150 is the IP address of eth0 -- you want 192.168.0.255 (the broadcast address).

> *Policy*
> fw    net   ACCEPT
> net   all   DROP    info
> all   all   REJECT  info
>
> *Rules*
> ACCEPT   net   fw   tcp   80    -
> ACCEPT   net   fw   tcp   443   -
> ACCEPT   net   fw   tcp   22    -
>
> As you might have guessed, the test box sits behind a very basic router.
> Below is the result of running ifconfig under OpenVZ:
>
> eth0      Link encap:Ethernet  HWaddr 00:04:75:8F:4A:7A
>           inet addr:192.168.0.150  Bcast:192.168.0.255  Mask:255.255.255.0
>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>           RX packets:85332 errors:0 dropped:0 overruns:1 frame:0
>           TX packets:44007 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:1000
>           RX bytes:76098109 (72.5 MiB)  TX bytes:5734488 (5.4 MiB)
>           Interrupt:12 Base address:0xd000
>
> lo        Link encap:Local Loopback
>           inet addr:127.0.0.1  Mask:255.0.0.0
>           UP LOOPBACK RUNNING  MTU:16436  Metric:1
>           RX packets:2614 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:2614 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:0
>           RX bytes:3331073 (3.1 MiB)  TX bytes:3331073 (3.1 MiB)
>
> venet0    Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
>           UP BROADCAST POINTOPOINT RUNNING NOARP  MTU:1500  Metric:1
>           RX packets:506 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:509 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:0
>           RX bytes:43426 (42.4 KiB)  TX bytes:51918 (50.7 KiB)

The venet0 device is transmitting and receiving data, yet it is not mentioned in your Shorewall configuration -- that can't be good.

Try looking at the log and see what messages are being generated when you try to access the internet. If you can't figure out the problem then please supply the information requested at the URL I mentioned above.
Thanks,

-Tom
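The two configuration faults Tom points out above (a BROADCAST column holding the interface's own address instead of its broadcast address, and an interface that is moving packets but appears nowhere in the interfaces file) can be checked mechanically before bringing the firewall up. The script below is an added example, not code from the thread or from Shorewall: it takes the ifconfig output and the interfaces entry posted above as constructed sample input, parses them with POSIX sh and awk, and derives the expected broadcast address from the address and netmask rather than trusting the kernel's Bcast field. The function names, the finding format, the corrected sample file and the zone name "vz" used for venet0 in it are assumptions of the example.

```shell
#!/bin/sh
# Added example (not Shorewall code): sanity-check a Shorewall 3.x
# interfaces file against ifconfig output. All sample input below is
# constructed from the thread; it is not read from the running system.

IFCONFIG_SAMPLE='eth0      Link encap:Ethernet  HWaddr 00:04:75:8F:4A:7A
          inet addr:192.168.0.150  Bcast:192.168.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:85332 errors:0 dropped:0 overruns:1 frame:0
          TX packets:44007 errors:0 dropped:0 overruns:0 carrier:0

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:2614 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2614 errors:0 dropped:0 overruns:0 carrier:0

venet0    Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          UP BROADCAST POINTOPOINT RUNNING NOARP  MTU:1500  Metric:1
          RX packets:506 errors:0 dropped:0 overruns:0 frame:0
          TX packets:509 errors:0 dropped:0 overruns:0 carrier:0'

# The interfaces file as posted (ZONE INTERFACE BROADCAST): wrong broadcast.
INTERFACES_SAMPLE='#ZONE   INTERFACE       BROADCAST
net     eth0            192.168.0.150'

# A corrected version: real broadcast address, and venet0 covered. The zone
# name "vz" is an assumption; it would also have to exist in the zones file.
INTERFACES_FIXED='#ZONE   INTERFACE       BROADCAST
net     eth0            192.168.0.255
vz      venet0          -'

# broadcast_of ADDR MASK: per-octet addr | ~mask, using POSIX arithmetic only.
broadcast_of() {
    _ifs=$IFS; IFS=.
    set -- $1 $2        # $1..$4 = address octets, $5..$8 = mask octets
    IFS=$_ifs
    printf '%s.%s.%s.%s\n' \
        "$(( $1 | (~$5 & 255) ))" "$(( $2 | (~$6 & 255) ))" \
        "$(( $3 | (~$7 & 255) ))" "$(( $4 | (~$8 & 255) ))"
}

# iface_table IFCONFIG_TEXT: one line per device, "name addr mask bcast rx tx".
iface_table() {
    printf '%s\n' "$1" | awk '
        /^[a-z]/ { if (name != "") print name, addr, mask, bcast, rx, tx
                   name = $1; addr = mask = bcast = "-"; rx = tx = 0 }
        /inet addr:/ { for (i = 1; i <= NF; i++) {
                           split($i, kv, ":")
                           if (kv[1] == "addr")  addr  = kv[2]
                           if (kv[1] == "Mask")  mask  = kv[2]
                           if (kv[1] == "Bcast") bcast = kv[2] } }
        /RX packets:/ { split($2, kv, ":"); rx = kv[2] }
        /TX packets:/ { split($2, kv, ":"); tx = kv[2] }
        END { if (name != "") print name, addr, mask, bcast, rx, tx }'
}

# check_interfaces INTERFACES_TEXT IFCONFIG_TEXT
# Prints one finding per line; no output means nothing was found:
#   BAD_BROADCAST <iface> <configured> <expected>
#   NO_SUCH_IFACE <iface>
#   UNCOVERED <iface> <rx_pkts> <tx_pkts>   (has traffic, not in the file)
check_interfaces() {
    cfg=$1
    table=$(iface_table "$2")

    # 1. A literal BROADCAST value must match what addr/mask implies.
    printf '%s\n' "$cfg" | grep -v '^#' | while read -r zone iface bcast rest; do
        [ -n "$iface" ] || continue
        entry=$(printf '%s\n' "$table" | awk -v n="$iface" '$1 == n')
        if [ -z "$entry" ]; then
            echo "NO_SUCH_IFACE $iface"
            continue
        fi
        addr=$(echo "$entry" | cut -d' ' -f2)
        mask=$(echo "$entry" | cut -d' ' -f3)
        case "$bcast" in
            ''|-|detect) ;;   # nothing literal to compare against
            *) expected=$(broadcast_of "$addr" "$mask")
               [ "$bcast" = "$expected" ] || echo "BAD_BROADCAST $iface $bcast $expected" ;;
        esac
    done

    # 2. Every non-loopback device that has moved packets must be covered.
    printf '%s\n' "$table" | while read -r name addr mask bcast rx tx; do
        [ "$name" = lo ] && continue
        [ "$rx" -eq 0 ] && [ "$tx" -eq 0 ] && continue
        printf '%s\n' "$cfg" | grep -v '^#' | awk -v n="$name" '$2 == n' | grep -q . \
            || echo "UNCOVERED $name $rx $tx"
    done
    return 0
}

# Run against the configuration as posted: reports both of Tom's findings.
check_interfaces "$INTERFACES_SAMPLE" "$IFCONFIG_SAMPLE"
```

On a live box the two sample strings would be replaced by `ifconfig` output and the contents of /etc/shorewall/interfaces; the check deliberately recomputes the broadcast from the mask so that a typo in the BROADCAST column is caught even when it happens to be a valid address on the subnet, which is exactly the case in the posted file.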
On Friday 24 March 2006 10:19, Tom Eastep wrote:

> Whatever that is... Ah -- it's one of those virtual server thingys. Have
> you looked through the OpenVZ site to see if there are any considerations
> for using iptables/Netfilter under the host OS?

From the OpenVZ FAQ:

   Q. My node is unaccessible through the network after reboot...

   A. You need to check your firewall rules. The problem is that default
   stateful firewall rules are not available on the host system. To make
   this functionality available, load the ip_conntrack module with the
   additional parameter "ip_conntrack_enable_ve0=1". However, this method
   is highly not recommended because tracking all the connections on the
   host system leads to performance degradation, more memory usage and
   also may lead to total server inaccessibility due to reaching the
   overall connection limit.

-Tom
Tom Eastep wrote:

> ...
> Whatever that is... Ah -- it's one of those virtual server thingys. Have you
> looked through the OpenVZ site to see if there are any considerations for
> using iptables/Netfilter under the host OS?
>
> If you search the Shorewall list archives and don't find any mention of
> OpenVZ, it is probably the case that you are the first user that has tried to
> run Shorewall under OpenVZ.

Or the first one to talk about it, anyway. ;-)

-- 
Paul <http://paulgear.webhop.net>