Pollywog
2006-Oct-25 23:41 UTC
Shorewall will not start without a 'shorewall restore standard'
I don't know what I did, but I can no longer start Shorewall after a reboot until I have done a restore of the ipsets. Is the only solution a removal and reinstallation of Shorewall?
Tom Eastep
2006-Oct-25 23:50 UTC
Re: Shorewall will not start without a 'shorewall restore standard'
Pollywog wrote:
> I don't know what I did, but I can no longer start Shorewall after a reboot
> until I have done a restore of the ipsets. Is the only solution a removal
> and reinstallation of Shorewall?

Without knowing what your problem is, how could we possibly answer that question? But I can tell you that removal and reinstallation of Shorewall is a really silly idea because you won't know how you got into this mess or how to get out of it in the future. And it may not solve your problem! So let's determine what the problem is.

In general, after a reboot your ipsets must be loaded before Shorewall will start. There are several ways to do that

a) /etc/shorewall/ipsets.
b) An init script that runs before Shorewall starts.
c) Code in /etc/shorewall/init
d) ...

So which mechanism do you believe that you are using?

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
Pollywog
2006-Oct-25 23:59 UTC
Re: Shorewall will not start without a 'shorewall restore standard'
On Wednesday 25 October 2006 23:50, Tom Eastep wrote:
> Pollywog wrote:
> > I don't know what I did, but I can no longer start Shorewall after a
> > reboot until I have done a restore of the ipsets. Is the only solution a
> > removal and reinstallation of Shorewall?
>
> Without knowing what your problem is, how could we possibly answer that
> question? But I can tell you that removal and reinstallation of
> Shorewall is a really silly idea because you won't know how you got into
> this mess or how to get out of it in the future. And it may not solve
> your problem! So let's determine what the problem is.
>
> In general, after a reboot your ipsets must be loaded before Shorewall
> will start. There are several ways to do that
>
> a) /etc/shorewall/ipsets.
> b) An init script that runs before Shorewall starts.
> c) Code in /etc/shorewall/init
> d) ...

It was working until a few hours ago, so something I did must have messed things up and I did not mess with the scripts. I am using Shorewall from a Debian (Etch) package and Shorewall starts from /etc/init.d/shorewall

This is from Shorewall's log:

Setting up Blacklisting...
Blacklisting enabled on eth0:0.0.0.0/0
iptables v1.3.5: Set Blacklistnets doesn't exist.

Try `iptables -h' or 'iptables --help' for more information.
ERROR: Command "/usr/local/sbin/iptables -A blacklst -m set --set Blacklistnets src,dst -p tcp --dport 22 -j DROP" Failed
Disabling IPV6...

The error goes away once I restore ipsets with

shorewall restore standard

and restart Shorewall. You are right, if I just reinstall, I might make the same mistake again later.
Tom Eastep
2006-Oct-26 00:01 UTC
Re: Shorewall will not start without a 'shorewall restore standard'
Pollywog wrote:
> On Wednesday 25 October 2006 23:50, Tom Eastep wrote:
>> Pollywog wrote:
>>> I don't know what I did, but I can no longer start Shorewall after a
>>> reboot until I have done a restore of the ipsets. Is the only solution a
>>> removal and reinstallation of Shorewall?
>> Without knowing what your problem is, how could we possibly answer that
>> question? But I can tell you that removal and reinstallation of
>> Shorewall is a really silly idea because you won't know how you got into
>> this mess or how to get out of it in the future. And it may not solve
>> your problem! So let's determine what the problem is.
>>
>> In general, after a reboot your ipsets must be loaded before Shorewall
>> will start. There are several ways to do that
>>
>> a) /etc/shorewall/ipsets.
>> b) An init script that runs before Shorewall starts.
>> c) Code in /etc/shorewall/init
>> d) ...
>>
>
> It was working until a few hours ago, so something I did must have messed
> things up and I did not mess with the scripts. I am using Shorewall from a
> Debian (Etch) package and Shorewall starts from /etc/init.d/shorewall
>
> This is from Shorewall's log:
>
> Setting up Blacklisting...
> Blacklisting enabled on eth0:0.0.0.0/0
> iptables v1.3.5: Set Blacklistnets doesn't exist.
>
> Try `iptables -h' or 'iptables --help' for more information.
> ERROR: Command "/usr/local/sbin/iptables -A blacklst -m set --set
> Blacklistnets src,dst -p tcp --dport 22 -j DROP" Failed
> Disabling IPV6...
>
> The error goes away once I restore ipsets with
>
> shorewall restore standard
>
> and restart Shorewall. You are right, if I just reinstall, I might make the
> same mistake again later.

I would create /etc/shorewall/ipsets as described in the Shorewall ipsets document.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
Pollywog
2006-Oct-26 00:04 UTC
Re: Shorewall will not start without a 'shorewall restore standard'
On Thursday 26 October 2006 00:01, Tom Eastep wrote:
> > and restart Shorewall. You are right, if I just reinstall, I might make
> > the same mistake again later.
>
> I would create /etc/shorewall/ipsets as described in the Shorewall
> ipsets document.

I was about to do that when I discovered the problem.

thanks 8)
Pollywog
2006-Oct-26 00:10 UTC
Re: Shorewall will not start without a 'shorewall restore standard' [SOLVED]
On Thursday 26 October 2006 00:01, Tom Eastep wrote:
> I would create /etc/shorewall/ipsets as described in the Shorewall
> ipsets document.
>
> -Tom

Thanks, that seems to have worked. I don't know why things were working earlier without /etc/shorewall/ipsets and creating that file seemed as though it was optional. 8)
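
Added example, not part of the original thread and not Shorewall code: a preflight check for the failure in the log above, listing every ipset that a rule references with `--set NAME` but that a saved ipset dump does not define. The rules and dump are constructed samples, the function names are hypothetical, and it assumes the dump defines sets with `-N NAME` or `create NAME` lines.

```shell
#!/bin/sh
# Preflight: which ipsets do the firewall rules reference that a saved
# ipset dump does not define? All sample data below is constructed.

# Constructed rules: the failing command from the log plus one more set.
sample_rules() {
cat <<'EOF'
-A blacklst -m set --set Blacklistnets src,dst -p tcp --dport 22 -j DROP
-A blacklst -m set --set Goodnets src -j RETURN
EOF
}

# Constructed dump in "ipset save" style; Blacklistnets is deliberately absent.
sample_saved() {
cat <<'EOF'
-N Goodnets nethash
-A Goodnets 192.0.2.0/24
COMMIT
EOF
}

# Set names that follow --set (or the newer --match-set) in rules on stdin.
referenced_sets() {
  awk '{ for (i = 1; i < NF; i++)
           if ($i == "--set" || $i == "--match-set") print $(i + 1) }' | sort -u
}

# Set names defined in a dump on stdin ("-N NAME ..." or "create NAME ...").
defined_sets() {
  awk '($1 == "-N" || $1 == "create") && NF >= 2 { print $2 }' | sort -u
}

# missing_sets RULES_FILE DUMP_FILE: print referenced-but-undefined sets.
missing_sets() {
  defs=$(defined_sets < "$2")
  for s in $(referenced_sets < "$1"); do
    printf '%s\n' "$defs" | grep -qxF -- "$s" || printf '%s\n' "$s"
  done
}

# Demo run on the constructed samples.
demo=$(mktemp -d)
sample_rules > "$demo/rules"
sample_saved > "$demo/saved"
for s in $(missing_sets "$demo/rules" "$demo/saved"); do
  echo "ipset '$s' is referenced by a rule but not defined in the dump"
done
rm -rf "$demo"
```

Run before a reboot, a non-empty result means the firewall would fail to start in the way the log shows, because the rule would be added before its set exists.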