hi,
after I upgraded our shorewall from 3.2.9 to 3.4.1 and updated all config files etc. and ran it on the central server (we use lite on the firewalls) I've got the following error:
-------------------------------------
# shorewall reload portal
...
Creating action chain Limit
iptables v1.2.11: log-level `none' unknown
Try `iptables -h' or 'iptables --help' for more information.
Processing /etc/shorewall/servers/portal/stop ...
IP Forwarding Enabled
Processing /etc/shorewall/servers/portal/stopped ...
/sbin/shorewall-lite: line 301: 26778 Terminated              $SHOREWALL_SHELL ${LITEDIR}/firewall $debugging restart
-------------------------------------
what can be the problem and how can I find the reasons? (stopped is empty, so the problem is somewhere else).
thanks in advance.
yours.
--
  Levente                               "Si vis pacem para bellum!"
-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance to share your
opinions on IT & business topics through brief surveys-and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
Farkas Levente wrote:
> hi,
> after I upgraded our shorewall from 3.2.9 to 3.4.1 and updated all config
> files etc. and ran it on the central server (we use lite on the firewalls)
> I've got the following error:
> -------------------------------------
> # shorewall reload portal
> ...
> Creating action chain Limit
> iptables v1.2.11: log-level `none' unknown
> Try `iptables -h' or 'iptables --help' for more information.
> Processing /etc/shorewall/servers/portal/stop ...
> IP Forwarding Enabled
> Processing /etc/shorewall/servers/portal/stopped ...
> /sbin/shorewall-lite: line 301: 26778 Terminated
> $SHOREWALL_SHELL ${LITEDIR}/firewall $debugging restart
> -------------------------------------
> what can be the problem and how can I find the reasons? (stopped is
> empty, so the problem is somewhere else).

The technique for analyzing these kinds of errors is still described in the
Troubleshooting Guide (http://www.shorewall.net/troubleshoot.htm). And if
you need to report the problem, please follow the Support Guide
(http://www.shorewall.net/support.htm#Guidelines).

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
> Farkas Levente wrote:
>> hi,
>> after I upgraded our shorewall from 3.2.9 to 3.4.1 and updated all config
>> files etc. and ran it on the central server (we use lite on the firewalls)
>> I've got the following error:
>> -------------------------------------
>> # shorewall reload portal
>> ...
>> Creating action chain Limit
>> iptables v1.2.11: log-level `none' unknown
>> Try `iptables -h' or 'iptables --help' for more information.
>> Processing /etc/shorewall/servers/portal/stop ...
>> IP Forwarding Enabled
>> Processing /etc/shorewall/servers/portal/stopped ...
>> /sbin/shorewall-lite: line 301: 26778 Terminated
>> $SHOREWALL_SHELL ${LITEDIR}/firewall $debugging restart
>> -------------------------------------
>> what can be the problem and how can I find the reasons? (stopped is
>> empty, so the problem is somewhere else).
>
> The technique for analyzing these kinds of errors is still described in the
> Troubleshooting Guide (http://www.shorewall.net/troubleshoot.htm). And if
> you need to report the problem, please follow the Support Guide
> (http://www.shorewall.net/support.htm#Guidelines).

thanks. so after a debug session I've got the error below while in my rules there is a line:
Limit:none:SSH2,3,60 net dmz:$NS2_IP tcp ssh
it seems the new Limit code is not the same as the old one?! or at least the compiler differs. anyway the error is true since shorewall calls iptables as "--log-level none". it seems to me that the previous version did not append the log-level to iptables if it was none (afaics in the previous version's debug list). so imho it's a bug in the new code.
yours.

---------------------------------------------------
+ progress_message2 'Creating action chain Limit'
+ local timestamp
+ '[' 1 -gt 0 ']'
+ '[' -n '' ']'
+ echo 'Creating action chain Limit'
+ run_iptables -A %Limit -m recent --name SSH2 --set
+ '[' -n '' ']'
+ /sbin/iptables -A %Limit -m recent --name SSH2 --set
+ '[' 0 -ne 0 ']'
+ run_iptables -N %Limit%
+ '[' -n '' ']'
+ /sbin/iptables -N %Limit%
+ '[' 0 -ne 0 ']'
+ do_log_rule_limit none %Limit% SSH2 DROP '' '' -A
+ local level=none
+ local chain=%Limit%
+ local displayChain=SSH2
+ local disposition=DROP
+ local rulenum
+ local limit
+ local tag
+ local command
+ local prefix
++ chain_base SSH2
++ local c=SSH2
++ true
++ case $c in
++ echo SSH2
++ return
+ local base=SSH2
+ local pf
+ limit
+ tag
+ command=-A
+ shift 7
+ '[' -n '' -a -n '' ']'
+ '[' -n '' ']'
++ printf Shorewall:%s:%s: SSH2 DROP
+ prefix=Shorewall:SSH2:DROP:
+ '[' 20 -gt 29 ']'
+ case $level in
+ /sbin/iptables -A %Limit% -j LOG --log-level none --log-prefix Shorewall:SSH2:DROP:
iptables v1.2.11: log-level `none' unknown
Try `iptables -h' or 'iptables --help' for more information.
+ '[' 2 -ne 0 ']'
+ '[' -z '' ']'
+ stop_firewall
+ case $COMMAND in
+ set +x
Processing /etc/shorewall/servers/portal/stop ...
IP Forwarding Enabled
Processing /etc/shorewall/servers/portal/stopped ...
/sbin/shorewall-lite: line 301:  1283 Terminated              $SHOREWALL_SHELL ${LITEDIR}/firewall $debugging restart
---------------------------------------------------
--
  Levente                               "Si vis pacem para bellum!"
Farkas Levente wrote:
>
> thanks. so after a debug session I've got the error below while in my
> rules there is a line:
> Limit:none:SSH2,3,60 net dmz:$NS2_IP tcp ssh
> it seems the new Limit code is not the same as the old one?! or at least
> the compiler differs. anyway the error is true since shorewall calls
> iptables as "--log-level none". it seems to me that the previous version
> did not append the log-level to iptables if it was none (afaics in the
> previous version's debug list).
> so imho it's a bug in the new code.

Yep -- please try the attached patch to /usr/share/shorewall/compiler. It
fixes all builtin actions WRT 'none' and 'none!' (not just Limit).

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
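The trace Levente posted shows the defect exactly: the compiler takes the "none" from Limit:none:SSH2,3,60 and hands it straight to iptables as --log-level none, which the LOG target rejects, and because the rule fails the firewall is stopped. Tom's patch is attached to his mail and is not on this page, so the following is an added shell example, not Shorewall's compiler code and not the patch itself, that contrasts the broken and the corrected rule generation. The function names, the %Limit% chain/prefix values reused from the trace, and the list of levels iptables accepts (taken from the iptables man page) are assumptions of this example.

```shell
#!/bin/sh
# Added example, not Shorewall's own code: how a rule generator should treat
# the log level of a builtin action such as Limit. "none" and "none!" mean
# "do not log", so no LOG rule at all must be emitted for them.

# Approximation of the levels iptables' LOG target accepts (syslog names or
# 0-7), per the iptables man page; lets the example check a rule offline.
iptables_accepts_log_level() {
    case "$1" in
        emerg|alert|crit|error|warning|notice|info|debug|[0-7]) return 0 ;;
        *) return 1 ;;
    esac
}

# Shorewall-style "none" / "none!": logging is disabled for this rule.
level_is_none() {
    case "$1" in
        none|none!) return 0 ;;
        *) return 1 ;;
    esac
}

# Defective behaviour (as in the 3.4.1 trace): always emit a LOG rule and
# pass the level through verbatim. Prints the command line it would run.
log_rule_before() {
    level=$1; chain=$2; prefix=$3
    echo "iptables -A $chain -j LOG --log-level $level --log-prefix $prefix"
}

# Corrected behaviour: nothing for none/none!, otherwise the LOG rule.
log_rule_after() {
    level=$1; chain=$2; prefix=$3
    if level_is_none "$level"; then
        return 0
    fi
    echo "iptables -A $chain -j LOG --log-level $level --log-prefix $prefix"
}

# Emulate the check iptables applies when the generated rules are loaded:
# reads command lines on stdin, returns 0 if every --log-level is one
# iptables accepts, 1 (with an iptables-style message) otherwise.
rules_would_load() {
    while read -r cmd; do
        [ -z "$cmd" ] && continue
        lvl=$(printf '%s\n' "$cmd" | sed -n 's/.*--log-level \([^ ]*\).*/\1/p')
        if [ -n "$lvl" ] && ! iptables_accepts_log_level "$lvl"; then
            echo "iptables: log-level \`$lvl' unknown" >&2
            return 1
        fi
    done
    return 0
}

# Demonstration with the values from the thread's rule, Limit:none:SSH2,3,60.
log_rule_before none %Limit% Shorewall:SSH2:DROP: | rules_would_load \
    || echo "before the fix: rule rejected, firewall would be stopped"
log_rule_after none %Limit% Shorewall:SSH2:DROP: | rules_would_load \
    && echo "after the fix: no LOG rule emitted, remaining rules load"
```

The point of the contrast is that the check belongs in the compiler, before any iptables command is issued: on a production firewall a single rejected rule does not just lose one log line, it takes the whole ruleset down through stop_firewall, as the tail of the trace shows.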
Tom Eastep wrote:
> Farkas Levente wrote:
>
>> thanks. so after a debug session I've got the error below while in my
>> rules there is a line:
>> Limit:none:SSH2,3,60 net dmz:$NS2_IP tcp ssh
>> it seems the new Limit code is not the same as the old one?! or at least
>> the compiler differs. anyway the error is true since shorewall calls
>> iptables as "--log-level none". it seems to me that the previous version
>> did not append the log-level to iptables if it was none (afaics in the
>> previous version's debug list).
>> so imho it's a bug in the new code.
>
> Yep -- please try the attached patch to /usr/share/shorewall/compiler. It
> fixes all builtin actions WRT 'none' and 'none!' (not just Limit).

thanks. it seems to be working. and I hope no more hidden problems since it's our production firewall :-(
--
  Levente                               "Si vis pacem para bellum!"