A little additional info,

root@ns1 /tmp # /sbin/shorewall version
3.4.3
root@ns1 /tmp # ip addr show
1: eth0: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:a0:c9:b6:56:96 brd ff:ff:ff:ff:ff:ff
    inet 208.187.196.76/28 brd 208.187.196.79 scope global eth0
2: lo: <LOOPBACK,UP,10000> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
3: teql0: <NOARP> mtu 1500 qdisc noop qlen 100
    link/void
4: tunl0: <NOARP> mtu 1480 qdisc noop
    link/ipip 0.0.0.0 brd 0.0.0.0
root@ns1 /tmp # ip route show
208.187.196.64/28 dev eth0 proto kernel scope link src 208.187.196.76
127.0.0.0/8 dev lo scope link
default via 208.187.196.65 dev eth0
root@ns1 /tmp #

The output of shorewall dump is attached

--Richard

------- Forwarded message follows -------
I am at a loss, I have been building a new machine for a name server. It is a Linux 2.6.21.1 kernel (lunar-linux) machine. Shorewall is version 3.4.3.

I have been working on getting shorewall up and working for two days (and nights) now with no success.

On startup, shorewall just hangs (and hangs the network connection). There are no messages displayed or logged.

I have used shorewall for several years and never had anything like this before.

I am attaching my shorewall configuration files and the kernel .config. I strongly suspect that I am missing something in the kernel configuration since there are major changes in the configuration options.

Any guidance will be greatly appreciated.
--Richard

Attachments:
C:\Documents and Settings\rpyne\Desktop\downloads\shorewall\zones
C:\Documents and Settings\rpyne\Desktop\downloads\shorewall\policy
C:\Documents and Settings\rpyne\Desktop\downloads\shorewall\rules
C:\Documents and Settings\rpyne\Desktop\downloads\shorewall\interfaces
C:\Documents and Settings\rpyne\Desktop\downloads\shorewall\shorewall.conf
C:\Documents and Settings\rpyne\Desktop\downloads\shorewall\kernel.config
------- End of forwarded message -------

---- File information -----------
File: dump.txt
Date: 15 May 2007, 12:08
Size: 7790 bytes.
Type: Text

-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/
rpyne@shopsite.com wrote:

> A little additional info,
>
> root@ns1 /tmp # /sbin/shorewall version
> 3.4.3
> root@ns1 /tmp # ip addr show
> 1: eth0: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc pfifo_fast qlen 1000
>     link/ether 00:a0:c9:b6:56:96 brd ff:ff:ff:ff:ff:ff
>     inet 208.187.196.76/28 brd 208.187.196.79 scope global eth0
> 2: lo: <LOOPBACK,UP,10000> mtu 16436 qdisc noqueue
>     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>     inet 127.0.0.1/8 scope host lo
> 3: teql0: <NOARP> mtu 1500 qdisc noop qlen 100
>     link/void
> 4: tunl0: <NOARP> mtu 1480 qdisc noop
>     link/ipip 0.0.0.0 brd 0.0.0.0
> root@ns1 /tmp # ip route show
> 208.187.196.64/28 dev eth0 proto kernel scope link src 208.187.196.76
> 127.0.0.0/8 dev lo scope link
> default via 208.187.196.65 dev eth0
> root@ns1 /tmp #
>
> The output of shorewall dump is attached
>
> --Richard
>
> ------- Forwarded message follows -------
> I am at a loss, I have been building a new machine for a name server.
> It is a Linux 2.6.21.1 kernel (lunar-linux) machine. Shorewall is
> version 3.4.3.
>
> I have been working on getting shorewall up and working for two days
> (and nights) now with no success.
>
> On startup, shorewall just hangs (and hangs the network connection).
> There are no messages displayed or logged.
>
> I have used shorewall for several years and never had anything like
> this before.
>
> I am attaching my shorewall configuration files and the kernel
> .config. I strongly suspect that I am missing something in the kernel
> configuration since there are major changes in the configuration
> options.
>
> Any guidance will be greatly appreciated.

Are you using LDAP authentication? If so, you need to list your LDAP server as a 'critical' host in /etc/shorewall/routestopped.
-Tom
-- 
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
On 15 May 2007 at 12:22, Tom Eastep wrote:

> rpyne@shopsite.com wrote:
>
> > I am not using LDAP. This has me completely puzzled. I guess I must
> > be a talented fool. Over the past several years I have installed and
> > run Shorewall on a couple dozen machines and never had any problem
> > like this.
>
> Have you tried tracing 'shorewall start' to see where it is hanging?
>

Okay, I finally got a trace.

.
.
.
+ echo 'Setting up SMURF control...'
Setting up SMURF control...
+ do_log_rule_limit info smurfs smurfs DROP '' '' -A -s logmartians
+ local level=info
+ local chain=smurfs
+ local displayChain=smurfs
+ local disposition=DROP
+ local rulenum
+ local limit
+ local tag
+ local command
+ local prefix
++ chain_base smurfs
++ local c=smurfs
++ true
++ case $c in
++ echo smurfs
++ return
+ local base=smurfs
+ local pf
+ limit=
+ tag=
+ command=-A
+ shift 7
+ '[' -n '' -a -n '' ']'
+ '[' -n '' ']'
++ printf Shorewall:%s:%s: smurfs DROP
+ prefix=Shorewall:smurfs:DROP:
+ '[' 22 -gt 29 ']'
+ case $level in
+ /usr/sbin/iptables -A smurfs -s logmartians -j LOG --log-level info --log-prefix Shorewall:smurfs:DROP:
iptables v1.3.7: host/network `logmartians' not found
Try `iptables -h' or 'iptables --help' for more information.
+ '[' 2 -ne 0 ']'
+ '[' -z '' ']'
+ stop_firewall
+ case $COMMAND in
+ set +x
Processing /etc/shorewall/stop ...
IP Forwarding Enabled
Processing /etc/shorewall/stopped ...
/sbin/shorewall: line 251:  6313 Terminated              ${VARDIR}/.start $debugging start

After some investigation and experimenting, I discovered that the problem was a missing BROADCAST parameter in interfaces.

Thanks for the hints.

--Richard
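Richard's fix points at the column layout of /etc/shorewall/interfaces. In Shorewall 3.x the columns are ZONE, INTERFACE, BROADCAST and OPTIONS; when the BROADCAST column is left out, the first word of the options list is read as the broadcast address and is passed to iptables as a source address, which is what the `-s logmartians` in the trace above shows. The script below is an added example written for this page, not code from the thread or from Shorewall itself. It assumes that column layout and a handful of Shorewall 3 option keywords (dhcp, tcpflags, routefilter, logmartians and a few others), and it lints a constructed sample file embedded in the script so that the mistake is caught before `shorewall start` fails and leaves the box in the stopped state.

```sh
#!/bin/sh
# Added example (not Shorewall's own code): lint a Shorewall 3.x
# /etc/shorewall/interfaces file before running 'shorewall start'.
# Assumed column layout: ZONE INTERFACE BROADCAST OPTIONS
# If BROADCAST is omitted, the first OPTIONS word is read as the broadcast
# address and ends up as an iptables '-s' argument in the smurfs chain.

# Option keywords for the OPTIONS column (subset, assumed for this example).
KNOWN_OPTIONS='dhcp tcpflags routefilter logmartians blacklist norfc1918 nosmurfs maclist proxyarp routeback'

# True if $1 is a dotted quad with every octet in 0..255.
is_ipv4() {
    case "$1" in -*) return 1 ;; esac
    expr "$1" : '^[0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*$' >/dev/null || return 1
    ip_ifs=$IFS; IFS=.
    for o in $1; do
        [ "$o" -le 255 ] || { IFS=$ip_ifs; return 1; }
    done
    IFS=$ip_ifs
    return 0
}

# True if $1 is an acceptable BROADCAST field: 'detect', '-', or a
# comma-separated list of broadcast addresses.
valid_broadcast() {
    case "$1" in
        detect|-) return 0 ;;
        ''|*,|,*|*,,*) return 1 ;;
    esac
    bc_ifs=$IFS; IFS=,
    set -- $1
    IFS=$bc_ifs
    for a; do
        is_ipv4 "$a" || return 1
    done
    return 0
}

# True if the first comma-separated word of $1 is a known OPTIONS keyword
# (any =value suffix is ignored), i.e. an option that slid into BROADCAST.
is_option_word() {
    w=${1%%,*}; w=${w%%=*}
    for k in $KNOWN_OPTIONS; do
        [ "$w" = "$k" ] && return 0
    done
    return 1
}

# Read an interfaces file on stdin, print one diagnostic per bad entry and
# return the number of bad entries (0 means clean, capped at 255).
lint_interfaces() {
    bad=0 n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        line=${line%%#*}          # drop comments
        set -- $line              # split into columns on whitespace
        [ $# -ge 3 ] || continue  # no third column: nothing can be misread
        iface=$2 bcast=$3
        if valid_broadcast "$bcast"; then
            continue
        fi
        if is_option_word "$bcast"; then
            echo "line $n ($iface): BROADCAST column holds option '$bcast'; put 'detect' or '-' before the options"
        else
            echo "line $n ($iface): BROADCAST column '$bcast' is not 'detect', '-' or an address list"
        fi
        bad=$((bad + 1))
    done
    return $((bad > 255 ? 255 : bad))
}

# Constructed sample (not a real configuration): the eth1 entry shows the
# mistake from this thread, options written with no BROADCAST column.
SAMPLE='#ZONE   INTERFACE   BROADCAST                 OPTIONS
net     eth0        detect                    routefilter,logmartians
net     eth1        logmartians,routefilter
dmz     eth2        10.1.1.255,10.1.2.255     tcpflags
loc     eth3        -                         dhcp'

if printf '%s\n' "$SAMPLE" | lint_interfaces; then
    echo "interfaces: OK"
else
    echo "interfaces: fix the entries above before running 'shorewall start'"
fi
```

Run it as `sh lint-interfaces.sh < /etc/shorewall/interfaces` (the name is a placeholder), or feed it the file through the pipeline as the sample does; a non-zero exit status means at least one entry would have produced an invalid iptables source address.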
rpyne@shopsite.com wrote:

> On 15 May 2007 at 12:22, Tom Eastep wrote:
>
>> rpyne@shopsite.com wrote:
>>
>>> I am not using LDAP. This has me completely puzzled. I guess I must
>>> be a talented fool. Over the past several years I have installed and
>>> run Shorewall on a couple dozen machines and never had any problem
>>> like this.
>> Have you tried tracing 'shorewall start' to see where it is hanging?
>>
>
> Okay, I finally got a trace.
>
> .
> .
> .
> + echo 'Setting up SMURF control...'
> Setting up SMURF control...
> + do_log_rule_limit info smurfs smurfs DROP '' '' -A -s logmartians
> + local level=info
> + local chain=smurfs
> + local displayChain=smurfs
> + local disposition=DROP
> + local rulenum
> + local limit
> + local tag
> + local command
> + local prefix
> ++ chain_base smurfs
> ++ local c=smurfs
> ++ true
> ++ case $c in
> ++ echo smurfs
> ++ return
> + local base=smurfs
> + local pf
> + limit=
> + tag=
> + command=-A
> + shift 7
> + '[' -n '' -a -n '' ']'
> + '[' -n '' ']'
> ++ printf Shorewall:%s:%s: smurfs DROP
> + prefix=Shorewall:smurfs:DROP:
> + '[' 22 -gt 29 ']'
> + case $level in
> + /usr/sbin/iptables -A smurfs -s logmartians -j LOG --log-level info
> --log-prefix Shorewall:smurfs:DROP:
> iptables v1.3.7: host/network `logmartians' not found
> Try `iptables -h' or 'iptables --help' for more information.
> + '[' 2 -ne 0 ']'
> + '[' -z '' ']'
> + stop_firewall
> + case $COMMAND in
> + set +x
> Processing /etc/shorewall/stop ...
> IP Forwarding Enabled
> Processing /etc/shorewall/stopped ...
> /sbin/shorewall: line 251:  6313 Terminated
> ${VARDIR}/.start $debugging start
>
> After some investigation and experimenting, I discovered that the
> problem was a missing BROADCAST parameter in interfaces.

So in other words, the problem was nothing like you originally reported. There was no hang -- 'shorewall start' was simply failing and the firewall was being put in the 'stopped' state.
-Tom