Shorewall users - Apr 2009 - Re: Shorewall-users Digest, Vol 35, Issue 27

Hi Tom,

I''ve actually done as you said. The only thing I forgot to mention is
that I
was using Shorewall 4.2.8, I was previously on Shorewall 3 and the problem
still occurred so I installed the latest stable release and it still
didn''t
resolve it.
My trace file was included in the previous email so I''m not sure if I
should
resend, please advise if necessary.

Also, I actually had the shell and perl rpm installed however by default it
compiles using shell. Should I try using perl compiler? How do I get it to
use perl instead of shell?

Thank you and have a nice day!
-Eugene


From: Tom Eastep <teastep@shorewall.net>
To: Shorewall Users <shorewall-users@lists.sourceforge.net>
Date: Tue, 21 Apr 2009 20:42:16 -0700
Subject: Re: [Shorewall-users] Shorewall compile problem
Eugene Koh wrote:

<stuff deleted>

I suggest that you:

a) Go to www.shorewall.net
b) Click on ''Documentation'' in the left-hand frame
c) Select the ''Index'' for the release your are running on the
malfunctioning server (you will note that there are multiple
''Index''
links; I know that it may come as a shock, but different versions of
Shorewall are actually different! And you didn''t mention which version
you are running -- all we know is that you are running Shorewall-shell
rather than Shorewall-perl).
d) Near the top of the resulting page, there will be a
''Troubleshooting''
link. Click on that and see if the ''Shorewall start and Shorewall
restart errors'' section provides you any clues to your problem.
e) If that doesn''t give you any relief, then click on the
''Support'' link
in the left-hand frame and follow the instructions you find there.

Thanks,
-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________


2009/4/22 <shorewall-users-request@lists.sourceforge.net>
> Send Shorewall-users mailing list submissions to
>        shorewall-users@lists.sourceforge.net
>
> To subscribe or unsubscribe via the World Wide Web, visit
>        https://lists.sourceforge.net/lists/listinfo/shorewall-users
> or, via email, send a message with subject or body ''help''
to
>        shorewall-users-request@lists.sourceforge.net
>
> You can reach the person managing the list at
>        shorewall-users-owner@lists.sourceforge.net
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Shorewall-users digest..."
>
> Today''s Topics:
>
>   1. Re: Shorewall compile problem (Tom Eastep)
>   2. Re: {Disarmed}  Shorewall compile problem (G?tz Reinicke)
>   3. Re: Single rules in dual-homing (Andrzej Odyniec)
>   4. tcrules in shorewall6 - not loading (Sanne Wouda)
>
>
> ---------- Forwarded message ----------
> From: Tom Eastep <teastep@shorewall.net>
> To: Shorewall Users <shorewall-users@lists.sourceforge.net>
> Date: Tue, 21 Apr 2009 20:42:16 -0700
> Subject: Re: [Shorewall-users] Shorewall compile problem
> Eugene Koh wrote:
>
> <stuff deleted>
>
> I suggest that you:
>
> a) Go to www.shorewall.net
> b) Click on ''Documentation'' in the left-hand frame
> c) Select the ''Index'' for the release your are running on
the
> malfunctioning server (you will note that there are multiple
''Index''
> links; I know that it may come as a shock, but different versions of
> Shorewall are actually different! And you didn''t mention which
version
> you are running -- all we know is that you are running Shorewall-shell
> rather than Shorewall-perl).
> d) Near the top of the resulting page, there will be a
''Troubleshooting''
> link. Click on that and see if the ''Shorewall start and Shorewall
> restart errors'' section provides you any clues to your problem.
> e) If that doesn''t give you any relief, then click on the
''Support'' link
> in the left-hand frame and follow the instructions you find there.
>
> Thanks,
> -Tom
> --
> Tom Eastep        \ When I die, I want to go like my Grandfather who
> Shoreline,         \ died peacefully in his sleep. Not screaming like
> Washington, USA     \ all of the passengers in his car
> http://shorewall.net \________________________________________________
>
>
>
> ---------- Forwarded message ----------
> From: "Götz Reinicke" <goetz.reinicke@filmakademie.de>
> To: Shorewall Users <shorewall-users@lists.sourceforge.net>
> Date: Wed, 22 Apr 2009 07:46:53 +0200
> Subject: Re: [Shorewall-users] {Disarmed} Shorewall compile problem
> Eugene Koh schrieb:
> > Hi all,
> >
> > I''ve been using Shorewall to generate iptable scripts all
this while,
> > today I came across a newly purchased server that got me stumped.
> > Basically Shorewall refused to compile and start and I get the
following
> > error.
> >
> > Enabling Loopback and DNS Lookups
> > iptables: Unknown error 4294967295
>
> Hi,
>
> searching this error with google shows up a lot off results concerning
> kernel modul problems, e.g. module and static compilation ...
>
>
>
http://www.google.de/search?q=iptables%3A+Unknown+error+4294967295&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:de:official&client=firefox-a
>
> So, Tom''s suggestions regarding your system setup (versions,
custom
> kernel, ... ?) seems to be a good starting point.
>
>
> Regards
>
>        Götz
>
> --
> Götz Reinicke
> IT-Koordinator
>
> Tel. +49 7141 969 420
> Fax  +49 7141 969 55 420
> E-Mail goetz.reinicke@filmakademie.de
>
> Filmakademie Baden-Württemberg GmbH
> Akademiehof 10
> 71638 Ludwigsburg
> www.filmakademie.de
>
> Eintragung Amtsgericht Stuttgart HRB 205016
> Vorsitzende des Aufsichtsrats:
> Prof. Dr. Claudia Hübner
> Staatsrätin für Demographischen Wandel und für Senioren im
> Staatsministerium
>
> Geschäftsführer:
> Prof. Thomas Schadt
>
>
>
>
> ---------- Forwarded message ----------
> From: Andrzej Odyniec <anody@macrologic.pl>
> To: Shorewall Users <shorewall-users@lists.sourceforge.net>
> Date: Wed, 22 Apr 2009 11:46:02 +0200
> Subject: Re: [Shorewall-users] Single rules in dual-homing
> Tom Eastep wrote:
>
>> I would have written the above as:
>>
>> crp     eth2:172.23.0.0/18,172.31.201.0/24      ipsec
>> crp     eth3:172.23.0.0/18,172.31.201.0/24      ipsec
>>
>> Which can be replaced with:
>>
>> BEGIN PERL
>>
>> for my $interface ( split /,/, $ENV{NET} ) {
>>    shorewall "crp $interface:172.23.0.0/18,172.31.201.0/24
ipsec"
>> }
>>
>> END PERL
>>
>> Note that variables set in /etc/shorewall/params are passed to the
>> Shorewall-perl compiler via the environment.
>>
>
> Thanks, Tom.
>
> This is strong and universal solution. So actually in hosts file is
> absolutely no need for new syntax. Ockham''s Razor is always
better. :)
>
> Best regards
>
> Andrzej Odyniec
> Warsaw, Poland
>
>
>
>
> ---------- Forwarded message ----------
> From: Sanne Wouda <sanne@gruttepier.net>
> To: shorewall-users@lists.sourceforge.net
> Date: Wed, 22 Apr 2009 16:13:08 +0200
> Subject: [Shorewall-users] tcrules in shorewall6 - not loading
> Hello,
>
> I''m trying to shape my outgoing IPv6 traffic (a 6in4 tunnel from
> sixxs.net), but Shorewall6 (version 4.2.7 with Debian lenny) is not
> loading traffic shaping rules from /etc/shorewall6/tcrules. IPv4
> traffic shaping is working as expected.
>
> Included are the outputs of `shorewall dump` and `shorewall6 dump`.
>
> I''d be happy to supply any information to help diagnose this
problem.
>
> Thanks for your attention.
>
> Sanne
>
>
>
------------------------------------------------------------------------------
> Stay on top of everything new and different, both inside and
> around Java (TM) technology - register by April 22, and save
> $200 on the JavaOne (SM) conference, June 2-5, 2009, San Francisco.
> 300 plus technical and hands-on sessions. Register today.
> Use priority code J9JMT32. http://p.sf.net/sfu/p
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
>
>

------------------------------------------------------------------------------
Stay on top of everything new and different, both inside and 
around Java (TM) technology - register by April 22, and save
$200 on the JavaOne (SM) conference, June 2-5, 2009, San Francisco.
300 plus technical and hands-on sessions. Register today. 
Use priority code J9JMT32. http://p.sf.net/sfu/p

Eugene Koh wrote:
> Hi Tom,
> 
> I''ve actually done as you said. The only thing I forgot to mention
is
> that I was using Shorewall 4.2.8, I was previously on Shorewall 3 and
> the problem still occurred so I installed the latest stable release and
> it still didn''t resolve it.
> My trace file was included in the previous email so I''m not sure
if I
> should resend, please advise if necessary.
> 
> Also, I actually had the shell and perl rpm installed however by default
> it compiles using shell. Should I try using perl compiler? How do I get
> it to use perl instead of shell?
All new Shorewall installations should use Shorewall-perl; Support for
Shorewall shell is going away in Shorewall 4.4.

Set SHOREWALL_COMPILER=Perl in shorewall.conf.
> 
> Thank you and have a nice day!
The ''trace'' file in the archive attached to your previous post
is binary
data of some sort.

teastep@ursa:~/Support/Eugene$ file trace
trace: data
teastep@ursa:~/Support/Eugene$

So it is not of any help, I''m afraid.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------
Stay on top of everything new and different, both inside and 
around Java (TM) technology - register by April 22, and save
$200 on the JavaOne (SM) conference, June 2-5, 2009, San Francisco.
300 plus technical and hands-on sessions. Register today. 
Use priority code J9JMT32. http://p.sf.net/sfu/p

Tom Eastep wrote:
> 
> All new Shorewall installations should use Shorewall-perl; Support for
> Shorewall shell is going away in Shorewall 4.4.
> 
> Set SHOREWALL_COMPILER=Perl in shorewall.conf.
> 
I have also seen that in Fedora''s rpm shell compiler is by default. Is 
there an option in the source to set it to perl by default? Or we should 
just install only rpm with perl version?

I know that then there has to be added dependency to perl.

Thanks,
Ljubomir

------------------------------------------------------------------------------
Stay on top of everything new and different, both inside and 
around Java (TM) technology - register by April 22, and save
$200 on the JavaOne (SM) conference, June 2-5, 2009, San Francisco.
300 plus technical and hands-on sessions. Register today. 
Use priority code J9JMT32. http://p.sf.net/sfu/p

Ljubomir Ljubojevic wrote:
> Tom Eastep wrote:
>> All new Shorewall installations should use Shorewall-perl; Support for
>> Shorewall shell is going away in Shorewall 4.4.
>>
>> Set SHOREWALL_COMPILER=Perl in shorewall.conf.
>>
> 
> I have also seen that in Fedora''s rpm shell compiler is by
default. Is
> there an option in the source to set it to perl by default? Or we should 
> just install only rpm with perl version?
> 
> I know that then there has to be added dependency to perl.
If you want Shorewall-perl and only Shorewall-perl, then you must
install the common package and the Shorewall-perl package only. In most
distributions, the ''shorewall'' package installs the common
package and
Shorewall-shell; that is to insure that a distribution upgrade doesn''t
break the firewall.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------
Stay on top of everything new and different, both inside and 
around Java (TM) technology - register by April 22, and save
$200 on the JavaOne (SM) conference, June 2-5, 2009, San Francisco.
300 plus technical and hands-on sessions. Register today. 
Use priority code J9JMT32. http://p.sf.net/sfu/p