Hi again,

I managed to use the perl compiler for a better error message, this is what I got.

Compiling /etc/shorewall/routestopped...
WARNING: The 'norfc1918' option is deprecated
Compiling /usr/share/shorewall/rfc1918...
ERROR: The norfc1918 option requires Connection Tracking Match in your kernel and iptables : /usr/share/shorewall/rfc1918 (line 6)

Does this mean it is a kernel issue and I should contact my hosting?

Best regards,
Eugene

> ---------- Forwarded message ----------
> From: Eugene Koh <thegr8one@gmail.com>
> To: shorewall-users@lists.sourceforge.net
> Date: Thu, 23 Apr 2009 01:24:46 +0800
> Subject: Re: [Shorewall-users] Shorewall-users Digest, Vol 35, Issue 27
>
> Hi Tom,
>
> I've actually done as you said. The only thing I forgot to mention is that
> I was using Shorewall 4.2.8, I was previously on Shorewall 3 and the problem
> still occurred so I installed the latest stable release and it still didn't
> resolve it.
> My trace file was included in the previous email so I'm not sure if I
> should resend, please advise if necessary.
>
> Also, I actually had the shell and perl rpm installed however by default it
> compiles using shell. Should I try using perl compiler? How do I get it to
> use perl instead of shell?
>
> Thank you and have a nice day!
> -Eugene
>
>
> From: Tom Eastep <teastep@shorewall.net>
> To: Shorewall Users <shorewall-users@lists.sourceforge.net>
> Date: Tue, 21 Apr 2009 20:42:16 -0700
> Subject: Re: [Shorewall-users] Shorewall compile problem
>
> Eugene Koh wrote:
>
> <stuff deleted>
>
> I suggest that you:
>
> a) Go to www.shorewall.net
> b) Click on 'Documentation' in the left-hand frame
> c) Select the 'Index' for the release you are running on the
> malfunctioning server (you will note that there are multiple 'Index'
> links; I know that it may come as a shock, but different versions of
> Shorewall are actually different! And you didn't mention which version
> you are running -- all we know is that you are running Shorewall-shell
> rather than Shorewall-perl).
> d) Near the top of the resulting page, there will be a 'Troubleshooting'
> link. Click on that and see if the 'Shorewall start and Shorewall
> restart errors' section provides you any clues to your problem.
> e) If that doesn't give you any relief, then click on the 'Support' link
> in the left-hand frame and follow the instructions you find there.
>
> Thanks,
> -Tom
> --
> Tom Eastep        \ When I die, I want to go like my Grandfather who
> Shoreline,         \ died peacefully in his sleep. Not screaming like
> Washington, USA     \ all of the passengers in his car
> http://shorewall.net \________________________________________________

Eugene Koh wrote:
> Hi again,
>
> I managed to use the perl compiler for a better error message, this is
> what I got.
>
> Compiling /etc/shorewall/routestopped...
> WARNING: The 'norfc1918' option is deprecated
> Compiling /usr/share/shorewall/rfc1918...
> ERROR: The norfc1918 option requires Connection Tracking Match in
> your kernel and iptables : /usr/share/shorewall/rfc1918 (line 6)

As the warning says, 'norfc1918' is deprecated anyway. Please try removing it from your /etc/shorewall/interfaces file and see if you get further.

Thanks,
-Tom

Hi Tom,

Got it to go a little further, at first I thought it was solved :(

Starting Shorewall....
Initializing...
Processing /etc/shorewall/init ...
Setting up ARP filtering...
Setting up Route Filtering...
Setting up Martian Logging...
Setting up Accept Source Routing...
Setting up Proxy ARP...
Setting up Traffic Control...
Preparing iptables-restore input...
Running /sbin/iptables-restore...
iptables-restore: line 143 failed
ERROR: iptables-restore Failed. Input is in /var/lib/shorewall/.iptables-restore-input
Processing /etc/shorewall/stop ...
IPv4 Forwarding Enabled
Processing /etc/shorewall/stopped ...
/sbin/shorewall: line 449: 18259 Terminated ${VARDIR}/.start $debugging start

I guess this is where I start the debug file and send it in?

Best regards,
Eugene

Eugene Koh wrote:
> Hi Tom,
>
> Got it to go a little further, at first I thought it was solved :(
>
> Starting Shorewall....
> Initializing...
> Processing /etc/shorewall/init ...
> Setting up ARP filtering...
> Setting up Route Filtering...
> Setting up Martian Logging...
> Setting up Accept Source Routing...
> Setting up Proxy ARP...
> Setting up Traffic Control...
> Preparing iptables-restore input...
> Running /sbin/iptables-restore...
> iptables-restore: line 143 failed
> ERROR: iptables-restore Failed. Input is in
> /var/lib/shorewall/.iptables-restore-input
> Processing /etc/shorewall/stop ...
> IPv4 Forwarding Enabled
> Processing /etc/shorewall/stopped ...
> /sbin/shorewall: line 449: 18259 Terminated
> ${VARDIR}/.start $debugging start
>
> I guess this is where I start the debug file and send it in?

What was the command in /var/lib/shorewall/.iptables-restore-input where the failure occurred (don't have the line number -- your mailer seems to have truncated the text). If it was not COMMIT, then let us know what it was. If it was COMMIT then you need to try to start using the 'debug' option (shorewall debug start) and see what command fails.

-Tom

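The triage described in the reply above, as an added example (not code from the thread or from Shorewall): find the line that iptables-restore rejected and decide whether it was a rule or COMMIT. The function names and the sample restore input are constructed for illustration.

```shell
#!/bin/sh
# failed_restore_line ERROR_TEXT INPUT_FILE
# Prints "<line>:<table>:<text>" for the line iptables-restore rejected.
failed_restore_line() {
    # Extract N from "iptables-restore: line N failed".
    n=$(printf '%s\n' "$1" | sed -n 's/.*line \([0-9][0-9]*\) failed.*/\1/p')
    [ -n "$n" ] || return 1
    awk -v n="$n" '
        /^\*/   { table = substr($0, 2) }   # "*filter", "*nat" ... opens a table
        NR == n { print n ":" table ":" $0; found = 1; exit }
        END     { exit !found }
    ' "$2"
}

# triage ERROR_TEXT INPUT_FILE
# A failure on COMMIT means the table was rejected as a whole, so the offending
# rule is only found by loading rules one at a time (shorewall debug start).
triage() {
    rec=$(failed_restore_line "$1" "$2") || { echo "no failed line found"; return 1; }
    rest=${rec#*:}            # drop the line number
    table=${rest%%:*}         # table the line belongs to
    text=${rest#*:}           # the rejected line itself
    case $text in
        COMMIT) echo "COMMIT failed in table $table: run 'shorewall debug start'" ;;
        *)      echo "rule failed in table $table: $text" ;;
    esac
}

# Constructed sample, not the poster's file: a minimal restore input.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
*filter
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -j LOG --log-level 6 --log-prefix "Shorewall:INPUT:DROP:"
COMMIT
EOF
triage "iptables-restore: line 5 failed" "$sample"
triage "iptables-restore: line 4 failed" "$sample"
```

On a real host the second argument would be /var/lib/shorewall/.iptables-restore-input and the first the error line printed by the failed start.
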
Hi Tom,

Here's the line.

Running debug_restore_input...
iptables: Unknown error 4294967295
ERROR: Command "/sbin/iptables -A INPUT -j LOG --log-level 6 --log-prefix "Shorewall:INPUT:DROP:"" Failed
Processing /etc/shorewall/stop ...
IPv4 Forwarding Enabled
Processing /etc/shorewall/stopped ...
/sbin/shorewall: line 449: 3629 Terminated ${VARDIR}/.start $debugging start

Going further, I have also checked the /var/log/messages and I am getting the messages:

modprobe: FATAL: Could not load /lib/modules/2.6.9-023stab048.6-enterprise/modules.dep: No such file or directory

Best regards,
Eugene

Eugene Koh wrote:
> Hi Tom,
>
> Here's the line.
>
> Running debug_restore_input...
> iptables: Unknown error 4294967295
> ERROR: Command "/sbin/iptables -A INPUT -j LOG --log-level 6
> --log-prefix "Shorewall:INPUT:DROP:"" Failed
> Processing /etc/shorewall/stop ...
> IPv4 Forwarding Enabled
> Processing /etc/shorewall/stopped ...
> /sbin/shorewall: line 449: 3629 Terminated
> ${VARDIR}/.start $debugging start
>
> Going further, I have also checked the /var/log/messages and I am
> getting the messages:
>
> modprobe: FATAL: Could not load /lib/modules/2.6.9-023st
> ab048.6-enterprise/modules.dep: No such file or directory

Seems like your system is pretty ill. I suspect that the kernel does not have LOG target support. And the fact that there is no modules.dep is also a sign that you need to contact the server administrator and tell them to get their act together.

Also -- what's with the 4.6.9 kernel? That's really quite ancient! And the large positive error number reported by iptables means that iptables is also old. I haven't seen that in a year or more.

-Tom

Okay will contact them about it. Meanwhile is there any way I can get around this issue? Can I disable logging to see if this will allow the firewall to start?

Seems also that iptables is 1.3.5 which is what all my other systems are on as well.

Eugene Koh wrote:
> Okay will contact them about it. Meanwhile is there anyway I can get
> around this issue? Can I disable logging to see if this will allow the
> firewall to start?

Wouldn't hurt. You might be able to correct the module problem by (as root) 'depmod -a'.

> Seems also that iptables is 1.3.5 which is what all my other systems are
> on as well.

It's still buggy.

-Tom
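
An added example, not from the thread or from Shorewall, that checks the conditions diagnosed above before another start attempt: modules.dep for the running kernel, and whether the LOG target and the conntrack match are registered. It assumes the kernel exposes /proc/net/ip_tables_targets and /proc/net/ip_tables_matches; the function name, its ROOT argument and the sample tree are constructed.

```shell
#!/bin/sh
# check_fw_prereqs ROOT KERNEL_RELEASE
# ROOT is "" on a live host (run as root); a directory prefix lets the same
# check run against a copied or constructed tree. Prints one line per missing
# prerequisite and returns non-zero if any is missing.
check_fw_prereqs() {
    root=$1 rel=$2 missing=0
    # modprobe cannot load anything without modules.dep; 'depmod -a' rebuilds it.
    if [ ! -s "$root/lib/modules/$rel/modules.dep" ]; then
        echo "missing: modules.dep for $rel"
        missing=1
    fi
    # Assumption: these /proc files list what is registered with the kernel
    # right now, one name per line. A module that failed to load never shows up.
    grep -qx LOG "$root/proc/net/ip_tables_targets" 2>/dev/null ||
        { echo "missing: LOG target"; missing=1; }
    # conntrack is the match Shorewall reports as "Connection Tracking Match".
    grep -qx conntrack "$root/proc/net/ip_tables_matches" 2>/dev/null ||
        { echo "missing: conntrack match"; missing=1; }
    return "$missing"
}

# Constructed tree (not the poster's host): no modules.dep, no LOG target,
# no conntrack match. The kernel release string is a placeholder.
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
rel=2.6.9-example
mkdir -p "$demo/lib/modules/$rel" "$demo/proc/net"
printf '%s\n' ERROR REJECT > "$demo/proc/net/ip_tables_targets"
printf '%s\n' state tcp udp > "$demo/proc/net/ip_tables_matches"
check_fw_prereqs "$demo" "$rel" || echo "fix the above before 'shorewall start'"
```

On a live host the call is `check_fw_prereqs "" "$(uname -r)"`, run as root.
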