Chris J. Zähller
2009-Jul-14 20:45 UTC
failed startup error "undefined server zone rule" / need port 1000 open.
Tom Eastep
2009-Jul-16 21:02 UTC
Re: failed startup error "undefined server zone rule" / need port 1000 open.
Chris J. Zähller wrote:
> I'm brand new to setting up a mailserver, and I'm following the documentation
> at http://flurdy.com/docs/postfix/
>
> As part of the setup, I'm trying to get shorewall going -- we use Webmin to
> administer the server, along with PHPMyAdmin; for the former we need port
> 10000 open; we also need SSH, web and mail ports open.
>
> Initially, I set up exactly as in the above-mentioned tutorial; then I
> added:
>
> Webmin/ACCEPT net $FW
>
> thinking that would be enough to keep port 10000 open. Au contraire: I got a
> successful shorewall check and startup, but I lost webmin access once
> shorewall started. SSH, however, continued to work. I stopped the service
> and added this:
>
> Webmin/ACCEPT $FW net
>
> When I tried to restart shorewall, it failed to start. I took the 2nd webmin
> rule out; same results. I took both webmin rules out; same results. The
> attached trace, plus my verbose output and logs, all show the exact same failure
> each time. The key information appears to be this:
>
> [timestamp] Compiling /etc/shorewall/rules...
> [timestamp] ..Expanding Macro /usr/share/shorewall/macro.SSH...
> ERROR: Undefined Server Zone in rule "ACCEPT net FW tcp 22 - - - -"
> Terminated
>
> As you'll see in the attachment, both "net" and "FW" are defined in zones.
> And since the rules are back to their original form, which worked once, I'm
> not sure what might have changed. Note that I have _not_ edited macro.SSH;
> it contains the default info.
>
> Our server uses Ubuntu 8.10. Before I began on the firewall today, I
> updated/upgraded all packages, so we're using the latest everything.
>
> Any help greatly appreciated; this thing is really kicking my b*tt.

First of all, you are using the antiquated Shorewall-shell package, which is being discontinued in the next Shorewall major release. So I strongly urge you to migrate to Shorewall-perl at the first available opportunity.
See http://www.shorewall.net/Shorewall-perl.html

Second, it looks like you have a broken shell. Here is one call to validate_zone:

+ validate_zone FW
+ list_search FW net FW
+ local e=FW
+ [ 3 -gt 1 ]
+ shift
+ [ xFW = xnet ]
+ [ 2 -gt 1 ]
+ shift
+ [ xFW = xFW ]
+ return 0

Notice that it returns 0 (success). Here's the last such call:

+ validate_zone FW
+ list_search FW net FW
+ local e=FW
+ [ 3 -gt 1 ]
+ shift
+ [ xFW = xnet ]
+ [ 2 -gt 1 ]
+ shift
+ [ xFW = xFW ]
+ [ 1 -gt 1 ]
+ return 1

This time it returns 1 (failure) -- yet the arguments are exactly the same and the steps up until the next to last are exactly the same. So I would suggest migrating to Shorewall Perl -- it should correct your problem and you will be a lot happier in the long run.

-Tom

--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
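The zone lookup that Tom's trace shows, reconstructed as an added example so a reader can run the same check under their own /bin/sh and confirm the return status stays consistent across identical calls. This is not code from the Shorewall-shell package: the bodies of list_search and validate_zone are an assumption inferred from the "+" lines in the trace, the zone list "net FW" is constructed to match the post, and check_shell is a hypothetical self-test added here.

```shell
#!/bin/sh
# Added example: reconstruction of the zone lookup seen in the sh -x trace
# above (assumption: bodies inferred from the trace, not Shorewall's own code).

# Return 0 if $1 occurs among the remaining arguments, 1 otherwise.
# This is exactly the step sequence the trace shows for "list_search FW net FW".
list_search() {
    local e="$1"
    while [ $# -gt 1 ]; do
        shift
        [ "x$e" = "x$1" ] && return 0
    done
    return 1
}

# Constructed sample: the zones the poster has defined in /etc/shorewall/zones.
ZONES="net FW"

# Exit 0 when the zone is defined; otherwise print the compiler's error and exit 1.
# $1 is the zone name, $2 the rule text used in the message.
validate_zone() {
    if list_search "$1" $ZONES; then
        return 0
    fi
    echo "ERROR: Undefined Server Zone in rule \"$2\"" >&2
    return 1
}

# Hypothetical self-test: repeat the identical lookup many times, as the rules
# compiler does once per rule, so a shell whose exit status drifts between calls
# (the failure Tom diagnosed) is caught.  Prints "ok" or "broken".
check_shell() {
    i=0
    while [ $i -lt 100 ]; do
        validate_zone FW  "ACCEPT net FW tcp 22 - - - -" || { echo broken; return 1; }
        validate_zone net "ACCEPT net FW tcp 22 - - - -" || { echo broken; return 1; }
        i=$((i + 1))
    done
    # A zone that is genuinely undefined must still be rejected.
    if validate_zone dmz "ACCEPT net dmz tcp 22 - - - -" 2>/dev/null; then
        echo broken
        return 1
    fi
    echo ok
    return 0
}

check_shell
```

Run it with the same interpreter Shorewall-shell uses (`sh ./check.sh`); adding `-x` reproduces the "+ ..." trace format from the post, so the two runs can be compared line for line. A healthy shell prints "ok"; one that returns 1 after a successful `[ xFW = xFW ]` prints "broken", which is the symptom in the thread.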