Hi,

I am moving my old Shorewall configuration to a new box with new
version of Shorewall.
Unfortunately I have a problem starting it if I keep the "ULOG"
parameter in the following line of rules file.

REDIRECT:ULOG wall 82 tcp 80

If I remove the ":ULOG" from that line, Shorewall starts successfully.

I am attaching the start trace "shorewall -vv start" output to this email.

The given error is :
iptables v1.3.5: Need TCP or UDP with port specification
Try `iptables -h' or 'iptables --help' for more information.
ERROR: Command "/sbin/iptables -A log0 -j REDIRECT --to-port 82" Failed

What is the problem ?

Thanks.

------------------------------------------------------------------------------
Mekabe Ramein wrote:
> Hi,
>
> I am moving my old Shorewall configuration to a new box with new
> version of Shorewall.
> Unfortunately I have a problem starting it if I keep the "ULOG"
> parameter in the following line of rules file.
>
> REDIRECT:ULOG wall 82 tcp 80
>
> If I remove the ":ULOG" from that line, Shorewall starts successfully.
>
> I am attaching the start trace "shorewall -vv start" output to this email.
>
> The given error is :
> iptables v1.3.5: Need TCP or UDP with port specification
> Try `iptables -h' or 'iptables --help' for more information.
> ERROR: Command "/sbin/iptables -A log0 -j REDIRECT --to-port 82" Failed
>
>
> What is the problem ?

The attached patch should correct the problem.

patch /usr/share/shorewall/Shorewall/Chains.pm < logging.diff

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

------------------------------------------------------------------------------
On Wed, Aug 5, 2009 at 10:26 PM, Tom Eastep<teastep@shorewall.net> wrote:
> Mekabe Ramein wrote:
>> Hi,
>>
>> I am moving my old Shorewall configuration to a new box with new
>> version of Shorewall.
>> Unfortunately I have a problem starting it if I keep the "ULOG"
>> parameter in the following line of rules file.
>>
>> REDIRECT:ULOG wall 82 tcp 80
>>
>> If I remove the ":ULOG" from that line, Shorewall starts successfully.
>>
>> I am attaching the start trace "shorewall -vv start" output to this email.
>>
>> The given error is :
>> iptables v1.3.5: Need TCP or UDP with port specification
>> Try `iptables -h' or 'iptables --help' for more information.
>> ERROR: Command "/sbin/iptables -A log0 -j REDIRECT --to-port 82" Failed
>>
>>
>> What is the problem ?
>
> The attached patch should correct the problem.
>
> patch /usr/share/shorewall/Shorewall/Chains.pm < logging.diff
>
> -Tom

Thank you. It really solved the problem. I assume this patch will be
included in the final release, right ?
Btw, ACCEPT rule with ULOG parameter was being accepted while REDIRECT was not.

Thanks.

------------------------------------------------------------------------------
On Wed, Aug 5, 2009 at 11:40 PM, Mekabe Ramein<mrmrmrmr@gmail.com> wrote:
> On Wed, Aug 5, 2009 at 10:26 PM, Tom Eastep<teastep@shorewall.net> wrote:
>> Mekabe Ramein wrote:
>>> Hi,
>>>
>>> I am moving my old Shorewall configuration to a new box with new
>>> version of Shorewall.
>>> Unfortunately I have a problem starting it if I keep the "ULOG"
>>> parameter in the following line of rules file.
>>>
>>> REDIRECT:ULOG wall 82 tcp 80
>>>
>>> If I remove the ":ULOG" from that line, Shorewall starts successfully.
>>>
>>> I am attaching the start trace "shorewall -vv start" output to this email.
>>>
>>> The given error is :
>>> iptables v1.3.5: Need TCP or UDP with port specification
>>> Try `iptables -h' or 'iptables --help' for more information.
>>> ERROR: Command "/sbin/iptables -A log0 -j REDIRECT --to-port 82" Failed
>>>
>>>
>>> What is the problem ?
>>
>> The attached patch should correct the problem.
>>
>> patch /usr/share/shorewall/Shorewall/Chains.pm < logging.diff
>>
>> -Tom
>
>
> Thank you. It really solved the problem. I assume this patch will be
> included in the final release, right ?
> Btw, ACCEPT rule with ULOG parameter was being accepted while REDIRECT was not.
>
> Thanks.
>

I just noticed that I receive the following warning when starting Shorewall:
WARNING: RFC1918_LOG_LEVEL=ULOG ignored. The 'norfc1918'
interface/host option is no longer supported

What does that mean ? Should I take any actions ?

------------------------------------------------------------------------------
Mekabe Ramein wrote:
> On Wed, Aug 5, 2009 at 11:40 PM, Mekabe Ramein<mrmrmrmr@gmail.com> wrote:
>> On Wed, Aug 5, 2009 at 10:26 PM, Tom Eastep<teastep@shorewall.net> wrote:
>>> Mekabe Ramein wrote:
>>>> Hi,
>>>>
>>>> I am moving my old Shorewall configuration to a new box with new
>>>> version of Shorewall.
>>>> Unfortunately I have a problem starting it if I keep the "ULOG"
>>>> parameter in the following line of rules file.
>>>>
>>>> REDIRECT:ULOG wall 82 tcp 80
>>>>
>>>> If I remove the ":ULOG" from that line, Shorewall starts successfully.
>>>>
>>>> I am attaching the start trace "shorewall -vv start" output to this email.
>>>>
>>>> The given error is :
>>>> iptables v1.3.5: Need TCP or UDP with port specification
>>>> Try `iptables -h' or 'iptables --help' for more information.
>>>> ERROR: Command "/sbin/iptables -A log0 -j REDIRECT --to-port 82" Failed
>>>>
>>>>
>>>> What is the problem ?
>>> The attached patch should correct the problem.
>>>
>>> patch /usr/share/shorewall/Shorewall/Chains.pm < logging.diff
>>>
>>> -Tom
>>
>> Thank you. It really solved the problem. I assume this patch will be
>> included in the final release, right ?
>> Btw, ACCEPT rule with ULOG parameter was being accepted while REDIRECT was not.
>>
>> Thanks.
>>
>
> I just noticed that I receive the following warning when starting Shorewall:
> WARNING: RFC1918_LOG_LEVEL=ULOG ignored. The 'norfc1918'
> interface/host option is no longer supported
>
> What does that mean ? Should I take any actions ?

Please read the release notes.

-Tom

------------------------------------------------------------------------------
which release notes ? for the RFC1918_LOG_LEVEL ?

On Wed, Aug 5, 2009 at 11:49 PM, Tom Eastep<teastep@shorewall.net> wrote:
> Mekabe Ramein wrote:
>> On Wed, Aug 5, 2009 at 11:40 PM, Mekabe Ramein<mrmrmrmr@gmail.com> wrote:
>>> On Wed, Aug 5, 2009 at 10:26 PM, Tom Eastep<teastep@shorewall.net> wrote:
>>>> Mekabe Ramein wrote:
>>>>> Hi,
>>>>>
>>>>> I am moving my old Shorewall configuration to a new box with new
>>>>> version of Shorewall.
>>>>> Unfortunately I have a problem starting it if I keep the "ULOG"
>>>>> parameter in the following line of rules file.
>>>>>
>>>>> REDIRECT:ULOG wall 82 tcp 80
>>>>>
>>>>> If I remove the ":ULOG" from that line, Shorewall starts successfully.
>>>>>
>>>>> I am attaching the start trace "shorewall -vv start" output to this email.
>>>>>
>>>>> The given error is :
>>>>> iptables v1.3.5: Need TCP or UDP with port specification
>>>>> Try `iptables -h' or 'iptables --help' for more information.
>>>>> ERROR: Command "/sbin/iptables -A log0 -j REDIRECT --to-port 82" Failed
>>>>>
>>>>>
>>>>> What is the problem ?
>>>> The attached patch should correct the problem.
>>>>
>>>> patch /usr/share/shorewall/Shorewall/Chains.pm < logging.diff
>>>>
>>>> -Tom
>>>
>>> Thank you. It really solved the problem. I assume this patch will be
>>> included in the final release, right ?
>>> Btw, ACCEPT rule with ULOG parameter was being accepted while REDIRECT was not.
>>>
>>> Thanks.
>>>
>>
>> I just noticed that I receive the following warning when starting Shorewall:
>> WARNING: RFC1918_LOG_LEVEL=ULOG ignored. The 'norfc1918'
>> interface/host option is no longer supported
>>
>> What does that mean ? Should I take any actions ?
>
> Please read the release notes.
>
> -Tom
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
>

------------------------------------------------------------------------------
Mekabe Ramein wrote:
> which release notes ? for the RFC1918_LOG_LEVEL ?

I hope you are joking....

But in case you are not, you can find the release notes for RC2 at
http://www.shorewall.net/pub/shorewall/development/4.4/shorewall-4.4.0-RC2/releasenotes.txt.
They were also installed on your computer when you installed the latest
version of Shorewall (which I assume is RC2 -- you didn't bother to say
in your report).

-Tom

------------------------------------------------------------------------------
Mekabe Ramein wrote:

>
> Thank you. It really solved the problem. I assume this patch will be
> included in the final release, right ?

We distribute Betas and Release Candidates in order to identify *and
remove* defects before final.

> Btw, ACCEPT rule with ULOG parameter was being accepted while
> REDIRECT was not.

I know. If you read
http://www1.shorewall.net/pub/shorewall/development/4.4/shorewall-4.4.0-RC2/known_problems.txt,
you will find this characterization of the defect:

1)  A nat rule (DNAT, REDIRECT, etc.) which changes the destination
    port number and that has logging specified can cause invalid
    iptables input to be generated.

    Example of rule:

        REDIRECT:ULOG wall 82 tcp 80

    Example of error message:

        iptables v1.3.5: Need TCP or UDP with port specification
        Try `iptables -h' or 'iptables --help' for more information.
        ERROR: Command "/sbin/iptables -A log0 -j REDIRECT --to-port 82" Failed

-Tom

------------------------------------------------------------------------------
On Thu, Aug 6, 2009 at 12:46 AM, Tom Eastep<teastep@shorewall.net> wrote:
> Mekabe Ramein wrote:
>
>>
>> Thank you. It really solved the problem. I assume this patch will be
>> included in the final release, right ?
>
> We distribute Betas and Release Candidates in order to identify *and
> remove* defects before final.
>
>> Btw, ACCEPT rule with ULOG parameter was being accepted while
>> REDIRECT was not.
>
> I know. If you read
> http://www1.shorewall.net/pub/shorewall/development/4.4/shorewall-4.4.0-RC2/known_problems.txt,
> you will find this characterization of the defect:
>
> 1) A nat rule (DNAT, REDIRECT, etc.) which changes the destination
> port number and that has logging specified can cause invalid
> iptables input to be generated.
>
> Example of rule:
>
> REDIRECT:ULOG wall 82 tcp 80
>
> Example of error message:
>
> iptables v1.3.5: Need TCP or UDP with port specification
> Try `iptables -h' or 'iptables --help' for more information.
> ERROR: Command "/sbin/iptables -A log0 -j REDIRECT --to-port
> 82" Failed
>
> -Tom
> --
> Tom Eastep

Thanks for the detailed explanation.
What about the following warning message:

WARNING: RFC1918_LOG_LEVEL=ULOG ignored. The 'norfc1918'
interface/host option is no longer supported

Regards.

------------------------------------------------------------------------------
Mekabe Ramein wrote:

>
> Thanks for the detailed explanation.
> What about the following warning message:
>
> WARNING: RFC1918_LOG_LEVEL=ULOG ignored. The 'norfc1918'
> interface/host option is no longer supported
>

You must have missed my response -- I've attached it for your reference.

-Tom

------------------------------------------------------------------------------
Tom Eastep wrote:
> Mekabe Ramein wrote:
>> Thanks for the detailed explanation.
>> What about the following warning message:
>>
>> WARNING: RFC1918_LOG_LEVEL=ULOG ignored. The 'norfc1918'
>> interface/host option is no longer supported
>>
>
> You must have missed my response -- I've attached it for your reference.
>

And in the extremely unlikely event that you still don't understand,
I've updated the release notes as follows:

7)  Support for the 'norfc1918' interface and host option has been
    removed. If 'norfc1918' is specified for an entry in either the
    interfaces or the hosts file, a warning is issued and the option
    is ignored. Simply remove the option to avoid the warning.

    Similarly, if RFC1918_STRICT=Yes or a non-empty RFC1918_LOG_LEVEL
    is given in shorewall.conf, a warning will be issued and the
    option will be ignored. You may simply delete the RFC1918-related
    options from your shorewall.conf file if you are seeing warnings
    regarding them.

    Users who currently use 'norfc1918' are encouraged to consider
    using NULL_ROUTE_RFC1918=Yes instead.

And I've added this to the Known Problems list whose URL I sent you earlier:

2)  There appears to be some confusion about the following error
    message:

        WARNING: RFC1918_LOG_LEVEL=ULOG ignored. The 'norfc1918'
        interface/host option is no longer supported

    To eliminate the message, simply delete the line from your
    shorewall.conf file.

-Tom

------------------------------------------------------------------------------
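Both issues in this thread (Known Problem 1 and release-notes item 7) can be checked for in a configuration directory before Shorewall is started on the new version. The script below is an added example, not part of the thread and not Shorewall code; the function names are hypothetical, the file names assume the usual rules, interfaces, hosts and shorewall.conf layout, and the sample files are constructed. It conservatively flags every logged REDIRECT that names a port in the DEST column and every logged DNAT whose DEST carries a port.

```shell
# Added example, not Shorewall code. Function names are hypothetical; file
# names assume the usual layout (rules, interfaces, hosts, shorewall.conf).

# Known Problem 1: NAT rules that log and also set a new destination port.
audit_nat_logging() {
    awk '
        /^[ \t]*#/ { next }                      # skip comment lines
        {
            n = split($1, act, ":")              # ACTION[:LOGLEVEL[:TAG]]
            if (n < 2 || act[2] == "") next      # rule does not log
            a = act[1]; sub(/-$/, "", a)         # DNAT- and REDIRECT- variants
            # REDIRECT: DEST column is the new port. DNAT: zone:address:port.
            if ((a == "REDIRECT" && $3 != "" && $3 != "-") ||
                (a == "DNAT" && split($3, d, ":") >= 3))
                print FILENAME ":" FNR ": " $0
        }' "$1"
}

# Release notes item 7: RFC1918 settings that are ignored with a warning.
audit_rfc1918() {
    for f in "$1/shorewall.conf" "$1/interfaces" "$1/hosts"; do
        [ -f "$f" ] || continue
        awk '
            /^[ \t]*#/ { next }
            /^[ \t]*RFC1918_(LOG_LEVEL|STRICT)=/ {
                v = $0; sub(/^[^=]*=/, "", v); sub(/#.*/, "", v); gsub(/[" \t]/, "", v)
                if (($0 ~ /STRICT/) ? (tolower(v) == "yes") : (v != "")) print FILENAME ":" FNR ": " $0
                next
            }
            /(^|[ \t,])norfc1918([ \t,]|$)/ { print FILENAME ":" FNR ": " $0 }
        ' "$f"
    done
}

# Constructed sample configuration; prints the directory it creates.
make_sample_config() {
    d=$(mktemp -d)
    printf '%s\n' '#ACTION SOURCE DEST PROTO DEST_PORT' \
        'REDIRECT:ULOG wall 82 tcp 80' \
        'ACCEPT:ULOG net wall tcp 22' \
        'DNAT:info net loc:192.168.1.3:8080 tcp 80' \
        'DNAT net loc:192.168.1.4:8443 tcp 443' > "$d/rules"
    printf '%s\n' 'net eth0 detect dhcp,norfc1918,tcpflags' \
        'loc eth1 detect tcpflags' > "$d/interfaces"
    printf '%s\n' 'RFC1918_LOG_LEVEL=ULOG' 'RFC1918_STRICT=No' \
        'NULL_ROUTE_RFC1918=Yes' > "$d/shorewall.conf"
    echo "$d"
}

cfg=$(make_sample_config)
audit_nat_logging "$cfg/rules"
audit_rfc1918 "$cfg"
rm -rf "$cfg"
```

To audit a real configuration, pass the rules file to `audit_nat_logging` and the configuration directory to `audit_rfc1918`.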