I'm switching my router/AP from the wireless madwifi driver to the in-kernel ath5k driver. Everything seems to work, except I need shorewall for NAT and it won't start because it says the loc zone is empty. The only interface in the loc zone is wlan0, which is started by hostapd and is up and making connections. Does anyone know why shorewall doesn't know wlan0 is up? Shorewall started when I was using the madwifi driver and starting the Gentoo /etc/init.d/net.wlan0 script, but hostapd needs to start wlan0 when using ath5k in master mode.

- Grant

------------------------------------------------------------------------------
This SF.Net email is sponsored by the Verizon Developer Community. Take advantage of Verizon's best-in-class app development support. A streamlined, 14 day to market process makes app distribution fast and easy. Join now and get one step closer to millions of Verizon customers. http://p.sf.net/sfu/verizon-dev2dev
On Mon, 21 Dec 2009 06:29:46 -0800 Grant <emailgrant@gmail.com> wrote:

> I'm switching my router/AP from the wireless madwifi driver to the
> in-kernel ath5k driver. Everything seems to work, except I need
> shorewall for NAT and it won't start because it says the loc zone is
> empty.

That is a Shorewall configuration blunder

> The only interface in the loc zone is wlan0, which is started
> by hostapd and is up and making connections. Does anyone know why
> shorewall doesn't know wlan0 is up? Shorewall started when I was
> using the madwifi driver and starting the Gentoo /etc/init.d/net.wlan0
> script, but hostapd needs to start wlan0 when using ath5k in master
> mode.

If Shorewall is truly telling you that 'loc' is empty, then

a) That doesn't stop Shorewall from starting.
b) It means that you have NO hosts defined to be in the loc zone.

-Tom

--
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
>> I'm switching my router/AP from the wireless madwifi driver to the
>> in-kernel ath5k driver. Everything seems to work, except I need
>> shorewall for NAT and it won't start because it says the loc zone is
>> empty.
>
> That is a Shorewall configuration blunder
>
>> The only interface in the loc zone is wlan0, which is started
>> by hostapd and is up and making connections. Does anyone know why
>> shorewall doesn't know wlan0 is up? Shorewall started when I was
>> using the madwifi driver and starting the Gentoo /etc/init.d/net.wlan0
>> script, but hostapd needs to start wlan0 when using ath5k in master
>> mode.
>
> If Shorewall is truly telling you that 'loc' is empty, then
>
> a) That doesn't stop Shorewall from starting.
> b) It means that you have NO hosts defined to be in the loc zone.
>
> -Tom

I get the following when trying to start shorewall:

WARNING: Zone loc is empty
ERROR: Unable to determine the routes through interface "wlan0"

My interfaces file has:

loc wlan0 detect tcpflags,detectnets,nosmurfs

Where do I need to look for my error?

- Grant
Make sure that you have 'wlan0' defined in your 'zones' file.

Scott Ackerman
1212 Baker Street
Fort Collins, Colorado 80524
970-689-3999
www.fine-pottery.com
www.ackerman-family.org

"Every improvement in the standard of work men do is followed swiftly and inevitably by an improvement in the men who do it" - William Morris

> -----Original Message-----
> From: Grant [mailto:emailgrant@gmail.com]
> Sent: Tuesday, December 22, 2009 6:59 AM
> To: Shorewall Users
> Subject: Re: [Shorewall-users] Shorewall doesn't know wlan0 is up
>
> >> I'm switching my router/AP from the wireless madwifi driver to the
> >> in-kernel ath5k driver. Everything seems to work, except I need
> >> shorewall for NAT and it won't start because it says the loc zone is
> >> empty.
> >
> > That is a Shorewall configuration blunder
> >
> >> The only interface in the loc zone is wlan0, which is started by
> >> hostapd and is up and making connections. Does anyone know why
> >> shorewall doesn't know wlan0 is up? Shorewall started when I was
> >> using the madwifi driver and starting the Gentoo
> >> /etc/init.d/net.wlan0 script, but hostapd needs to start wlan0 when
> >> using ath5k in master mode.
> >
> > If Shorewall is truly telling you that 'loc' is empty, then
> >
> > a) That doesn't stop Shorewall from starting.
> > b) It means that you have NO hosts defined to be in the loc zone.
> >
> > -Tom
>
> I get the following when trying to start shorewall:
>
> WARNING: Zone loc is empty
> ERROR: Unable to determine the routes through interface "wlan0"
>
> My interfaces file has:
>
> loc wlan0 detect tcpflags,detectnets,nosmurfs
>
> Where do I need to look for my error?
>
> - Grant
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
Grant wrote:

> I get the following when trying to start shorewall:
>
> WARNING: Zone loc is empty
> ERROR: Unable to determine the routes through interface "wlan0"
>
> My interfaces file has:
>
> loc wlan0 detect tcpflags,detectnets,nosmurfs
>
> Where do I need to look for my error?

If you have that line in your interfaces file, then I suspect that:

a) You are using shorewall-shell.
b) That line is the last line in the file.
c) The line is not terminated by a newline character. This causes the shell's 'read' built-in command to simply ignore the line.

That's why all of the sample configuration files in older versions of Shorewall end in a line such as:

#MUST BE LAST -- DO NOT REMOVE

The ERROR (Unable to determine...) is caused by having a line such as this in /etc/shorewall/masq:

ethX wlan0

This requires that wlan0 be up and configured when Shorewall starts. In particular, the command 'ip route ls dev wlan0' must succeed; if it does not, then you get the error you mention.

In Shorewall 4.4, that entry in the masq file generates a WARNING. It is much preferred to replace wlan0 with the network served by wlan0 (e.g., 192.168.1.0/24) so that Shorewall will start even if routing is not configured on the interface.

-Tom
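Tom's point about the shell 'read' built-in silently dropping a last line that has no trailing newline can be checked directly. The script below is an added example, not Shorewall's own code: it builds a constructed interfaces file whose final entry lacks a newline, counts the entries a naive read loop sees against a loop that keeps the last line, and gives a one-line check for the missing newline. The function names are my own.

```shell
#!/bin/sh
# Added example (not Shorewall's own code). Shows how a whitespace-separated
# config line with no trailing newline is skipped by a plain `while read`
# loop, as Tom describes for shorewall-shell, and how to detect and avoid
# that. All file contents here are constructed for the demo.

# Count entries the way a naive parser does: stop as soon as `read` fails.
# `read` returns non-zero on EOF even when it has filled the variables, so
# an unterminated final line is never processed.
count_naive() {
    n=0
    while read -r zone iface rest; do
        case "$zone" in ''|'#'*) continue ;; esac   # skip blanks and comments
        n=$((n + 1))
    done < "$1"
    echo "$n"
}

# Same loop, but run the body once more when `read` hit EOF with data still
# in $zone. This keeps an unterminated final line.
count_robust() {
    n=0
    while read -r zone iface rest || [ -n "$zone" ]; do
        case "$zone" in ''|'#'*) continue ;; esac
        n=$((n + 1))
    done < "$1"
    echo "$n"
}

# Succeeds when the file's last byte is not a newline. Command substitution
# strips a trailing newline, so the output is empty exactly when the final
# byte is "\n".
last_line_unterminated() {
    [ -n "$(tail -c 1 "$1")" ]
}

# Stand-alone demo on a constructed interfaces file modelled on the one in
# this thread; the loc entry is deliberately written without a newline.
demo() {
    f=$(mktemp)
    printf '#ZONE INTERFACE BROADCAST OPTIONS\n' > "$f"
    printf 'net eth0 detect tcpflags,routefilter,nosmurfs\n' >> "$f"
    printf 'loc wlan0 detect tcpflags,nosmurfs' >> "$f"
    if last_line_unterminated "$f"; then
        echo "warning: last line of $f has no trailing newline"
    fi
    echo "naive parser sees $(count_naive "$f") entries"
    echo "robust parser sees $(count_robust "$f") entries"
    rm -f "$f"
}

demo
```

Run against a real /etc/shorewall/interfaces, `last_line_unterminated` is the quick check for the condition Tom describes; the fix is simply to append a newline (or keep the "DO NOT REMOVE" comment line last).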
> Make sure that you have 'wlan0' defined in your 'zones' file.

Are you sure? I have the following zones file and it works fine when using madwifi (ath0) instead of ath5k (wlan0).

fw firewall
net ipv4
loc ipv4

- Grant
>> I get the following when trying to start shorewall:
>>
>> WARNING: Zone loc is empty
>> ERROR: Unable to determine the routes through interface "wlan0"
>>
>> My interfaces file has:
>>
>> loc wlan0 detect tcpflags,detectnets,nosmurfs
>>
>> Where do I need to look for my error?
>
> If you have that line in your interfaces file, then I suspect that:
>
> a) You are using shorewall-shell.

I'm using Gentoo's /etc/init.d/shorewall.

> b) That line is the last line in the file.
> c) The line is not terminated by a newline character. This causes the
> shell's 'read' built-in command to simply ignore the line.

I re-wrote newline characters with the same result, and I do have the commented DO NOT REMOVE line as the last line.

> That's why all of the sample configuration files in older versions of
> Shorewall end in a line such as:
>
> #MUST BE LAST -- DO NOT REMOVE
>
> The ERROR (Unable to determine...) is caused by having a line such as
> this in /etc/shorewall/masq:
>
> ethX wlan0
>
> This requires that wlan0 be up and configured when Shorewall starts. In
> particular, the command 'ip route ls dev wlan0' must succeed; if it does
> not, then you get the error you mention.

I think something is wrong with my wlan0. I'm going to try and figure that out.

> In Shorewall 4.4, that entry in the masq file generates a WARNING. It is
> much preferred to replace wlan0 with the network served by wlan0 (e.g.,
> 192.168.1.0/24) so that Shorewall will start even if routing is not
> configured on the interface.

If my router's IP is 192.168.0.1, would I specify 192.168.0.0/24 as the ADDRESS?

- Grant
Grant wrote:

>>> I get the following when trying to start shorewall:
>>>
>>> WARNING: Zone loc is empty
>>> ERROR: Unable to determine the routes through interface "wlan0"
>>>
>>> My interfaces file has:
>>>
>>> loc wlan0 detect tcpflags,detectnets,nosmurfs
>>>
>>> Where do I need to look for my error?
>> If you have that line in your interfaces file, then I suspect that:
>>
>> a) You are using shorewall-shell.
>
> I'm using Gentoo's /etc/init.d/shorewall.

Uh -- Please type 'shorewall version -a'. That command will tell you what version of Shorewall you are using and which Shorewall product (if you are running Shorewall 4.0 or 4.2).

>> b) That line is the last line in the file.
>> c) The line is not terminated by a newline character. This causes the
>> shell's 'read' built-in command to simply ignore the line.
>
> I re-wrote newline characters with the same result, and I do have the
> commented DO NOT REMOVE line as the last line.
>

Does the prior line end in a comment with '\' as the last character on the line? Might be helpful if you would attach your /etc/shorewall/interfaces file.

>> That's why all of the sample configuration files in older versions of
>> Shorewall end in a line such as:
>>
>> #MUST BE LAST -- DO NOT REMOVE
>>
>> The ERROR (Unable to determine...) is caused by having a line such as
>> this in /etc/shorewall/masq:
>>
>> ethX wlan0
>>
>> This requires that wlan0 be up and configured when Shorewall starts. In
>> particular, the command 'ip route ls dev wlan0' must succeed; if it does
>> not, then you get the error you mention.
>
> I think something is wrong with my wlan0. I'm going to try and figure that out.

I agree.

>> In Shorewall 4.4, that entry in the masq file generates a WARNING. It is
>> much preferred to replace wlan0 with the network served by wlan0 (e.g.,
>> 192.168.1.0/24) so that Shorewall will start even if routing is not
>> configured on the interface.
>
> If my router's IP is 192.168.0.1, would I specify 192.168.0.0/24 as the ADDRESS?

Most likely. I suggest that you 'shorewall clear' then get communications established on your wireless network. That is a necessary first step before you try to run Shorewall.

-Tom
>>>> I get the following when trying to start shorewall:
>>>>
>>>> WARNING: Zone loc is empty
>>>> ERROR: Unable to determine the routes through interface "wlan0"
>>>>
>>>> My interfaces file has:
>>>>
>>>> loc wlan0 detect tcpflags,detectnets,nosmurfs
>>>>
>>>> Where do I need to look for my error?

I'm having another crack at this.

>>> If you have that line in your interfaces file, then I suspect that:
>>>
>>> a) You are using shorewall-shell.
>>
>> I'm using Gentoo's /etc/init.d/shorewall.
>
> Uh -- Please type 'shorewall version -a'. That command will tell you
> what version of Shorewall you are using and which Shorewall product (if
> you are running Shorewall 4.0 or 4.2).

# shorewall version -a
3.4.8

>>> b) That line is the last line in the file.
>>> c) The line is not terminated by a newline character. This causes the
>>> shell's 'read' built-in command to simply ignore the line.
>>
>> I re-wrote newline characters with the same result, and I do have the
>> commented DO NOT REMOVE line as the last line.
>>
>
> Does the prior line end in a comment with '\' as the last character on
> the line? Might be helpful if you would attach your
> /etc/shorewall/interfaces file.

#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      tcpflags,routefilter,nosmurfs,logmartians
loc     wlan0       detect      tcpflags,detectnets,nosmurfs
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

>>> That's why all of the sample configuration files in older versions of
>>> Shorewall end in a line such as:
>>>
>>> #MUST BE LAST -- DO NOT REMOVE
>>>
>>> The ERROR (Unable to determine...) is caused by having a line such as
>>> this in /etc/shorewall/masq:
>>>
>>> ethX wlan0
>>>
>>> This requires that wlan0 be up and configured when Shorewall starts. In
>>> particular, the command 'ip route ls dev wlan0' must succeed; if it does
>>> not, then you get the error you mention.

# ip route ls dev wlan0
# /etc/init.d/shorewall restart
 * Restarting firewall ...
WARNING: Zone loc is empty
Shorewall is not running
ERROR: Unable to determine the routes through interface "wlan0"
/sbin/shorewall: line 665:  4862 Terminated              $SHOREWALL_SHELL ${VARDIR}/.restart $debugging re
 [ !! ]

It looks like the command executes without error, but I can't seem to start shorewall. Could there still be a problem with wlan0, or does 'ip route ls dev wlan0' executing confirm all is well?

- Grant

> -Tom

------------------------------------------------------------------------------
SOLARIS 10 is the OS for Data Centers - provides features such as DTrace, Predictive Self Healing and Award Winning ZFS. Get Solaris 10 NOW http://p.sf.net/sfu/solaris-dev2dev
Grant wrote:

>>>>> I get the following when trying to start shorewall:
>>>>>
>>>>> WARNING: Zone loc is empty
>>>>> ERROR: Unable to determine the routes through interface "wlan0"
>>>>>
>>>>> My interfaces file has:
>>>>>
>>>>> loc wlan0 detect tcpflags,detectnets,nosmurfs
>>>>>
>>>>> Where do I need to look for my error?
>
> I'm having another crack at this.
>
>>>> If you have that line in your interfaces file, then I suspect that:
>>>>
>>>> a) You are using shorewall-shell.
>>> I'm using Gentoo's /etc/init.d/shorewall.
>> Uh -- Please type 'shorewall version -a'. That command will tell you
>> what version of Shorewall you are using and which Shorewall product (if
>> you are running Shorewall 4.0 or 4.2).
>
> # shorewall version -a
> 3.4.8
>

I really recommend that you upgrade. 3.4.8 was the last 3.x release and, as such, is based on Shorewall-shell. It is slow and buggy.

>>>> b) That line is the last line in the file.
>>>> c) The line is not terminated by a newline character. This causes the
>>>> shell's 'read' built-in command to simply ignore the line.
>>> I re-wrote newline characters with the same result, and I do have the
>>> commented DO NOT REMOVE line as the last line.
>>>
>> Does the prior line end in a comment with '\' as the last character on
>> the line? Might be helpful if you would attach your
>> /etc/shorewall/interfaces file.
>
> #ZONE   INTERFACE   BROADCAST   OPTIONS
> net     eth0        detect      tcpflags,routefilter,nosmurfs,logmartians
> loc     wlan0       detect      tcpflags,detectnets,nosmurfs
> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
>
>>>> That's why all of the sample configuration files in older versions of
>>>> Shorewall end in a line such as:
>>>>
>>>> #MUST BE LAST -- DO NOT REMOVE
>>>>
>>>> The ERROR (Unable to determine...) is caused by having a line such as
>>>> this in /etc/shorewall/masq:
>>>>
>>>> ethX wlan0
>>>>
>>>> This requires that wlan0 be up and configured when Shorewall starts. In
>>>> particular, the command 'ip route ls dev wlan0' must succeed; if it does
>>>> not, then you get the error you mention.
>
> # ip route ls dev wlan0
> # /etc/init.d/shorewall restart
>  * Restarting firewall ...
> WARNING: Zone loc is empty
> Shorewall is not running
> ERROR: Unable to determine the routes through interface "wlan0"

You appear to have no IP configuration on wlan0 yet you have defined it as an interface to Shorewall and have specified 'detectnets'. I recommend that you:

a) Configure the interface; and
b) Don't use 'detectnets' in your configuration; that option doesn't exist in later versions of the product.

-Tom
>> # ip route ls dev wlan0
>> # /etc/init.d/shorewall restart
>>  * Restarting firewall ...
>> WARNING: Zone loc is empty
>> Shorewall is not running
>> ERROR: Unable to determine the routes through interface "wlan0"
>
> You appear to have no IP configuration on wlan0 yet you have defined it
> as an interface to Shorewall and have specified 'detectnets'. I
> recommend that you:
>
> a) Configure the interface; and

Thank you, all I needed to do was 'ifconfig wlan0 192.168.1.1' and everything works.

> b) Don't use 'detectnets' in your configuration; that option doesn't
> exist in later versions of the product.

OK, I've replaced it with routefilter and logmartians.

- Grant

> -Tom