I've followed the directions in http://www.shorewall.net/PortKnocking.html. I like the reduction in traffic (network and log) from random hosts trying to brute-force their way into my system.

The port knocking worked fine until the last shorewall update from Debian (4.4.21.1-1).

Now, when I try to start/restart shorewall, I see the following error:

Initializing...
Setting up Route Filtering...
Setting up Martian Logging...
Setting up Traffic Control...
Preparing iptables-restore input...
Running /sbin/iptables-restore...
iptables-restore v1.4.12: invalid port/service `!' specified
Error occurred at line: 166
Try `iptables-restore -h' or 'iptables-restore --help' for more information.
ERROR: iptables-restore Failed. Input is in /var/lib/shorewall/.iptables-restore-input
Restoring Shorewall...
Initializing...
Setting up Route Filtering...
Setting up Martian Logging...
Setting up Traffic Control...
IPv4 Forwarding Enabled
Shorewall restored from /var/lib/shorewall/restore
/usr/share/shorewall/lib.common: line 69:   536 Terminated   $SHOREWALL_SHELL $script $options $@

Disabling the port knocking from /etc/shorewall/rules allows shorewall to start up properly.

The offending line (plus context) is:

-A OUTPUT -o eth1 -j eth1_out
-A OUTPUT -o eth0 -m policy --dir out --pol none -j fw2gige
-A OUTPUT -o eth2 -m policy --dir out --pol none -j fw2dmz
-A OUTPUT -o sixxs -m policy --dir out --pol none -j fw2sixxs
-A OUTPUT -o ppp+ -m policy --dir out --pol none -j fw2l2tp
-A OUTPUT -o tun+ -m policy --dir out --pol none -j fw2road
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -j Drop
-A OUTPUT -j LOG --log-level 6 --log-prefix "Shorewall:OUTPUT:DROP:"
-A OUTPUT -j DROP
-A %ZNCKnock -p tcp --dport 6667 -m recent --rcheck --name ZNC -j LOG --log-level 6 --log-prefix "Shorewall:ZNCKnock:ACCEPT:"
-A %ZNCKnock -p tcp --dport ! 6667 -j LOG --log-level 6 --log-prefix "Shorewall:ZNCKnock:DROP:"
-A %ZNCKnock -p tcp --dport 6667 -m recent --rcheck --seconds 60 --name ZNC -j ACCEPT

(the offending line is
-A %ZNCKnock -p tcp --dport ! 6667 -j LOG --log-level 6 --log-prefix "Shorewall:ZNCKnock:DROP:" )

Is there something obvious I'm missing, or is there a bug in shorewall 4.4.21.1? As I said - before I upgraded, the port knocking actions worked fine.

--
Troy Telford

------------------------------------------------------------------------------
uberSVN's rich system and user administration capabilities and model configuration take the hassle out of deploying and managing Subversion and the tools developers use with it. Learn more about uberSVN and get a free download at:
http://p.sf.net/sfu/wandisco-dev2dev
On Tue, 2011-08-09 at 13:50 -0600, Troy Telford wrote:
> I've followed the directions in
> http://www.shorewall.net/PortKnocking.html. I like the reduction in
> traffic (network and log) from random hosts trying to brute-force their
> way into my system.
>
> The port knocking worked fine until the last shorewall update from
> Debian (4.4.21.1-1)
>
> Now, when I try to start/restart shorewall, I see the following error:
> Initializing...
> Setting up Route Filtering...
> Setting up Martian Logging...
> Setting up Traffic Control...
> Preparing iptables-restore input...
> Running /sbin/iptables-restore...
> iptables-restore v1.4.12: invalid port/service `!' specified
> Error occurred at line: 166
> Try `iptables-restore -h' or 'iptables-restore --help' for more information.
> ERROR: iptables-restore Failed. Input is in
> /var/lib/shorewall/.iptables-restore-input
> Restoring Shorewall...
> Initializing...
> Setting up Route Filtering...
> Setting up Martian Logging...
> Setting up Traffic Control...
> IPv4 Forwarding Enabled
> Shorewall restored from /var/lib/shorewall/restore
> /usr/share/shorewall/lib.common: line 69:   536 Terminated
> $SHOREWALL_SHELL $script $options $@
>
> Disabling the port knocking from /etc/shorewall/rules allows shorewall
> to start up properly.
>
> The offending line (plus context) is:
>
> -A OUTPUT -o eth1 -j eth1_out
> -A OUTPUT -o eth0 -m policy --dir out --pol none -j fw2gige
> -A OUTPUT -o eth2 -m policy --dir out --pol none -j fw2dmz
> -A OUTPUT -o sixxs -m policy --dir out --pol none -j fw2sixxs
> -A OUTPUT -o ppp+ -m policy --dir out --pol none -j fw2l2tp
> -A OUTPUT -o tun+ -m policy --dir out --pol none -j fw2road
> -A OUTPUT -o lo -j ACCEPT
> -A OUTPUT -j Drop
> -A OUTPUT -j LOG --log-level 6 --log-prefix "Shorewall:OUTPUT:DROP:"
> -A OUTPUT -j DROP
> -A %ZNCKnock -p tcp --dport 6667 -m recent --rcheck --name ZNC -j LOG
> --log-level 6 --log-prefix "Shorewall:ZNCKnock:ACCEPT:"
> -A %ZNCKnock -p tcp --dport ! 6667 -j LOG --log-level 6 --log-prefix
> "Shorewall:ZNCKnock:DROP:"
> -A %ZNCKnock -p tcp --dport 6667 -m recent --rcheck --seconds 60
> --name ZNC -j ACCEPT
>
> (the offending line is
> -A %ZNCKnock -p tcp --dport ! 6667 -j LOG --log-level 6 --log-prefix
> "Shorewall:ZNCKnock:DROP:" )
>
> Is there something obvious I'm missing, or is there a bug in shorewall
> 4.4.21.1? As I said - before I upgraded, the port knocking actions
> worked fine.

Did you also upgrade iptables at the same time as Shorewall?

Anyway, in /etc/shorewall/ZNCKnock, try changing all instances of '--dport !' to '! --dport'.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
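One way to mechanise the fix Tom describes, as example code added here (not from the thread, from Shorewall or from the Port Knocking HOWTO): it reports which lines of a rules or iptables-restore file still use the inline negation that iptables 1.4.12 rejects, the way 'Error occurred at line: 166' did, and rewrites them to the accepted '! --dport' form while leaving already-converted lines alone. It also covers --sport and the multiport --dports/--sports, which the thread does not mention; that the same syntax change applies to them is my assumption.

```python
import re
import sys

# iptables 1.4.12 rejects the old inline negation "OPT ! VALUE" (e.g. "--dport ! 6667")
# that earlier releases only warned about; the accepted form is "! OPT VALUE".
# --dport is what the thread shows; extending this to --sport and the multiport
# --dports/--sports is an assumption made for this example.
INLINE_NEG = re.compile(r"(--[sd]ports?)\s+!\s+(\S+)")


def find_inline_negations(text):
    """Return 1-based line numbers that still carry the rejected 'OPT ! VALUE' form,
    i.e. the lines iptables-restore would stop on."""
    return [n for n, line in enumerate(text.splitlines(), 1) if INLINE_NEG.search(line)]


def convert_negation(text):
    """Rewrite 'OPT ! VALUE' to '! OPT VALUE'. Lines already in the new form, or
    without any negation, are left untouched, so running this twice is harmless."""
    return INLINE_NEG.sub(r"! \1 \2", text)


# Constructed sample in the iptables-restore format quoted in the thread: line 2 uses
# the rejected form, line 3 is already converted and must not be touched.
SAMPLE = """\
-A %ZNCKnock -p tcp --dport 6667 -m recent --rcheck --name ZNC -j LOG --log-level 6 --log-prefix "Shorewall:ZNCKnock:ACCEPT:"
-A %ZNCKnock -p tcp --dport ! 6667 -j LOG --log-level 6 --log-prefix "Shorewall:ZNCKnock:DROP:"
-A %ZNCKnock -p tcp ! --dport 6667 -j DROP
-A %ZNCKnock -p tcp --dport 6667 -m recent --rcheck --seconds 60 --name ZNC -j ACCEPT
"""

if __name__ == "__main__":
    # Usage: python fix_negation.py [FILE]  (uses SAMPLE when no file is given;
    # converted text goes to stdout, the offending line numbers to stderr)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    bad = find_inline_negations(text)
    print("inline negation on line(s): %s" % (bad or "none"), file=sys.stderr)
    sys.stdout.write(convert_negation(text))
```

Run it against a copy of the file first and diff the output before replacing /etc/shorewall/ZNCKnock, then restart shorewall so iptables-restore re-reads the generated input.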
On 2011-08-09 20:11:13 +0000, Tom Eastep said:
> Did you also upgrade iptables at the same time as Shorewall?

/var/log/apt/history.log states that shorewall & iptables were updated at the same time (or at least, in the same apt-get upgrade).

> Anyway, in /etc/shorewall/ZNCKnock, try changing all instances of
> '--dport !' to '! --dport'.

And that works. Thank you!

--
Troy Telford
On Tue, 2011-08-09 at 13:11 -0700, Tom Eastep wrote:
> Did you also upgrade iptables at the same time as Shorewall?

I'm betting that you did. iptables 1.4.12 rejects syntax that earlier versions treated as a warning.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
On Tue, 2011-08-09 at 14:34 -0600, Troy Telford wrote:
> On 2011-08-09 20:11:13 +0000, Tom Eastep said:
> > Did you also upgrade iptables at the same time as Shorewall?
>
> /var/log/apt/history.log states that shorewall & iptables were updated
> at the same time (or at least, in the same apt-get upgrade).
>
> > Anyway, in /etc/shorewall/ZNCKnock, try changing all instances of
> > '--dport !' to '! --dport'.
>
> And that works. Thank you!

You're welcome. I've also updated the Port Knocking HOWTO.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________