Shorewall users - Mar 2012 - Possible bug with shorewall 4.5.0.1

Hi, I have a problem using "shorewall restart" with shorewall 4.5.0.1
on
kernel 3.2.10, iptables 1.4.12.1

Shorewall starts correctly at boot time, but then a restart triggers error:

Initializing...
Processing /etc/shorewall/init ...
Command: restart
Processing /etc/shorewall/tcclear ...
Setting up Route Filtering...
Setting up Martian Logging...
Setting up Proxy ARP...
Adding Providers...
Setting up Traffic Control...
Preparing iptables-restore input...
Running debug_restore_input...
iptables: Chain already exists.
    ERROR: Command "/sbin/iptables :eth0_masq - [0:0]" Failed
Processing /etc/shorewall/stop ...
Processing /etc/shorewall/tcclear ...
Running debug_restore_input...
IPv4 Forwarding Enabled
Processing /etc/shorewall/stopped ...
Terminated


Running shorewall stop & clear, then "shorewall show nat" shows
lots of
chains, eg small sample:

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
  pkts bytes target     prot opt in     out     source               
destination
     1    76 eth0_masq  all  --  *      eth0    0.0.0.0/0            
0.0.0.0/0
     0     0 eth1_masq  all  --  *      eth1    0.0.0.0/0            
0.0.0.0/0
     0     0 eth2_masq  all  --  *      eth2    0.0.0.0/0            
0.0.0.0/0
     0     0 eth3_masq  all  --  *      eth3    0.0.0.0/0            
0.0.0.0/0
     0     0 wlan1_masq  all  --  *      wlan1   0.0.0.0/0            
0.0.0.0/0
     0     0 wlan2_masq  all  --  *      wlan2   0.0.0.0/0            
0.0.0.0/0
     0     0 ppp0_masq  all  --  *      ppp0    0.0.0.0/0            
0.0.0.0/0
     0     0 ppp1_masq  all  --  *      ppp1    0.0.0.0/0            
0.0.0.0/0
     0     0 ppp2_masq  all  --  *      ppp2    0.0.0.0/0            
0.0.0.0/0
     0     0 ppp3_masq  all  --  *      ppp3    0.0.0.0/0            
0.0.0.0/0
     1    76 ppp10_masq  all  --  *      ppp10   0.0.0.0/0            
0.0.0.0/0
     0     0 ppp11_masq  all  --  *      ppp11   0.0.0.0/0            
0.0.0.0/0
     0     0 ppp12_masq  all  --  *      ppp12   0.0.0.0/0            
0.0.0.0/0
     0     0 ppp13_masq  all  --  *      ppp13   0.0.0.0/0            
0.0.0.0/0

Chain eth0_masq (1 references)
  pkts bytes target     prot opt in     out     source               
destination
     1    76 MASQUERADE  all  --  *      *       0.0.0.0/0            
0.0.0.0/0

Chain eth1_masq (1 references)
  pkts bytes target     prot opt in     out     source               
destination
     0     0 MASQUERADE  all  --  *      *       0.0.0.0/0            
0.0.0.0/0
...


If I clear these manually "iptables -t nat -X", then shorewall starts
up
without an error


Further, if I add a DNAT rule, eg:
REDIRECT        loc             8000            tcp     80      -

Then the error changes to:

iptables: Chain already exists.
    ERROR: Command "/sbin/iptables :dnat - [0:0]" Failed


However, it still seems to be a nat table issue and is resolved by 
manually clearing the NAT table with iptables (shorewall clear doesn''t 
do it)

Grateful for any suggestions?

Thanks

Ed W

------------------------------------------------------------------------------
Try before you buy = See our experts in action!
The most comprehensive online learning library for Microsoft developers
is just $99.99! Visual Studio, SharePoint, SQL - plus HTML5, CSS3, MVC3,
Metro Style Apps, more. Free future releases when you subscribe now!
http://p.sf.net/sfu/learndevnow-dev2

On 03/05/2012 09:36 AM, Ed W wrote:
> Hi, I have a problem using "shorewall restart" with shorewall
4.5.0.1 on
> kernel 3.2.10, iptables 1.4.12.1
> 
> Shorewall starts correctly at boot time, but then a restart triggers error:
> 
> Initializing...
> Processing /etc/shorewall/init ...
> Command: restart
> Processing /etc/shorewall/tcclear ...
> Setting up Route Filtering...
> Setting up Martian Logging...
> Setting up Proxy ARP...
> Adding Providers...
> Setting up Traffic Control...
> Preparing iptables-restore input...
> Running debug_restore_input...
> iptables: Chain already exists.
>     ERROR: Command "/sbin/iptables :eth0_masq - [0:0]" Failed
> Processing /etc/shorewall/stop ...
> Processing /etc/shorewall/tcclear ...
> Running debug_restore_input...
> IPv4 Forwarding Enabled
> Processing /etc/shorewall/stopped ...
> Terminated
> 
> 
> Running shorewall stop & clear, then "shorewall show nat"
shows lots of
> chains, eg small sample:
> 
> Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
>   pkts bytes target     prot opt in     out     source               
> destination
>      1    76 eth0_masq  all  --  *      eth0    0.0.0.0/0            
> 0.0.0.0/0
>      0     0 eth1_masq  all  --  *      eth1    0.0.0.0/0            
> 0.0.0.0/0
>      0     0 eth2_masq  all  --  *      eth2    0.0.0.0/0            
> 0.0.0.0/0
>      0     0 eth3_masq  all  --  *      eth3    0.0.0.0/0            
> 0.0.0.0/0
>      0     0 wlan1_masq  all  --  *      wlan1   0.0.0.0/0            
> 0.0.0.0/0
>      0     0 wlan2_masq  all  --  *      wlan2   0.0.0.0/0            
> 0.0.0.0/0
>      0     0 ppp0_masq  all  --  *      ppp0    0.0.0.0/0            
> 0.0.0.0/0
>      0     0 ppp1_masq  all  --  *      ppp1    0.0.0.0/0            
> 0.0.0.0/0
>      0     0 ppp2_masq  all  --  *      ppp2    0.0.0.0/0            
> 0.0.0.0/0
>      0     0 ppp3_masq  all  --  *      ppp3    0.0.0.0/0            
> 0.0.0.0/0
>      1    76 ppp10_masq  all  --  *      ppp10   0.0.0.0/0            
> 0.0.0.0/0
>      0     0 ppp11_masq  all  --  *      ppp11   0.0.0.0/0            
> 0.0.0.0/0
>      0     0 ppp12_masq  all  --  *      ppp12   0.0.0.0/0            
> 0.0.0.0/0
>      0     0 ppp13_masq  all  --  *      ppp13   0.0.0.0/0            
> 0.0.0.0/0
> 
> Chain eth0_masq (1 references)
>   pkts bytes target     prot opt in     out     source               
> destination
>      1    76 MASQUERADE  all  --  *      *       0.0.0.0/0            
> 0.0.0.0/0
> 
> Chain eth1_masq (1 references)
>   pkts bytes target     prot opt in     out     source               
> destination
>      0     0 MASQUERADE  all  --  *      *       0.0.0.0/0            
> 0.0.0.0/0
> ...
> 
> 
> If I clear these manually "iptables -t nat -X", then shorewall
starts up
> without an error
> 
> 
> Further, if I add a DNAT rule, eg:
> REDIRECT        loc             8000            tcp     80      -
> 
> Then the error changes to:
> 
> iptables: Chain already exists.
>     ERROR: Command "/sbin/iptables :dnat - [0:0]" Failed
> 
> 
> However, it still seems to be a nat table issue and is resolved by 
> manually clearing the NAT table with iptables (shorewall clear
doesn''t
> do it)
> 
> Grateful for any suggestions?
Which version were you running previously that didn''t show this
problem?

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------
Try before you buy = See our experts in action!
The most comprehensive online learning library for Microsoft developers
is just $99.99! Visual Studio, SharePoint, SQL - plus HTML5, CSS3, MVC3,
Metro Style Apps, more. Free future releases when you subscribe now!
http://p.sf.net/sfu/learndevnow-dev2

On 03/05/2012 09:36 AM, Ed W wrote:
> Hi, I have a problem using "shorewall restart" with shorewall
4.5.0.1 on
> kernel 3.2.10, iptables 1.4.12.1
> 
> Shorewall starts correctly at boot time, but then a restart triggers error:
> 
> Initializing...
> Processing /etc/shorewall/init ...
> Command: restart
> Processing /etc/shorewall/tcclear ...
> Setting up Route Filtering...
> Setting up Martian Logging...
> Setting up Proxy ARP...
> Adding Providers...
> Setting up Traffic Control...
> Preparing iptables-restore input...
> Running debug_restore_input...
> iptables: Chain already exists.
>     ERROR: Command "/sbin/iptables :eth0_masq - [0:0]" Failed
> Processing /etc/shorewall/stop ...
> Processing /etc/shorewall/tcclear ...
> Running debug_restore_input...
> IPv4 Forwarding Enabled
> Processing /etc/shorewall/stopped ...
> Terminated
> 
> 
> Running shorewall stop & clear, then "shorewall show nat"
shows lots of
> chains, eg small sample:
> 
> Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
>   pkts bytes target     prot opt in     out     source               
> destination
>      1    76 eth0_masq  all  --  *      eth0    0.0.0.0/0            
> 0.0.0.0/0
>      0     0 eth1_masq  all  --  *      eth1    0.0.0.0/0            
> 0.0.0.0/0
>      0     0 eth2_masq  all  --  *      eth2    0.0.0.0/0            
> 0.0.0.0/0
>      0     0 eth3_masq  all  --  *      eth3    0.0.0.0/0            
> 0.0.0.0/0
>      0     0 wlan1_masq  all  --  *      wlan1   0.0.0.0/0            
> 0.0.0.0/0
>      0     0 wlan2_masq  all  --  *      wlan2   0.0.0.0/0            
> 0.0.0.0/0
>      0     0 ppp0_masq  all  --  *      ppp0    0.0.0.0/0            
> 0.0.0.0/0
>      0     0 ppp1_masq  all  --  *      ppp1    0.0.0.0/0            
> 0.0.0.0/0
>      0     0 ppp2_masq  all  --  *      ppp2    0.0.0.0/0            
> 0.0.0.0/0
>      0     0 ppp3_masq  all  --  *      ppp3    0.0.0.0/0            
> 0.0.0.0/0
>      1    76 ppp10_masq  all  --  *      ppp10   0.0.0.0/0            
> 0.0.0.0/0
>      0     0 ppp11_masq  all  --  *      ppp11   0.0.0.0/0            
> 0.0.0.0/0
>      0     0 ppp12_masq  all  --  *      ppp12   0.0.0.0/0            
> 0.0.0.0/0
>      0     0 ppp13_masq  all  --  *      ppp13   0.0.0.0/0            
> 0.0.0.0/0
> 
> Chain eth0_masq (1 references)
>   pkts bytes target     prot opt in     out     source               
> destination
>      1    76 MASQUERADE  all  --  *      *       0.0.0.0/0            
> 0.0.0.0/0
> 
> Chain eth1_masq (1 references)
>   pkts bytes target     prot opt in     out     source               
> destination
>      0     0 MASQUERADE  all  --  *      *       0.0.0.0/0            
> 0.0.0.0/0
> ...
> 
> 
> If I clear these manually "iptables -t nat -X", then shorewall
starts up
> without an error
> 
> 
> Further, if I add a DNAT rule, eg:
> REDIRECT        loc             8000            tcp     80      -
> 
> Then the error changes to:
> 
> iptables: Chain already exists.
>     ERROR: Command "/sbin/iptables :dnat - [0:0]" Failed
> 
> 
> However, it still seems to be a nat table issue and is resolved by 
> manually clearing the NAT table with iptables (shorewall clear
doesn''t
> do it)
> 
> Grateful for any suggestions?
> 
In the generated firewall script, there is a function named
"stop_firewall()". In that function is the input passed to
iptables-restore when stopping the firewall. It should contain:

*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT

Those 5 lines should be clearing the NAT table during ''shorewall
stop''.
Does your generated script contain those 5 lines?

Thanks,
-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------
Try before you buy = See our experts in action!
The most comprehensive online learning library for Microsoft developers
is just $99.99! Visual Studio, SharePoint, SQL - plus HTML5, CSS3, MVC3,
Metro Style Apps, more. Free future releases when you subscribe now!
http://p.sf.net/sfu/learndevnow-dev2

> In the generated firewall script, there is a function named
> "stop_firewall()". In that function is the input passed to
> iptables-restore when stopping the firewall. It should contain:
>
> *nat
> :PREROUTING ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> :POSTROUTING ACCEPT [0:0]
> COMMIT
>
> Those 5 lines should be clearing the NAT table during ''shorewall
stop''.
> Does your generated script contain those 5 lines?
>
Hi, I don''t recall the previous exact version now, I could pull it from
my build scripts, but it''s a 4.4 around 2-4 months old.

Right now I have the following (shall I build a minimal failing case and 
email the config?)

*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:eth1_masq - [0:0]
:eth2_masq - [0:0]
:eth3_masq - [0:0]
:ppp0_masq - [0:0]
:ppp10_masq - [0:0]
:ppp11_masq - [0:0]
:ppp12_masq - [0:0]
:ppp13_masq - [0:0]
:ppp1_masq - [0:0]
:ppp2_masq - [0:0]
:ppp3_masq - [0:0]
:wlan1_masq - [0:0]
:wlan2_masq - [0:0]
-A POSTROUTING -o eth1 -j eth1_masq
-A POSTROUTING -o eth2 -j eth2_masq
-A POSTROUTING -o eth3 -j eth3_masq
-A POSTROUTING -o wlan1 -j wlan1_masq
-A POSTROUTING -o wlan2 -j wlan2_masq
-A POSTROUTING -o ppp0 -j ppp0_masq
-A POSTROUTING -o ppp1 -j ppp1_masq
-A POSTROUTING -o ppp2 -j ppp2_masq
-A POSTROUTING -o ppp3 -j ppp3_masq
-A POSTROUTING -o ppp10 -j ppp10_masq
-A POSTROUTING -o ppp11 -j ppp11_masq
-A POSTROUTING -o ppp12 -j ppp12_masq
-A POSTROUTING -o ppp13 -j ppp13_masq
-A eth1_masq -j MASQUERADE
-A eth2_masq -j MASQUERADE
-A eth3_masq -j MASQUERADE
-A ppp0_masq -j MASQUERADE
-A ppp10_masq -j MASQUERADE
-A ppp11_masq -j MASQUERADE
-A ppp12_masq -j MASQUERADE
-A ppp13_masq -j MASQUERADE
-A ppp1_masq -j MASQUERADE
-A ppp2_masq -j MASQUERADE
-A ppp3_masq -j MASQUERADE
-A wlan1_masq -j MASQUERADE
-A wlan2_masq -j MASQUERADE
COMMIT

Thanks

Ed W

------------------------------------------------------------------------------
Try before you buy = See our experts in action!
The most comprehensive online learning library for Microsoft developers
is just $99.99! Visual Studio, SharePoint, SQL - plus HTML5, CSS3, MVC3,
Metro Style Apps, more. Free future releases when you subscribe now!
http://p.sf.net/sfu/learndevnow-dev2

On 03/05/2012 12:11 PM, Ed W wrote:
> 
>> In the generated firewall script, there is a function named
>> "stop_firewall()". In that function is the input passed to
>> iptables-restore when stopping the firewall. It should contain:
>>
>> *nat
>> :PREROUTING ACCEPT [0:0]
>> :OUTPUT ACCEPT [0:0]
>> :POSTROUTING ACCEPT [0:0]
>> COMMIT
>>
>> Those 5 lines should be clearing the NAT table during
''shorewall stop''.
>> Does your generated script contain those 5 lines?
>>
> 
> Hi, I don''t recall the previous exact version now, I could pull it
from
> my build scripts, but it''s a 4.4 around 2-4 months old.
> 
> Right now I have the following (shall I build a minimal failing case and 
> email the config?)
Be sure to send a capabilities file as well.

Thanks,
-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------
Try before you buy = See our experts in action!
The most comprehensive online learning library for Microsoft developers
is just $99.99! Visual Studio, SharePoint, SQL - plus HTML5, CSS3, MVC3,
Metro Style Apps, more. Free future releases when you subscribe now!
http://p.sf.net/sfu/learndevnow-dev2

Hi
>> Right now I have the following (shall I build a minimal failing case
and
>> email the config?)
> Be sure to send a capabilities file as well.
Near as I can tell, a very minimal rule and masq is triggering this.  I 
do have an unusual interfaces file though?


Minimal config here:
     http://www.mailasail.com/w/uploads/Support/shorewall.broken.tar.gz

Capabilities here:
$ shorewall show capabilities
Shorewall has detected the following iptables/netfilter capabilities:
    NAT: Available
    Packet Mangling: Available
    Multi-port Match: Available
    Extended Multi-port Match: Available
    Connection Tracking Match: Available
    Extended Connection Tracking Match Support: Available
    Packet Type Match: Available
    Policy Match: Available
    Physdev Match: Available
    Physdev-is-bridged Support: Available
    Packet length Match: Available
    IP range Match: Available
    Recent Match: Available
    Owner Match: Available
    Ipset Match: Available
    CONNMARK Target: Available
    Extended CONNMARK Target: Available
    Connmark Match: Available
    Extended Connmark Match: Available
    Raw Table: Available
    Rawpost Table: Not available
    IPP2P Match: Available
    CLASSIFY Target: Available
    Extended REJECT: Available
    Repeat match: Available
    MARK Target: Available
    Extended MARK Target: Available
    Extended MARK Target 2: Available
    Mangle FORWARD Chain: Available
    Comments: Available
    Address Type Match: Available
    TCPMSS Match: Available
    Hashlimit Match: Available
    NFQUEUE Target: Available
    Realm Match: Available
    Helper Match: Available
    Connlimit Match: Available
    Time Match: Available
    Goto Support: Available
    LOGMARK Target: Available
    IPMARK Target: Available
    LOG Target: Available
    ULOG Target: Not available
    NFLOG Target: Available
    Persistent SNAT: Available
    TPROXY Target: Available
    FLOW Classifier: Available
    fwmark route mask: Available
    Mark in any table: Available
    Header Match: Not available
    ACCOUNT Target: Available
    AUDIT Target: Available
    ipset V5: Available
    Condition Match: Not available
    Statistic Match: Available
    IMQ Target: Not available
    iptables -S: Available
    Basic Filter: Available
    CT Target: Available

------------------------------------------------------------------------------
Try before you buy = See our experts in action!
The most comprehensive online learning library for Microsoft developers
is just $99.99! Visual Studio, SharePoint, SQL - plus HTML5, CSS3, MVC3,
Metro Style Apps, more. Free future releases when you subscribe now!
http://p.sf.net/sfu/learndevnow-dev2

On 03/05/2012 12:36 PM, Ed W wrote:
> Hi
> 
>>> Right now I have the following (shall I build a minimal failing
case and
>>> email the config?)
>> Be sure to send a capabilities file as well.
> 
> Near as I can tell, a very minimal rule and masq is triggering this.  I 
> do have an unusual interfaces file though?
> 
> 
> Minimal config here:
>      http://www.mailasail.com/w/uploads/Support/shorewall.broken.tar.gz
> 
> Capabilities here:
> $ shorewall show capabilities
Ed,

Please:

	shorewall show -f capabilities > capabilities

and send me the capabilties file.

-Tom

-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------
Try before you buy = See our experts in action!
The most comprehensive online learning library for Microsoft developers
is just $99.99! Visual Studio, SharePoint, SQL - plus HTML5, CSS3, MVC3,
Metro Style Apps, more. Free future releases when you subscribe now!
http://p.sf.net/sfu/learndevnow-dev2

On 03/05/2012 12:43 PM, Tom Eastep wrote:
> On 03/05/2012 12:36 PM, Ed W wrote:
>> Hi
>>
>>>> Right now I have the following (shall I build a minimal failing
case and
>>>> email the config?)
>>> Be sure to send a capabilities file as well.
>>
>> Near as I can tell, a very minimal rule and masq is triggering this.  I
>> do have an unusual interfaces file though?
>>
>>
>> Minimal config here:
>>      http://www.mailasail.com/w/uploads/Support/shorewall.broken.tar.gz
>>
>> Capabilities here:
>> $ shorewall show capabilities
> 
> Ed,
> 
> Please:
> 
> 	shorewall show -f capabilities > capabilities
> 
> and send me the capabilties file.
> 
Also, please send the accompanying params file.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------
Try before you buy = See our experts in action!
The most comprehensive online learning library for Microsoft developers
is just $99.99! Visual Studio, SharePoint, SQL - plus HTML5, CSS3, MVC3,
Metro Style Apps, more. Free future releases when you subscribe now!
http://p.sf.net/sfu/learndevnow-dev2

On 03/05/2012 12:36 PM, Ed W wrote:
> Hi
> 
>>> Right now I have the following (shall I build a minimal failing
case and
>>> email the config?)
>> Be sure to send a capabilities file as well.
> 
> Near as I can tell, a very minimal rule and masq is triggering this.  I 
> do have an unusual interfaces file though?
> 
> 
> Minimal config here:
>      http://www.mailasail.com/w/uploads/Support/shorewall.broken.tar.gz
> 
a) I took the above configuration and added the attached capabilities
file which I think matches your system.

b) I set CONFIG_PATH="/usr/share/shorewall" so as not to include
anything from /etc/shorewall/

c) I added this single entry to the params file:

	LOC_IF=br0

The compiled firewall script contains this ruleset for stopping the
firewall:

#
# Generated by Shorewall 4.5.0.1 - Mon Mar  5 13:03:19 2012
#
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i br0 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i br0 -o br0 -j ACCEPT
COMMIT

So I am clearly not able to reproduce the problem with the information
provided.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------
Try before you buy = See our experts in action!
The most comprehensive online learning library for Microsoft developers
is just $99.99! Visual Studio, SharePoint, SQL - plus HTML5, CSS3, MVC3,
Metro Style Apps, more. Free future releases when you subscribe now!
http://p.sf.net/sfu/learndevnow-dev2

On 3/5/12 1:07 PM, "Tom Eastep" <teastep@shorewall.net> wrote:
>On 03/05/2012 12:36 PM, Ed W wrote:
>> Hi
>> 
>>>> Right now I have the following (shall I build a minimal failing
case
>>>>and
>>>> email the config?)
>>> Be sure to send a capabilities file as well.
>> 
>> Near as I can tell, a very minimal rule and masq is triggering this.  I
>> do have an unusual interfaces file though?
>> 
>> 
>> Minimal config here:
>>      http://www.mailasail.com/w/uploads/Support/shorewall.broken.tar.gz
>> 
>
>a) I took the above configuration and added the attached capabilities
>file which I think matches your system.
>
>b) I set CONFIG_PATH="/usr/share/shorewall" so as not to include
>anything from /etc/shorewall/
>
>c) I added this single entry to the params file:
>
>	LOC_IF=br0
>
>The compiled firewall script contains this ruleset for stopping the
>firewall:
>
>#
># Generated by Shorewall 4.5.0.1 - Mon Mar  5 13:03:19 2012
>#
>*raw
>:PREROUTING ACCEPT [0:0]
>:OUTPUT ACCEPT [0:0]
>COMMIT
>*nat
>:PREROUTING ACCEPT [0:0]
>:OUTPUT ACCEPT [0:0]
>:POSTROUTING ACCEPT [0:0]
>COMMIT
>*mangle
>:PREROUTING ACCEPT [0:0]
>:INPUT ACCEPT [0:0]
>:FORWARD ACCEPT [0:0]
>:OUTPUT ACCEPT [0:0]
>:POSTROUTING ACCEPT [0:0]
>COMMIT
>*filter
>:INPUT DROP [0:0]
>:FORWARD DROP [0:0]
>:OUTPUT ACCEPT [0:0]
>-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
>-A INPUT -i br0 -j ACCEPT
>-A INPUT -i lo -j ACCEPT
>-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
>-A FORWARD -i br0 -o br0 -j ACCEPT
>COMMIT
>
>So I am clearly not able to reproduce the problem with the information
>provided.
>\
The problem was traced to Ed''s params file which contained DEBUG=0.
Will
be corrected in the next 4.5.1 Beta or RC.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
www.shorewall.net    \________________________________________________







------------------------------------------------------------------------------
Try before you buy = See our experts in action!
The most comprehensive online learning library for Microsoft developers
is just $99.99! Visual Studio, SharePoint, SQL - plus HTML5, CSS3, MVC3,
Metro Style Apps, more. Free future releases when you subscribe now!
http://p.sf.net/sfu/learndevnow-dev2