Shorewall users - Jun 2012 - Error when upgrade from shorewall-4.4.13-3 to shorewall-4.5.2.3-1

Dear All,

I try to upgrade, my old shorewall from 4.4.13-3 to 4.5.2.3-1 on CentOS,
after upgrade i can''t start shorewall with this message:

"/Shorewall: Address Ranges require the Multiple Match capability in 
your kernel and iptables/"

I try to search on the net about this, but no still no light. Somebody 
can help me?


Great appreciate for any help.


Regards,


------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today''s security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/

On 06/05/2012 11:12 PM, heriyanto wrote:
> Dear All,
>
> I try to upgrade, my old shorewall from 4.4.13-3 to 4.5.2.3-1 on CentOS,
> after upgrade i can''t start shorewall with this message:
>
> "/Shorewall: Address Ranges require the Multiple Match capability in
> your kernel and iptables/"
>
> I try to search on the net about this, but no still no light. Somebody
> can help me?
The attached patch should allow you to work around the problem:

	patch /usr/share/shorewall/Shorewall/Chains.pm < IPRANGE.patch

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________


------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today''s security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/

Patch is work thank you very much. There is any release for this version?

On 06/06/2012 09:35 PM, Tom Eastep wrote:
> On 06/05/2012 11:12 PM, heriyanto wrote:
>> Dear All,
>>
>> I try to upgrade, my old shorewall from 4.4.13-3 to 4.5.2.3-1 on
CentOS,
>> after upgrade i can''t start shorewall with this message:
>>
>> "/Shorewall: Address Ranges require the Multiple Match capability
in
>> your kernel and iptables/"
>>
>> I try to search on the net about this, but no still no light. Somebody
>> can help me?
>
> The attached patch should allow you to work around the problem:
>
>     patch /usr/share/shorewall/Shorewall/Chains.pm < IPRANGE.patch
>
> -Tom
>
>
>
------------------------------------------------------------------------------
> Live Security Virtual Conference
> Exclusive live event will cover all the ways today''s security and
> threat landscape has changed and how IT managers can respond. Discussions
> will include endpoint security, mobile security and the latest in malware
> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
>
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users


------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today''s security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/

On 06/06/2012 11:35 PM, heriyanto wrote:
> Patch is work thank you very much. There is any release for this version?
>
A cleaner patch is included in 4.5.5 RC 1 which was uploaded yesterday. 
It will also be included in 4.5.4.2 which will be released shortly.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today''s security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/

in version 4.4.13-3 i using format dmz 192.168.0.1-192.168.0.99 for
content hosts file.
after i upgrade to 4.5.2.3-1 its cannot do restart, show error message
like on bellow.
With patch that you attach, error message disappear. But when i try to
test my network,
but now new issue come sfilter always drop my packet that list on host file.
even i try to modify using dmz 192.168.0.1,192.168.0.2,192.168.0.3,etc
in hosts file.

sfilter:DROP:IN=br0 OUT=br0 PHYSIN=tap0 PHYSOUT=eth1
sfilter:DROP:IN=br0 OUT=br0 PHYSIN=eth1 PHYSOUT=tap0



Thanks
Best regards,
Heriyanto

On 06/06/2012 09:35 PM, Tom Eastep wrote:
> On 06/05/2012 11:12 PM, heriyanto wrote:
>> Dear All,
>>
>> I try to upgrade, my old shorewall from 4.4.13-3 to 4.5.2.3-1 on
CentOS,
>> after upgrade i can''t start shorewall with this message:
>>
>> "/Shorewall: Address Ranges require the Multiple Match capability
in
>> your kernel and iptables/"
>>
>> I try to search on the net about this, but no still no light. Somebody
>> can help me?
>
> The attached patch should allow you to work around the problem:
>
>     patch /usr/share/shorewall/Shorewall/Chains.pm < IPRANGE.patch
>
> -Tom
>
>
>
------------------------------------------------------------------------------
> Live Security Virtual Conference
> Exclusive live event will cover all the ways today''s security and 
> threat landscape has changed and how IT managers can respond. Discussions 
> will include endpoint security, mobile security and the latest in malware 
> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
>
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users



------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today''s security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/

On 07/29/2012 08:43 PM, heriyanto wrote:
> in version 4.4.13-3 i using format dmz 192.168.0.1-192.168.0.99 for
> content hosts file.
> after i upgrade to 4.5.2.3-1 its cannot do restart, show error message
> like on bellow.
> With patch that you attach, error message disappear. But when i try to
> test my network,
> but now new issue come sfilter always drop my packet that list on host
file.
> even i try to modify using dmz 192.168.0.1,192.168.0.2,192.168.0.3,etc
> in hosts file.
> 
> sfilter:DROP:IN=br0 OUT=br0 PHYSIN=tap0 PHYSOUT=eth1
> sfilter:DROP:IN=br0 OUT=br0 PHYSIN=eth1 PHYSOUT=tap0
> 
> 
Set the ''routeback'' option on br0 in
/etc/shorewall/interfaces.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________





------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today''s security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/