Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
Problems with shorewall-4.5.11.2
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Networking & Security
View previous topic :: View next topic  
Author Message
Fred Krogh
l33t
l33t


Joined: 07 Feb 2005
Posts: 796
Location: Tujunga, CA

PostPosted: Sat Jan 19, 2013 12:11 am    Post subject: Problems with shorewall-4.5.11.2 Reply with quote

It seems I have a love/hate relationship with shorewall. I get this error
Quote:
iptables: No chain/target/match by that name.
All I have found to account for this kind of error is
Quote:
In this case, the user had compiled his own kernel and had forgotten to include REJECT target support.
But that is not the case for me. So I have backed out of this new shorewall, and reverted to shorewall-4.5.8.2-r1 and shorewall-core-4.5.8.2. But even after doing this and restarting shorewall I get the same error which goes away after rebooting! I'm even more confused that usual and unclear whether the problem is me or something in the new shorewall. I'm curious if anyone might have an idea of what is going on. I'd also be interested to know of others have shorewall-4.5.11.2 working. Thanks,
Fred
Back to top
View user's profile Send private message
massimo
Veteran
Veteran


Joined: 22 Jun 2003
Posts: 1139
Location: Austria

PostPosted: Mon Jan 21, 2013 10:44 am    Post subject: Reply with quote

What does your kernel configuration file look like (especially the Netfilter Configuration)?
_________________
Hello 911? How are you?
Back to top
View user's profile Send private message
Fred Krogh
l33t
l33t


Joined: 07 Feb 2005
Posts: 796
Location: Tujunga, CA

PostPosted: Mon Jan 21, 2013 1:06 pm    Post subject: Reply with quote

Not sure if this gets what you are looking for, but below is the output from
grep -i _nf_ .config|grep -v "#"
Note that CONFIG_IP_NF_TARGET_REJECT=m is 9 lines from the bottom.

Quote:
CONFIG_NF_CONNTRACK=y
CONFIG_NF_CONNTRACK_MARK=y
CONFIG_NF_CONNTRACK_SECMARK=y
CONFIG_NF_CT_PROTO_GRE=m
CONFIG_NF_CONNTRACK_FTP=m
CONFIG_NF_CONNTRACK_IRC=m
CONFIG_NF_CONNTRACK_BROADCAST=m
CONFIG_NF_CONNTRACK_NETBIOS_NS=m
CONFIG_NF_CONNTRACK_PPTP=m
CONFIG_NF_CONNTRACK_SIP=m
CONFIG_NF_CONNTRACK_TFTP=m
CONFIG_NF_CT_NETLINK=m
CONFIG_NF_NAT=m
CONFIG_NF_NAT_NEEDED=y
CONFIG_NF_NAT_FTP=m
CONFIG_NF_NAT_IRC=m
CONFIG_NF_NAT_SIP=m
CONFIG_NF_NAT_TFTP=m
CONFIG_NF_DEFRAG_IPV4=m
CONFIG_NF_CONNTRACK_IPV4=m
CONFIG_IP_NF_QUEUE=m
CONFIG_IP_NF_IPTABLES=y
CONFIG_IP_NF_MATCH_AH=m
CONFIG_IP_NF_MATCH_ECN=m
CONFIG_IP_NF_MATCH_TTL=m
CONFIG_IP_NF_FILTER=m
CONFIG_IP_NF_TARGET_REJECT=m
CONFIG_NF_NAT_IPV4=m
CONFIG_IP_NF_TARGET_NETMAP=m
CONFIG_NF_NAT_PROTO_GRE=m
CONFIG_NF_NAT_PPTP=m
CONFIG_IP_NF_MANGLE=m
CONFIG_IP_NF_TARGET_ECN=m
CONFIG_IP_NF_TARGET_TTL=m
CONFIG_IP_NF_RAW=m
Thanks for looking at this.
Back to top
View user's profile Send private message
massimo
Veteran
Veteran


Joined: 22 Jun 2003
Posts: 1139
Location: Austria

PostPosted: Tue Jan 22, 2013 6:43 am    Post subject: Reply with quote

Have a look at [1] and compare it to your configuration.

[1] http://www.shorewall.net/kernel.htm
_________________
Hello 911? How are you?
Back to top
View user's profile Send private message
Bones McCracker
Veteran
Veteran


Joined: 14 Mar 2006
Posts: 1566
Location: U.S.A.

PostPosted: Thu Jan 24, 2013 10:14 am    Post subject: Reply with quote

Shorewall has an active mailing list where you can get good support.

I've been seeing this same warning, but I think it started with 4.5.8. The firewall tests fine, so I treated it as a harmless glitch and haven't got around to looking into it.
_________________
pjp wrote:
I didn't misquote you, I just misunderstood you.
Back to top
View user's profile Send private message
Climber11
n00b
n00b


Joined: 21 Jun 2005
Posts: 14

PostPosted: Mon Jan 28, 2013 1:42 am    Post subject: Reply with quote

I'd be willing to bet it has something to do with the 3.7.x kernel changes around the NetFilter options. Support for IPv6 was added and the NAT configuration was tweaked as a result. If you downgraded to a 3.6.x kernel, it'd probably be fine; or, compile the NetFilter items into the kernel (rather than as modules). Just learned this after upgrading to 3.7.4 from 3.6.3 when iptables wouldn't start.

I'd bet Shorewall will fix this at some point, but the kernel mods may be ahead of Shorewall's updates.
Back to top
View user's profile Send private message
Bernhard
n00b
n00b


Joined: 12 Jul 2004
Posts: 20

PostPosted: Sat Mar 23, 2013 7:08 pm    Post subject: Reply with quote

Hi,

got a similar error.

Code:

 * Starting firewall ...
   ERROR: Log level INFO requires LOG Target in your kernel and iptables                                     [ !! ]
 * ERROR: shorewall failed to start


But: in .config i got CONFIG_NETFILTER_XT_TARGET_LOG=m
and lsmod shows

Code:

 ~ # lsmod | grep xt_
xt_DSCP                 1404  0
xt_dscp                 1064  0
xt_statistic             844  0
xt_CT                   2383  0
xt_NFLOG                 703  0
nfnetlink_log           5246  1 xt_NFLOG
xt_time                 1460  0
xt_connlimit            2131  0
xt_realm                 600  0
xt_NFQUEUE              1469  0
xt_tcpmss                930  0
xt_tcpudp               1628  0
xt_pkttype               664  0
xt_CLASSIFY              666  0
xt_mark                  734  0
xt_hashlimit            5517  0
xt_comment               580  0
xt_length                765  0
xt_connmark             1226  0
xt_owner                 800  0
xt_iprange              1133  0
xt_physdev              1225  0
xt_policy               1755  0
xt_multiport            1179  0
xt_conntrack            2396  0
nf_conntrack           42376  16 xt_CT,nf_conntrack_netbios_ns,nf_conntrack_proto_gre,xt_connlimit,xt_conntrack,nf_conntrack_amanda,ipt_CLUSTERIP,nf_conntrack_broadcast,xt_connmark,nf_conntrack_ftp,nf_conntrack_irc,nf_conntrack_sip,nf_conntrack_ipv4,nf_conntrack_pptp,nf_conntrack_sane,nf_conntrack_tftp
x_tables                9145  33 xt_physdev,xt_pkttype,xt_statistic,xt_DSCP,xt_dscp,xt_iprange,xt_mark,xt_time,xt_CT,xt_length,xt_comment,ipt_ULOG,xt_policy,ip_tables,xt_tcpmss,xt_tcpudp,ipt_ah,xt_NFQUEUE,xt_NFLOG,xt_owner,xt_realm,xt_connlimit,xt_conntrack,ipt_CLUSTERIP,xt_hashlimit,xt_multiport,iptable_filter,xt_CLASSIFY,xt_connmark,ipt_REJECT,iptable_mangle,ipt_ECN,iptable_raw


Code:

uname -r
3.7.10-gentoo

shorewall version
4.5.11.2



Any hints?

Thanks Bernhard
_________________
Bernhard Boxhorn
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Networking & Security All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum