RTFMish n00b
Joined: 10 Jul 2005 Posts: 18
Posted: Sun Aug 07, 2005 12:15 am

lonrot_m wrote:
    HI:
    I followed every word of this tutorial but
    Code:
        /etc/init.d/shorewall start
        * Starting firewall ... [ !! ]
    I receive this when I try to start and, like, it doesn't return me any error; I don't know what to do. By the way there is nothing in /var/log/messages.
    I am using gentoo sources 2.6.12-r6
    thank you

you need to set a zone in the "zones" file
|
|
sfp-a7x n00b
Joined: 16 Nov 2004 Posts: 47
Posted: Wed Aug 10, 2005 6:27 pm

Why must all the iptables stuff be compiled into the kernel? Why can't I compile them as modules?
|
|
SchrodingerPenguin n00b
Joined: 08 Jul 2004 Posts: 35 Location: Mandalong, NSW, Australia
Posted: Fri Aug 12, 2005 6:48 am

Sith_Happens,
Thanks heaps for a tutorial which includes the why as well as just the what-to-do. I followed it as written and my firewall worked brilliantly - AND I had the bit of understanding required to then customise it to my requirements.
I had a small bit of trouble when I just upgraded to Shorewall 2.2, and think you should edit the tutorial to include the fact that in newer versions of Shorewall, you must change one of the first lines in /etc/shorewall/shorewall.conf to
Code:
    STARTUP_ENABLED=Yes
before the firewall will start up.
_________________
2B or !(2B)
|
|
Zampf n00b
Joined: 02 Sep 2005 Posts: 6
Posted: Fri Sep 09, 2005 8:51 pm

Thanks for this great, simple tutorial and for turning me on to Shorewall -- iptables can be a royal pain to fudge with by hand.
*bow*
|
|
rek2 Guru
Joined: 05 Jan 2003 Posts: 477 Location: Boston USA/Barcelona Spain
|
|
asiB4 Guru
Joined: 16 Jan 2006 Posts: 370 Location: Inside the electric circus
Posted: Tue Feb 28, 2006 11:46 am

Yeah...ok, this is an old thread, but I have been looking for a way to "secure" my boxes at home, and this tutorial fit the bill. Everything else I have been trying to experiment with was basically turning my main box into a honeypot, which would be just shooting myself in the foot. Reading the various iptables tutorials online made no sense to me, and frankly made my head hurt. With this tutorial iptables is starting to make a lot more sense to me now! Compiled the kernel with needed support, emerged everything I needed, config'd everything...customized it for what I needed and time will tell whether I was successful or not. Thanks a million!
Chad
_________________
Registered Linux User #332738
|
|
rim n00b
Joined: 16 Apr 2006 Posts: 2
Posted: Sun Apr 16, 2006 12:22 pm Post subject: Shorewall ERROR: Traffic Shaping requires mangle support in.

Hi,
I am new to Gentoo and forums - so I ask for your patience.
I followed the Shorewall tutorial but upon running the final commands (rc-update etc)
I received the following message:
    Error: Traffic shaping requires mangle support in kernel your kernel and iptables
    /etc/init.d/shorewall: line 14: 9488 Terminated /sbin/shorewall start >/dev/null
I did amend my kernel as instructed though... Any ideas (please keep jargon to a minimum as I am still learning)
Cheers
|
|
asiB4 Guru
Joined: 16 Jan 2006 Posts: 370 Location: Inside the electric circus
Posted: Sun Apr 16, 2006 12:37 pm Post subject: Re: Shorewall ERROR: Traffic Shaping requires mangle support

rim wrote:
    Hi,
    I am new to Gentoo and forums - so I ask for your patience.
    I followed the Shorewall tutorial but upon running the final commands (rc-update etc)
    I received the following message:
        Error: Traffic shaping requires mangle support in kernel your kernel and iptables
        /etc/init.d/shorewall: line 14: 9488 Terminated /sbin/shorewall start >/dev/null
    I did amend my kernel as instructed though... Any ideas (please keep jargon to a minimum as I am still learning)
    Cheers

Welcome....
in your kernel config you will have had to enable packet mangling support....
Code:
    # make menuconfig
    [ ] Networking --->
      [ ] Networking Options --->
        [ ] Network packet filtering (replaces ipchains) --->
          [ ] IP Netfilter Configuration --->
            <*> Packet mangling
...look in /usr/src/linux/.config to verify this has been added...should see an entry similar to...
    CONFIG_IP_NF_MANGLE=y
    CONFIG_IP_NF_ARP_MANGLE=y
hope that helps...
_________________
Registered Linux User #332738
|
|
rim n00b
Joined: 16 Apr 2006 Posts: 2
Posted: Sun Apr 16, 2006 6:03 pm

Just wanted to thank asiB4 for the help. Works a treat now. Cheers
|
|
manouchk Apprentice
Joined: 08 May 2006 Posts: 288 Location: Vitória (ES), Brasil
|
|
orange_juice Guru
Joined: 16 Feb 2006 Posts: 588 Location: Athens - Greece
Posted: Mon Jun 12, 2006 8:34 pm

Hallo,
I had the same problem as manouchk and rim.
The problem occurred after upgrading to gentoo-sources-2.6.16-r9 from gentoo-sources-2.6.14-gentoo-r5.
Actually, the last entry:
Code:
    IP Tables Support (required for filtering/masq/NAT)
... quoted at the beginning of the tutorial had disappeared!
Shorewall Tutorial wrote:
    Code:
        Networking support --->
          Networking options --->
            [*] Network packet filtering (replaces ipchains) --->
              IP: Netfilter Configuration --->
                <*> Connection tracking (required for masq/NAT)
                <*> IP Tables Support (required for filtering/masq/NAT)
                ***# Include (<*> not <M>) all options and sub options under IP tables***
However, above the "IP: Netfilter Configuration" entry...
Code:
    Networking support --->
      Networking options --->
        [*] Network packet filtering (replaces ipchains) --->
          ---> H E R E !!!
          IP: Netfilter Configuration --->
...another entry has appeared called
Code:
    Core Netfilter Configuration --->
Clicking inside I found:
Code:
    [ ] Netfilter netlink interface
    [*] Netfilter Xtables support (required for ip_tables)
When I marked it (as shown above), the missing entry...
Code:
    <*> IP Tables Support (required for filtering/masq/NAT)
...appeared again with all the necessary options and sub-options at its expected place as defined in this tutorial.
Since I did not know why this change has occurred, and since under...
Code:
    [*] Netfilter Xtables support (required for ip_tables)
...there are some options that refer to Mangle etc., I have also checked all options and sub-options under it. I am not sure whether this is accurate or not but Shorewall -now- works again as usual.
I hope that I helped somehow.
Kind regards,
orange_juice
|
|
manouchk Apprentice
Joined: 08 May 2006 Posts: 288 Location: Vitória (ES), Brasil
Posted: Mon Jun 19, 2006 1:06 pm

Well found, orange_juice! Now it seems to be okay! Now just a configuration problem!
I don't know why I can't ping when shorewall is started?
And I'm having a problem with printing on a windows shared printer of IP 152.84.250.x. I used to be able to print on Mandriva using those 4 rules to accept all traffic from the computer:
Code:
    ACCEPT net:152.84.250.x fw tcp - - - 2/sec:10
    ACCEPT net:152.84.250.x fw udp - - - 2/sec:10
    ACCEPT fw net:152.84.250.x tcp -
    ACCEPT fw net:152.84.250.x udp -
but it does not print here.
my shorewall conf files are:
Code:
    tail -v /etc/shorewall/interfaces;tail -v /etc/shorewall/policy;tail -n 28 -v /etc/shorewall/rules
    ==> /etc/shorewall/interfaces <==
    #
    # net ppp0 -
    #
    # For additional information, see
    # http://shorewall.net/Documentation.htm#Interfaces
    #
    ###############################################################################
    #ZONE INTERFACE BROADCAST OPTIONS
    net eth0 detect
    #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
    ==> /etc/shorewall/policy <==
    # See http://shorewall.net/Documentation.htm#Policy for additional information.
    #
    ###############################################################################
    #SOURCE DEST POLICY LOG LIMIT:BURST
    net all DROP info
    # LEVEL
    # THE FOLLOWING POLICY MUST BE LAST
    #
    all all REJECT info
    #LAST LINE -- DO NOT REMOVE
    ==> /etc/shorewall/rules <==
    ACCEPT fw net tcp 80 #http
    ACCEPT fw net udp 80 #http
    ACCEPT fw net tcp 443 #https
    ACCEPT fw net udp 443 #https
    ACCEPT fw net tcp 21 #ftp
    ACCEPT fw net tcp 53 #DNS
    ACCEPT fw net udp 53 #DNS
    ACCEPT fw net tcp 110 #unsecure Pop3
    ACCEPT fw net tcp 995 #Secure Pop3
    ACCEPT fw net tcp 873 #rsync
    ACCEPT fw net tcp 25 #unsecure SMTP
    ACCEPT fw net tcp 465 #SMTP over SSL
    ACCEPT fw net tcp 5190 #AIM/ICQ
    ACCEPT fw net tcp 5060 #openwengo
    ACCEPT fw net tcp 10600 #openwengo
    ACCEPT fw net tcp 10601 #openwengo
    ACCEPT net fw tcp 5060 #openwengo
    ACCEPT net fw tcp 10600 #openwengo
    ACCEPT net fw tcp 10601 #openwengo
    ACCEPT net:152.84.250.60 fw tcp - - - 2/sec:10
    ACCEPT net:152.84.250.60 fw udp - - - 2/sec:10
    ACCEPT fw net:152.84.250.60 tcp -
    ACCEPT fw net:152.84.250.60 udp -
    ACCEPT net fw udp 6881:6889 -
    ACCEPT net fw tcp 22 -
    #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
I put the iptables -L output here: http://emmanuelfavrenicolin.free.fr//Public/Divers/iptable_out
I think I missed something!
|
|
kbps n00b
Joined: 06 Mar 2006 Posts: 38 Location: Vladivostok, Russia
Posted: Tue Jul 04, 2006 8:16 am

for ping add to "/etc/shorewall/rules"
or
Code:
    ACCEPT net fw icmp 8
    ACCEPT fw net icmp 8
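To see why manouchk's configuration drops ping until kbps's two lines are added, here is a small added model of how Shorewall decides the fate of a new connection (this is example code written for this thread, not Shorewall's own compiler): the first matching line of the rules file wins, and when no rule matches, the first matching line of the policy file applies. The inputs are trimmed from the files posted above; the model assumes the firewall zone is called `fw`, handles only the ACTION/SOURCE/DEST/PROTO/DEST-PORT columns, and ignores the ESTABLISHED/RELATED fast path, SECTION lines, macros and the rate-limit column. For `icmp`, the DEST-PORT column is the ICMP type, and type 8 is echo-request.

```python
"""Toy model of Shorewall's decision for a NEW connection (added example, not
Shorewall's own code): first matching rule wins, otherwise first matching
policy line applies."""
import ipaddress

# Constructed inputs, trimmed from the files manouchk posted in this thread.
# Assumption: the firewall's own zone is named "fw" (FW=fw in shorewall.conf).
POLICY = """\
#SOURCE DEST POLICY LOG
net all DROP info
all all REJECT info
"""

RULES = """\
ACCEPT fw net tcp 80 #http
ACCEPT fw net tcp 443 #https
ACCEPT net:152.84.250.60 fw tcp - - - 2/sec:10
ACCEPT fw net:152.84.250.60 tcp -
ACCEPT net fw udp 6881:6889 -
ACCEPT net fw tcp 22 -
"""

# The two lines kbps suggested; for icmp the DEST-PORT column is the ICMP type.
PING_RULES = """\
ACCEPT net fw icmp 8
ACCEPT fw net icmp 8
"""


def _entries(text):
    """Yield the whitespace-separated fields of each non-comment line."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line and not line.upper().startswith("SECTION"):
            yield line.split()


def _zone_matches(spec, zone, host):
    """Match 'net', 'all', or a qualified 'net:152.84.250.60' / 'net:10.0.0.0/8'."""
    name, _, qualifier = spec.partition(":")
    if name not in ("all", zone):
        return False
    if not qualifier:
        return True
    if host is None:
        return False  # the rule names a host but the caller gave none
    return ipaddress.ip_address(host) in ipaddress.ip_network(qualifier, strict=False)


def _port_matches(spec, port):
    """Match '-', '22', a range '6881:6889', or a comma-separated list of those."""
    if spec == "-":
        return True
    if port is None:
        return False
    for piece in spec.split(","):
        low, _, high = piece.partition(":")
        if int(low) <= port <= int(high or low):
            return True
    return False


def decide(src_zone, dst_zone, proto, dport=None, src_host=None, dst_host=None,
           rules=RULES, policy=POLICY):
    """Return (action, reason) for a new connection from src_zone to dst_zone."""
    for fields in _entries(rules):
        action, src, dst = fields[0], fields[1], fields[2]
        rproto = fields[3] if len(fields) > 3 else "-"
        rport = fields[4] if len(fields) > 4 else "-"
        if not (_zone_matches(src, src_zone, src_host)
                and _zone_matches(dst, dst_zone, dst_host)):
            continue
        if rproto not in ("-", proto):
            continue
        if not _port_matches(rport, dport):
            continue
        return action, "rule: " + " ".join(fields)
    for fields in _entries(policy):
        src, dst, action = fields[0], fields[1], fields[2]
        if src in ("all", src_zone) and dst in ("all", dst_zone):
            return action, "policy: " + " ".join(fields)
    return "REJECT", "no policy matched"


if __name__ == "__main__":
    print("ping net->fw, rules as posted  :", decide("net", "fw", "icmp", 8))
    print("ping net->fw, with kbps's lines:",
          decide("net", "fw", "icmp", 8, rules=RULES + PING_RULES))
    print("tcp/445 fw->printer host       :",
          decide("fw", "net", "tcp", 445, dst_host="152.84.250.60"))
    print("tcp/445 fw->some other host    :",
          decide("fw", "net", "tcp", 445, dst_host="10.0.0.5"))
```

Running it shows the incoming echo-request falling through every rule to the `net all DROP` policy, which is exactly the silent "can't ping" symptom; with the icmp lines appended it hits a rule instead. The same evaluator shows that `ACCEPT fw net:152.84.250.60 tcp -` only matches connections whose destination is that one host, so any other address in `net` still ends at the `all all REJECT` policy.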
|
|
manouchk Apprentice
Joined: 08 May 2006 Posts: 288 Location: Vitória (ES), Brasil
Posted: Tue Jul 04, 2006 4:55 pm

I switched to firestarter which was much easier to deal with. It is very practical (but maybe not as powerful, but my needs are simple, it's just a standalone computer). When the firestarter front-end is started, it shows connections, which is very practical for me because I need to print on windows and the port changes... so that I can open one more port if printing fails...
|
|
Bizarro n00b
Joined: 18 Jan 2007 Posts: 9
Posted: Sun Feb 18, 2007 7:13 am

I love you
/heh
|
|
carpman Advocate
Joined: 20 Jun 2002 Posts: 2202 Location: London - UK
Posted: Wed May 02, 2007 12:16 pm

Hello, ok have small problem.
After following guide and trying to start shorewall I get:
Code:
    # /etc/init.d/shorewall start
    * Starting firewall ...
    ERROR: No ipv4 or ipsec Zones Defined
    /sbin/shorewall: line 529: 10386 Terminated $SHOREWALL_SHELL ${SHAREDIR}/compiler $debugging $nolock compile ${VARDIR}/.start
So edited /etc/shorewall/zones
Code:
    #ZONE TYPE OPTIONS IN OUT
    # OPTIONS OPTIONS
    fw firewall
    net ipv4
Restarting firewall gave following message and locked me out of ssh and webmin:
Code:
    /etc/init.d/shorewall restart
    * Restarting firewall ...
    Shorewall is not running
    iptables: Invalid argument
    ERROR: Command "/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT" Failed
    iptables: Invalid argument
    iptables: Invalid argument
    /sbin/shorewall: line 786: 11592 Terminated $SHOREWALL_SHELL ${VARDIR}/.restart $debugging restart
shorewall rules
Code:
    #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL $
    # PORT(S) PORT(S) DEST $
    #SECTION ESTABLISHED
    #SECTION RELATED
    SECTION NEW
    ACCEPT fw net tcp 80 #http
    ACCEPT fw net udp 80 #http
    ACCEPT fw net tcp 443 #https
    ACCEPT fw net udp 443 #https
    #ACCEPT fw net tcp 21 #ftp
    #ACCEPT fw net tcp 53 #DNS
    #ACCEPT fw net udp 53 #DNS
    ACCEPT fw net tcp 110 #unsecure Pop3
    ACCEPT fw net tcp 995 #Secure Pop3
    ACCEPT fw net tcp 873 #rsync
    ACCEPT fw net tcp 25 #unsecure SMTP
    ACCEPT fw net tcp 465 #SMTP over SSL
    ACCEPT fw net tcp 993 #IMAP over SSL
    ACCEPT fw net tcp 10000 # webmin ssl
    ACCEPT fw net tcp 22 # ssh
    #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
any ideas
cheers
_________________
Work Station - 64bit
Gigabyte GA X48-DQ6 Core2duo E8400
8GB GSkill DDR2-1066
SATA Areca 1210 Raid
BFG OC2 8800 GTS 640mb
--------------------------------
Notebook
Samsung Q45 7100 4gb
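Several of the failures in this thread (rim's "requires mangle support", orange_juice's vanished "IP Tables Support" entry, and the `iptables: Invalid argument` lines carpman gets from `-m state --state ESTABLISHED,RELATED`, a message iptables commonly prints when the running kernel lacks the match or target a rule uses) come down to which netfilter options the kernel was built with. asiB4's advice was to read /usr/src/linux/.config; the script below is an added example (not from the thread, the tutorial, or Shorewall) that does that check for a list of symbols and flags anything built as a module or absent, since the tutorial wants everything built in. The first two symbols are the ones asiB4 named; the remaining defaults (CONFIG_NETFILTER_XTABLES for the "Netfilter Xtables support" entry orange_juice found, CONFIG_IP_NF_IPTABLES for "IP Tables Support", and CONFIG_NETFILTER_XT_MATCH_STATE for the state match) are my assumptions about the symbols behind those menu entries and will vary with kernel version, so adjust the list to your tree.

```shell
#!/bin/sh
# Added example, not from the thread or from Shorewall: report the state of
# netfilter-related CONFIG_ symbols in a kernel .config before starting the
# firewall.  Usage: sh kconfig_check.sh /usr/src/linux/.config [SYMBOL...]

# Symbols checked when none are given on the command line.  The first two are
# the ones asiB4 named; the rest are assumptions about the symbols behind the
# menu entries discussed in the thread and may differ between kernel versions.
DEFAULT_SYMBOLS="CONFIG_IP_NF_MANGLE CONFIG_IP_NF_ARP_MANGLE
CONFIG_NETFILTER_XTABLES CONFIG_IP_NF_IPTABLES CONFIG_NETFILTER_XT_MATCH_STATE"

# kconfig_value CONFIGFILE SYMBOL: print "y", "m", or nothing when the symbol
# is absent or appears only as "# SYMBOL is not set".
kconfig_value() {
    sed -n "s/^$2=\(.*\)$/\1/p" "$1"
}

# check_kconfig CONFIGFILE SYMBOL...: one line per symbol; return 0 only when
# every symbol is built in (=y), which is what the tutorial asks for (<*> not <M>).
check_kconfig() {
    cfg=$1; shift
    status=0
    for sym in "$@"; do
        case "$(kconfig_value "$cfg" "$sym")" in
            y) echo "$sym=y" ;;
            m) echo "$sym=m  (built as a module; tutorial wants it built in)"; status=1 ;;
            *) echo "$sym missing  (not set: enable it in make menuconfig)"; status=1 ;;
        esac
    done
    return $status
}

# Only act when a .config path is given, so sourcing the file defines the
# functions without side effects.
if [ "$#" -ge 1 ]; then
    cfg=$1; shift
    if [ "$#" -eq 0 ]; then
        # word splitting of DEFAULT_SYMBOLS into positional parameters is intended
        set -- $DEFAULT_SYMBOLS
    fi
    check_kconfig "$cfg" "$@"
fi
```

A non-zero exit means at least one symbol is a module or missing, which is the state to fix (rebuild and reboot into the new kernel) before retrying `/etc/init.d/shorewall start`; a match that the kernel lacks fails at rule-load time, which is what leaves the firewall half-configured and, as carpman found, can lock an administrator out of ssh.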