Gentoo Forums
[solved] ufw fails requirements check
equaeghe
Guru
Joined: 22 Feb 2005
Posts: 463

Posted: Wed Nov 25, 2015 1:12 pm    Post subject: [solved] ufw fails requirements check

I installed ufw and think I set the necessary kernel parameters. However:
Code:
# /usr/share/ufw/check-requirements
Has python: pass (binary: python2.7, version: 2.7.10, py2)
Has iptables: pass
Has ip6tables: pass

Has /proc/net/dev: pass
Has /proc/net/if_inet6: pass

This script will now attempt to create various rules using the iptables
and ip6tables commands. This may result in module autoloading (eg, for
IPv6).
Proceed with checks (Y/n)?
== IPv4 ==
Creating 'ufw-check-requirements'... done
Inserting RETURN at top of 'ufw-check-requirements'... done
TCP: pass
UDP: pass
destination port: pass
source port: pass
ACCEPT: pass
DROP: pass
REJECT: pass
LOG: pass
hashlimit: FAIL
error was: iptables: No chain/target/match by that name.
limit: pass
state (NEW): FAIL
error was: iptables: No chain/target/match by that name.
state (RELATED): FAIL
error was: iptables: No chain/target/match by that name.
state (ESTABLISHED): FAIL
error was: iptables: No chain/target/match by that name.
state (INVALID): FAIL
error was: iptables: No chain/target/match by that name.
state (new, recent set): FAIL (no runtime support)
error was: iptables: No chain/target/match by that name.
state (new, recent update): FAIL (no runtime support)
error was: iptables: No chain/target/match by that name.
state (new, limit): FAIL
error was: iptables: No chain/target/match by that name.
interface (input): pass
interface (output): pass
multiport: pass
comment: pass
addrtype (LOCAL): pass
addrtype (MULTICAST): pass
addrtype (BROADCAST): pass
icmp (destination-unreachable): pass
icmp (source-quench): pass
icmp (time-exceeded): pass
icmp (parameter-problem): pass
icmp (echo-request): pass

== IPv6 ==
Creating 'ufw-check-requirements6'... done
Inserting RETURN at top of 'ufw-check-requirements6'... done
TCP: pass
UDP: pass
destination port: pass
source port: pass
ACCEPT: pass
DROP: pass
REJECT: pass
LOG: pass
hashlimit: FAIL
error was: ip6tables: No chain/target/match by that name.
limit: pass
state (NEW): FAIL
error was: ip6tables: No chain/target/match by that name.
state (RELATED): FAIL
error was: ip6tables: No chain/target/match by that name.
state (ESTABLISHED): FAIL
error was: ip6tables: No chain/target/match by that name.
state (INVALID): FAIL
error was: ip6tables: No chain/target/match by that name.
state (new, recent set): FAIL (no runtime support)
error was: ip6tables: No chain/target/match by that name.
state (new, recent update): FAIL (no runtime support)
error was: ip6tables: No chain/target/match by that name.
state (new, limit): FAIL
error was: ip6tables: No chain/target/match by that name.
interface (input): pass
interface (output): pass
multiport: pass
comment: pass
icmpv6 (destination-unreachable): pass
icmpv6 (packet-too-big): pass
icmpv6 (time-exceeded): pass
icmpv6 (parameter-problem): pass
icmpv6 (echo-request): pass
icmpv6 with hl (neighbor-solicitation): pass
icmpv6 with hl (neighbor-advertisement): pass
icmpv6 with hl (router-solicitation): pass
icmpv6 with hl (router-advertisement): pass

FAIL: check your kernel and that you have iptables >= 1.4.0
FAIL: check your kernel and iptables for additional runtime support

This seems to indicate that hashlimit and some other parameters are not set (which?). But:
Code:
# lsmod | grep hashlimit
xt_hashlimit            7966  0
x_tables               15073  15 ip6table_filter,xt_hl,xt_comment,xt_recent,ip_tables,xt_tcpudp,xt_limit,xt_LOG,xt_hashlimit,xt_multiport,iptable_filter,ipt_REJECT,ip6_tables,xt_addrtype,ip6t_REJECT

So there must be more going on.

I would be grateful for guidance on getting ufw running.

Is there any list of required kernel parameters for ufw?

Perhaps useful:
Code:
# eix -I iptables
[I] net-firewall/iptables
     Available versions:  ~1.4.17 1.4.21-r1 ~1.4.21-r2(0/10) ~1.4.21-r3(0/10) {conntrack ipv6 netlink pcap static-libs}
     Installed versions:  1.4.21-r1(12:39:44 PM 11/25/2015)(ipv6 -conntrack -netlink -static-libs)
     Homepage:            http://www.netfilter.org/projects/iptables/
     Description:         Linux kernel (2.4+) firewall, NAT and packet mangling tools

# eix -I ufw
[I] net-firewall/ufw
     Available versions:  0.34_pre805-r2^t {examples ipv6 PYTHON_TARGETS="python2_7 python3_3 python3_4"}
     Installed versions:  0.34_pre805-r2^t(11:47:52 AM 11/25/2015)(ipv6 -examples PYTHON_TARGETS="python2_7 python3_4 -python3_3")
     Homepage:            https://launchpad.net/ufw
     Description:         A program used to manage a netfilter firewall


Last edited by equaeghe on Mon Jan 11, 2016 10:01 pm; edited 1 time in total
DeIM
Apprentice
Joined: 11 Apr 2006
Posts: 256

Posted: Sun Jan 10, 2016 8:03 pm

Hi, I've installed ufw too and tried to run it. Thanks to you I found there is the check script. In my case it printed something similar. I've enabled the kernel options from https://wiki.gentoo.org/wiki/Ufw, however the script still failed. So I ticked some more options in the kernel based on the script's fail lines, and after a few tries all tests passed. The parameters are similar to those on the failed lines; sometimes one kernel parameter makes several tests pass since it is the same "grouped property".
Versions are the same:
Code:
$ eix -I iptables
[I] net-firewall/iptables
     Available versions:  ~1.4.17 1.4.21-r1 ~1.4.21-r2(0/10) ~1.4.21-r3(0/10) ~1.4.21-r4(0/10) ~1.6.0(0/11) {conntrack ipv6 netlink nftables pcap static-libs}
     Installed versions:  1.4.21-r1(16:10:27 15.8.2015)(ipv6 -conntrack -netlink -static-libs)
     Homepage:            http://www.netfilter.org/projects/iptables/
     Description:         Linux kernel (2.4+) firewall, NAT and packet mangling tools

$ eix -I ufw
[I] net-firewall/ufw
     Available versions:  0.34_pre805-r2^t {examples ipv6 PYTHON_TARGETS="python2_7 python3_3 python3_4"}
     Installed versions:  0.34_pre805-r2^t(16:17:52 9.1.2016)(ipv6 -examples PYTHON_TARGETS="python2_7 python3_3 python3_4")
     Homepage:            https://launchpad.net/ufw
     Description:         A program used to manage a netfilter firewall
equaeghe
Guru
Joined: 22 Feb 2005
Posts: 463

Posted: Sun Jan 10, 2016 8:07 pm

DeIM wrote:
Hi, I've installed ufw too and tried to run it. Thanks to you I found there is the check script. In my case it printed something similar. I've enabled the kernel options from https://wiki.gentoo.org/wiki/Ufw, however the script still failed. So I ticked some more options in the kernel based on the script's fail lines, and after a few tries all tests passed. The parameters are similar to those on the failed lines; sometimes one kernel parameter makes several tests pass since it is the same "grouped property".

Any hope that you can recover a list of all the parameters that you activated, a diff of your .config with the one before?
DeIM
Apprentice
Joined: 11 Apr 2006
Posts: 256

Posted: Mon Jan 11, 2016 5:02 pm

I recall that I marked this in Core Netfilter Configuration:
Code:
<M> NetBIOS name service protocol support
{M}   "HL" hoplimit target support
*** Xtables matches ***
<M>   "addrtype" address type match support
<M>   "comment" match support
<*>   "conntrack" connection tracking match support
<M>   "hashlimit" match support
{M}   "hl" hoplimit/TTL match support
<M>   "limit" match support
<M>   "recent" match support
<*>   "state" match support

And some in IPv6: Netfilter Configuration.
The complete netfilter part of my .config is here:
http://pastebin.com/9YNuuL6k
Hope this will help.
equaeghe
Guru
Joined: 22 Feb 2005
Posts: 463

Posted: Mon Jan 11, 2016 9:56 pm

DeIM wrote:
I recall that I marked this in Core Netfilter Configuration:
Code:
<M> NetBIOS name service protocol support
{M}   "HL" hoplimit target support
*** Xtables matches ***
<M>   "addrtype" address type match support
<M>   "comment" match support
<*>   "conntrack" connection tracking match support
<M>   "hashlimit" match support
{M}   "hl" hoplimit/TTL match support
<M>   "limit" match support
<M>   "recent" match support
<*>   "state" match support

And some in IPv6: Netfilter Configuration.
The complete netfilter part of my .config is here:
http://pastebin.com/9YNuuL6k
Hope this will help.

Yes, thanks! I added ip4 conntrack, mangling (in support of), hl support.

Now the checks pass. Trying out will wait for another day.
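Both the FAIL lines in the first post and the menuconfig entries DeIM listed point at the same handful of kernel options, and the thread was resolved by guessing the mapping between them. The helper script below is an added example for this thread; it is not part of ufw and not code from either poster. It maps the test names printed by /usr/share/ufw/check-requirements to the Kconfig symbols behind them and reports which are neither =y nor =m in a given .config. The symbol names are standard Kconfig names; the test-name-to-symbol mapping itself is my assumption drawn from the menuconfig entries quoted above, and CONFIG_NF_CONNTRACK_IPV4 applies to kernels of the thread's era (from 4.19 on it is folded into CONFIG_NF_CONNTRACK). The sample .config fragment and check output embedded in write_samples are constructed to resemble the thread's situation, not taken from anyone's machine. Note what the script can and cannot tell you: check-requirements tests runtime support by inserting real rules, so a symbol that is =m but whose match still fails (hashlimit in the first post, despite xt_hashlimit being loaded) is reported as "kernel symbols present" and needs to be chased on the iptables/runtime side.

```shell
#!/bin/sh
# Added helper (not ufw's own code, not from the thread): relate the FAIL
# lines printed by /usr/share/ufw/check-requirements to kernel Kconfig
# symbols and check a .config for them. The test-name -> symbol mapping is
# an assumption based on the menuconfig entries quoted in the thread.

# Kernel symbols a given check-requirements test depends on (space separated).
# CONFIG_NF_CONNTRACK_IPV4 exists in kernels of the thread's era; from 4.19 on
# it is merged into CONFIG_NF_CONNTRACK and should be dropped from this list.
symbols_for_test() {
    ct="CONFIG_NF_CONNTRACK CONFIG_NF_CONNTRACK_IPV4 CONFIG_NETFILTER_XT_MATCH_STATE"
    case "$1" in
        hashlimit) echo "CONFIG_NETFILTER_XT_MATCH_HASHLIMIT" ;;
        limit) echo "CONFIG_NETFILTER_XT_MATCH_LIMIT" ;;
        "state (NEW)"|"state (RELATED)"|"state (ESTABLISHED)"|"state (INVALID)") echo "$ct" ;;
        "state (new, recent set)"|"state (new, recent update)") echo "$ct CONFIG_NETFILTER_XT_MATCH_RECENT" ;;
        "state (new, limit)") echo "$ct CONFIG_NETFILTER_XT_MATCH_LIMIT" ;;
        multiport) echo "CONFIG_NETFILTER_XT_MATCH_MULTIPORT" ;;
        comment) echo "CONFIG_NETFILTER_XT_MATCH_COMMENT" ;;
        "addrtype ("*) echo "CONFIG_NETFILTER_XT_MATCH_ADDRTYPE" ;;
        "icmpv6 with hl ("*) echo "CONFIG_NETFILTER_XT_MATCH_HL" ;;
        LOG) echo "CONFIG_NETFILTER_XT_TARGET_LOG" ;;
        *) echo "" ;;
    esac
}

# $1 = path to a .config, $2 = symbol. Prints y, m or unset.
# "# CONFIG_FOO is not set" lines never match "^CONFIG_FOO=", so they count as unset.
symbol_state() {
    val=$(grep "^$2=" "$1" | head -n 1 | cut -d= -f2)
    case "$val" in
        y|m) echo "$val" ;;
        *) echo "unset" ;;
    esac
}

# $1 = saved check-requirements output. Prints the name of every failed test,
# e.g. "state (NEW)" from "state (NEW): FAIL" or "state (new, recent set)"
# from "state (new, recent set): FAIL (no runtime support)".
failed_tests() {
    grep ': FAIL' "$1" | sed 's/: FAIL.*$//'
}

# $1 = .config, $2 = saved check-requirements output.
# One line per failed test: the symbols it needs that are neither =y nor =m,
# or a note that the .config does not explain the failure (check-requirements
# inserts real rules, so a symbol can be =m and the test still fail).
diagnose() {
    failed_tests "$2" | while IFS= read -r test; do
        syms=$(symbols_for_test "$test")
        if [ -z "$syms" ]; then
            echo "$test: no symbol mapping in this script"
            continue
        fi
        missing=""
        for sym in $syms; do
            if [ "$(symbol_state "$1" "$sym")" = "unset" ]; then
                missing="$missing $sym"
            fi
        done
        if [ -n "$missing" ]; then
            echo "$test: missing$missing"
        else
            echo "$test: kernel symbols present (check iptables build/runtime)"
        fi
    done
}

# Constructed sample inputs (not real files from the poster's machine): a
# .config fragment resembling the first post's situation, and a shortened
# IPv4 section of check-requirements output. Written into directory $1.
write_samples() {
    cat > "$1/config" <<'EOF'
CONFIG_NETFILTER=y
CONFIG_NETFILTER_XT_MATCH_HASHLIMIT=m
CONFIG_NETFILTER_XT_MATCH_LIMIT=m
CONFIG_NETFILTER_XT_MATCH_RECENT=m
CONFIG_NETFILTER_XT_MATCH_COMMENT=m
CONFIG_NETFILTER_XT_MATCH_MULTIPORT=m
CONFIG_NETFILTER_XT_MATCH_ADDRTYPE=m
# CONFIG_NF_CONNTRACK is not set
# CONFIG_NETFILTER_XT_MATCH_STATE is not set
EOF
    cat > "$1/check.txt" <<'EOF'
== IPv4 ==
TCP: pass
hashlimit: FAIL
error was: iptables: No chain/target/match by that name.
limit: pass
state (NEW): FAIL
error was: iptables: No chain/target/match by that name.
state (new, recent set): FAIL (no runtime support)
error was: iptables: No chain/target/match by that name.
state (new, limit): FAIL
error was: iptables: No chain/target/match by that name.
comment: pass
FAIL: check your kernel and that you have iptables >= 1.4.0
EOF
}

# On a real box: zcat /proc/config.gz > /tmp/config (or copy
# /usr/src/linux/.config), save the check output with
# "/usr/share/ufw/check-requirements | tee /tmp/check.txt", then run
# "diagnose /tmp/config /tmp/check.txt". "--demo" runs on the samples instead.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    write_samples "$tmp"
    diagnose "$tmp/config" "$tmp/check.txt"
    rm -r "$tmp"
fi
```

Run with --demo and the sample reports hashlimit as "kernel symbols present" while every state test is missing CONFIG_NF_CONNTRACK, CONFIG_NF_CONNTRACK_IPV4 and CONFIG_NETFILTER_XT_MATCH_STATE, which is the same conclusion equaeghe reached by hand (adding IPv4 conntrack). Because the IPv6 section of the real output repeats the same test names, feed the whole file and expect each state line twice; the second copy points at the IPv6 conntrack option rather than the IPv4 one.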