Gentoo Forums
Can't configure Firewall due to kernel issue?
Forum: Networking & Security
Budoka (l33t)
Joined: 03 Jun 2012
Posts: 777
Location: Tokyo, Japan

Posted: Mon Aug 19, 2013 4:19 am    Post subject: Can't configure Firewall due to kernel issue?

Going crazy.

Before going into details: all I want to do is open port 22 or 2222 so that I can ssh into my Gentoo box, and it has proven more difficult than it should be.


Issue 1:
I installed UFW and tried the GUIs kcm-ufw, ufw-frontends, as well as Fwbuilder. All of them would not let me activate the firewall (I believe iptables is the underlying firewall) and would also indicate the firewall isn't active. But I noticed no network traffic was coming in or out, so I checked UFW from the CLI and it was active. If I disable it then traffic resumes, so clearly it is working at some level even if the GUIs can't talk to it.

Issue 2:
So I check any messages for UFW or iptables and there are some kernel options that need to be configured (http://wiki.gentoo.org/wiki/Iptables). I add them all, recompile, and behaviour is the same. Not even sure if they are even related to the problem, to be honest. Anyway, I re-install UFW in the hopes that would do something, but now when issuing
Code:
ufw enable
get the error message
Quote:

ERROR: problem running ufw-init
modprobe: FATAL: Module nf_nat_ftp not found.
iptables-restore: line 69 failed
iptables-restore: line 30 failed
iptables-restore: line 31 failed
ip6tables-restore: line 31 failed

Problem running '/etc/ufw/before.rules'
Problem running '/etc/ufw/after.rules'
Problem running '/etc/ufw/user/user.rules'
Problem running '/etc/ufw/user/user6.rules'


but strangely enough the firewall is enabled and all network traffic is stopped until I run ufw disable.

modprobe nf_nat_ftp and get
Quote:
modprobe: FATAL: Module nf_nat_ftp not found

So now I am trying to find where nf_nat_ftp is in the kernel.

Issue 3:

Can't find it for my life. If I search for it I only get
Quote:
Symbol: NF_NAT_FTP [=n]
Type : tristate
which doesn't show any path to where it lives in the config. I found this on Google
Quote:
NF_NAT_FTP found in net/netfilter/Kconfig

The configuration item CONFIG_NF_NAT_FTP:

prompt:
type: tristate
depends on: CONFIG_NF_CONNTRACK && CONFIG_NF_NAT
defined in net/netfilter/Kconfig
found in Linux kernels: 3.7–3.10, 3.11-rc+HEAD
modules built: nf_nat_ftp, nf_nat_ftp


I'm on kernel 3.8.13 so it should be there, but I don't have Kconfig anywhere???!!! Once again I am not sure whether the fact that this kernel option is not active is the cause of my problem, or whether enabling it will solve it, because clearly the firewall is activated when I issue the enable command.

I just need a way to open that port.
PaulBredbury (Watchman)
Joined: 14 Jul 2005
Posts: 7310

Posted: Mon Aug 19, 2013 8:23 am

In kernel 3.10.7:
Code:
Symbol: NF_NAT_FTP [=y]
Depends on: NET [=y] && INET [=y] && NETFILTER [=y] && NF_CONNTRACK [=y] && NF_NAT [=y]


Check that "Depends" line carefully. You probably don't have NF_NAT.

UFW is for Ubuntu users ;) I'd recommend Gentoo users to use iptables itself.
Goverp (Veteran)
Joined: 07 Mar 2007
Posts: 1966

Posted: Mon Aug 19, 2013 8:34 am

Have you followed the UFW installation instructions, i.e. added the ufw service to the default runlevel?
Also, did you run the configuration checker, /usr/share/ufw/check-requirements, and follow its recommendations?
These are mentioned in the ebuild messages.

UFW needs several kernel netfilter configuration options set; if you miss them, it won't start. One approach is simply to make modules for all the netfilter configuration options, and let UFW load what it wants to meet your particular firewall configuration.

I've used UFW for some time. Apart from needing to keep up with its netfilter requirements, it's been a lot simpler than guessing how to configure iptables et al.
_________________
Greybeard
CleanTestr (n00b)
Joined: 15 Jan 2013
Posts: 47
Location: somewhere in Rural Nebraska, USA

Posted: Wed Aug 21, 2013 7:17 am

a) Upon emerge ufw, I get:
Code:
* Note: once enabled, ufw blocks also incoming SSH connections by
* default. See README, Remote Management section for more information.


b) a quick search of the Internet yields a page which states it can do:
Code:
Status: active

To            Action   From
--------      ------   ----
OpenSSH       LIMIT    Anywhere


That page is blog:UFW with Fail2ban

They'll tell you why you don't want SSH port open for server use. They'll also
tell you how to selectively enable/disable it.

If you wanted to use just iptables w/o ufw,

c) You write:
Quote:
Issue 3:

Can't find it for my life. If I search for it I only get
Quote:
Symbol: NF_NAT_FTP [=n]
Type : tristate
which doesn't show any path to where it lives in the config.


The: NF_NAT_FTP [=n] means NAT isn't compiled into the kernel.
Go back and set it to [*] and try again.

Using the tool grep on your kernel config:

zgrep NAT /proc/config.gz

d) Alternatively, since more information is better than less, could you (please)
Code:
emerge wgetpaste
zcat /proc/config.gz > _fool
wgetpaste _fool


and put the resulting URL into a [ url = :URL: ] config.gz [ / url ] BBCode?
_________________
Stan: A signal? Why didn't you wake me?
790: It was a distress signal. They only lead to trouble, so I always ignore them. --Lexx
Budoka (l33t)
Joined: 03 Jun 2012
Posts: 777
Location: Tokyo, Japan

Posted: Mon Aug 26, 2013 1:52 am
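PaulBredbury's "Depends on" line and CleanTestr's zgrep of /proc/config.gz amount to the same check: confirm every prerequisite of NF_NAT_FTP is enabled before looking for the symbol itself, because menuconfig does not offer a symbol whose dependencies are unmet. The script below is an added example, not code from the thread or from the ufw or kernel projects; it reads a plain-text kernel config (feed it the output of zcat /proc/config.gz), and the function names and the embedded sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example: report whether the Kconfig prerequisites of NF_NAT_FTP
# (the "Depends on" line quoted in the thread) are enabled in a kernel
# config. Live use: zcat /proc/config.gz > /tmp/config; sh check.sh /tmp/config

# Prerequisites of NF_NAT_FTP, as quoted in the thread.
NF_NAT_FTP_DEPS="NET INET NETFILTER NF_CONNTRACK NF_NAT"

# config_value FILE SYMBOL: prints y or m when set, otherwise n
# (covers both "# CONFIG_X is not set" and a symbol that is absent).
config_value() {
    val=$(grep "^CONFIG_$2=" "$1" | head -n 1 | cut -d= -f2)
    case "$val" in
        y|m) printf '%s\n' "$val" ;;
        *)   printf 'n\n' ;;
    esac
}

# check_nf_nat_ftp FILE: returns 0 when every prerequisite is y or m,
# 1 otherwise, printing each symbol so the missing ones are obvious.
check_nf_nat_ftp() {
    missing=0
    for sym in $NF_NAT_FTP_DEPS; do
        v=$(config_value "$1" "$sym")
        printf '%-20s %s\n' "CONFIG_$sym" "$v"
        [ "$v" = n ] && missing=$((missing + 1))
    done
    if [ "$missing" -gt 0 ]; then
        echo "NF_NAT_FTP is hidden: enable the $missing unset symbol(s) first"
        return 1
    fi
    echo "prerequisites met; NF_NAT_FTP [=$(config_value "$1" NF_NAT_FTP)]"
}

# Constructed sample config (not the poster's real one): conntrack is built
# but NF_NAT is off, which is exactly the state that hides NF_NAT_FTP.
SAMPLE_CONFIG=$(mktemp)
cat > "$SAMPLE_CONFIG" <<'EOF'
CONFIG_NET=y
CONFIG_INET=y
CONFIG_NETFILTER=y
CONFIG_NF_CONNTRACK=m
# CONFIG_NF_NAT is not set
EOF

check_nf_nat_ftp "${1:-$SAMPLE_CONFIG}" || true
```

Once NF_NAT shows y or m, NF_NAT_FTP appears under Networking support > Networking options > Network packet filtering framework (Netfilter) > Core Netfilter Configuration and can be enabled, after which modprobe nf_nat_ftp has something to load.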

CleanTestr wrote:
a) Upon emerge ufw, I get:
Code:
* Note: once enabled, ufw blocks also incoming SSH connections by
* default. See README, Remote Management section for more information.


b) a quick search of the Internet yields a page which states it can do:
Code:
Status: active

To            Action   From
--------      ------   ----
OpenSSH       LIMIT    Anywhere


That page is blog:UFW with Fail2ban

They'll tell you why you don't want SSH port open for server use. They'll also
tell you how to selectively enable/disable it.

If you wanted to use just iptables w/o ufw,

c) You write:
Quote:
Issue 3:

Can't find it for my life. If I search for it I only get
Quote:
Symbol: NF_NAT_FTP [=n]
Type : tristate
which doesn't show any path to where it lives in the config.


The: NF_NAT_FTP [=n] means NAT isn't compiled into the kernel.
Go back and set it to [*] and try again.

Using the tool grep on your kernel config:

zgrep NAT /proc/config.gz

d) Alternatively, since more information is better than less, could you (please)
Code:
emerge wgetpaste
zcat /proc/config.gz > _fool
wgetpaste _fool


and put the resulting URL into a [ url = :URL: ] config.gz [ / url ] BBCode?


Thanks for all the good info, folks. Still struggling with this. Really annoying, to tell the truth. I may be a dunce, but it really shouldn't be this difficult to open a port. I am not even on a hardened version of Gentoo, so I'm not sure even why it is closed.

Anyway, I would add one thing. What I meant is that I can't find where NF_NAT_FTP lives in the kernel config.
PaulBredbury (Watchman)
Joined: 14 Jul 2005
Posts: 7310

Posted: Mon Aug 26, 2013 4:39 am

You won't find NF_NAT_FTP until you've enabled its prerequisites, e.g. NF_NAT.
Budoka (l33t)
Joined: 03 Jun 2012
Posts: 777
Location: Tokyo, Japan

Posted: Mon Aug 26, 2013 4:41 am

PaulBredbury wrote:
You won't find NF_NAT_FTP until you've enabled its prerequisites, e.g. NF_NAT.

OK. I'll check again. But why isn't it outlined in the iptables wiki? I enabled everything in the kernel that page requested.
PaulBredbury (Watchman)
Joined: 14 Jul 2005
Posts: 7310

Posted: Mon Aug 26, 2013 7:11 am

Probably the wiki is just slightly out-of-date, due to the kernel changing its deps.