**SUPPORT** Personal Firewall with Shorewall Tutorial

Having problems getting connected to the internet or running a server? Wondering about securing your box? Ask here.
274 posts
Page 8 of 11
Post by Sith_Happens » Tue Jun 21, 2005 4:07 pm

What about my second question?
Sith_Happens wrote: Also are you behind a router/firewall or a modem that you connect to via a network cable?
"That question was less stupid; though you asked it in a profoundly stupid way."
I'm the brains behind Jackass! | Tutorials: Shorewall
Post by Sith_Happens » Tue Jun 21, 2005 4:08 pm

The Shoreline Firewall v. 2.2.3 is now stable in portage. I'll be updating the guide soon to reflect the changes in this version.
"That question was less stupid; though you asked it in a profoundly stupid way."
I'm the brains behind Jackass! | Tutorials: Shorewall
Post by <3 » Tue Jun 21, 2005 8:55 pm

Sith_Happens wrote: What about my second question?
Sith_Happens wrote: Also are you behind a router/firewall or a modem that you connect to via a network cable?
Sorry about not including that in my original post. And Thanks for taking the time to help me with my problem.

To answer your question, I am neither behind a firewall nor a router. My computer is connected from my ethernet card directly into my cable modem which is plugged directly into the cable line.
Post by Sith_Happens » Wed Jun 22, 2005 5:20 pm

<3 wrote:
Sith_Happens wrote: What about my second question?
Sith_Happens wrote: Also are you behind a router/firewall or a modem that you connect to via a network cable?
Sorry about not including that in my original post. And Thanks for taking the time to help me with my problem.

To answer your question, I am neither behind a firewall nor a router. My computer is connected from my ethernet card directly into my cable modem which is plugged directly into the cable line.
That's your problem. If you are connected to the cable modem via your ethernet card, then your modem is also acting as a router. The portscan is reading the ports on your modem, not your computer. You can probably connect to the modem and configure it to block those ports, but you'll have to read the manual that came with your modem to determine that.
"That question was less stupid; though you asked it in a profoundly stupid way."
I'm the brains behind Jackass! | Tutorials: Shorewall
Post by <3 » Thu Jun 23, 2005 5:17 am

Thank you for your help 8)
Post by Bob P » Thu Jun 23, 2005 7:46 pm

hmmmm. upgraded shorewall and now i'm getting this error at bootup:

Code:

* Starting firewall ...
   Error: No Zones Defined
/etc/init.d/shorewall:  line 13:  9278 Terminated             /sbin/shorewall start >/dev/null

fwiw, the zone appears to be configured in my interfaces file, but not in the zones file:

Code:

 # cat interfaces

# Shorewall 2.0 -- Interfaces File
#
# /etc/shorewall/interfaces
#
#       You must add an entry in this file for each network interface on your
#       firewall system.
#
# Columns are:
#
#       ZONE            Zone for this interface. Must match the short name
#                       of a zone defined in /etc/shorewall/zones.
#
#                       If the interface serves multiple zones that will be
#                       defined in the /etc/shorewall/hosts file, you should
#                       place "-" in this column.
#
#       INTERFACE       Name of interface. Each interface may be listed only
#                       once in this file. You may NOT specify the name of
#                       an alias (e.g., eth0:0) here; see
#                       http://www.shorewall.net/FAQ.htm#faq18
#
#                       You may specify wildcards here. For example, if you
#                       want to make an entry that applies to all PPP
#                       interfaces, use 'ppp+'.
#
#                       There is no need to define the loopback interface (lo)
#                       in this file.
#
#       BROADCAST       The broadcast address for the subnetwork to which the
#                       interface belongs. For P-T-P interfaces, this
#                       column is left blank. If the interface has multiple
#                       addresses on multiple subnets then list the broadcast
#                       addresses as a comma-separated list.
#
#                       If you use the special value "detect", the firewall
#                       will detect the broadcast address for you. If you
#                       select this option, the interface must be up before
#                       the firewall is started, you must have iproute
#                       installed.
#
#                       If you don't want to give a value for this column but
#                       you want to enter a value in the OPTIONS column, enter
#                       "-" in this column.
#
#       OPTIONS         A comma-separated list of options including the
#                       following:
#
#                       dhcp         - Specify this option when any of
#                                      the following are true:
#                                      1. the interface gets its IP address
#                                         via DHCP
#                                      2. the interface is used by
#                                         a DHCP server running on the firewall
#                                      3. you have a static IP but are on a LAN
#                                         segment with lots of Laptop DHCP
#                                         clients.
#                                      4. the interface is a bridge with
#                                         a DHCP server on one port and DHCP
#                                         clients on another port.
#
#                       norfc1918    - This interface should not receive
#                                      any packets whose source is in one
#                                      of the ranges reserved by RFC 1918
#                                      (i.e., private or "non-routable"
#                                      addresses). If packet mangling or
#                                      connection-tracking match is enabled in
#                                      your kernel, packets whose destination
#                                      addresses are reserved by RFC 1918 are
#                                      also rejected.
#
#                       nobogons    -  This interface should not receive
#                                      any packets whose source is in one
#                                      of the ranges reserved by IANA (this
#                                      option does not cover those ranges
#                                      reserved by RFC 1918 -- see above).
#
#                       routefilter  - turn on kernel route filtering for this
#                                      interface (anti-spoofing measure). This
#                                      option can also be enabled globally in
#                                      the /etc/shorewall/shorewall.conf file.
#
#                       blacklist    - Check packets arriving on this interface
#                                      against the /etc/shorewall/blacklist
#                                      file.
#
#                       maclist      - Connection requests from this interface
#                                      are compared against the contents of
#                                      /etc/shorewall/maclist. If this option
#                                      is specified, the interface must be
#                                      an ethernet NIC and must be up before
#                                      Shorewall is started.
#
#                       tcpflags     - Packets arriving on this interface are
#                                      checked for certain illegal combinations
#                                      of TCP flags. Packets found to have
#                                      such a combination of flags are handled
#                                      according to the setting of
#                                      TCP_FLAGS_DISPOSITION after having been
#                                      logged according to the setting of
#                                      TCP_FLAGS_LOG_LEVEL.
#
#                       proxyarp     -
#                               Sets
#                               /proc/sys/net/ipv4/conf/<interface>/proxy_arp.
#                               Do NOT use this option if you are
#                               employing Proxy ARP through entries in
#                               /etc/shorewall/proxyarp. This option is
#                               intended solely for use with Proxy ARP
#                               sub-networking as described at:
#                               http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet
#
#                       newnotsyn    - TCP packets that don't have the SYN
#                                      flag set and which are not part of an
#                                      established connection will be accepted
#                                      from this interface, even if
#                                      NEWNOTSYN=No has been specified in
#                                      /etc/shorewall/shorewall.conf. In other
#                                      words, packets coming in on this interface
#                                      are processed as if NEWNOTSYN=Yes had been
#                                      specified in /etc/shorewall/shorewall.conf.
#
#                                      This option has no effect if
#                                      NEWNOTSYN=Yes.
#
#                                      It is the opinion of the author that
#                                      NEWNOTSYN=No creates more problems than
#                                      it solves and I recommend against using
#                                      that setting in shorewall.conf (hence
#                                      making the use of the 'newnotsyn'
#                                      interface option unnecessary).
#
#                       routeback    - If specified, indicates that Shorewall
#                                      should include rules that allow filtering
#                                      traffic arriving on this interface back
#                                      out that same interface.
#
#                       arp_filter   - If specified, this interface will only
#                                      respond to ARP who-has requests for IP
#                                      addresses configured on the interface.
#                                      If not specified, the interface can
#                                      respond to ARP who-has requests for
#                                      IP addresses on any of the firewall's
#                                      interface. The interface must be up
#                                      when Shorewall is started.
#
#                       nosmurfs     - Filter packets for smurfs
#                                      (packets with a broadcast
#                                      address as the source).
#
#                                      Smurfs will be optionally logged based
#                                      on the setting of SMURF_LOG_LEVEL in
#                                      shorewall.conf. After logging, the
#                                      packets are dropped.
#
#                       detectnets   - Automatically tailors the zone named
#                                      in the ZONE column to include only those
#                                      hosts routed through the interface.
#
#                       WARNING: DO NOT SET THE detectnets OPTION ON YOUR
#                                INTERNET INTERFACE.
#
#                       The order in which you list the options is not
#                       significant but the list should have no embedded white
#                       space.
#
#       Example 1:      Suppose you have eth0 connected to a DSL modem and
#                       eth1 connected to your local network and that your
#                       local subnet is 192.168.1.0/24. The interface gets
#                       its IP address via DHCP from subnet
#                       206.191.149.192/27. You have a DMZ with subnet
#                       192.168.2.0/24 using eth2.
#
#                       Your entries for this setup would look like:
#
#                       net     eth0    206.191.149.223 dhcp
#                       local   eth1    192.168.1.255
#                       dmz     eth2    192.168.2.255
#
#       Example 2:      The same configuration without specifying broadcast
#                       addresses is:
#
#                       net     eth0    detect          dhcp
#                       loc     eth1    detect
#                       dmz     eth2    detect
#
#       Example 3:      You have a simple dial-in system with no ethernet
#                       connections.
#
#                       net     ppp0    -
##############################################################################
#ZONE   INTERFACE       BROADCAST       OPTIONS
#
net     eth0            detect          dhcp,routefilter,tcpflags
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Code:

# cat zones
#
# Shorewall 2.2 /etc/shorewall/zones
#
# This file determines your network zones. Columns are:
#
#       ZONE            Short name of the zone (5 Characters or less in length).
#       DISPLAY         Display name of the zone
#       COMMENTS        Comments about the zone
#
# THE ORDER OF THE ENTRIES IN THIS FILE IS IMPORTANT IF YOU HAVE NESTED OR
# OVERLAPPING ZONES DEFINED THROUGH /etc/shorewall/hosts.
#
# See http://www.shorewall.net/Documentation.htm#Nested
#--------------------------------------------------------------------------------
# Example zones:
#
#    You have a three interface firewall with internet, local and DMZ interfaces.
#
#       #ZONE   DISPLAY         COMMENTS
#       net     Internet        The big bad Internet
#       loc     Local           Local Network
#       dmz     DMZ             Demilitarized zone.
#
#ZONE                   DISPLAY         COMMENTS
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
is the zones file something that's new with the new version of shorewall, or did i step on a config file during the upgrade?
Post by Bob P » Thu Jun 23, 2005 8:07 pm

fwiw, this seems to fix the problem in a single-ended application:

Code:

# cat /etc/shorewall/zones
#ZONE   DISPLAY         COMMENTS
net     Net             Internet
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
Post by <3 » Fri Jun 24, 2005 12:40 am

Sith_Happens wrote: That's your problem. If you are connected to the cable modem via your ethernet card, then your modem is also acting as a router. The portscan is reading the ports on your modem, not your computer. You can probably connect to the modem and configure it to block those ports, but you'll have to read the manual that came with your modem to determine that.
Hmmm I just took the same test on the same computer booted in Windows XP. Using ZoneAlarm I got a perfect score on the shields up test. All ports were reported in stealth mode. I have not made any changes to the cable modem since the last test. I think maybe I didn't set up shorewall correctly.
Post by Sith_Happens » Fri Jun 24, 2005 2:42 am

Bob P wrote: fwiw, this seems to fix the problem in a single-ended application:

Code:

# cat /etc/shorewall/zones
#ZONE   DISPLAY         COMMENTS
net     Net             Internet
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
Yeah I'm aware of this problem:
Sith_Happens wrote:
wazoo42 wrote: Good tutorial. I ran into a little trouble b/c /etc/shorewall/zones has everything commented out in my version (2.2.4). After I edited it, as well as changing "STARTUP_ENABLED=No" to yes in /etc/shorewall/shorewall.conf everything was fine.
Yeah, this tutorial is written for the latest stable version (2.0.7). I'll keep an eye out for that when 2.2.4 becomes stable though, thanks. :)
I'm incorporating it into the updated guide. However, I'm working one job full time and training to be a campus bus driver (good job, great pay, great hours, not related to my major :wink:) so don't expect too much too soon. However, this change in /etc/shorewall/zones seems to be the biggest change I've encountered so far that's relevant to the guide, so if everybody keeps this in mind, that should tide them over till I finish the guide.
"That question was less stupid; though you asked it in a profoundly stupid way."
I'm the brains behind Jackass! | Tutorials: Shorewall
Post by <3 » Fri Jun 24, 2005 3:41 am

OK once I re-read what shields up was saying, it was telling me that those ports were the only ones that were in stealth mode, not that those were the only ports that were open. Here is an exact quote of what the text summary gave me on:

Windows XP with Zone Alarm
----------------------------------------------------------------------

GRC Port Authority Report created on UTC: 2005-06-24 at 03:28:12

Results from scan of ports: 0-1055

0 Ports Open
0 Ports Closed
1056 Ports Stealth
---------------------
1056 Ports Tested

ALL PORTS tested were found to be: STEALTH.

TruStealth: PASSED - ALL tested ports were STEALTH,
- NO unsolicited packets were received,
- NO Ping reply (ICMP Echo) was received.

----------------------------------------------------------------------
Here is the same test done in Gentoo with shorewall
----------------------------------------------------------------------

GRC Port Authority Report created on UTC: 2005-06-24 at 03:11:43

Results from scan of ports: 0-1055

0 Ports Open
1050 Ports Closed
6 Ports Stealth
---------------------
1056 Ports Tested

NO PORTS were found to be OPEN.

Ports found to be STEALTH were: 135, 137, 138, 139, 445, 593

Other than what is listed above, all ports are CLOSED.

TruStealth: FAILED - NOT all tested ports were STEALTH,
- NO unsolicited packets were received,
- A PING REPLY (ICMP Echo) WAS RECEIVED.


----------------------------------------------------------------------
I really don't think it is the modem that is acting as a router else I would have the same problem in windows. Something is wrong with the way I setup shorewall and I can't figure out what it is.

I don't know if this is important but I do not have syslog-ng installed so I skipped the last part of the tutorial. I have metalog installed instead. This is what I get when I start shorewall:

Code:

#/etc/init.d/shorewall start
 * Starting firewall ...
LOGFILE (/var/log/messages) does not exist!
Post by Sith_Happens » Fri Jun 24, 2005 12:02 pm

For the logging problem, you'll have to look at your metalog config file and see what file it logs to by default, then edit the LOGFILE variable in /etc/shorewall/shorewall.conf to point to that file:

Code:

################################################################################
#
# LOG FILE LOCATION
#
# This variable tells the /sbin/shorewall program where to look for Shorewall
# log messages. If not set or set to an empty string (e.g., LOGFILE="") then
# /var/log/messages is assumed.
#
# WARNING: The LOGFILE variable simply tells the 'shorewall' program where to
#          look for Shorewall messages. It does NOT control the destination for
#          these messages. For information about how to do that, see
#
#              http://www.shorewall.net/shorewall_logging.html

LOGFILE=/var/log/messages
As far as your other problem, could you post your /etc/shorewall/zones file, as well as the version of shorewall that you are using?
"That question was less stupid; though you asked it in a profoundly stupid way."
I'm the brains behind Jackass! | Tutorials: Shorewall
Post by <3 » Fri Jun 24, 2005 1:11 pm

Again thank you for helping me with this.

Here is my /etc/shorewall/zones file
#
# Shorewall 2.2 /etc/shorewall/zones
#
# This file determines your network zones. Columns are:
#
# ZONE Short name of the zone (5 Characters or less in length).
# DISPLAY Display name of the zone
# COMMENTS Comments about the zone
#
# THE ORDER OF THE ENTRIES IN THIS FILE IS IMPORTANT IF YOU HAVE NESTED OR
# OVERLAPPING ZONES DEFINED THROUGH /etc/shorewall/hosts.
#
# See http://www.shorewall.net/Documentation.htm#Nested
#
#ZONE DISPLAY COMMENTS
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

I don't ever remember editing this file. Was I supposed to add something here?

and here are the version numbers:
net-firewall/iptables-1.2.11-r3
sys-apps/iproute2-2.6.10.20050112-r1
net-firewall/shorewall-2.2.0_rc5
Last edited by <3 on Sat Jun 25, 2005 4:52 am, edited 1 time in total.
Post by cubchai » Fri Jun 24, 2005 5:26 pm

Starting firewall ...
Error: No Zones Defined
/etc/init.d/shorewall: line 13: 11530 Terminated /sbin/shorewall start >/dev/null
can anyone tell me what's happening? after following the guide, do i need to edit shorewall.conf?
Post by Bob P » Fri Jun 24, 2005 9:05 pm

cubchai wrote:
Starting firewall ...
Error: No Zones Defined
/etc/init.d/shorewall: line 13: 11530 Terminated /sbin/shorewall start >/dev/null
can anyone tell me what's happening? after following the guide, do i need to edit shorewall.conf?
scroll up 7 or 8 messages on this page and you'll see that this question has already been asked and answered. :wink:
Post by cubchai » Fri Jun 24, 2005 9:32 pm

Bob P wrote:
cubchai wrote:
Starting firewall ...
Error: No Zones Defined
/etc/init.d/shorewall: line 13: 11530 Terminated /sbin/shorewall start >/dev/null
can anyone tell me what's happening? after following the guide, do i need to edit shorewall.conf?
scroll up 7 or 8 messages on this page and you'll see that this question has already been asked and answered. :wink:
thank you. but do i need to edit shorewall.conf?
Post by southpaw » Sat Jun 25, 2005 9:03 pm

Hey sith,
I'm still a little green when it comes to troubleshooting certain things under linux, but I was hoping you might be able to point me the right direction. When I "emerge shorewall", everything looks fine until the end of the process, I get this...

Code:

 >>> Regenerating /etc/ld.so.cache...
 * Caching service dependencies ...
 *  Service 'firestarter' already provided by 'firewall'!;
 *  Not adding service 'shorewall'...                                    [ ok ]
>>> net-firewall/shorewall-2.2.3 merged.

...now I've already unmerged firestarter, I never use it anyway, but I don't understand if I unmerged this package why is the "service still being provided" :? ??? Unfortunately, I'm still accustomed to the "Windows Way" of doing things, such as delete & empty the recycle bin, I'm still getting used to the portage language. Oh btw, I know I probably should have posted this in "Portage and Programming", but I figured since I was dealing with installing and setting up "Shorewall", then I should probably address you first 8) ...
...Any help is always appreciated, thanx in advance :wink:
Legalize It
Post by <3 » Mon Jun 27, 2005 3:45 am

So I guess no one knows what is wrong with my shorewall install =/
Post by Sith_Happens » Mon Jun 27, 2005 11:01 am

<3 wrote: So I guess no one knows what is wrong with my shorewall install =/
Make the end of your /etc/shorewall/zones file look like this and see if that fixes the problem:

Code:

#ZONE   DISPLAY         COMMENTS
net     Net             Internet
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
"That question was less stupid; though you asked it in a profoundly stupid way."
I'm the brains behind Jackass! | Tutorials: Shorewall
Post by <3 » Mon Jun 27, 2005 12:58 pm

That didn't work =/.

I don't know if this is any help but I get this message when I type "shorewall status". I have no idea what this means but the output seems to be telling me something is wrong. I am sure I compiled everything in the kernel that you specified and I emerged iptables, iproute2, and shorewall without any error messages.

Code:

# shorewall status
Shorewall-2.2.0-RC5 Status at ramb00000000000 - Mon Jun 27 07:55:55 CDT 2005

iptables v1.2.11: can't initialize iptables table `filter': Table does not exist
Perhaps iptables or your kernel needs to be upgraded.


NAT Table

iptables v1.2.11: can't initialize iptables table `nat': Table does not exist (d
Perhaps iptables or your kernel needs to be upgraded.

Mangle Table

iptables v1.2.11: can't initialize iptables table `mangle': Table does not exist
Perhaps iptables or your kernel needs to be upgraded.

//<Some other stuff I left out>

Routing Rules

RTNETLINK answers: Invalid argument
Dump terminated
RTNETLINK answers: Invalid argument
Dump terminated

Modules
Post by LaoTzuTao » Thu Jun 30, 2005 3:42 pm

Well I just have a simple question (great tutorial btw :) ) I can't seem to ping anything anymore...I get

PING gentoo.org (204.74.99.100) 56(84) bytes of data.
From xx.xx.xx.xx icmp_seq=1 Destination Host Unreachable
From xx.xx.xx.xx icmp_seq=1 Destination Host Unreachable
From xx.xx.xx.xx icmp_seq=1 Destination Host Unreachable
From xx.xx.xx.xx icmp_seq=1 Destination Host Unreachable
From xx.xx.xx.xx icmp_seq=1 Destination Host Unreachable
From xx.xx.xx.xx icmp_seq=1 Destination Host Unreachable
ping: sendmsg: Operation not permitted

--- gentoo.org ping statistics ---
1 packets transmitted, 0 received, +6 errors, 100% packet loss, time 325ms

I assume this is normal, but if I wanted to be able to ping someone/allow myself to be pinged, what would I have to add to rules.conf?


ACCEPT fw net tcp 80 #http
ACCEPT fw net udp 80 #http
ACCEPT fw net tcp 443 #https
ACCEPT fw net udp 443 #https
ACCEPT fw net tcp 21 #ftp
ACCEPT fw net tcp 53 #DNS
ACCEPT fw net udp 53 #DNS
ACCEPT fw net tcp 110 #unsecure Pop3
ACCEPT fw net tcp 995 #Secure Pop3
ACCEPT fw net tcp 873 #rsync
ACCEPT fw net tcp 25 #unsecure SMTP
ACCEPT fw net tcp 465 #SMTP over SSL
ACCEPT fw net tcp 5190 #AIM/ICQ
DROP net fw tcp 113 #AUTH/IDENT, I added this to show how to block a port

I tried adding ACCEPT fw net icmp but left port blank, but then ping returned nothing and just sat there.

Thanks!
Athlon 64 3200+
Abit AV8 Mobo
512 megs DDR400
NVidia GeForce 6800
Samsung Syncmaster 712n
Post by kcy29581 » Sat Jul 02, 2005 2:48 pm

Hi all,

I followed your guide Sith_Happens, but I can't ping anything and can't connect to any webpages, basically useless my pc has become. :(

Here are the files I changed according to the guide:

/etc/shorewall/interfaces
#ZONE INTERFACE BROADCAST OPTIONS GATEWAY
#
net eth0 detect
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
/etc/shorewall/policy
#SOURCE DEST POLICY LOG LIMIT:BURST
# LEVEL
net all DROP info
#
# THE FOLLOWING POLICY MUST BE LAST
#
all all REJECT info
#LAST LINE -- DO NOT REMOVE
/etc/shorewall/rules
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
ACCEPT fw net tcp 80
ACCEPT fw net udp 80
ACCEPT fw net tcp 443
ACCEPT fw net udp 443
ACCEPT fw net tcp 21
ACCEPT fw net tcp 873
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
I connect to the net via a Linksys WAG54G ADSL Modem/Router. I have my pc using a static IP, but my ISP provides me with a dynamic one to connect to the net (basically I have created a home network via the Router but assigned 192.168.1.xxx type IP's to my pc's)

Any help? Anything else you need from me? It's like the rules aren't obeyed...

Oh and my system is fully ~x86 and the installed shorewall version is 2.4.0 and iptables version is 1.3.1-r4

Thanks

EDIT!!! : I think you can ignore the above post as I just realised that I forgot to include the DNS ports in the rules... Now I can connect to Google and the forums with the firewall on! Sorry...
There is no spoon...

Oh, and it's WINDOWS not Winblowz for those who can't spell
Post by Fenster » Mon Jul 18, 2005 11:55 pm

Hmm. I've had a lot of problems with Shorewall recently, I'm setting it up on my laptop right now and I get the following message with shorewall start:

Code:

tehpwn root # shorewall start
Loading /usr/share/shorewall/functions...
Processing /etc/shorewall/params ...
Processing /etc/shorewall/shorewall.conf...
Loading Modules...
Starting Shorewall...
Initializing...
Shorewall has detected the following iptables/netfilter capabilities:
   NAT: Available
   Packet Mangling: Not available
   Multi-port Match: Available
   Extended Multi-port Match: Not available
   Connection Tracking Match: Available
   Packet Type Match: Available
   Policy Match: Not available
   Physdev Match: Not available
   IP range Match: Available
   Recent Match: Available
   Owner Match: Available
   Ipset Match: Not available
   ROUTE Target: Not available
   Extended MARK Target: Not available
   CONNMARK Target: Not available
   Connmark Match: Not available
Determining Zones...
   Zones: net loc
Validating interfaces file...
   Error: Invalid zone (b) in record "b   "
Terminated
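Both failures so far in this page are plain configuration mistakes: the first poster forgot the DNS rules while the fw->net policy was REJECT, and Fenster's interfaces file has a record naming a zone (`b`) that the zones file never declares. The lint below catches both; it is an added example, not part of Shorewall, assumes Shorewall 2.x whitespace-separated files, and uses constructed sample files rather than either poster's real configuration.

```python
"""Lint two Shorewall 2.x config mistakes seen in this thread: an interfaces
record naming an undeclared zone, and a REJECT fw->net policy with no DNS rule.
Added example, not Shorewall code; sample files below are constructed."""

def parse(text):
    """Split a Shorewall table into records, dropping comments and blank lines."""
    rows = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            rows.append(line.split())
    return rows

def lint(zones, interfaces, policy, rules, fw="fw"):
    """Return a list of findings; an empty list means both checks passed."""
    findings = []
    known = {z[0] for z in parse(zones)} | {fw}  # the firewall zone is implicit
    # Check 1: every interfaces record must name a declared zone ('-' = multi-zone).
    for rec in parse(interfaces):
        if rec[0] != "-" and rec[0] not in known:
            findings.append("Invalid zone (%s) in interfaces record %r" % (rec[0], " ".join(rec)))
    # Check 2: the first policy matching fw->net decides; if it is REJECT/DROP,
    # name resolution needs an explicit ACCEPT for udp/53 (or udp with all ports).
    verdict = None
    for p in parse(policy):
        if len(p) >= 3 and p[0] in (fw, "all") and p[1] in ("net", "all"):
            verdict = p[2].upper()
            break
    if verdict in ("REJECT", "DROP"):
        dns_ok = False
        for r in parse(rules):
            if len(r) < 4 or r[0].upper() != "ACCEPT" or r[1] != fw or r[2] not in ("net", "all"):
                continue
            ports = r[4].split(",") if len(r) > 4 else ["-"]
            if r[3].lower() in ("udp", "all") and ({"-", "53", "domain"} & set(ports)):
                dns_ok = True
        if not dns_ok:
            findings.append("Policy fw->net is %s but no rule ACCEPTs udp/53: DNS lookups will fail" % verdict)
    return findings

# Constructed sample files mirroring the posts above (not the posters' exact files).
ZONES = "net Net Internet\nloc Local Local network\n"
INTERFACES_OK = "net eth0 detect\nloc eth1 detect\n"
INTERFACES_BAD = INTERFACES_OK + "b\n"        # stray record like the one in Fenster's error
POLICY = "loc net ACCEPT\nnet all DROP info\nall all REJECT info\n"
RULES_BAD = "ACCEPT fw net tcp 80\nACCEPT fw net tcp 443\nACCEPT fw net tcp 21\n"
RULES_OK = RULES_BAD + "ACCEPT fw net udp 53\nACCEPT fw net tcp 53\n"
```

Running `lint(ZONES, INTERFACES_BAD, POLICY, RULES_BAD)` reports both problems, and the same call with `INTERFACES_OK` and `RULES_OK` returns an empty list.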
Bob P
Advocate
Posts: 3374
Joined: Wed Oct 20, 2004 9:15 pm
Location: USA


Post by Bob P » Mon Jul 25, 2005 8:42 am

Now this is weird. I've had shorewall up and running for months. I've kept an eye on glsa-check, and I saw the shorewall security problem, so I "upgraded" shorewall on my boxes -- that was a mistake! Now I'm getting the dreaded [ !! ] when trying to start shorewall. It looks like the "updates" are b0rked.

Has anyone else encountered this problem? I've got it on several boxes following the emerge of the new ebuild.
Hack_Benjamin
Apprentice
Posts: 158
Joined: Fri Nov 12, 2004 11:24 pm


Post by Hack_Benjamin » Mon Jul 25, 2005 4:07 pm

I had all of the modules selected as * in kernel 2.6.12r6 (and rebooted after recompiling the kernel), and since emerging iptables and iproute2, when I try /etc/init.d/shorewall start I get this:

Code: Select all

 disdain linux # /etc/init.d/shorewall start
 * Starting firewall ...
FATAL: Module ip6_tables not found.
ip6tables v1.2.11: can't initialize ip6tables table `filter': iptables who? (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
FATAL: Module ip6_tables not found.
ip6tables v1.2.11: can't initialize ip6tables table `filter': iptables who? (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
FATAL: Module ip6_tables not found.
ip6tables v1.2.11: can't initialize ip6tables table `filter': iptables who? (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
   Error: Invalid Action in rule "USER/"
FATAL: Module ip6_tables not found.
ip6tables v1.2.11: can't initialize ip6tables table `filter': iptables who? (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
FATAL: Module ip6_tables not found.
ip6tables v1.2.11: can't initialize ip6tables table `filter': iptables who? (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
FATAL: Module ip6_tables not found.
ip6tables v1.2.11: can't initialize ip6tables table `filter': iptables who? (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
/etc/init.d/shorewall: line 14: 28630 Terminated              /sbin/shorewall start >/dev/null                
Now, I'm pretty damn sure I'm not using IPv6. I have tried it with and without them selected in the kernel and it still keeps doing it.

What's wrong with it?
southpaw
Guru
Posts: 375
Joined: Fri Mar 11, 2005 3:41 pm
Location: "Americas Toilet"(So.FL.)


Post by southpaw » Tue Jul 26, 2005 8:47 pm

Hey Bob,
I'm not sure if this is the same thing, but I recently updated shorewall and I have been getting this upon boot-up:

Code: Select all

firewall                                                                                   [!!]
Any ideas???
Legalize It
© 2001–2026 Gentoo Foundation, Inc.