On Thu, 26 Aug 2004 08:34:06 +0200
Sven Brockshus <Sven@×××××××××.de> wrote:

> Hello, first of all,
> now that I have switched my workstation from SUSE to Gentoo and am very
> happy with it, it is the server's turn. Everything works great there too.
> Only the firewall I cannot get to run. The firewall is supposed to open a
> few services to the outside and masquerade the LAN to the Internet. After
> 2 days of googling and time spent on www.shorewall.net, it looks as if
> something is missing in the kernel.

Yes, it looks like something is missing. Have you compiled the following as modules?

Device Drivers --->
Networking Support --->
Networking Options --->
[*] Network packet filtering (replaces ipchains) --->
IP: Netfilter Configuration --->
<M> Connection tracking (required for masq/NAT)
<M> FTP protocol support
<M> IRC protocol support
<M> TFTP protocol support
< > Amanda backup protocol support
< > Userspace queueing via NETLINK
<M> IP tables support (required for filtering/masq/NAT)
<M> limit match support
<M> IP range match support
<M> MAC address match support
<M> Packet type match support
<M> netfilter MARK match support
<M> Multiple port match support
< > TOS match support
< > recent match support
< > ECN match support
< > DSCP match support
< > AH/ESP match support
< > LENGTH match support
< > TTL match support
< > tcpmss match support
< > Helper match support
<M> Connection state match support
<M> Connection tracking match support
<M> Owner match support
<M> Packet filtering
<M> REJECT target support
<M> Full NAT
<M> MASQUERADE target support
<M> REDIRECT target support
< > NETMAP target support
< > SAME target support
[ ] NAT of local connections (READ HELP)
< > Basic SNMP-ALG support (EXPERIMENTAL)
<M> Packet mangling
<M> TOS target support
< > ECN target support
< > DSCP target support
< > MARK target support
< > CLASSIFY target support
<M> LOG target support
< > ULOG target support
< > TCPMSS target support
<M> ARP tables support
<M> ARP packet filtering
< > ARP payload mangling
< > ipchains (2.2-style) support
< > ipfwadm (2.0-style) support
< > raw table support (required for NOTRACK/TRACE)

It may be that one module or another is more than needed, but this is how it works for me.

Regards - Rob


> But I have already compiled in, and built as modules, everything that has
> anything to do with networking, and I have also changed the .config file
> following the example on www.shorewall.net. Always the same error message.
> Maybe one of you has an idea - I am out of ideas.
>
> so, down to the facts:
>
> versions:
> kernel:
> 2.6.8-gentoo-r1
>
> iptables:
> v1.2.11
>
> shorewall:
> 2.0.4
>
> startup output:
> Loading /usr/share/shorewall/functions...
> Processing /etc/shorewall/params ...
> Processing /etc/shorewall/shorewall.conf...
> Loading Modules...
> Starting Shorewall...
> Initializing...
> Shorewall has detected the following iptables/netfilter capabilities:
> NAT: Not available
> Packet Mangling: Not available
> Multi-port Match: Available
> Connection Tracking Match: Not available
> Determining Zones...
> Zones: net loc
> Validating interfaces file...
> Validating hosts file...
> Validating Policy file...
> Determining Hosts in Zones...
> Net Zone: ppp0:0.0.0.0/0
> Local Zone: eth1:0.0.0.0/0
> Processing /etc/shorewall/init ...
> Deleting user chains...
> iptables: No chain/target/match by that name
> Processing /etc/shorewall/stop ...
> iptables: No chain/target/match by that name
> iptables: No chain/target/match by that name
> IP Forwarding Enabled
> Processing /etc/shorewall/stopped ...
> Terminated
>
> my interfaces:
> net ppp0 - routefilter,norfc1918,tcpflags
> loc eth1 detect tcpflags
>
> policy:
> loc net ACCEPT
> loc fw ACCEPT
> fw net ACCEPT
> net all DROP info
> all all REJECT info
>
> rules:
> ACCEPT net fw tcp 80
> ACCEPT net fw udp 80
> ACCEPT net fw tcp 20
> ACCEPT net fw tcp 21
> ACCEPT net fw tcp 22
> ACCEPT net fw udp 22
>
> zones:
> net Net Internet
> loc Local Local Networks
>
> .config excerpt (taken as-is from www.shorewall.net):
> #
> # Networking options
> #
> CONFIG_PACKET=y
> # CONFIG_PACKET_MMAP is not set
> # CONFIG_NETLINK_DEV is not set
> CONFIG_NETFILTER=y
> # CONFIG_NETFILTER_DEBUG is not set
> CONFIG_FILTER=y
> CONFIG_UNIX=y
> CONFIG_INET=y
> CONFIG_IP_MULTICAST=y
> CONFIG_IP_ADVANCED_ROUTER=y
> CONFIG_IP_MULTIPLE_TABLES=y
> CONFIG_IP_ROUTE_FWMARK=y
> CONFIG_IP_ROUTE_NAT=y
> CONFIG_IP_ROUTE_MULTIPATH=y
> CONFIG_IP_ROUTE_TOS=y
> CONFIG_IP_ROUTE_VERBOSE=y
> # CONFIG_IP_ROUTE_LARGE_TABLES is not set
> # CONFIG_IP_PNP is not set
> CONFIG_NET_IPIP=y
> CONFIG_NET_IPGRE=y
> # CONFIG_NET_IPGRE_BROADCAST is not set
> # CONFIG_IP_MROUTE is not set
> # CONFIG_ARPD is not set
> CONFIG_INET_ECN=y
> CONFIG_SYN_COOKIES=y
>
> #
> # IP: Netfilter Configuration
> #
> CONFIG_IP_NF_CONNTRACK=m
> CONFIG_IP_NF_FTP=m
> CONFIG_IP_NF_AMANDA=m
> CONFIG_IP_NF_TFTP=m
> # CONFIG_IP_NF_IRC is not set
> # CONFIG_IP_NF_QUEUE is not set
> CONFIG_IP_NF_IPTABLES=m
> CONFIG_IP_NF_MATCH_LIMIT=m
> CONFIG_IP_NF_MATCH_MAC=m
> CONFIG_IP_NF_MATCH_PKTTYPE=m
> CONFIG_IP_NF_MATCH_MARK=m
> CONFIG_IP_NF_MATCH_MULTIPORT=m
> CONFIG_IP_NF_MATCH_TOS=m
> CONFIG_IP_NF_MATCH_ECN=m
> CONFIG_IP_NF_MATCH_DSCP=m
> CONFIG_IP_NF_MATCH_AH_ESP=m
> CONFIG_IP_NF_MATCH_LENGTH=m
> # CONFIG_IP_NF_MATCH_TTL is not set
> CONFIG_IP_NF_MATCH_TCPMSS=m
> CONFIG_IP_NF_MATCH_HELPER=m
> CONFIG_IP_NF_MATCH_STATE=m
> CONFIG_IP_NF_MATCH_CONNTRACK=m
> CONFIG_IP_NF_MATCH_UNCLEAN=m
> # CONFIG_IP_NF_MATCH_OWNER is not set
> CONFIG_IP_NF_FILTER=m
> CONFIG_IP_NF_TARGET_REJECT=m
> # CONFIG_IP_NF_TARGET_MIRROR is not set
> CONFIG_IP_NF_NAT=m
> CONFIG_IP_NF_NAT_NEEDED=y
> CONFIG_IP_NF_TARGET_MASQUERADE=m
> CONFIG_IP_NF_TARGET_REDIRECT=m
> CONFIG_IP_NF_NAT_AMANDA=m
> CONFIG_IP_NF_NAT_LOCAL=y
> # CONFIG_IP_NF_NAT_SNMP_BASIC is not set
> CONFIG_IP_NF_NAT_FTP=m
> CONFIG_IP_NF_NAT_TFTP=m
> CONFIG_IP_NF_MANGLE=m
> CONFIG_IP_NF_TARGET_TOS=m
> CONFIG_IP_NF_TARGET_ECN=m
> CONFIG_IP_NF_TARGET_DSCP=m
> CONFIG_IP_NF_TARGET_MARK=m
> CONFIG_IP_NF_TARGET_LOG=m
> CONFIG_IP_NF_TARGET_ULOG=m
> CONFIG_IP_NF_TARGET_TCPMSS=m
> CONFIG_IP_NF_ARPTABLES=m
> CONFIG_IP_NF_ARPFILTER=m
> # CONFIG_IP_NF_COMPAT_IPCHAINS is not set
> # CONFIG_IP_NF_COMPAT_IPFWADM is not set
>
> many thanks in advance,
>
> svenna
>
>
> --
> gentoo-user-de@g.o mailing list
>

--
gentoo-user-de@g.o mailing list
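
The check suggested in the reply can be scripted. The following is an added example, not part of the original mail and not Shorewall code: it reads a kernel .config and lists which netfilter symbols are unset or built as modules. The function names (opt_state, opts_in_state, make_sample), the REQUIRED_OPTS selection and the sample config are assumptions made for illustration; the symbol names are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): report which netfilter symbols a
# kernel .config leaves unset. The symbol selection is an assumption, taken
# from the CONFIG_IP_NF_* names quoted in the mail.
REQUIRED_OPTS="CONFIG_NETFILTER CONFIG_IP_NF_CONNTRACK CONFIG_IP_NF_IPTABLES
CONFIG_IP_NF_MATCH_STATE CONFIG_IP_NF_MATCH_CONNTRACK CONFIG_IP_NF_FILTER
CONFIG_IP_NF_NAT CONFIG_IP_NF_TARGET_MASQUERADE CONFIG_IP_NF_MANGLE"

# opt_state FILE SYMBOL: print y or m; print n for "is not set" or absent.
opt_state() {
    val=$(sed -n "s/^$2=\([ym]\)\$/\1/p" "$1" | tail -n 1)
    echo "${val:-n}"
}

# opts_in_state FILE STATE: print the required symbols whose state is STATE.
opts_in_state() {
    for opt in $REQUIRED_OPTS; do
        if [ "$(opt_state "$1" "$opt")" = "$2" ]; then echo "$opt"; fi
    done
}

# Constructed sample: NAT, mangle and the conntrack match are missing, which
# mirrors the three "Not available" lines in the Shorewall output above.
make_sample() {
    cat > "$1" <<'EOF'
CONFIG_NETFILTER=y
CONFIG_IP_NF_CONNTRACK=m
CONFIG_IP_NF_IPTABLES=m
CONFIG_IP_NF_MATCH_STATE=m
# CONFIG_IP_NF_MATCH_CONNTRACK is not set
CONFIG_IP_NF_FILTER=m
# CONFIG_IP_NF_NAT is not set
EOF
}

# Check the file given as first argument, or the constructed sample.
cfg=${1:-}
if [ -z "$cfg" ]; then
    cfg=$(mktemp)
    trap 'rm -f "$cfg"' EXIT
    make_sample "$cfg"
fi
echo "Not set (rebuild the kernel with these enabled):"
opts_in_state "$cfg" n
echo "Built as modules (must be installed for the running kernel):"
opts_in_state "$cfg" m
```

On a real system, pass the configuration of the kernel that is actually booted, for example /usr/src/linux/.config, or the output of zcat /proc/config.gz saved to a file when the kernel exposes it.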