Gentoo Archives: gentoo-user-de

From: Robert Ullrich <roul76@×××.de>
To: "gentoo-user-de@l.g.o" <gentoo-user-de@l.g.o>
Subject: Re: [gentoo-user-de] my life is too short for shorewall
Date: Thu, 26 Aug 2004 06:52:54
Message-Id: 20040826085241.75be0d72@springfield
In Reply to: [gentoo-user-de] my life is too short for shorewall by Sven Brockshus
On Thu, 26 Aug 2004 08:34:06 +0200
Sven Brockshus <Sven@×××××××××.de> wrote:

> hello everyone,
> after switching my workstation from suse to gentoo and being very happy
> with it, the server is next. everything works great there too. only the
> firewall i can't get to run. the firewall is supposed to open a few services
> to the outside and masquerade the lan to the internet. after googling for
> 2 days and spending time on www.shorewall.net, it looks as if
> something is missing in the kernel.

Yes, it looks like something is missing. Did you compile the following as modules?

Device Drivers --->
  Networking Support --->
    Networking Options --->
      [*] Network packet filtering (replaces ipchains) --->
        IP: Netfilter Configuration --->
          <M> Connection tracking (required for masq/NAT)
          <M> FTP protocol support
          <M> IRC protocol support
          <M> TFTP protocol support
          < > Amanda backup protocol support
          < > Userspace queueing via NETLINK
          <M> IP tables support (required for filtering/masq/NAT)
          <M> limit match support
          <M> IP range match support
          <M> MAC address match support
          <M> Packet type match support
          <M> netfilter MARK match support
          <M> Multiple port match support
          < > TOS match support
          < > recent match support
          < > ECN match support
          < > DSCP match support
          < > AH/ESP match support
          < > LENGTH match support
          < > TTL match support
          < > tcpmss match support
          < > Helper match support
          <M> Connection state match support
          <M> Connection tracking match support
          <M> Owner match support
          <M> Packet filtering
          <M> REJECT target support
          <M> Full NAT
          <M> MASQUERADE target support
          <M> REDIRECT target support
          < > NETMAP target support
          < > SAME target support
          [ ] NAT of local connections (READ HELP)
          < > Basic SNMP-ALG support (EXPERIMENTAL)
          <M> Packet mangling
          <M> TOS target support
          < > ECN target support
          < > DSCP target support
          < > MARK target support
          < > CLASSIFY target support
          <M> LOG target support
          < > ULOG target support
          < > TCPMSS target support
          <M> ARP tables support
          <M> ARP packet filtering
          < > ARP payload mangling
          < > ipchains (2.2-style) support
          < > ipfwadm (2.0-style) support
          < > raw table support (required for NOTRACK/TRACE)

It may be that one or two of these modules are more than needed, but this is how it works for me.

Regards - Rob


> but i have already compiled in, and built as a
> module, everything that has anything to do with networking, and have also
> already changed the .config file following the example on www.shorewall.net.
> always the same error message. maybe one of you has an idea - i'm
> at my wits' end.
>
> so, here are the details:
>
> versions:
> kernel:
> 2.6.8-gentoo-r1
>
> iptables:
> v1.2.11
>
> shorewall:
> 2.0.4
>
> startup message:
> Loading /usr/share/shorewall/functions...
> Processing /etc/shorewall/params ...
> Processing /etc/shorewall/shorewall.conf...
> Loading Modules...
> Starting Shorewall...
> Initializing...
> Shorewall has detected the following iptables/netfilter capabilities:
> NAT: Not available
> Packet Mangling: Not available
> Multi-port Match: Available
> Connection Tracking Match: Not available
> Determining Zones...
> Zones: net loc
> Validating interfaces file...
> Validating hosts file...
> Validating Policy file...
> Determining Hosts in Zones...
> Net Zone: ppp0:0.0.0.0/0
> Local Zone: eth1:0.0.0.0/0
> Processing /etc/shorewall/init ...
> Deleting user chains...
> iptables: No chain/target/match by that name
> Processing /etc/shorewall/stop ...
> iptables: No chain/target/match by that name
> iptables: No chain/target/match by that name
> IP Forwarding Enabled
> Processing /etc/shorewall/stopped ...
> Terminated
>
> my interfaces:
> net ppp0 - routefilter,norfc1918,tcpflags
> loc eth1 detect tcpflags
>
> policy:
> loc net ACCEPT
> loc fw ACCEPT
> fw net ACCEPT
> net all DROP info
> all all REJECT info
>
> rules:
> ACCEPT net fw tcp 80
> ACCEPT net fw udp 80
> ACCEPT net fw tcp 20
> ACCEPT net fw tcp 21
> ACCEPT net fw tcp 22
> ACCEPT net fw udp 22
>
> zones:
> net Net Internet
> loc Local Local Networks
>
> .config excerpt (taken as is from www.shorewall.net):
> #
> # Networking options
> #
> CONFIG_PACKET=y
> # CONFIG_PACKET_MMAP is not set
> # CONFIG_NETLINK_DEV is not set
> CONFIG_NETFILTER=y
> # CONFIG_NETFILTER_DEBUG is not set
> CONFIG_FILTER=y
> CONFIG_UNIX=y
> CONFIG_INET=y
> CONFIG_IP_MULTICAST=y
> CONFIG_IP_ADVANCED_ROUTER=y
> CONFIG_IP_MULTIPLE_TABLES=y
> CONFIG_IP_ROUTE_FWMARK=y
> CONFIG_IP_ROUTE_NAT=y
> CONFIG_IP_ROUTE_MULTIPATH=y
> CONFIG_IP_ROUTE_TOS=y
> CONFIG_IP_ROUTE_VERBOSE=y
> # CONFIG_IP_ROUTE_LARGE_TABLES is not set
> # CONFIG_IP_PNP is not set
> CONFIG_NET_IPIP=y
> CONFIG_NET_IPGRE=y
> # CONFIG_NET_IPGRE_BROADCAST is not set
> # CONFIG_IP_MROUTE is not set
> # CONFIG_ARPD is not set
> CONFIG_INET_ECN=y
> CONFIG_SYN_COOKIES=y
>
> #
> # IP: Netfilter Configuration
> #
> CONFIG_IP_NF_CONNTRACK=m
> CONFIG_IP_NF_FTP=m
> CONFIG_IP_NF_AMANDA=m
> CONFIG_IP_NF_TFTP=m
> # CONFIG_IP_NF_IRC is not set
> # CONFIG_IP_NF_QUEUE is not set
> CONFIG_IP_NF_IPTABLES=m
> CONFIG_IP_NF_MATCH_LIMIT=m
> CONFIG_IP_NF_MATCH_MAC=m
> CONFIG_IP_NF_MATCH_PKTTYPE=m
> CONFIG_IP_NF_MATCH_MARK=m
> CONFIG_IP_NF_MATCH_MULTIPORT=m
> CONFIG_IP_NF_MATCH_TOS=m
> CONFIG_IP_NF_MATCH_ECN=m
> CONFIG_IP_NF_MATCH_DSCP=m
> CONFIG_IP_NF_MATCH_AH_ESP=m
> CONFIG_IP_NF_MATCH_LENGTH=m
> # CONFIG_IP_NF_MATCH_TTL is not set
> CONFIG_IP_NF_MATCH_TCPMSS=m
> CONFIG_IP_NF_MATCH_HELPER=m
> CONFIG_IP_NF_MATCH_STATE=m
> CONFIG_IP_NF_MATCH_CONNTRACK=m
> CONFIG_IP_NF_MATCH_UNCLEAN=m
> # CONFIG_IP_NF_MATCH_OWNER is not set
> CONFIG_IP_NF_FILTER=m
> CONFIG_IP_NF_TARGET_REJECT=m
> # CONFIG_IP_NF_TARGET_MIRROR is not set
> CONFIG_IP_NF_NAT=m
> CONFIG_IP_NF_NAT_NEEDED=y
> CONFIG_IP_NF_TARGET_MASQUERADE=m
> CONFIG_IP_NF_TARGET_REDIRECT=m
> CONFIG_IP_NF_NAT_AMANDA=m
> CONFIG_IP_NF_NAT_LOCAL=y
> # CONFIG_IP_NF_NAT_SNMP_BASIC is not set
> CONFIG_IP_NF_NAT_FTP=m
> CONFIG_IP_NF_NAT_TFTP=m
> CONFIG_IP_NF_MANGLE=m
> CONFIG_IP_NF_TARGET_TOS=m
> CONFIG_IP_NF_TARGET_ECN=m
> CONFIG_IP_NF_TARGET_DSCP=m
> CONFIG_IP_NF_TARGET_MARK=m
> CONFIG_IP_NF_TARGET_LOG=m
> CONFIG_IP_NF_TARGET_ULOG=m
> CONFIG_IP_NF_TARGET_TCPMSS=m
> CONFIG_IP_NF_ARPTABLES=m
> CONFIG_IP_NF_ARPFILTER=m
> # CONFIG_IP_NF_COMPAT_IPCHAINS is not set
> # CONFIG_IP_NF_COMPAT_IPFWADM is not set
>
> thanks in advance,
>
> svenna
>
>
> --
> gentoo-user-de@g.o mailing list
>

--
gentoo-user-de@g.o mailing list
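
Added example, not part of the original message or of Shorewall: a shell check that reads a kernel .config and reports, for each capability Shorewall printed as "Not available" above (NAT, Packet Mangling, Connection Tracking Match), whether the matching CONFIG_IP_NF_* symbols from the thread are set to y or m. The function names and the grouping of symbols per capability are assumptions of this example.

```shell
#!/bin/sh
# Added example: check a kernel .config for the netfilter symbols behind the
# capabilities Shorewall probes. Symbol names are the ones quoted in the thread;
# grouping them per capability is this example's assumption.
BASE="CONFIG_NETFILTER CONFIG_IP_NF_CONNTRACK CONFIG_IP_NF_IPTABLES CONFIG_IP_NF_FILTER"
NAT="CONFIG_IP_NF_NAT CONFIG_IP_NF_TARGET_MASQUERADE"
MANGLE="CONFIG_IP_NF_MANGLE"
CTMATCH="CONFIG_IP_NF_MATCH_CONNTRACK CONFIG_IP_NF_MATCH_STATE"

# symbol_state FILE SYMBOL
# Prints y (built in), m (module) or n ("is not set" or absent).
symbol_state() {
    val=$(sed -n "s/^$2=\([ym]\)\$/\1/p" "$1" | tail -n 1)
    printf '%s\n' "${val:-n}"
}

# check_group FILE LABEL SYMBOL...
# Prints one line per symbol; the return value is the number of symbols
# that are neither built in nor modular.
check_group() {
    file=$1; label=$2; shift 2
    missing=0
    for sym in "$@"; do
        state=$(symbol_state "$file" "$sym")
        if [ "$state" = n ]; then missing=$((missing + 1)); fi
        printf '%-26s %-32s %s\n' "$label" "$sym" "$state"
    done
    return "$missing"
}

# check_netfilter_config FILE
# Returns 0 only if every symbol in every group is y or m.
check_netfilter_config() {
    rc=0
    check_group "$1" "base" $BASE || rc=1
    check_group "$1" "NAT" $NAT || rc=1
    check_group "$1" "Packet Mangling" $MANGLE || rc=1
    check_group "$1" "Connection Tracking Match" $CTMATCH || rc=1
    return "$rc"
}

# When a path is given on the command line, check that file.
if [ $# -gt 0 ]; then
    check_netfilter_config "$1"
fi
```

Run it against the .config of the kernel that is actually booted, not only the one in the source tree; where the kernel exposes /proc/config.gz, decompress that with zcat into a file first.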

Replies

Subject Author
Re: [gentoo-user-de] my life is too short for shorewall Robert Ullrich <roul76@×××.de>