# Is gshield supported with the 3.3 kernel?

## Nreal

When I try to start gshield I get:

```
boxi init.d # /etc/init.d/gshield start
 * Loading gShield network firewall ...
Bad argument `eth1'
Try `iptables -h' or 'iptables --help' for more information.
```

My gshield conf looks like this:

```
#!/bin/sh

# vim: set sw=4 ts=4 et:

# $Id: gShield.conf,v 1.138 2002-05-27 18:37:24-04 godot Exp $

# ------------------------------------------- #

# ----- [ gShield configuration ] ----------- #

# ------------------------------------------- #

#                                             #

# Please make sure you read through the       #

# -entire- configuration                      #

#                                             #

# Kernel-specific network options are         #

# located at the end -- the defaults should   #

# be fine, but they -ARE- configurable         #

# ------------------------------------------- #

# ------------------------------------------- #

# Yes, this config is somewhat long, but      #

# it will serve you well to go through the    #

# whole thing -- the defaults are fine for    #

# most folks, and "out of the box" gShield    #

# will:                                       #

#                                             #

#    - allow identd connections               #

#    - set sane limits for pings              #

#    - provide NAT/IPmasq for 192.168.1.0/24  #

#                                             #

# ------------------------------------------- #

# ------------------------------------------- #

# If you have specific commands or rules      #

# which you need gShield to run, you have two #

# options:                                    #

#                                             #

# create "gshield.first" in FW_ROOT           #

#                                             #

#     - gShield sources this file "first"     #

#       immediately after flushing the fw     #

#                                             #

# create "gshield.last" in FW_ROOT            #

#                                             #

#     - gShield will source this file         #

#       as the last act it does               #

#                                             #

# Hopefully this will give folks flexibility  #

# if they have customized commands/rules      #

# ------------------------------------------- #

# ------------------------------------------- #

# Firewall root                               #

# Location of gShield installation            #

# --------------------------------------------#

FW_ROOT="/etc/firewall"

# ------------------------------------------- #

# Path to needed programs                     #

# --------------------------------------------#

# gShield tries to auto-detect this, if it's in

# your path.  If this is not the case, and you

# need to manually set this option, it should take

# the following form (for example):

# IPTABLES="/usr/local/sbin/iptables"

# You SHOULD REALLY set this below to

# the actual path to iptables as opposed

# to hoping gShield will figure it out.

# Include the quotes as the example above

# has.

IPTABLES="/sbin/iptables"

# Same with ifconfig below

IFCONFIG="/bin/ifconfig"

# ------------------------------------------- #

# gShield Logging options                     #       

# --------------------------------------------#

# Set SYSLOG to "true" below

# if you wish gShield to also

# log to the system log; otherwise

# gShield will log to STDOUT. 

# this option is for the various

# messages gShield produces when

# starting up, NOT iptables-specific

# logging (which is handled by

# syslogd itself).

# Again, this options has NOTHING

# to do with logs which are generated

# by dropped packets

# you must have "logger" in your

# path for gShield to pull this 

# off. Valid options below are:

# true, false (case sensitive)

# NOTE: this option does NOT have quotes

SYSLOG=false

# ------------------------------------------- #

# Interfaces                                  #       

# --------------------------------------------#

# Which interface connects you

# to the "world"? For PPP users

# this should be ppp0 (for example)

LOCALIF="eth1"

#EXT_DEV="eth1"

# Is your ip STATIC or Dynamic?

# if you use PPPoE or DHCP, keep

# it "NO" -- if it is truly a

# static address, set it to YES

STATIC="YES"

# If this is a multi-homed setup

# (i.e., another interace connects

# to a local LAN), set MULTI="yes"

# below. This adds some logic

# to ensure machines on the LAN

# can access the firewall even if

# they are not listed in NATS

# options: YES, NO

MULTI="YES"

# If the above is yes, set INTIF

# below to the interface which

# connects the locat net

INTIF="eth3"

#INT_DEV="eth3"

# ------------------------------------------- #

# DNS servers                                 #       

# --------------------------------------------#

# DNS servers

# List the DNS servers you use here

# If set to AUTO, gShield will read

# this variable from /etc/resolv.conf

DNS="AUTO"

# ------------------------------------------- #

# Log options for iptables/netfilter          #       

# --------------------------------------------#

# A few thing to remember-- gShield produces

# it's own "messages" on startup, but iptables

# itself logs through the system log (i.e.,

# syslog) -- so, if you tell gShield to log

# packets, iptables will pass the log onto

# syslog for processing. 

# This means if you're getting messages on your console,

# don't want that, you need to look over -syslog.conf-

# to configure what is logged where.  Sylog logs

# by "facility", and you can customize what facility

# gShield sends to syslog a little bit further down.

# [ Logging rate ]

# gShield tries to reduce the amount of logging

# it generates for many cases.

# You can adjust this value as needed below

# This is the -DEFAULT- logging rate for all

# default drops (which defaults to 20 per MINUTE)

LTIME="20/m"

# Should we log reserved addresses? Multicast

# is included here. options: YES, NO

LOG_RESERVED="NO"

# IN GENERAL, do you want a default policy

# of logging dropped packets? options: YES, NO

DEFAULT_LOGGING="NO"

# Additionally, you can specify at what level gShield

# sends logging information to syslog. The default

# should work fine for most folks, but if you want

# to alter this, see the man page for syslog.conf

# NOTE: iptables 1.2.3 prefers this numeric

LOG_LEVEL="4"

# You can also decide to make use of netfilter's

# userspace logging facility (the QUEUE target).

# If you set USE_QUEUE to "YES" below, netfilter

# will pass logging information to the QUEUE -not-

# the standard LOG target. If you don't know what

# If you don't know what this is, set to NO. 

# This will -bypass- many default logging options

# if enabled, and requires specific support in

# the kernel.

USE_QUEUE="NO"

# In addition, gShield can -increase- the amount of

# logging of some common messages relating to

# connection tracking. See netfilter FAQ, section

# 3.1

# This is generally only helpful for 

# diagnostic purposes. Options: YES, NO

NAT_LOG_INVALID="NO"

# ------------------------------------------- #

# How to respond to dropped packets           #       

# --------------------------------------------#

# Set "response" policy.

# gShield provides the option to configure how it

# "responds" to packets it intends to a packet munch..

                

# You have THREE choices for TCP:

   

#   - RESET (send a tcp-reset - the default)

#   - DROP  (drop the packet totally)

#   - REJECT (send a "normal" iptables reject) 

TCP_RESPONSE="DROP"

# You have FOUR choices for UDP:

#   - RESET (send a icmp-port-unreachable - the default)

#   - DROP  (drop the packet totally)

#   - REJECT (send a "normal" iptables reject for UDP) 

#   - PROHIBIT (send icmp-host-prohibited)

UDP_RESPONSE="RESET"

# NOTE: Some folks are convinced dropping packets

# completely makes the firewall "stealthy"; I do not

# share this view - gShield defaults to the "proper"

# responses which would be made if no service were

# listening. But feel free to drop away :)

# ------------------------------------------- #

# DHCP user options                           #       

# --------------------------------------------#

# -[ DHCP Users ] 

# This option allows DHCP requests thru the

# firewall. If you get your main IP via

# a DHCP service (cable user), set this

# to YES

# options: YES, NO

ALLOW_DHCP_LEASES="NO"

# Generally speaking, most providers have 1 or

# 2 DHCP servers which send out the leases.  Since

# we don't want too open access too much, list

# the ips of these DHCP servers below. If you don't

# know the address of these servers, just run the firewall

# and wait a bit-- they'll show up when your DHCP

# lease expires :)

DHCP_SERVERS="192.168.11.101"

# Do you want to log these requests?

# options: YES, NO

LOG_DHCP="YES"

# ------------------------------------------- #

# Time servers                                #       

# --------------------------------------------#

# Having your machine ensure its time is set correctly

# is a good thing. Allow time sync's through?

# options: YES, NO

ALLOW_TIME="YES"

# list the servers here.

TIMESERVERS="132.163.135.130 128.118.25.3 131.107.1.10"

# ------------------------------------------- #

# Blacklisted Clients                         #

# --------------------------------------------#

# if the below is set to "AUTO"

# then gShield will pull out any

# client address listed in hosts.deny

# prefixed by ALL and drop all

# connections from that client.

# If you do not know how to deal

# with hosts.deny see 'man hosts_access'

# there -are- some limitations:

# gShield does not deal with

# whole domains within hosts.deny

# it needs to be a -numeric- or

# range (no more using .aol.com ;p)

# Be advised, if you have whole

# domains listed, iptables will

# spew errors.

# If set to AUTO, gShield WILL NOT

# read black_listed_hosts

# options: AUTO, NORMAL

BLACKLISTED="NORMAL"

# Should we log drops/connections from blacklisted

# hosts (those listed in conf/black_listqed_hosts)

# or in /etc/hosts.deny if BLACKLISTED is set

# to AUTO)

# options: YES, NO

LOG_BLACKLIST="YES"

# ------------------------------------------- #

# Highport access (ports > 1024)              #

# --------------------------------------------#

# By default, gShield drops all highport

# connections via the default policy.  To allow

# -individual- clients access to highports, one

# should add these hosts to conf/highport_access

# (for example, specific irc botnets or whatnot).

# If you want to -disable- this highport protection,

# and allow highports to be accessible to THE WORLD,

# set ALLOW_ALL_HIGHPORT below to "YES"

ALLOW_ALL_HIGHPORT="NO"

# ------------------------------------------- #

# Network Address Translation / IPMasq        #

# --------------------------------------------#

# ------------------------------------------- #

# If you need gShield to provide NAT services #

# (ipmasq of the ipchains era), then set      #

# NAT = to "YES" below -AND- edit             #

# /etc/firewall/conf/NATS  --                 #

# /etc/firewall/conf/NATS needs to have the   #

# private range you wish to NAT for - the     #

# default is 192.168.1.0/24                   #

# ------------------------------------------- #

# options: YES, NO

NAT="NO"

# Some folks have had problems with

# some providers and PPPoE whereby

# NAT'd clients cannot establish

# connections.

# If you think you are experiencing issues

# such as this, install the TCPMSS patch

# from the iptables patch-o-matic source

# and set TCPMSS to "YES" below.

TCPMSS="NO"

# ------------------------------------------- #

# ICMP and Traceroutes                        #

# --------------------------------------------#

# if ICMP_ALLOW_ALL is set to "NO", gShield

# will drop "bad" icmp -- not replying to

# echo requests but still allowing internal

# pings to work correctly.

# Thus, if you set the below to NO, gShield 

# will accept destination-unreachable, 

# time-exceeded, and echo-reply -- and

# drop the rest

#  If you want to reply to ALL icmp, set      

#  ICMP_ALLOW_ALL to "YES"                     

ICMP_ALLOW_ALL="YES"

# EVEN if you allow all ICMP, gShield sets "sane"

# limits on how it goes about accepting ICMP.

# The default is 1 per second; this is configurable

# below -- for most folks, the default is fine

ICMP_RATE="60/m"

# ICMP Logging

# Should we log ICMP drops?

ICMP_LOG="NO"

# If you want to allow traceroutes -to-

# the firewall box, set TRACE_ALLOW_ALL

# to "YES". It is very difficult to completely

# stop traceroutes- gShield blocks the "standard"

# approach if set to NO below

TRACE_ALLOW_ALL="YES"

# ------------------------------------------- #

# Administrative Hosts                        #

# --------------------------------------------#

# gShield allows a host to be listed as 

# -COMPLETELY- trusted with respect to access

# However, it is restrictive -- you

# need BOTH the IP of this host -AND-

# the MAC address of its ethernet card

# Set below to YES if you need an ADMIN host

ADMIN_HOST="NO"

# The host's IP

ADMIN_HOST_IP="192.168.11.6"

# The mac address of the admin host's ethernet

# card. 

# Note: -inappropiate- if the admin host

# is separated from the host machine by a router.

ADMIN_HOST_MAC="09:80:c8:f2:2c:2d"

# ------------------------------------------- #

# Routable protection                         #

# --------------------------------------------#

# If you have a machine BEHIND the firewall

# which have NON-private ips AND you want

# to allow traffic to these machines,

# set HAVE_ROUTABLES to "YES".

# You will ALSO have to ADD the IPS of these machines

# to /etc/firewall/routables/routable_hosts

# AND EDIT /etc/firewall/routables/routables.conf

# options: YES, NO

HAVE_ROUTABLES="YES"

# ------------------------------------------- #

# DMZ                                         #

# --------------------------------------------#

# DMZ'd machine are hosts which gShield should

# allow FULL access to. gShield does NOT

# trust this machines and will drop all connections

# made from them to the firewall itself

# options: YES, NO

# gShield does NOT currently think -private- ip's

# are proper candidates for the DMZ. I am aware

# some folks think this is a fine idea.

HAVE_DMZ="NO"

# Make sure to add the ips of the DMZ'd hosts 

# to /etc/firewall/DMZ/dmz_hosts

# ------------------------------------------- #

# PPTP                                      #

# --------------------------------------------#

# For those wishing to enable PPTP, D. Powell

# was nice enough to send in patches for this

# functionality. I've added restriction policies.

# If you wish to NAT pptp connections, you will

# need to explore the pptp-conntrack-nat.patch

# available in the iptables source.

# options: OPEN, CLOSED, FORWARD, RESTRICTED

# RESTRICTED assumes you -will- forward PPTP

# connections, but ONLY from a specific range as 

# defined in conf/pptp_allowed_hosts

PPTP_SERVICE="CLOSED"

PPTP_HOST="x.x.x.x"

# ------------------------------------------- #

# Transparent Proxy                           #

# --------------------------------------------#

# If you wish to ensure web traffic is pumped thru

# a proxy regardless of the client configuration,

# set ENABLE_TRANSPROXY to "YES" and fill out the rest.

# These are the squid options I enable

# in squid itself:

# http_port, httpd_accel_host, httpd_accel_port, 

# httpd_accel_with_proxy and httpd_accel_uses_host_header

ENABLE_TRANSPROXY="NO"

# port proxy listens on

PROXY_PORT="3128"

# If your proxy is different from the firewall, set 

# its ip here. Same holds when the proxy is on the 

# firewall but listening on a virtual interface

PROXY_HOST="192.168.11.243"

# ------------------------------------------- #

# Common Exploit Matching                     #

# --------------------------------------------#

# Starting with gShield 2.8 -IF- you have 

# the experimental string matching, and want

# to drop connections which match common

# buffer overflow characteristics, you may

# enable this below. This is especially

# useful for protecting webservers and the

# like from "kiddie" attacks.

# gShield will drop any connection in which

# it can match "bad" strings contained

# in conf/global_content_drop

# -------------------------------------------- #

# -- WARNING --------------------------------- #

# -------------------------------------------- #

# The patches for string matching ARE AN

# EXPERIMENTAL PATCH for iptables

# string matching is -expensive-

# as the kernel must inspect the content of

# incoming packets, and enabling matching

# here inspects -ALL- incoming packets

# IF you really want to enable this

# set CHECK_CONTENT to YES

# -------------------------------------------- #

# -- WARNING --------------------------------- #

# -------------------------------------------- #

# Enabling this will check content on -ALL-

# incoming connections

# Don't dispair -- of you want to simply

# protect specific -services- (such as http)

# you CAN restrict string matches to specific

# services (see the service section below)

# There are many good reasons NOT to enable

# such a feature - among them the standard claim

# that this level of inspection has no place

# in a packet filter. Use at your discretion.

CHECK_ALL_CONTENT="NO"

# ------------------------------------------- #

# Services and Port-forwarding                #

# --------------------------------------------#

# Here you can set which services are OPEN and

# accessible to EVERY host, as well as set 

# connections to these services to be forwarded to

# a host behind the firewall.

# Remember, you can ALSO set specific services

# to be accessible ONLY to specific CLIENTS

# see the README for more details on this

# By default gShield -trusts- internal clients

# (as listed in NATS) -- you can thus set a service

# to NO, and still have internal access to that

# service.

# for each service, you have -3- possible 

# options: OPEN, FORWARD or NO

# OPEN      == open to the world

# FORWARD   == open and forward connections to defined host

# NO      == do not open that service

# ------------------------------------------- #

# --- [ FTP ] ------------------------------- #

# ------------------------------------------- #

# Allow FTP connections (either local or forwarded)

# options are OPEN, FORWARD, NO

# To review, OPEN opens the service to the world,

# FORWARD will open the port AND forward connections

# to the ip listed in FTP_HOST, and NO will not

# allow connections to that port.

FTP_SERVICE="NO"

# If you have set FTP_SERVICE to "FORWARD"

# define the host to which you want FTP

# forwarded.

FTP_HOST="192.168.1.6"

# ------------------------------------------- #

# ---[ Web services ] ----------------------- #

# ------------------------------------------- #

# HTTP

# options are OPEN, FORWARD, NO

HTTP_SERVICE="OPEN"

HTTP_HOST="192.168.11.243"   

# -- /// start extra httpd settings

# ------------------------------ #

# -- String Matching for HTTP -- #

# ------------------------------ #

# -IF- you have string matching support 

# you may enable string-specific drops

# for incoming or forwarded HTTP requests.  

# To enable, set HTTP_STRING_MATCH to "YES"

# below. IF YOU enable this option, add 

# the strings you wished to be dropped

# in conf/http_string_drop

HTTP_STRING_MATCH="NO"

# If you want drops due to content matching

# logged, set HTTP_STRING_MATCH_LOG to "YES"

HTTP_STRING_MATCH_LOG="NO"

# -- /// end extra httpd settings

# HTTPS

# options are OPEN, FORWARD, NO

HTTPS_SERVICE="OPEN"

HTTPS_HOST="192.168.11.243"

# ------------------------------------------- #

# --- [ Mail ] ------------------------------ #

# ------------------------------------------- #

# SMTP 

# options are OPEN, FORWARD, NO

SMTP_SERVICE="NO"

SMTP_HOST="x.x.x.x"

# K. Root pointed out there are some cases

# where having a SMTP "proxy" is useful

# If you need to ensure all SMTP connections

# are transparently redirected, enable

# SMTP_PROXY below

# NOTE: this effects -outgoing-

# connections, not incoming.

# Use a SMTP Proxy? Options: YES, NO

SMTP_PROXY="NO"

# If SMTP_PROXY is set to "YES", note

# where SMTP connections should be

# directed

SMTP_PROXY_HOST="x.x.x.x"

# POP 

# options are OPEN, FORWARD, NO

POP_SERVICE="NO"

POP_HOST="x.x.x.x"

# IMAP

# options are OPEN, FORWARD, NO

IMAPD_SERVICE="NO"

IMAPD_HOST=x.x.x.x

# IMAP-SSL

# options are OPEN, FORWARD, NO

IMAPDSSL_SERVICE="NO"

IMAPDSSL_HOST=x.x.x.x

# ------------------------------------------- #

# --- [ DNS ]  ------------------------------ #

# ------------------------------------------- #

# BIND

# BIND options are somewhat different

# from the rest:

# Should we enable the BIND service?

BIND_SERVICE="NO"

# If you set the following to YES, make

# sure you are using proper ACL's for bind

ALLOW_ZONE_TRANSFERS="NO"

# Is bind running locally on the firewall?

LOCAL_BIND="NO"

# Should gShield specifically forward

# bind connections?

FORWARD_BIND="NO"

# To where?

DNS_HOST="x.x.x.x."

# ------------------------------------------- # 

# --- [ Login ]  ---------------------------- #

# ------------------------------------------- #

#--[ sshd ]--

# options are OPEN, FORWARD, NO

SSHD_SERVICE="NO" 

SSHD_HOST="x.x.x.x"

# ------------------------------------------- # 

# --- [ Peer to Peer Services ]  ------------ #

# ------------------------------------------- #

# This is general framework for supporting 

# p2p services such as napster, gnutella,

# musiccity, etc. 

# options are OPEN, FORWARD, NO

P2P_SERVICE="NO"

# What port does the service use?

# NOTE: the example below is for

# musiccity -- you will need to determine

# what port your p2p client uses.

P2P_PORT="8888"

P2P_HOST="192.168.1.2"

# ------------------------------------------- #

# --- [ Interactive logins ] ---------------- #

# ------------------------------------------- #

# Telnet

# options: OPEN, FORWARD, NO

TELNET_SERVICE="NO"

TELNETD_HOST="x.x.x.x"

# ------------------------------------------- #

# --- [ NFS serving ] ----------------------- #

# ------------------------------------------- #

# options:

# OPEN, FORWARD, NO

NFS_SERVICE="NO"

NFS_SERVICE_HOST="192.168.11.243"

# ------------------------------------------- #

# --- [ auth ] ------------------------------ #

# ------------------------------------------- #

# options:

# OPEN, FORWARD, NO, RETURN, REJECT

# auth has the additional options of sending

# a tcp-reset back (RETURN) or a standard REJECT

# regardless of the default gShield response setting

IDENTD_SERVICE="OPEN"

IDENTD_HOST="x.x.x.x"

# ------------------------------------------- #

# ------[ Misc services ] ------------------- #

# ------------------------------------------- #

# options:

# OPEN, FORWARD, NO

# fingerd

FINGER_SERVICE="NO"

FINGER_HOST="x.x.x.x"

# time services

TIME_SERVICE="NO"

TIME_SERVICE_HOST="x.x.x.x"

# In those cases where these services run     

# above the magic 1024 port range, gShield by  

# default will -block- access to those ports  

# unless you specifically open them here.     

# Again, the defaults should be fine for most 

# folks.                                      

# postgresql

# options:

# OPEN, FORWARD, NO

POSTGRES_SERVICE="NO"

POSTGRES_SERVICE_HOST="x.x.x.x"

# mysql

# options:

# OPEN, FORWARD, NO

MYSQL_SERVICE="NO"

MYSQL_SERVICE_HOST="x.x.x.x"

# socks

# options: OPEN, FORWARD, NO

SOCKS_SERVICE="NO"

SOCKS_SERVICE_HOST="x.x.x.x"

# Windows Terminal Server

# Specifically this forwards

# RDP to a protected host

# options: FORWARD, NO

TS_SERVICE="NO"

TS_SERVICE_HOST="x.x.x.x"

# ------------------------------------------- #

# Setting your own port-forwards              #

# ------------------------------------------- #

# Perhaps I don't have your specific service

# listed, or it's some bizarre thing you

# need forwarded. 

# There are several options at this stage.

# you can manually add whatever forwards

# you need to gshield.last, creating the 

# proper rulesets yourself.

# you can generate simple forwards using

# gforward.pl (look in the tools directory)

# and send its output to gshield.last (gforward

# can also parse a configuration file, making this

# somewhat easy to automate).

# you can use the nifty new internal forward

# mapping.  To use this, edit conf/forwards,

# and set FORWARDING below to "YES"

FORWARDING="NO"

# ------------------------------------------- #

# ------ [ custom options] ------------------ #

# ------------------------------------------- #

# -- irc connection tracking

# IF you have irc connection tracking compiled

# as a module (which you should) and you wish

# to enable that functionality, set IRC_MODULE

# below to "YES" and defined the irc ports

# you want "tracked" - define those ports

# WITH the comma as listed below

IRC_MODULE="NO"

IRC_PORTS="6666,6667" 

# ------------------------------------------- #

#  ------ [ ip-sysctl options] -------------- #

# ------------------------------------------- #

# You can find the complete docs for these

# /usr/src/linux/Documentation/networking/ip-sysctl.txt

# If you have no idea about what to put, the defaults

# entered below "should" be fine for most folks.

# perform source validation

ANTI_SPOOF="YES"

# source routing

NO_SOURCE_ROUTE="YES"

# disable ICMP redirects

ICMP_REDIRECT="YES"

# The rate at which echo replies are 

# sent to any one destination. 

# Kernel default is "0" (unlimited)

ICMP_ECHOREPLY_RATE="0"

# log packets with impossible

# addresses

LOG_MARTIANS="YES"

# TCP syncookies

SYN_COOKIES="NO"

# Enable ECN?

ECN="NO"

# Enable timestamps as defined in RFC1323.

TCP_TS="NO"

# ignore ICMP echo broadcasts

ICMP_IGNORE_BROADCASTS="YES"

# ignore bogus icmp errors

ICMP_IGNORE_BOGUS_ERROR="YES"

# ------------------------------------------- #

# ------ [ Language hack  ] ----------------- #

# ------------------------------------------- #

# Many thanks to mtanguy who pointed out

# gShield's method of determining the internal

# network mask is English specific. His solution

# is to clear the LANG setting when gShield

# starts

LANG=""

# ------------------------------------------- #

#  ------ [ TOS  ] -------------------------- #

# ------------------------------------------- #

# gShield does some rudimentary TOS modification

# in the hopes of speeding up interactive traffic

# such as irc, ssh connections and so forth.

# Lots of folks have reported nice improvement

# by enabling this.  

TOS="YES"

# ------------------------------------------- #

#  ------ [ QoS  ] -------------------------- #

# ------------------------------------------- #

# gShield "marks" specific sorts of outgoing

# traffic to make things easier IF you plan

# on doing QoS stuff.  This can also be used

# for various measuring facilities.

# If you do NOT want gShield to do this

# marking, set QOS to OFF below.

QOS="ON"

# I classify "4" types: mail, interactive, web, 

# and games

# - mail is marked "1" : smtp,pop/s,imapd/s

# - interactive is marked "2" : telnet, ssh, irc

# - web is marked "3" : http, https

# - games is marked "4" --> common game ports

# ------------------------------------------- #

#  ------ [ Netbios Leaks  ] ---------------- #

# ------------------------------------------- #

# Make sure we do not "leak" any netbios info

# through the firewall's state tracking

# This should have no effect on internal

# samba.

NOSMB="YES"

# ------------------------------------------- #

# ------ [ Unclean matches  ] --------------- #

# ------------------------------------------- #

# If you want to enable

# tainted matching, set TAINTED to "YES" below

TAINTED_MATCH="NO"

# ------------------------------------------- #

# ------ [ TCP Flag options  ] -------------- #

# ------------------------------------------- #

# This section gives "some" attention to 

# "possible" portscan activity.

# Possible options are "YES" or "NO"

# Block XMAS packets

BLOCK_XMAS="NO"

# Block NULL packets

BLOCK_NULL="NO"

# Block FIN scans

BLOCK_FIN="NO"

# ------------------------------------------- #

# ------ [ Multicast Flag options  ] -------- #

# ------------------------------------------- #

# The default is to drop multicast 

DROP_MULTICAST="YES"

# ------------------------------------------- #

# ------- [ runtime variables  ] ------------ #

# ------------------------------------------- #

#                                             #

# DO NOT alter                                #

#                                             #

# ------------------------------------------- #

RUN="1"

# set DEBUG to "YES" for more

# verbose startup messages

DEBUG="YES"
```

mod edit by i92guboj: added code tags around your config file. Please, use those next time, they improve readability.

----------

## Hu

What is the full command line of the failed iptables command?

----------

## Nreal

How can I find out the full command line of the failed iptables command?

If there's a similar firewall script that has client host and client services scripts and is as easy to use as gshield, I would test that.

I only need a firewall for 2 ports, and the clients have dynamic IPs, so the client hosts are updated by no-ip. It's easy to open these ports by IP, but it changes all the time.

A few years ago gshield did the job very well, but now it doesn't start...


----------

## Hu

 *Nreal wrote:*   

> How can i find out that full command line of the failed iptables command?

 I do not use net-firewall/gshield.  You could probably extract it from the output of /etc/init.d/gshield --debug start, but that will be quite noisy.

 *Nreal wrote:*   

> If theres a similiar firewall script that has client host and client services scripts and is as easy to use as gshield i would test that.
> 
> I only need firewall to 2 ports and clients have dynamic ip so client hosts are updated by no-ip. Its easy to open these ports by ip but it changes all the time.

 Why do you need a firewall script?  This sounds like a task which is simple enough to do by hand.  Supporting peers with dynamic addresses is a mess, since you need to have a separate task periodically update the firewall to handle peer address changes.  Does gshield provide this automated periodic update?

----------
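Added example, not code from this thread and not part of gshield: a small POSIX shell script covering both points in Hu's last reply. `failed_iptables_cmd` reads an `sh -x` trace of a firewall script and prints the exact iptables invocation that preceded an iptables error such as the "Bad argument `eth1'" above, which is the "full command line" Hu asked for. `refresh_peers` is the hand-written alternative Hu describes: one dedicated chain that admits a couple of TCP ports from peers whose addresses come from dynamic DNS, re-resolved on every run so it can be driven from cron. The chain name `dynpeers`, the interface, the ports, the `peer-*.example.invalid` hostnames and the sample trace are all constructed assumptions, not values from the thread.

```shell
#!/bin/sh
# Added example, not code from the thread or from gshield. Two helpers for the
# situation in this thread, written from the firewall maintainer's side:
#   1. failed_iptables_cmd  recovers the exact iptables invocation that preceded
#      an iptables error in an `sh -x` trace of a firewall script.
#   2. refresh_peers        rebuilds one dedicated chain that admits a few TCP
#      ports from peers whose addresses come from dynamic DNS; run it from cron
#      so address changes are picked up. Chain, interface, ports and hostnames
#      below are assumptions, overridable through the environment.

IPTABLES="${IPTABLES:-/sbin/iptables}"
CHAIN="${CHAIN:-dynpeers}"
EXT_IF="${EXT_IF:-eth1}"
PORTS="${PORTS:-22 443}"
PEERS="${PEERS:-peer-a.example.invalid peer-b.example.invalid}"

# Read an `sh -x` trace on stdin (for example from
#   sh -x /etc/init.d/gshield start 2>&1
# ) and print the last traced iptables command seen before iptables complained.
# iptables prints "Bad argument `X'" when X is left over as a stray positional
# word, typically because a variable in front of it expanded to nothing.
failed_iptables_cmd() {
    awk '
        /^\+ .*iptables/ { last = $0 }
        /^Bad argument|^iptables: |^iptables v/ && last != "" { print last; exit }
    '
}

# Constructed sample trace (not real gshield output): the interface flag
# variable was empty, so "eth1" became a stray argument.
sample_trace() {
    cat <<'EOF'
+ /sbin/iptables -F
+ /sbin/iptables -A INPUT -i eth1 -p tcp --dport 22 -j ACCEPT
+ /sbin/iptables -A INPUT eth1 -j DROP
Bad argument `eth1'
Try `iptables -h' or 'iptables --help' for more information.
EOF
}

# IPv4 addresses a hostname currently resolves to, one per line (empty on failure).
resolve_peer() {
    getent ahostsv4 "$1" 2>/dev/null | awk '$2 == "STREAM" { print $1 }' | sort -u
}

# Print the rule arguments for CHAIN: flush it, then accept NEW connections
# from each peer address to each port. Only text is produced here, so this
# part can be checked without root or iptables.
build_rules() {
    ips=$1
    ports=$2
    printf '%s\n' "-F $CHAIN"
    for ip in $ips; do
        for port in $ports; do
            printf '%s\n' "-A $CHAIN -i $EXT_IF -p tcp -s $ip --dport $port -m conntrack --ctstate NEW -j ACCEPT"
        done
    done
}

# Resolve every peer and rebuild the chain. If any peer fails to resolve, the
# chain is left untouched: flushing it would silently lock that peer out, and
# a stale address is easier to reason about than no rule at all.
refresh_peers() {
    ips=""
    for host in $PEERS; do
        resolved=$(resolve_peer "$host")
        if [ -z "$resolved" ]; then
            echo "refresh_peers: $host did not resolve, leaving $CHAIN unchanged" >&2
            return 1
        fi
        ips="$ips $resolved"
    done
    # Create the chain and hook it into INPUT once (-C needs iptables >= 1.4.11).
    "$IPTABLES" -N "$CHAIN" 2>/dev/null || true
    "$IPTABLES" -C INPUT -j "$CHAIN" 2>/dev/null || "$IPTABLES" -I INPUT -j "$CHAIN"
    build_rules "$ips" "$PORTS" | while IFS= read -r rule; do
        # $rule is intentionally unquoted: it is a list of arguments we built.
        "$IPTABLES" $rule
    done
}

case "${1:-}" in
    trace)   failed_iptables_cmd ;;     # sh this.sh trace < trace.log
    refresh) refresh_peers ;;           # sh this.sh refresh   (needs root)
esac
```

To find the failing command in a real run, capture `sh -x /etc/init.d/gshield start 2>&1 > trace.log` and feed it to `sh this.sh trace < trace.log`; the `--debug` switch Hu mentions gives a similar but noisier trace. For the dynamic-DNS peers, a cron entry running `sh this.sh refresh` every few minutes keeps the chain current; because only the `dynpeers` chain is flushed, the rest of the policy is never touched by the periodic job, and an unresolvable peer aborts the refresh instead of dropping its rules.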

