# traffic shaping with shorewall

## brain salad surgery

when i start shorewall, i get this:

```
RTNETLINK answers: Invalid argument

We have an error talking to the kernel

   ERROR: Command "tc filter add dev ppp0 parent ffff: protocol ip prio 50 u32 match ip src 0.0.0.0/0 police rate 340kbps burst 10k drop flowid :1" Failed

/etc/init.d/shorewall: line 14:  8998 Terminated              /sbin/shorewall -f start >/dev/null   

```

obviously, there is a kernel problem...

i use this kernel:

```
Linux router 2.6.14-hardened-r7 #26 Tue Feb 6 11:40:09 EST 2007 i686 AMD Athlon(tm) XP 2000+ AuthenticAMD GNU/Linux

```

i cannot really upgrade because i use the hostap driver in the kernel, which seems to have changed in later versions and no longer works. So i stick with this version.

All the interfaces are up and correctly configured (i use my own iptables script, which works fine), but i want to add traffic shaping to give priority to some protocols over others.

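Let's have a look at the .config.

i'm sorry, i should have shown only the relevant parts. The failing command attaches a `u32` filter with a `police` action to the ingress qdisc (`parent ffff:`), so the part that matters is the QoS section under "Networking options": there `CONFIG_NET_SCH_INGRESS=m` is set, but `CONFIG_NET_CLS_U32` and `CONFIG_NET_CLS_POLICE` are both "not set", which probably explains the "Invalid argument" answer from the kernel.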

```
#

# Automatically generated make config: don't edit

# Linux kernel version: 2.6.14-hardened-r7

# Tue Feb  6 11:27:57 2007

#

CONFIG_X86=y

CONFIG_SEMAPHORE_SLEEPERS=y

CONFIG_MMU=y

CONFIG_UID16=y

CONFIG_GENERIC_ISA_DMA=y

CONFIG_GENERIC_IOMAP=y

CONFIG_ARCH_MAY_HAVE_PC_FDC=y

#

# Code maturity level options

#

CONFIG_EXPERIMENTAL=y

CONFIG_CLEAN_COMPILE=y

CONFIG_BROKEN_ON_SMP=y

CONFIG_INIT_ENV_ARG_LIMIT=32

#

# General setup

#

CONFIG_LOCALVERSION=""

CONFIG_LOCALVERSION_AUTO=y

CONFIG_SWAP=y

CONFIG_SYSVIPC=y

CONFIG_POSIX_MQUEUE=y

# CONFIG_BSD_PROCESS_ACCT is not set

CONFIG_SYSCTL=y

CONFIG_AUDIT=y

CONFIG_AUDITSYSCALL=y

CONFIG_HOTPLUG=y

CONFIG_KOBJECT_UEVENT=y

# CONFIG_IKCONFIG is not set

CONFIG_INITRAMFS_SOURCE=""

# CONFIG_EMBEDDED is not set

CONFIG_KALLSYMS=y

# CONFIG_KALLSYMS_EXTRA_PASS is not set

CONFIG_PRINTK=y

CONFIG_BUG=y

CONFIG_BASE_FULL=y

CONFIG_FUTEX=y

CONFIG_EPOLL=y

CONFIG_SHMEM=y

CONFIG_CC_ALIGN_FUNCTIONS=0

CONFIG_CC_ALIGN_LABELS=0

CONFIG_CC_ALIGN_LOOPS=0

CONFIG_CC_ALIGN_JUMPS=0

# CONFIG_TINY_SHMEM is not set

CONFIG_BASE_SMALL=0

#

# Loadable module support

#

CONFIG_MODULES=y

CONFIG_MODULE_UNLOAD=y

CONFIG_MODULE_FORCE_UNLOAD=y

CONFIG_OBSOLETE_MODPARM=y

# CONFIG_MODVERSIONS is not set

# CONFIG_MODULE_SRCVERSION_ALL is not set

CONFIG_KMOD=y

#

# Processor type and features

#

CONFIG_X86_PC=y

# CONFIG_X86_ELAN is not set

# CONFIG_X86_VOYAGER is not set

# CONFIG_X86_NUMAQ is not set

# CONFIG_X86_SUMMIT is not set

# CONFIG_X86_BIGSMP is not set

# CONFIG_X86_VISWS is not set

# CONFIG_X86_GENERICARCH is not set

# CONFIG_X86_ES7000 is not set

# CONFIG_M386 is not set

# CONFIG_M486 is not set

# CONFIG_M586 is not set

# CONFIG_M586TSC is not set

# CONFIG_M586MMX is not set

# CONFIG_M686 is not set

# CONFIG_MPENTIUMII is not set

# CONFIG_MPENTIUMIII is not set

# CONFIG_MPENTIUMM is not set

# CONFIG_MPENTIUM4 is not set

# CONFIG_MK6 is not set

CONFIG_MK7=y

# CONFIG_MK8 is not set

# CONFIG_MCRUSOE is not set

# CONFIG_MEFFICEON is not set

# CONFIG_MWINCHIPC6 is not set

# CONFIG_MWINCHIP2 is not set

# CONFIG_MWINCHIP3D is not set

# CONFIG_MGEODEGX1 is not set

# CONFIG_MCYRIXIII is not set

# CONFIG_MVIAC3_2 is not set

CONFIG_X86_GENERIC=y

CONFIG_X86_CMPXCHG=y

CONFIG_X86_XADD=y

CONFIG_X86_L1_CACHE_SHIFT=7

CONFIG_RWSEM_XCHGADD_ALGORITHM=y

CONFIG_GENERIC_CALIBRATE_DELAY=y

CONFIG_X86_WP_WORKS_OK=y

CONFIG_X86_INVLPG=y

CONFIG_X86_BSWAP=y

CONFIG_X86_POPAD_OK=y

CONFIG_X86_ALIGNMENT_16=y

CONFIG_X86_GOOD_APIC=y

CONFIG_X86_INTEL_USERCOPY=y

CONFIG_X86_USE_PPRO_CHECKSUM=y

CONFIG_X86_USE_3DNOW=y

CONFIG_HPET_TIMER=y

CONFIG_HPET_EMULATE_RTC=y

# CONFIG_SMP is not set

CONFIG_PREEMPT_NONE=y

# CONFIG_PREEMPT_VOLUNTARY is not set

# CONFIG_PREEMPT is not set

# CONFIG_X86_UP_APIC is not set

CONFIG_X86_TSC=y

CONFIG_X86_MCE=y

CONFIG_X86_MCE_NONFATAL=y

# CONFIG_TOSHIBA is not set

# CONFIG_I8K is not set

CONFIG_X86_REBOOTFIXUPS=y

CONFIG_MICROCODE=y

CONFIG_X86_MSR=y

CONFIG_X86_CPUID=y

#

# Firmware Drivers

#

# CONFIG_EDD is not set

# CONFIG_DELL_RBU is not set

CONFIG_DCDBAS=m

CONFIG_NOHIGHMEM=y

# CONFIG_HIGHMEM4G is not set

# CONFIG_HIGHMEM64G is not set

CONFIG_SELECT_MEMORY_MODEL=y

CONFIG_FLATMEM_MANUAL=y

# CONFIG_DISCONTIGMEM_MANUAL is not set

# CONFIG_SPARSEMEM_MANUAL is not set

CONFIG_FLATMEM=y

CONFIG_FLAT_NODE_MEM_MAP=y

# CONFIG_SPARSEMEM_STATIC is not set

CONFIG_MATH_EMULATION=y

CONFIG_MTRR=y

# CONFIG_EFI is not set

# CONFIG_REGPARM is not set

CONFIG_SECCOMP=y

# CONFIG_HZ_100 is not set

CONFIG_HZ_250=y

# CONFIG_HZ_1000 is not set

CONFIG_HZ=250

CONFIG_PHYSICAL_START=0x100000

# CONFIG_KEXEC is not set

#

# Power management options (ACPI, APM)

#

CONFIG_PM=y

# CONFIG_PM_DEBUG is not set

# CONFIG_SOFTWARE_SUSPEND is not set

#

# ACPI (Advanced Configuration and Power Interface) Support

#

CONFIG_ACPI=y

CONFIG_ACPI_SLEEP=y

CONFIG_ACPI_SLEEP_PROC_FS=y

# CONFIG_ACPI_SLEEP_PROC_SLEEP is not set

CONFIG_ACPI_AC=y

CONFIG_ACPI_BATTERY=y

CONFIG_ACPI_BUTTON=y

CONFIG_ACPI_VIDEO=y

# CONFIG_ACPI_HOTKEY is not set

CONFIG_ACPI_FAN=y

CONFIG_ACPI_PROCESSOR=y

CONFIG_ACPI_THERMAL=y

# CONFIG_ACPI_ASUS is not set

CONFIG_ACPI_IBM=y

# CONFIG_ACPI_TOSHIBA is not set

CONFIG_ACPI_BLACKLIST_YEAR=0

# CONFIG_ACPI_DEBUG is not set

CONFIG_ACPI_EC=y

CONFIG_ACPI_POWER=y

CONFIG_ACPI_SYSTEM=y

# CONFIG_X86_PM_TIMER is not set

# CONFIG_ACPI_CONTAINER is not set

#

# APM (Advanced Power Management) BIOS Support

#

# CONFIG_APM is not set

#

# CPU Frequency scaling

#

# CONFIG_CPU_FREQ is not set

#

# Bus options (PCI, PCMCIA, EISA, MCA, ISA)

#

CONFIG_PCI=y

# CONFIG_PCI_GOBIOS is not set

# CONFIG_PCI_GOMMCONFIG is not set

# CONFIG_PCI_GODIRECT is not set

CONFIG_PCI_GOANY=y

CONFIG_PCI_DIRECT=y

CONFIG_PCI_MMCONFIG=y

# CONFIG_PCIEPORTBUS is not set

CONFIG_PCI_LEGACY_PROC=y

CONFIG_ISA_DMA_API=y

CONFIG_ISA=y

# CONFIG_EISA is not set

# CONFIG_MCA is not set

# CONFIG_SCx200 is not set

#

# PCCARD (PCMCIA/CardBus) support

#

# CONFIG_PCCARD is not set

#

# PCI Hotplug Support

#

# CONFIG_HOTPLUG_PCI is not set

#

# Executable file formats

#

CONFIG_BINFMT_ELF=y

CONFIG_BINFMT_AOUT=y

CONFIG_BINFMT_MISC=y

#

# Networking

#

CONFIG_NET=y

#

# Networking options

#

CONFIG_PACKET=y

CONFIG_PACKET_MMAP=y

CONFIG_UNIX=y

# CONFIG_NET_KEY is not set

CONFIG_INET=y

CONFIG_IP_MULTICAST=y

# CONFIG_IP_ADVANCED_ROUTER is not set

CONFIG_IP_FIB_HASH=y

# CONFIG_IP_PNP is not set

# CONFIG_NET_IPIP is not set

# CONFIG_NET_IPGRE is not set

# CONFIG_IP_MROUTE is not set

# CONFIG_ARPD is not set

# CONFIG_SYN_COOKIES is not set

# CONFIG_INET_AH is not set

# CONFIG_INET_ESP is not set

# CONFIG_INET_IPCOMP is not set

# CONFIG_INET_TUNNEL is not set

# CONFIG_INET_DIAG is not set

# CONFIG_TCP_CONG_ADVANCED is not set

CONFIG_TCP_CONG_BIC=y

#

# IP: Virtual Server Configuration

#

# CONFIG_IP_VS is not set

# CONFIG_IPV6 is not set

CONFIG_NETFILTER=y

CONFIG_NETFILTER_DEBUG=y

CONFIG_NETFILTER_NETLINK=y

CONFIG_NETFILTER_NETLINK_QUEUE=y

CONFIG_NETFILTER_NETLINK_LOG=y

#

# IP: Netfilter Configuration

#

CONFIG_IP_NF_CONNTRACK=y

CONFIG_IP_NF_CT_ACCT=y

CONFIG_IP_NF_CONNTRACK_MARK=y

CONFIG_IP_NF_CONNTRACK_EVENTS=y

CONFIG_IP_NF_CONNTRACK_NETLINK=y

CONFIG_IP_NF_CT_PROTO_SCTP=y

CONFIG_IP_NF_FTP=y

CONFIG_IP_NF_IRC=y

CONFIG_IP_NF_NETBIOS_NS=y

CONFIG_IP_NF_TFTP=y

CONFIG_IP_NF_AMANDA=y

CONFIG_IP_NF_PPTP=y

CONFIG_IP_NF_QUEUE=y

CONFIG_IP_NF_IPTABLES=y

CONFIG_IP_NF_MATCH_LIMIT=y

CONFIG_IP_NF_MATCH_IPRANGE=y

CONFIG_IP_NF_MATCH_MAC=y

CONFIG_IP_NF_MATCH_PKTTYPE=y

CONFIG_IP_NF_MATCH_MARK=y

CONFIG_IP_NF_MATCH_MULTIPORT=y

CONFIG_IP_NF_MATCH_TOS=y

CONFIG_IP_NF_MATCH_RECENT=y

CONFIG_IP_NF_MATCH_ECN=y

CONFIG_IP_NF_MATCH_DSCP=y

CONFIG_IP_NF_MATCH_AH_ESP=y

CONFIG_IP_NF_MATCH_LENGTH=y

CONFIG_IP_NF_MATCH_TTL=y

CONFIG_IP_NF_MATCH_TCPMSS=y

CONFIG_IP_NF_MATCH_STEALTH=y

CONFIG_IP_NF_MATCH_HELPER=y

CONFIG_IP_NF_MATCH_STATE=y

CONFIG_IP_NF_MATCH_CONNTRACK=y

CONFIG_IP_NF_MATCH_OWNER=y

CONFIG_IP_NF_MATCH_ADDRTYPE=y

CONFIG_IP_NF_MATCH_REALM=y

CONFIG_IP_NF_MATCH_SCTP=y

CONFIG_IP_NF_MATCH_DCCP=y

CONFIG_IP_NF_MATCH_COMMENT=y

CONFIG_IP_NF_MATCH_CONNMARK=y

CONFIG_IP_NF_MATCH_CONNBYTES=y

CONFIG_IP_NF_MATCH_HASHLIMIT=y

CONFIG_IP_NF_MATCH_STRING=y

CONFIG_IP_NF_FILTER=y

CONFIG_IP_NF_TARGET_REJECT=y

CONFIG_IP_NF_TARGET_LOG=y

CONFIG_IP_NF_TARGET_ULOG=y

CONFIG_IP_NF_TARGET_TCPMSS=y

CONFIG_IP_NF_TARGET_NFQUEUE=y

CONFIG_IP_NF_NAT=y

CONFIG_IP_NF_NAT_NEEDED=y

CONFIG_IP_NF_TARGET_MASQUERADE=y

CONFIG_IP_NF_TARGET_REDIRECT=y

CONFIG_IP_NF_TARGET_NETMAP=y

CONFIG_IP_NF_TARGET_SAME=y

CONFIG_IP_NF_NAT_SNMP_BASIC=y

CONFIG_IP_NF_NAT_IRC=y

CONFIG_IP_NF_NAT_FTP=y

CONFIG_IP_NF_NAT_TFTP=y

CONFIG_IP_NF_NAT_AMANDA=y

CONFIG_IP_NF_NAT_PPTP=y

CONFIG_IP_NF_MANGLE=y

CONFIG_IP_NF_TARGET_TOS=y

CONFIG_IP_NF_TARGET_ECN=y

CONFIG_IP_NF_TARGET_DSCP=y

CONFIG_IP_NF_TARGET_MARK=y

CONFIG_IP_NF_TARGET_CLASSIFY=y

CONFIG_IP_NF_TARGET_TTL=y

CONFIG_IP_NF_TARGET_CONNMARK=y

CONFIG_IP_NF_TARGET_CLUSTERIP=y

CONFIG_IP_NF_RAW=y

CONFIG_IP_NF_TARGET_NOTRACK=y

CONFIG_IP_NF_ARPTABLES=y

CONFIG_IP_NF_ARPFILTER=y

CONFIG_IP_NF_ARP_MANGLE=y

#

# DECnet: Netfilter Configuration

#

# CONFIG_DECNET_NF_GRABULATOR is not set

#

# DCCP Configuration (EXPERIMENTAL)

#

# CONFIG_IP_DCCP is not set

#

# SCTP Configuration (EXPERIMENTAL)

#

# CONFIG_IP_SCTP is not set

# CONFIG_ATM is not set

# CONFIG_BRIDGE is not set

# CONFIG_VLAN_8021Q is not set

CONFIG_DECNET=m

# CONFIG_DECNET_ROUTER is not set

# CONFIG_LLC2 is not set

# CONFIG_IPX is not set

# CONFIG_ATALK is not set

# CONFIG_X25 is not set

# CONFIG_LAPB is not set

# CONFIG_NET_DIVERT is not set

# CONFIG_ECONET is not set

# CONFIG_WAN_ROUTER is not set

CONFIG_NET_SCHED=y

CONFIG_NET_SCH_CLK_JIFFIES=y

# CONFIG_NET_SCH_CLK_GETTIMEOFDAY is not set

# CONFIG_NET_SCH_CLK_CPU is not set

CONFIG_NET_SCH_CBQ=m

CONFIG_NET_SCH_HTB=m

CONFIG_NET_SCH_HFSC=m

CONFIG_NET_SCH_PRIO=m

CONFIG_NET_SCH_RED=m

CONFIG_NET_SCH_SFQ=m

CONFIG_NET_SCH_TEQL=m

CONFIG_NET_SCH_TBF=m

CONFIG_NET_SCH_GRED=m

CONFIG_NET_SCH_DSMARK=m

CONFIG_NET_SCH_NETEM=m

CONFIG_NET_SCH_INGRESS=m

CONFIG_NET_QOS=y

CONFIG_NET_ESTIMATOR=y

CONFIG_NET_CLS=y

# CONFIG_NET_CLS_BASIC is not set

CONFIG_NET_CLS_TCINDEX=m

CONFIG_NET_CLS_ROUTE4=m

CONFIG_NET_CLS_ROUTE=y

# CONFIG_NET_CLS_FW is not set

# CONFIG_NET_CLS_U32 is not set

# CONFIG_NET_CLS_RSVP is not set

# CONFIG_NET_CLS_RSVP6 is not set

# CONFIG_NET_EMATCH is not set

# CONFIG_NET_CLS_ACT is not set

# CONFIG_NET_CLS_POLICE is not set

#

# Network testing

#

# CONFIG_NET_PKTGEN is not set

# CONFIG_HAMRADIO is not set

# CONFIG_IRDA is not set

# CONFIG_BT is not set

CONFIG_IEEE80211=y

# CONFIG_IEEE80211_DEBUG is not set

CONFIG_IEEE80211_CRYPT_WEP=y

CONFIG_IEEE80211_CRYPT_CCMP=y

CONFIG_IEEE80211_CRYPT_TKIP=y

#

# Device Drivers

#

#

# Generic Driver Options

#

CONFIG_STANDALONE=y

CONFIG_PREVENT_FIRMWARE_BUILD=y

CONFIG_FW_LOADER=m

#

# Connector - unified userspace <-> kernelspace linker

#

# CONFIG_CONNECTOR is not set

#

# Memory Technology Devices (MTD)

#

# CONFIG_MTD is not set

#

# Parallel port support

#

CONFIG_PARPORT=y

CONFIG_PARPORT_PC=y

# CONFIG_PARPORT_SERIAL is not set

# CONFIG_PARPORT_PC_FIFO is not set

# CONFIG_PARPORT_PC_SUPERIO is not set

# CONFIG_PARPORT_GSC is not set

# CONFIG_PARPORT_1284 is not set

#

# Plug and Play support

#

CONFIG_PNP=y

# CONFIG_PNP_DEBUG is not set

#

# Protocols

#

# CONFIG_ISAPNP is not set

CONFIG_PNPBIOS=y

CONFIG_PNPBIOS_PROC_FS=y

CONFIG_PNPACPI=y

#

# Block devices

#

CONFIG_BLK_DEV_FD=y

# CONFIG_BLK_DEV_XD is not set

# CONFIG_PARIDE is not set

# CONFIG_BLK_CPQ_DA is not set

# CONFIG_BLK_CPQ_CISS_DA is not set

# CONFIG_BLK_DEV_DAC960 is not set

# CONFIG_BLK_DEV_UMEM is not set

# CONFIG_BLK_DEV_COW_COMMON is not set

CONFIG_BLK_DEV_LOOP=y

CONFIG_BLK_DEV_CRYPTOLOOP=y

# CONFIG_BLK_DEV_NBD is not set

# CONFIG_BLK_DEV_SX8 is not set

# CONFIG_BLK_DEV_UB is not set

# CONFIG_BLK_DEV_RAM is not set

CONFIG_BLK_DEV_RAM_COUNT=16

CONFIG_LBD=y

# CONFIG_CDROM_PKTCDVD is not set

#

# IO Schedulers

#

CONFIG_IOSCHED_NOOP=y

CONFIG_IOSCHED_AS=y

CONFIG_IOSCHED_DEADLINE=y

CONFIG_IOSCHED_CFQ=y

# CONFIG_ATA_OVER_ETH is not set

#

# ATA/ATAPI/MFM/RLL support

#

CONFIG_IDE=y

CONFIG_BLK_DEV_IDE=y

#

# Please see Documentation/ide.txt for help/info on IDE drives

#

# CONFIG_BLK_DEV_IDE_SATA is not set

# CONFIG_BLK_DEV_HD_IDE is not set

CONFIG_BLK_DEV_IDEDISK=y

CONFIG_IDEDISK_MULTI_MODE=y

CONFIG_BLK_DEV_IDECD=y

# CONFIG_BLK_DEV_IDETAPE is not set

# CONFIG_BLK_DEV_IDEFLOPPY is not set

# CONFIG_BLK_DEV_IDESCSI is not set

# CONFIG_IDE_TASK_IOCTL is not set

#

# IDE chipset support/bugfixes

#

CONFIG_IDE_GENERIC=y

CONFIG_BLK_DEV_CMD640=y

# CONFIG_BLK_DEV_CMD640_ENHANCED is not set

# CONFIG_BLK_DEV_IDEPNP is not set

CONFIG_BLK_DEV_IDEPCI=y

CONFIG_IDEPCI_SHARE_IRQ=y

# CONFIG_BLK_DEV_OFFBOARD is not set

CONFIG_BLK_DEV_GENERIC=y

# CONFIG_BLK_DEV_OPTI621 is not set

# CONFIG_BLK_DEV_RZ1000 is not set

CONFIG_BLK_DEV_IDEDMA_PCI=y

CONFIG_BLK_DEV_IDEDMA_FORCED=y

CONFIG_IDEDMA_PCI_AUTO=y

# CONFIG_IDEDMA_ONLYDISK is not set

# CONFIG_BLK_DEV_AEC62XX is not set

# CONFIG_BLK_DEV_ALI15X3 is not set

CONFIG_BLK_DEV_AMD74XX=y

# CONFIG_BLK_DEV_ATIIXP is not set

# CONFIG_BLK_DEV_CMD64X is not set

# CONFIG_BLK_DEV_TRIFLEX is not set

# CONFIG_BLK_DEV_CY82C693 is not set

# CONFIG_BLK_DEV_CS5520 is not set

# CONFIG_BLK_DEV_CS5530 is not set

# CONFIG_BLK_DEV_HPT34X is not set

# CONFIG_BLK_DEV_HPT366 is not set

# CONFIG_BLK_DEV_SC1200 is not set

# CONFIG_BLK_DEV_PIIX is not set

# CONFIG_BLK_DEV_IT821X is not set

# CONFIG_BLK_DEV_NS87415 is not set

# CONFIG_BLK_DEV_PDC202XX_OLD is not set

# CONFIG_BLK_DEV_PDC202XX_NEW is not set

# CONFIG_BLK_DEV_SVWKS is not set

# CONFIG_BLK_DEV_SIIMAGE is not set

# CONFIG_BLK_DEV_SIS5513 is not set

# CONFIG_BLK_DEV_SLC90E66 is not set

# CONFIG_BLK_DEV_TRM290 is not set

# CONFIG_BLK_DEV_VIA82CXXX is not set

# CONFIG_IDE_ARM is not set

# CONFIG_IDE_CHIPSETS is not set

CONFIG_BLK_DEV_IDEDMA=y

# CONFIG_IDEDMA_IVB is not set

CONFIG_IDEDMA_AUTO=y

# CONFIG_BLK_DEV_HD is not set

#

# SCSI device support

#

# CONFIG_RAID_ATTRS is not set

CONFIG_SCSI=y

CONFIG_SCSI_PROC_FS=y

#

# SCSI support type (disk, tape, CD-ROM)

#

CONFIG_BLK_DEV_SD=y

# CONFIG_CHR_DEV_ST is not set

# CONFIG_CHR_DEV_OSST is not set

# CONFIG_BLK_DEV_SR is not set

CONFIG_CHR_DEV_SG=y

# CONFIG_CHR_DEV_SCH is not set

#

# Some SCSI devices (e.g. CD jukebox) support multiple LUNs

#

CONFIG_SCSI_MULTI_LUN=y

# CONFIG_SCSI_CONSTANTS is not set

# CONFIG_SCSI_LOGGING is not set

#

# SCSI Transport Attributes

#

# CONFIG_SCSI_SPI_ATTRS is not set

# CONFIG_SCSI_FC_ATTRS is not set

# CONFIG_SCSI_ISCSI_ATTRS is not set

# CONFIG_SCSI_SAS_ATTRS is not set

#

# SCSI low-level drivers

#

# CONFIG_BLK_DEV_3W_XXXX_RAID is not set

# CONFIG_SCSI_3W_9XXX is not set

# CONFIG_SCSI_7000FASST is not set

# CONFIG_SCSI_ACARD is not set

# CONFIG_SCSI_AHA152X is not set

# CONFIG_SCSI_AHA1542 is not set

# CONFIG_SCSI_AACRAID is not set

# CONFIG_SCSI_AIC7XXX is not set

# CONFIG_SCSI_AIC7XXX_OLD is not set

# CONFIG_SCSI_AIC79XX is not set

CONFIG_SCSI_DPT_I2O=m

# CONFIG_SCSI_IN2000 is not set

# CONFIG_MEGARAID_NEWGEN is not set

# CONFIG_MEGARAID_LEGACY is not set

# CONFIG_MEGARAID_SAS is not set

CONFIG_SCSI_SATA=y

# CONFIG_SCSI_SATA_AHCI is not set

# CONFIG_SCSI_SATA_SVW is not set

CONFIG_SCSI_ATA_PIIX=y

# CONFIG_SCSI_SATA_MV is not set

# CONFIG_SCSI_SATA_NV is not set

# CONFIG_SCSI_SATA_PROMISE is not set

# CONFIG_SCSI_SATA_QSTOR is not set

CONFIG_SCSI_SATA_SX4=m

# CONFIG_SCSI_SATA_SIL is not set

CONFIG_SCSI_SATA_SIS=m

# CONFIG_SCSI_SATA_ULI is not set

# CONFIG_SCSI_SATA_VIA is not set

# CONFIG_SCSI_SATA_VITESSE is not set

CONFIG_SCSI_SATA_INTEL_COMBINED=y

# CONFIG_SCSI_BUSLOGIC is not set

# CONFIG_SCSI_DMX3191D is not set

# CONFIG_SCSI_DTC3280 is not set

# CONFIG_SCSI_EATA is not set

# CONFIG_SCSI_FUTURE_DOMAIN is not set

# CONFIG_SCSI_GDTH is not set

# CONFIG_SCSI_GENERIC_NCR5380 is not set

# CONFIG_SCSI_GENERIC_NCR5380_MMIO is not set

# CONFIG_SCSI_IPS is not set

# CONFIG_SCSI_INITIO is not set

# CONFIG_SCSI_INIA100 is not set

# CONFIG_SCSI_PPA is not set

# CONFIG_SCSI_IMM is not set

# CONFIG_SCSI_NCR53C406A is not set

# CONFIG_SCSI_SYM53C8XX_2 is not set

CONFIG_SCSI_IPR=m

# CONFIG_SCSI_IPR_TRACE is not set

# CONFIG_SCSI_IPR_DUMP is not set

# CONFIG_SCSI_PAS16 is not set

# CONFIG_SCSI_PSI240I is not set

# CONFIG_SCSI_QLOGIC_FAS is not set

# CONFIG_SCSI_QLOGIC_FC is not set

# CONFIG_SCSI_QLOGIC_1280 is not set

CONFIG_SCSI_QLA2XXX=y

# CONFIG_SCSI_QLA21XX is not set

# CONFIG_SCSI_QLA22XX is not set

# CONFIG_SCSI_QLA2300 is not set

# CONFIG_SCSI_QLA2322 is not set

# CONFIG_SCSI_QLA6312 is not set

# CONFIG_SCSI_QLA24XX is not set

# CONFIG_SCSI_LPFC is not set

# CONFIG_SCSI_SYM53C416 is not set

# CONFIG_SCSI_DC395x is not set

# CONFIG_SCSI_DC390T is not set

# CONFIG_SCSI_T128 is not set

# CONFIG_SCSI_U14_34F is not set

# CONFIG_SCSI_ULTRASTOR is not set

# CONFIG_SCSI_NSP32 is not set

# CONFIG_SCSI_DEBUG is not set

#

# Old CD-ROM drivers (not SCSI, not IDE)

#

# CONFIG_CD_NO_IDESCSI is not set

#

# Multi-device support (RAID and LVM)

#

# CONFIG_MD is not set

#

# Fusion MPT device support

#

# CONFIG_FUSION is not set

# CONFIG_FUSION_SPI is not set

# CONFIG_FUSION_FC is not set

# CONFIG_FUSION_SAS is not set

#

# IEEE 1394 (FireWire) support

#

CONFIG_IEEE1394=y

#

# Subsystem Options

#

# CONFIG_IEEE1394_VERBOSEDEBUG is not set

# CONFIG_IEEE1394_OUI_DB is not set

# CONFIG_IEEE1394_EXTRA_CONFIG_ROMS is not set

# CONFIG_IEEE1394_EXPORT_FULL_API is not set

#

# Device Drivers

#

# CONFIG_IEEE1394_PCILYNX is not set

CONFIG_IEEE1394_OHCI1394=y

#

# Protocol Drivers

#

# CONFIG_IEEE1394_VIDEO1394 is not set

# CONFIG_IEEE1394_SBP2 is not set

# CONFIG_IEEE1394_ETH1394 is not set

# CONFIG_IEEE1394_DV1394 is not set

CONFIG_IEEE1394_RAWIO=y

# CONFIG_IEEE1394_CMP is not set

#

# I2O device support

#

# CONFIG_I2O is not set

#

# Network device support

#

CONFIG_NETDEVICES=y

CONFIG_DUMMY=m

# CONFIG_BONDING is not set

# CONFIG_EQUALIZER is not set

# CONFIG_TUN is not set

# CONFIG_NET_SB1000 is not set

#

# ARCnet devices

#

# CONFIG_ARCNET is not set

#

# PHY device support

#

# CONFIG_PHYLIB is not set

#

# Ethernet (10 or 100Mbit)

#

CONFIG_NET_ETHERNET=y

CONFIG_MII=y

# CONFIG_HAPPYMEAL is not set

# CONFIG_SUNGEM is not set

# CONFIG_CASSINI is not set

CONFIG_NET_VENDOR_3COM=y

# CONFIG_EL1 is not set

# CONFIG_EL2 is not set

# CONFIG_ELPLUS is not set

# CONFIG_EL16 is not set

# CONFIG_EL3 is not set

# CONFIG_3C515 is not set

CONFIG_VORTEX=y

# CONFIG_TYPHOON is not set

# CONFIG_LANCE is not set

# CONFIG_NET_VENDOR_SMC is not set

# CONFIG_NET_VENDOR_RACAL is not set

#

# Tulip family network device support

#

# CONFIG_NET_TULIP is not set

# CONFIG_AT1700 is not set

# CONFIG_DEPCA is not set

# CONFIG_HP100 is not set

# CONFIG_NET_ISA is not set

CONFIG_NET_PCI=y

# CONFIG_PCNET32 is not set

# CONFIG_AMD8111_ETH is not set

# CONFIG_ADAPTEC_STARFIRE is not set

# CONFIG_AC3200 is not set

# CONFIG_APRICOT is not set

# CONFIG_B44 is not set

CONFIG_FORCEDETH=y

# CONFIG_CS89x0 is not set

# CONFIG_DGRS is not set

# CONFIG_EEPRO100 is not set

# CONFIG_E100 is not set

# CONFIG_FEALNX is not set

# CONFIG_NATSEMI is not set

# CONFIG_NE2K_PCI is not set

# CONFIG_8139CP is not set

# CONFIG_8139TOO is not set

# CONFIG_SIS900 is not set

# CONFIG_EPIC100 is not set

# CONFIG_SUNDANCE is not set

# CONFIG_TLAN is not set

# CONFIG_VIA_RHINE is not set

# CONFIG_NET_POCKET is not set

#

# Ethernet (1000 Mbit)

#

# CONFIG_ACENIC is not set

# CONFIG_DL2K is not set

# CONFIG_E1000 is not set

# CONFIG_NS83820 is not set

# CONFIG_HAMACHI is not set

# CONFIG_YELLOWFIN is not set

# CONFIG_R8169 is not set

# CONFIG_SIS190 is not set

# CONFIG_SKGE is not set

# CONFIG_SK98LIN is not set

# CONFIG_VIA_VELOCITY is not set

# CONFIG_TIGON3 is not set

# CONFIG_BNX2 is not set

#

# Ethernet (10000 Mbit)

#

# CONFIG_CHELSIO_T1 is not set

# CONFIG_IXGB is not set

CONFIG_S2IO=m

# CONFIG_S2IO_NAPI is not set

# CONFIG_2BUFF_MODE is not set

#

# Token Ring devices

#

# CONFIG_TR is not set

#

# Wireless LAN (non-hamradio)

#

CONFIG_NET_RADIO=y

#

# Obsolete Wireless cards support (pre-802.11)

#

# CONFIG_STRIP is not set

# CONFIG_ARLAN is not set

# CONFIG_WAVELAN is not set

#

# Wireless 802.11b ISA/PCI cards support

#

# CONFIG_IPW2100 is not set

# CONFIG_IPW2200 is not set

# CONFIG_AIRO is not set

# CONFIG_HERMES is not set

# CONFIG_ATMEL is not set

#

# Prism GT/Duette 802.11(a/b/g) PCI/Cardbus support

#

# CONFIG_PRISM54 is not set

CONFIG_HOSTAP=y

CONFIG_HOSTAP_FIRMWARE=y

CONFIG_HOSTAP_PLX=m

CONFIG_HOSTAP_PCI=m

CONFIG_NET_WIRELESS=y

#

# Wan interfaces

#

# CONFIG_WAN is not set

# CONFIG_FDDI is not set

# CONFIG_HIPPI is not set

# CONFIG_PLIP is not set

CONFIG_PPP=y

CONFIG_PPP_MULTILINK=y

CONFIG_PPP_FILTER=y

CONFIG_PPP_ASYNC=y

# CONFIG_PPP_SYNC_TTY is not set

CONFIG_PPP_DEFLATE=y

CONFIG_PPP_BSDCOMP=y

# CONFIG_PPPOE is not set

# CONFIG_SLIP is not set

# CONFIG_NET_FC is not set

# CONFIG_SHAPER is not set

# CONFIG_NETCONSOLE is not set

# CONFIG_NETPOLL is not set

# CONFIG_NET_POLL_CONTROLLER is not set

#

# ISDN subsystem

#

# CONFIG_ISDN is not set

#

# Telephony Support

#

# CONFIG_PHONE is not set

#

# Input device support

#

CONFIG_INPUT=y

#

# Userland interfaces

#

CONFIG_INPUT_MOUSEDEV=y

CONFIG_INPUT_MOUSEDEV_PSAUX=y

CONFIG_INPUT_MOUSEDEV_SCREEN_X=1024

CONFIG_INPUT_MOUSEDEV_SCREEN_Y=768

# CONFIG_INPUT_JOYDEV is not set

# CONFIG_INPUT_TSDEV is not set

# CONFIG_INPUT_EVDEV is not set

# CONFIG_INPUT_EVBUG is not set

#

# Input Device Drivers

#

CONFIG_INPUT_KEYBOARD=y

CONFIG_KEYBOARD_ATKBD=y

# CONFIG_KEYBOARD_SUNKBD is not set

# CONFIG_KEYBOARD_LKKBD is not set

# CONFIG_KEYBOARD_XTKBD is not set

# CONFIG_KEYBOARD_NEWTON is not set

CONFIG_INPUT_MOUSE=y

CONFIG_MOUSE_PS2=y

# CONFIG_MOUSE_SERIAL is not set

# CONFIG_MOUSE_INPORT is not set

# CONFIG_MOUSE_LOGIBM is not set

# CONFIG_MOUSE_PC110PAD is not set

# CONFIG_MOUSE_VSXXXAA is not set

# CONFIG_INPUT_JOYSTICK is not set

# CONFIG_INPUT_TOUCHSCREEN is not set

# CONFIG_INPUT_MISC is not set

#

# Hardware I/O ports

#

CONFIG_SERIO=y

CONFIG_SERIO_I8042=y

# CONFIG_SERIO_SERPORT is not set

# CONFIG_SERIO_CT82C710 is not set

# CONFIG_SERIO_PARKBD is not set

# CONFIG_SERIO_PCIPS2 is not set

CONFIG_SERIO_LIBPS2=y

# CONFIG_SERIO_RAW is not set

# CONFIG_GAMEPORT is not set

#

# Character devices

#

CONFIG_VT=y

CONFIG_VT_CONSOLE=y

CONFIG_HW_CONSOLE=y

# CONFIG_SERIAL_NONSTANDARD is not set

#

# Serial drivers

#

CONFIG_SERIAL_8250=y

# CONFIG_SERIAL_8250_CONSOLE is not set

# CONFIG_SERIAL_8250_ACPI is not set

CONFIG_SERIAL_8250_NR_UARTS=4

# CONFIG_SERIAL_8250_EXTENDED is not set

#

# Non-8250 serial port support

#

CONFIG_SERIAL_CORE=y

# CONFIG_SERIAL_JSM is not set

CONFIG_UNIX98_PTYS=y

CONFIG_LEGACY_PTYS=y

CONFIG_LEGACY_PTY_COUNT=256

CONFIG_PRINTER=y

# CONFIG_LP_CONSOLE is not set

# CONFIG_PPDEV is not set

# CONFIG_TIPAR is not set

#

# IPMI

#

# CONFIG_IPMI_HANDLER is not set

#

# Watchdog Cards

#

# CONFIG_WATCHDOG is not set

# CONFIG_HW_RANDOM is not set

CONFIG_NVRAM=y

CONFIG_RTC=y

# CONFIG_DTLK is not set

# CONFIG_R3964 is not set

# CONFIG_APPLICOM is not set

# CONFIG_SONYPI is not set

#

# Ftape, the floppy tape device driver

#

# CONFIG_FTAPE is not set

CONFIG_AGP=y

# CONFIG_AGP_ALI is not set

# CONFIG_AGP_ATI is not set

# CONFIG_AGP_AMD is not set

# CONFIG_AGP_AMD64 is not set

# CONFIG_AGP_INTEL is not set

CONFIG_AGP_NVIDIA=y

# CONFIG_AGP_SIS is not set

# CONFIG_AGP_SWORKS is not set

# CONFIG_AGP_VIA is not set

# CONFIG_AGP_EFFICEON is not set

# CONFIG_DRM is not set

# CONFIG_MWAVE is not set

# CONFIG_RAW_DRIVER is not set

CONFIG_HPET=y

# CONFIG_HPET_RTC_IRQ is not set

CONFIG_HPET_MMAP=y

# CONFIG_HANGCHECK_TIMER is not set

#

# TPM devices

#

# CONFIG_TCG_TPM is not set

#

# I2C support

#

CONFIG_I2C=y

CONFIG_I2C_CHARDEV=y

#

# I2C Algorithms

#

CONFIG_I2C_ALGOBIT=y

# CONFIG_I2C_ALGOPCF is not set

# CONFIG_I2C_ALGOPCA is not set

#

# I2C Hardware Bus support

#

# CONFIG_I2C_ALI1535 is not set

# CONFIG_I2C_ALI1563 is not set

# CONFIG_I2C_ALI15X3 is not set

# CONFIG_I2C_AMD756 is not set

# CONFIG_I2C_AMD8111 is not set

# CONFIG_I2C_ELEKTOR is not set

# CONFIG_I2C_I801 is not set

# CONFIG_I2C_I810 is not set

# CONFIG_I2C_PIIX4 is not set

CONFIG_I2C_NFORCE2=m

# CONFIG_I2C_PARPORT is not set

# CONFIG_I2C_PARPORT_LIGHT is not set

# CONFIG_I2C_PROSAVAGE is not set

# CONFIG_I2C_SAVAGE4 is not set

# CONFIG_SCx200_ACB is not set

# CONFIG_I2C_SIS5595 is not set

# CONFIG_I2C_SIS630 is not set

# CONFIG_I2C_SIS96X is not set

# CONFIG_I2C_STUB is not set

# CONFIG_I2C_VIA is not set

# CONFIG_I2C_VIAPRO is not set

# CONFIG_I2C_VOODOO3 is not set

# CONFIG_I2C_PCA_ISA is not set

#

# Miscellaneous I2C Chip support

#

# CONFIG_SENSORS_DS1337 is not set

# CONFIG_SENSORS_DS1374 is not set

CONFIG_SENSORS_EEPROM=m

# CONFIG_SENSORS_PCF8574 is not set

# CONFIG_SENSORS_PCA9539 is not set

# CONFIG_SENSORS_PCF8591 is not set

# CONFIG_SENSORS_RTC8564 is not set

# CONFIG_SENSORS_MAX6875 is not set

# CONFIG_I2C_DEBUG_CORE is not set

# CONFIG_I2C_DEBUG_ALGO is not set

# CONFIG_I2C_DEBUG_BUS is not set

# CONFIG_I2C_DEBUG_CHIP is not set

#

# Dallas's 1-wire bus

#

# CONFIG_W1 is not set

#

# Hardware Monitoring support

#

CONFIG_HWMON=y

CONFIG_HWMON_VID=m

# CONFIG_SENSORS_ADM1021 is not set

# CONFIG_SENSORS_ADM1025 is not set

# CONFIG_SENSORS_ADM1026 is not set

# CONFIG_SENSORS_ADM1031 is not set

# CONFIG_SENSORS_ADM9240 is not set

CONFIG_SENSORS_ASB100=m

# CONFIG_SENSORS_ATXP1 is not set

# CONFIG_SENSORS_DS1621 is not set

# CONFIG_SENSORS_FSCHER is not set

# CONFIG_SENSORS_FSCPOS is not set

# CONFIG_SENSORS_GL518SM is not set

# CONFIG_SENSORS_GL520SM is not set

# CONFIG_SENSORS_IT87 is not set

# CONFIG_SENSORS_LM63 is not set

# CONFIG_SENSORS_LM75 is not set

# CONFIG_SENSORS_LM77 is not set

# CONFIG_SENSORS_LM78 is not set

# CONFIG_SENSORS_LM80 is not set

# CONFIG_SENSORS_LM83 is not set

# CONFIG_SENSORS_LM85 is not set

# CONFIG_SENSORS_LM87 is not set

# CONFIG_SENSORS_LM90 is not set

# CONFIG_SENSORS_LM92 is not set

# CONFIG_SENSORS_MAX1619 is not set

# CONFIG_SENSORS_PC87360 is not set

# CONFIG_SENSORS_SIS5595 is not set

# CONFIG_SENSORS_SMSC47M1 is not set

# CONFIG_SENSORS_SMSC47B397 is not set

# CONFIG_SENSORS_VIA686A is not set

# CONFIG_SENSORS_W83781D is not set

# CONFIG_SENSORS_W83792D is not set

CONFIG_SENSORS_W83L785TS=m

# CONFIG_SENSORS_W83627HF is not set

# CONFIG_SENSORS_W83627EHF is not set

# CONFIG_SENSORS_HDAPS is not set

# CONFIG_HWMON_DEBUG_CHIP is not set

#

# Misc devices

#

# CONFIG_IBM_ASM is not set

#

# Multimedia Capabilities Port drivers

#

#

# Multimedia devices

#

# CONFIG_VIDEO_DEV is not set

#

# Digital Video Broadcasting Devices

#

# CONFIG_DVB is not set

#

# Graphics support

#

# CONFIG_FB is not set

# CONFIG_VIDEO_SELECT is not set

#

# Console display driver support

#

CONFIG_VGA_CONSOLE=y

# CONFIG_MDA_CONSOLE is not set

CONFIG_DUMMY_CONSOLE=y

#

# Sound

#

CONFIG_SOUND=y

#

# Advanced Linux Sound Architecture

#

CONFIG_SND=y

CONFIG_SND_TIMER=y

CONFIG_SND_PCM=y

CONFIG_SND_SEQUENCER=y

# CONFIG_SND_SEQ_DUMMY is not set

CONFIG_SND_OSSEMUL=y

CONFIG_SND_MIXER_OSS=y

CONFIG_SND_PCM_OSS=y

CONFIG_SND_SEQUENCER_OSS=y

# CONFIG_SND_RTCTIMER is not set

# CONFIG_SND_VERBOSE_PRINTK is not set

# CONFIG_SND_DEBUG is not set

#

# Generic devices

#

# CONFIG_SND_DUMMY is not set

# CONFIG_SND_VIRMIDI is not set

# CONFIG_SND_MTPAV is not set

# CONFIG_SND_SERIAL_U16550 is not set

# CONFIG_SND_MPU401 is not set

#

# ISA devices

#

# CONFIG_SND_AD1816A is not set

# CONFIG_SND_AD1848 is not set

# CONFIG_SND_CS4231 is not set

# CONFIG_SND_CS4232 is not set

# CONFIG_SND_CS4236 is not set

# CONFIG_SND_ES968 is not set

# CONFIG_SND_ES1688 is not set

# CONFIG_SND_ES18XX is not set

# CONFIG_SND_GUSCLASSIC is not set

# CONFIG_SND_GUSEXTREME is not set

# CONFIG_SND_GUSMAX is not set

# CONFIG_SND_INTERWAVE is not set

# CONFIG_SND_INTERWAVE_STB is not set

# CONFIG_SND_OPTI92X_AD1848 is not set

# CONFIG_SND_OPTI92X_CS4231 is not set

# CONFIG_SND_OPTI93X is not set

# CONFIG_SND_SB8 is not set

# CONFIG_SND_SB16 is not set

# CONFIG_SND_SBAWE is not set

# CONFIG_SND_WAVEFRONT is not set

# CONFIG_SND_ALS100 is not set

# CONFIG_SND_AZT2320 is not set

# CONFIG_SND_CMI8330 is not set

# CONFIG_SND_DT019X is not set

# CONFIG_SND_OPL3SA2 is not set

# CONFIG_SND_SGALAXY is not set

# CONFIG_SND_SSCAPE is not set

CONFIG_SND_AC97_CODEC=y

CONFIG_SND_AC97_BUS=y

#

# PCI devices

#

# CONFIG_SND_ALI5451 is not set

# CONFIG_SND_ATIIXP is not set

# CONFIG_SND_ATIIXP_MODEM is not set

# CONFIG_SND_AU8810 is not set

# CONFIG_SND_AU8820 is not set

# CONFIG_SND_AU8830 is not set

# CONFIG_SND_AZT3328 is not set

# CONFIG_SND_BT87X is not set

# CONFIG_SND_CS46XX is not set

# CONFIG_SND_CS4281 is not set

# CONFIG_SND_EMU10K1 is not set

# CONFIG_SND_EMU10K1X is not set

# CONFIG_SND_CA0106 is not set

# CONFIG_SND_KORG1212 is not set

# CONFIG_SND_MIXART is not set

# CONFIG_SND_NM256 is not set

# CONFIG_SND_RME32 is not set

# CONFIG_SND_RME96 is not set

# CONFIG_SND_RME9652 is not set

# CONFIG_SND_HDSP is not set

# CONFIG_SND_HDSPM is not set

# CONFIG_SND_TRIDENT is not set

# CONFIG_SND_YMFPCI is not set

# CONFIG_SND_AD1889 is not set

# CONFIG_SND_ALS4000 is not set

# CONFIG_SND_CMIPCI is not set

# CONFIG_SND_ENS1370 is not set

# CONFIG_SND_ENS1371 is not set

# CONFIG_SND_ES1938 is not set

# CONFIG_SND_ES1968 is not set

# CONFIG_SND_MAESTRO3 is not set

# CONFIG_SND_FM801 is not set

# CONFIG_SND_ICE1712 is not set

# CONFIG_SND_ICE1724 is not set

CONFIG_SND_INTEL8X0=y

# CONFIG_SND_INTEL8X0M is not set

# CONFIG_SND_SONICVIBES is not set

# CONFIG_SND_VIA82XX is not set

# CONFIG_SND_VIA82XX_MODEM is not set

# CONFIG_SND_VX222 is not set

# CONFIG_SND_HDA_INTEL is not set

#

# USB devices

#

# CONFIG_SND_USB_AUDIO is not set

# CONFIG_SND_USB_USX2Y is not set

#

# Open Sound System

#

# CONFIG_SOUND_PRIME is not set

#

# USB support

#

CONFIG_USB_ARCH_HAS_HCD=y

CONFIG_USB_ARCH_HAS_OHCI=y

CONFIG_USB=y

# CONFIG_USB_DEBUG is not set

#

# Miscellaneous USB options

#

CONFIG_USB_DEVICEFS=y

CONFIG_USB_BANDWIDTH=y

CONFIG_USB_DYNAMIC_MINORS=y

# CONFIG_USB_SUSPEND is not set

# CONFIG_USB_OTG is not set

#

# USB Host Controller Drivers

#

CONFIG_USB_EHCI_HCD=y

CONFIG_USB_EHCI_SPLIT_ISO=y

CONFIG_USB_EHCI_ROOT_HUB_TT=y

# CONFIG_USB_ISP116X_HCD is not set

CONFIG_USB_OHCI_HCD=y

# CONFIG_USB_OHCI_BIG_ENDIAN is not set

CONFIG_USB_OHCI_LITTLE_ENDIAN=y

# CONFIG_USB_UHCI_HCD is not set

# CONFIG_USB_SL811_HCD is not set

#

# USB Device Class drivers

#

# CONFIG_OBSOLETE_OSS_USB_DRIVER is not set

# CONFIG_USB_BLUETOOTH_TTY is not set

# CONFIG_USB_ACM is not set

# CONFIG_USB_PRINTER is not set

#

# NOTE: USB_STORAGE enables SCSI, and 'SCSI disk support' may also be needed; see USB_STORAGE Help for more information

#

CONFIG_USB_STORAGE=y

# CONFIG_USB_STORAGE_DEBUG is not set

# CONFIG_USB_STORAGE_DATAFAB is not set

# CONFIG_USB_STORAGE_FREECOM is not set

# CONFIG_USB_STORAGE_ISD200 is not set

# CONFIG_USB_STORAGE_DPCM is not set

# CONFIG_USB_STORAGE_USBAT is not set

# CONFIG_USB_STORAGE_SDDR09 is not set

# CONFIG_USB_STORAGE_SDDR55 is not set

# CONFIG_USB_STORAGE_JUMPSHOT is not set

#

# USB Input Devices

#

CONFIG_USB_HID=y

CONFIG_USB_HIDINPUT=y

# CONFIG_HID_FF is not set

CONFIG_USB_HIDDEV=y

# CONFIG_USB_AIPTEK is not set

# CONFIG_USB_WACOM is not set

# CONFIG_USB_ACECAD is not set

# CONFIG_USB_KBTAB is not set

# CONFIG_USB_POWERMATE is not set

# CONFIG_USB_MTOUCH is not set

# CONFIG_USB_ITMTOUCH is not set

# CONFIG_USB_EGALAX is not set

# CONFIG_USB_YEALINK is not set

# CONFIG_USB_XPAD is not set

# CONFIG_USB_ATI_REMOTE is not set

# CONFIG_USB_KEYSPAN_REMOTE is not set

# CONFIG_USB_APPLETOUCH is not set

#

# USB Imaging devices

#

# CONFIG_USB_MDC800 is not set

# CONFIG_USB_MICROTEK is not set

#

# USB Multimedia devices

#

# CONFIG_USB_DABUSB is not set

#

# Video4Linux support is needed for USB Multimedia device support

#

#

# USB Network Adapters

#

# CONFIG_USB_CATC is not set

# CONFIG_USB_KAWETH is not set

# CONFIG_USB_PEGASUS is not set

# CONFIG_USB_RTL8150 is not set

# CONFIG_USB_USBNET is not set

# CONFIG_USB_ZD1201 is not set

# CONFIG_USB_MON is not set

#

# USB port drivers

#

# CONFIG_USB_USS720 is not set

#

# USB Serial Converter support

#

# CONFIG_USB_SERIAL is not set

#

# USB Miscellaneous drivers

#

# CONFIG_USB_EMI62 is not set

# CONFIG_USB_EMI26 is not set

# CONFIG_USB_AUERSWALD is not set

# CONFIG_USB_RIO500 is not set

# CONFIG_USB_LEGOTOWER is not set

# CONFIG_USB_LCD is not set

# CONFIG_USB_LED is not set

# CONFIG_USB_CYTHERM is not set

# CONFIG_USB_PHIDGETKIT is not set

# CONFIG_USB_PHIDGETSERVO is not set

# CONFIG_USB_IDMOUSE is not set

# CONFIG_USB_SISUSBVGA is not set

# CONFIG_USB_LD is not set

# CONFIG_USB_TEST is not set

#

# USB DSL modem support

#

#

# USB Gadget Support

#

# CONFIG_USB_GADGET is not set

#

# MMC/SD Card support

#

# CONFIG_MMC is not set

#

# InfiniBand support

#

# CONFIG_INFINIBAND is not set

#

# SN Devices

#

#

# File systems

#

CONFIG_EXT2_FS=y

CONFIG_EXT2_FS_XATTR=y

CONFIG_EXT2_FS_POSIX_ACL=y

CONFIG_EXT2_FS_SECURITY=y

CONFIG_EXT2_FS_XIP=y

CONFIG_FS_XIP=y

CONFIG_EXT3_FS=y

CONFIG_EXT3_FS_XATTR=y

CONFIG_EXT3_FS_POSIX_ACL=y

CONFIG_EXT3_FS_SECURITY=y

CONFIG_JBD=y

# CONFIG_JBD_DEBUG is not set

CONFIG_FS_MBCACHE=y

# CONFIG_REISERFS_FS is not set

# CONFIG_JFS_FS is not set

CONFIG_FS_POSIX_ACL=y

# CONFIG_XFS_FS is not set

# CONFIG_MINIX_FS is not set

# CONFIG_ROMFS_FS is not set

CONFIG_INOTIFY=y

# CONFIG_QUOTA is not set

CONFIG_DNOTIFY=y

# CONFIG_AUTOFS_FS is not set

CONFIG_AUTOFS4_FS=y

# CONFIG_FUSE_FS is not set

#

# CD-ROM/DVD Filesystems

#

CONFIG_ISO9660_FS=y

CONFIG_JOLIET=y

# CONFIG_ZISOFS is not set

CONFIG_UDF_FS=y

CONFIG_UDF_NLS=y

#

# DOS/FAT/NT Filesystems

#

CONFIG_FAT_FS=y

# CONFIG_MSDOS_FS is not set

CONFIG_VFAT_FS=y

CONFIG_FAT_DEFAULT_CODEPAGE=437

CONFIG_FAT_DEFAULT_IOCHARSET="iso8859-1"

CONFIG_NTFS_FS=y

CONFIG_NTFS_DEBUG=y

CONFIG_NTFS_RW=y

#

# Pseudo filesystems

#

CONFIG_PROC_FS=y

CONFIG_PROC_KCORE=y

CONFIG_SYSFS=y

CONFIG_TMPFS=y

# CONFIG_HUGETLBFS is not set

# CONFIG_HUGETLB_PAGE is not set

CONFIG_RAMFS=y

# CONFIG_RELAYFS_FS is not set

#

# Miscellaneous filesystems

#

# CONFIG_ADFS_FS is not set

# CONFIG_AFFS_FS is not set

# CONFIG_HFS_FS is not set

# CONFIG_HFSPLUS_FS is not set

# CONFIG_BEFS_FS is not set

# CONFIG_BFS_FS is not set

# CONFIG_EFS_FS is not set

# CONFIG_CRAMFS is not set

# CONFIG_SQUASHFS is not set

# CONFIG_VXFS_FS is not set

# CONFIG_HPFS_FS is not set

# CONFIG_QNX4FS_FS is not set

# CONFIG_SYSV_FS is not set

# CONFIG_UFS_FS is not set

#

# Network File Systems

#

# CONFIG_NFS_FS is not set

# CONFIG_NFSD is not set

CONFIG_SMB_FS=y

CONFIG_SMB_NLS_DEFAULT=y

CONFIG_SMB_NLS_REMOTE="cp437"

# CONFIG_CIFS is not set

# CONFIG_NCP_FS is not set

# CONFIG_CODA_FS is not set

# CONFIG_AFS_FS is not set

# CONFIG_9P_FS is not set

#

# Partition Types

#

# CONFIG_PARTITION_ADVANCED is not set

CONFIG_MSDOS_PARTITION=y

#

# Native Language Support

#

CONFIG_NLS=y

CONFIG_NLS_DEFAULT="iso8859-1"

CONFIG_NLS_CODEPAGE_437=y

CONFIG_NLS_CODEPAGE_737=y

# CONFIG_NLS_CODEPAGE_775 is not set

# CONFIG_NLS_CODEPAGE_850 is not set

# CONFIG_NLS_CODEPAGE_852 is not set

# CONFIG_NLS_CODEPAGE_855 is not set

# CONFIG_NLS_CODEPAGE_857 is not set

# CONFIG_NLS_CODEPAGE_860 is not set

# CONFIG_NLS_CODEPAGE_861 is not set

# CONFIG_NLS_CODEPAGE_862 is not set

CONFIG_NLS_CODEPAGE_863=y

# CONFIG_NLS_CODEPAGE_864 is not set

# CONFIG_NLS_CODEPAGE_865 is not set

# CONFIG_NLS_CODEPAGE_866 is not set

CONFIG_NLS_CODEPAGE_869=y

# CONFIG_NLS_CODEPAGE_936 is not set

# CONFIG_NLS_CODEPAGE_950 is not set

# CONFIG_NLS_CODEPAGE_932 is not set

# CONFIG_NLS_CODEPAGE_949 is not set

# CONFIG_NLS_CODEPAGE_874 is not set

# CONFIG_NLS_ISO8859_8 is not set

# CONFIG_NLS_CODEPAGE_1250 is not set

# CONFIG_NLS_CODEPAGE_1251 is not set

# CONFIG_NLS_ASCII is not set

CONFIG_NLS_ISO8859_1=y

# CONFIG_NLS_ISO8859_2 is not set

# CONFIG_NLS_ISO8859_3 is not set

# CONFIG_NLS_ISO8859_4 is not set

# CONFIG_NLS_ISO8859_5 is not set

# CONFIG_NLS_ISO8859_6 is not set

CONFIG_NLS_ISO8859_7=y

# CONFIG_NLS_ISO8859_9 is not set

# CONFIG_NLS_ISO8859_13 is not set

# CONFIG_NLS_ISO8859_14 is not set

# CONFIG_NLS_ISO8859_15 is not set

# CONFIG_NLS_KOI8_R is not set

# CONFIG_NLS_KOI8_U is not set

CONFIG_NLS_UTF8=y

#

# Profiling support

#

CONFIG_PROFILING=y

CONFIG_OPROFILE=y

#

# Kernel hacking

#

# CONFIG_PRINTK_TIME is not set

# CONFIG_DEBUG_KERNEL is not set

CONFIG_LOG_BUF_SHIFT=14

CONFIG_DEBUG_BUGVERBOSE=y

CONFIG_EARLY_PRINTK=y

#

# Security options

#

#

# PaX

#

# CONFIG_PAX is not set

#

# Grsecurity

#

# CONFIG_GRKERNSEC is not set

# CONFIG_KEYS is not set

# CONFIG_SECURITY is not set

#

# Cryptographic options

#

CONFIG_CRYPTO=y

# CONFIG_CRYPTO_HMAC is not set

# CONFIG_CRYPTO_NULL is not set

# CONFIG_CRYPTO_MD4 is not set

# CONFIG_CRYPTO_MD5 is not set

# CONFIG_CRYPTO_SHA1 is not set

# CONFIG_CRYPTO_SHA256 is not set

# CONFIG_CRYPTO_SHA512 is not set

# CONFIG_CRYPTO_WP512 is not set

# CONFIG_CRYPTO_TGR192 is not set

# CONFIG_CRYPTO_DES is not set

# CONFIG_CRYPTO_BLOWFISH is not set

# CONFIG_CRYPTO_TWOFISH is not set

# CONFIG_CRYPTO_SERPENT is not set

CONFIG_CRYPTO_AES=y

# CONFIG_CRYPTO_AES_586 is not set

# CONFIG_CRYPTO_CAST5 is not set

# CONFIG_CRYPTO_CAST6 is not set

# CONFIG_CRYPTO_TEA is not set

CONFIG_CRYPTO_ARC4=y

# CONFIG_CRYPTO_KHAZAD is not set

# CONFIG_CRYPTO_ANUBIS is not set

# CONFIG_CRYPTO_DEFLATE is not set

CONFIG_CRYPTO_MICHAEL_MIC=y

# CONFIG_CRYPTO_CRC32C is not set

# CONFIG_CRYPTO_TEST is not set

#

# Hardware crypto devices

#

# CONFIG_CRYPTO_DEV_PADLOCK is not set

#

# Library routines

#

CONFIG_CRC_CCITT=y

# CONFIG_CRC16 is not set

CONFIG_CRC32=y

CONFIG_LIBCRC32C=m

CONFIG_ZLIB_INFLATE=y

CONFIG_ZLIB_DEFLATE=y

CONFIG_TEXTSEARCH=y

CONFIG_TEXTSEARCH_KMP=y

CONFIG_TEXTSEARCH_BM=y

CONFIG_TEXTSEARCH_FSM=y

CONFIG_GENERIC_HARDIRQS=y

CONFIG_GENERIC_IRQ_PROBE=y

CONFIG_X86_BIOS_REBOOT=y

CONFIG_PC=y

```

----------

## brain salad surgery

Also, let's have a look at the shorewall configs

(i have ppp0 for the adsl outside interface, eth1 and wlan1 as

2 internal interfaces)

shorewall.conf  : 

```
###############################################################################

#  /etc/shorewall/shorewall.conf V3.2 - Change the following variables to

#  match your setup

#

#  This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]

#

#  This file should be placed in /etc/shorewall

#

#  (c) 1999,2000,2001,2002,2003,2004,2005 - Tom Eastep (teastep@shorewall.net)

#

#      >>>>>>>>>>>>> NOTE TO USERS UPGRADING FROM 2.x <<<<<<<<<<<<<<<<<<

#

#  Most problems associated with upgrades come from two causes:

#

#   - The user didn't read and follow the migration considerations in the

#     release notes.

#

#   - The user mis-handled the /etc/shorewall/shorewall.conf file during

#     upgrade. Shorewall is designed to allow the default behavior of

#     the product to evolve over time. To make this possible, the design

#     assumes that you will not replace your current shorewall.conf file

#     during upgrades. If you feel absolutely compelled to have the latest

#     comments and options in your shorewall.conf then you must proceed

#     carefully.

#

#     The new/changed options in shorewall 3.0 are listed below. If you don't

#     want to convert to the new 3.0 format for /etc/shorewall/zones and you

#     don't want to replace your current rules that use 2.x builtin actions,

#     then if you plan to use this copy of shorewall.conf file then you must

#     change it as follows:

#

#     - IPSECFILE

#

#   This file has IPSECFILE=zones. You want to set it to IPSECFILE=ipsec.

#   This will indicate that your /etc/shorewall/zones file is in the

#   pre-3.0 format.

#

#     - FW

#

#   This file has FW undefined. If you have named your firewall zone

#   something other than 'fw' then you must set FW accordingly.

#

#     - MAPOLDACTIONS

#

#   This file has MAPOLDACTIONS=No. You want to set it to

#       MAPOLDACTIONS=Yes in order to permit rules that use the 2.x builtin

#       actions such as AllowPing to continue to work.

###############################################################################

#             S T A R T U P   E N A B L E D

###############################################################################

#

# Once you have configured Shorewall, you may change the setting of

# this variable to 'Yes'

#

STARTUP_ENABLED=Yes

###############################################################################

#                    V E R B O S I T Y

###############################################################################

#

# Shorewall has traditionally been very noisy. You may now set the default

# level of verbosity here.

#

# Values are:

#

#         0 -- Silent. You may make it more verbose using the -v option

#         1 -- Major progress messages displayed

#         2 -- All progress messages displayed (old default behavior)

#

# If not specified, then 2 is assumed

VERBOSITY=1

###############################################################################

#                L O G G I N G

###############################################################################

#

# General note about log levels. Log levels are a method of describing

# to syslog (8) the importance of a message and a number of parameters

# in this file have log levels as their value.

#

# These levels are defined by syslog and are used to determine the destination

# of the messages through entries in /etc/syslog.conf (5). The syslog

# documentation refers to these as "priorities"; Netfilter calls them "levels"

# and Shorewall also uses that term.

#

# Valid levels are:

#

#   7   debug

#   6   info

#   5   notice

#   4   warning

#   3   err

#   2   crit

#   1   alert

#   0   emerg

#

# For most Shorewall logging, a level of 6 (info) is appropriate. Shorewall

# log messages are generated by NetFilter and are logged using facility

# 'kern' and the level that you specify. If you are unsure of the level

# to choose, 6 (info) is a safe bet. You may specify levels by name or by

# number.

#

# If you have built your kernel with ULOG target support, you may also

# specify a log level of ULOG (must be all caps). Rather than log its

# messages to syslogd, Shorewall will direct netfilter to log the messages

# via the ULOG target which will send them to a process called 'ulogd'.

# ulogd is available with most Linux distributions (although it probably isn't

# installed by default). Ulogd is also available from

# http://www.gnumonks.org/projects/ulogd and can be configured to log all

# Shorewall messages to their own log file

###############################################################################

#

# LOG FILE LOCATION

#

# This variable tells the /sbin/shorewall program where to look for Shorewall

# log messages. If not set or set to an empty string (e.g., LOGFILE="") then

# /var/log/messages is assumed.

#

# WARNING: The LOGFILE variable simply tells the 'shorewall' program where to

#      look for Shorewall messages. It does NOT control the destination for

#      these messages. For information about how to do that, see

#

#          http://www.shorewall.net/shorewall_logging.html

#

LOGFILE=/var/log/shorewall.log

#

# LOG FORMAT

#

# Shell 'printf' Formatting template for the --log-prefix value in log messages

# generated by Shorewall to identify Shorewall log messages. The supplied

# template is expected to accept either two or three arguments; the first is

# the chain name, the second (optional) is the logging rule number within that

# chain and the third is the ACTION specifying the disposition of the packet

# being logged. You must use the %d formatting type for the rule number; if

# your template does not contain %d then the rule number will not be included.

#

# If you want to integrate Shorewall with fireparse, then set LOGFORMAT as:

#

#   LOGFORMAT="fp=%s:%d a=%s "

#

# If not specified or specified as empty (LOGFORMAT="") then the value

# "Shorewall:%s:%s:" is assumed.

#

# CAUTION: /sbin/shorewall uses the leading part of the LOGFORMAT string (up

# to but not including the first '%') to find log messages in the 'show log',

# 'status' and 'hits' commands. This part should not be omitted (the

# LOGFORMAT should not begin with "%") and the leading part should be

# sufficiently unique for /sbin/shorewall to identify Shorewall messages.

#

LOGFORMAT="Shorewall:%s:%s:"

#

# LOG FORMAT Continued

#

# Using the default LOGFORMAT, chain names may not exceed 11 characters or

# truncation of the log prefix may occur. Longer chain names may be used with

# log tags if you set LOGTAGONLY=Yes. With LOGTAGONLY=Yes, if a log tag is

# specified then the tag is included in the log prefix in place of the chain

# name.

#

LOGTAGONLY=No

#

# LOG RATE LIMITING

#

# The next two variables can be used to control the amount of log output

# generated. LOGRATE is expressed as a number followed by an optional

# `/second',  `/minute', `/hour', or `/day' suffix and specifies the maximum

# rate at which a particular message will occur. LOGBURST determines the

# maximum initial burst size that will be logged. If set empty, the default

# value of 5 will be used.

#

# If BOTH variables are set empty then logging will not be rate-limited.

#

# Example:

#

#   LOGRATE=10/minute

#   LOGBURST=5

#

# For each logging rule, the first time the rule is reached, the packet

# will be logged; in fact, since the burst is 5, the first five packets

# will be logged. After this, it will be 6 seconds (1 minute divided by

# the rate of 10) before a message will be logged from the rule, regardless

# of how many packets reach it. Also, every 6 seconds which passes without

# matching a packet, one of the bursts will be regained; if no packets hit

# the rule for 30 seconds, the burst will be fully recharged; back where

# we started.

#

LOGRATE=

LOGBURST=

#

# LOG ALL NEW

#

# This option should only be used when you are trying to analyze a problem.

# It causes all packets in the Netfilter NEW state to be logged as the

# first rule in each builtin chain. To use this option, set LOGALLNEW to

# the log level that you want these packets logged at (e.g.,

# LOGALLNEW=debug).

#

LOGALLNEW=

#

# BLACKLIST LOG LEVEL

#

# Set this variable to the syslogd level that you want blacklist packets logged

# (beware of DoS attacks resulting from such logging; see LOG RATE LIMITING

# above). If not set, no logging of blacklist packets occurs.

#

# See the comment at the top of this section for a description of log levels

#

BLACKLIST_LOGLEVEL=

#

# MAC List Log Level

#

# Specifies the logging level for connection requests that fail MAC

# verification. If set to the empty value (MACLIST_LOG_LEVEL="") then

# such connection requests will not be logged.

#

# See the comment at the top of this section for a description of log levels

#

MACLIST_LOG_LEVEL=info

#

# TCP FLAGS Log Level

#

# Specifies the logging level for packets that fail TCP Flags

# verification. If set to the empty value (TCP_FLAGS_LOG_LEVEL="") then

# such packets will not be logged.

#

# See the comment at the top of this section for a description of log levels

#

TCP_FLAGS_LOG_LEVEL=info

#

# RFC1918 Log Level

#

# Specifies the logging level for packets that fail RFC 1918

# verification. If set to the empty value (RFC1918_LOG_LEVEL="") then

# RFC1918_LOG_LEVEL=info is assumed.

#

# See the comment at the top of this section for a description of log levels

#

RFC1918_LOG_LEVEL=info

#

# SMURF Log Level

#

# Specifies the logging level for smurf packets dropped by the

#'nosmurfs' interface option in /etc/shorewall/interfaces and in

# /etc/shorewall/hosts. If set to the empty value ( SMURF_LOG_LEVEL=""

# ) then dropped smurfs are not logged.

#

# See the comment at the top of this section for a description of log levels

#

SMURF_LOG_LEVEL=info

#

# MARTIAN LOGGING

#

# Setting LOG_MARTIANS=Yes will enable kernel logging of all received packets

# that have impossible source IP addresses. This logging may be enabled

# on individual interfaces by using the 'logmartians' option in

# /etc/shorewall/interfaces.

#

LOG_MARTIANS=No

###############################################################################

#   L O C A T I O N     O F   F I L E S   A N D   D I R E C T O R I E S

###############################################################################

#

# IPTABLES

#

# Full path to iptables executable Shorewall uses to build the firewall. If

# not specified or if specified with an empty value (e.g., IPTABLES="") then

# the iptables executable located via the PATH setting below is used.

#

IPTABLES=

#

# PATH - Change this if you want to change the order in which Shorewall

#    searches directories for executable files.

#

PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin

#

# SHELL

#

# The firewall script is normally interpreted by /bin/sh. If you wish to change

# the shell used to interpret that script, specify the shell here.

#

SHOREWALL_SHELL=/bin/sh

# SUBSYSTEM LOCK FILE

#

# Set this to the name of the lock file expected by your init scripts. For

# RedHat, this should be /var/lock/subsys/shorewall. If your init scripts don't

# use lock files, set this to "".

#

SUBSYSLOCK=/var/lock/subsys/shorewall

#

# KERNEL MODULE DIRECTORY

#

# If your netfilter kernel modules are in a directory other than

# /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter then specify that

# directory in this variable. Example: MODULESDIR=/etc/modules.

#

MODULESDIR=

#

# CONFIGURATION SEARCH PATH

#

# This option holds a list of directory names separated by colons

# (":"). Shorewall will search each directory in turn when looking for a

# configuration file. When processing a 'try' command or a command

# containing the "-c" option or that specifies a configuration directory,

# Shorewall will automatically add the directory specified in the command

# to the front of this list.

#

# If not specified or specified as null (CONFIG_PATH=""),

# the default is distribution-defined. See the output of "shorewall show

# config" to find the default value on your distribution.

#

CONFIG_PATH=/etc/shorewall:/usr/share/shorewall

#

# RESTORE SCRIPT

#

# This option determines the script to be run in the following cases:

#

#   shorewall -f start

#   shorewall restore

#   shorewall save

#   shorewall forget

#   Failure of shorewall start or shorewall restart

#

# The value of the option must be the name of an executable file in the

# directory /var/lib/shorewall. If this option is not set or if it is

# set to the empty value (RESTOREFILE="") then RESTOREFILE=restore is

# assumed.

#

RESTOREFILE=

#

# OLD ZONE FILE FORMAT

#

# Previous versions of Shorewall had both a 'zones' file and an 'ipsec' file.

# Beginning with 2.5.0, those files were combined. For users who haven't

# converted, we offer this variable that sets the name of the file for ipsec

# information. This option must take the value "zones" or "ipsec". If the

# option is not set or is set to the empty value (IPSECFILE="") then "ipsec"

# is assumed.

#

IPSECFILE=zones

###############################################################################

#         F I R E W A L L     O P T I O N S

###############################################################################

#

#  WARNING: THE 'FW' OPTION HAS BEEN REMOVED FROM THIS FILE -- The firewall

#           zone is now declared in /etc/shorewall/zones.

#

#

# ENABLE IP FORWARDING

#

# If you say "On" or "on" here, IPV4 Packet Forwarding is enabled. If you

# say "Off" or "off", packet forwarding will be disabled. You would only want

# to disable packet forwarding if you are installing Shorewall on a

# standalone system or if you want all traffic through the Shorewall system

# to be handled by proxies.

#

# If you set this variable to "Keep" or "keep", Shorewall will neither

# enable nor disable packet forwarding.

#

IP_FORWARDING=On

#

# AUTOMATICALLY ADD NAT IP ADDRESSES

#

# If you say "Yes" or "yes" here, Shorewall will automatically add IP addresses

# for each NAT external address that you give in /etc/shorewall/nat. If you say

# "No" or "no", you must add these aliases yourself.

#

# WARNING: Addresses added by ADD_IP_ALIASES=Yes are deleted and re-added

# during processing of the "shorewall restart" command. As a consequence,

# connections using those addresses may be severed.

#

ADD_IP_ALIASES=Yes

#

# AUTOMATICALLY ADD SNAT IP ADDRESSES

#

# If you say "Yes" or "yes" here, Shorewall will automatically add IP addresses

# for each SNAT external address that you give in /etc/shorewall/masq. If you

# say "No" or "no", you must add these aliases yourself. LEAVE THIS SET TO "No"

# unless you are sure that you need it -- most people don't!!!

#

# WARNING: Addresses added by ADD_SNAT_ALIASES=Yes are deleted and re-added

# during processing of the "shorewall restart" command. As a consequence,

# connections using those addresses may be severed.

#

ADD_SNAT_ALIASES=No

#

# RETAIN EXISTING ALIASES/IP ADDRESSES

#

# Normally, when ADD_IP_ALIASES=Yes and/or ADD_SNAT_ALIASES=Yes then Shorewall

# will first delete the address then re-add it. This is to ensure that the

# address is added with the specified label. Unfortunately, this can cause

# problems if it results in the deletion of the last IP address on an

# interface because then all routes through the interface are automatically

# removed.

#

# You can cause Shorewall to retain existing addresses by setting

# RETAIN_ALIASES=Yes.

#

RETAIN_ALIASES=No

#

# ENABLE TRAFFIC SHAPING

#

# If you say "Yes" or "yes" here, Shorewall will use a script that you

# supply to configure traffic shaping. The script must be named 'tcstart'

# and must be placed in a directory on your CONFIG_PATH.

#

# If you say "No" or "no" then traffic shaping is not enabled.

#

# If you set TC_ENABLED=Internal or internal or leave the option empty then

# Shorewall will use its builtin traffic shaper (tc4shorewall written by

# Arne Bernin).

#

# See http://shorewall.net/traffic_shaping.htm for more information.

TC_ENABLED=Internal

 

#

# TRAFFIC SHAPING EXPERT

#

# Normally, Shorewall tries to protect users from themselves by preventing

# PREROUTING and OUTPUT tcrules from being applied to packets that have

# been marked by the 'track' option in /etc/shorewall/providers.

#

# If you know what you are doing, you can set TC_EXPERT=Yes and Shorewall

# will not include these cautionary checks.

TC_EXPERT=No

#

# Clear Traffic Shaping/Control

#

# If this option is set to 'No' then Shorewall won't clear the current

# traffic control rules during [re]start. This setting is intended

# for use by people that prefer to configure traffic shaping when

# the network interfaces come up rather than when the firewall

# is started. If that is what you want to do, set TC_ENABLED=No and

# CLEAR_TC=No and do not supply an /etc/shorewall/tcstart file. That

# way, your traffic shaping rules can still use the 'fwmark'

# classifier based on packet marking defined in /etc/shorewall/tcrules.

#

# If omitted, CLEAR_TC=Yes is assumed.

#

CLEAR_TC=Yes

#

# Mark Packets in the forward chain

#

# When processing the tcrules file, Shorewall normally marks packets in the

# PREROUTING chain. To cause Shorewall to use the FORWARD chain instead, set

# this to "Yes". If not specified or if set to the empty value (e.g.,

# MARK_IN_FORWARD_CHAIN="") then MARK_IN_FORWARD_CHAIN=No is assumed.

#

# Marking packets in the FORWARD chain has the advantage that inbound

# packets destined for Masqueraded/SNATed local hosts have had their

# destination address rewritten so they can be marked based on their

# destination. When packets are marked in the PREROUTING chain, packets

# destined for Masqueraded/SNATed local hosts still have a destination address

# corresponding to the firewall's external interface.

#

# Note: Older kernels do not support marking packets in the FORWARD chain and

#   setting this variable to Yes may cause startup problems.

#

MARK_IN_FORWARD_CHAIN=No

#

# MSS CLAMPING

#

# Set this variable to "Yes" or "yes" if you want the TCP "Clamp MSS to PMTU"

# option. This option is most commonly required when your internet

# interface is some variant of PPP (PPTP or PPPoE). Your kernel must

# have CONFIG_IP_NF_TARGET_TCPMSS set.

#

# [From the kernel help:

#

#    This option adds a `TCPMSS' target, which allows you to alter the

#    MSS value of TCP SYN packets, to control the maximum size for that

#    connection (usually limiting it to your outgoing interface's MTU

#    minus 40).

#

#    This is used to overcome criminally braindead ISPs or servers which

#    block ICMP Fragmentation Needed packets.  The symptoms of this

#    problem are that everything works fine from your Linux

#    firewall/router, but machines behind it can never exchange large

#    packets:

#    1) Web browsers connect, then hang with no data received.

#    2) Small mail works fine, but large emails hang.

#    3) ssh works fine, but scp hangs after initial handshaking.

# ]

#

# If left blank, or set to "No" or "no", the option is not enabled.

#

# You may also set this option to a numeric value in which case Shorewall will

# set up a rule to modify the MSS value in SYN packets to the value that

# you specify.

#

# Example:

#

#   CLAMPMSS=1400

#

CLAMPMSS=No

#

# ROUTE FILTERING

#

# Set this variable to "Yes" or "yes" if you want kernel route filtering on all

# interfaces started while Shorewall is started (anti-spoofing measure).

#

# If this variable is not set or is set to the empty value, "No" is assumed.

# Regardless of the setting of ROUTE_FILTER, you can still enable route

# filtering on individual interfaces using the 'routefilter' option in the

# /etc/shorewall/interfaces file.

#

ROUTE_FILTER=No

#

# DNAT IP ADDRESS DETECTION

#

# Normally when Shorewall encounters the following rule:

#

#   DNAT   net   loc:192.168.1.3   tcp   80

#

# it will forward TCP port 80 connections from the net to 192.168.1.3

# REGARDLESS OF THE ORIGINAL DESTINATION ADDRESS. This behavior is

# convenient for two reasons:

#

#   a) If the network interface has a dynamic IP address, the

#      firewall configuration will work even when the address

#      changes.

#

#   b) It saves having to configure the IP address in the rule

#      while still allowing the firewall to be started before the

#      internet interface is brought up.

#

# This default behavior can also have a negative effect. If the

# internet interface has more than one IP address then the above

# rule will forward connection requests on all of these addresses;

# that may not be what is desired.

#

# By setting DETECT_DNAT_IPADDRS=Yes, rules such as the above will apply

# only if the original destination address is the primary IP address of

# one of the interfaces associated with the source zone. Note that this

# requires all interfaces to the source zone to be up when the firewall

# is [re]started.

#

DETECT_DNAT_IPADDRS=No

#

# MUTEX TIMEOUT

#

# The value of this variable determines the number of seconds that programs

# will wait for exclusive access to the Shorewall lock file. After the number

# of seconds corresponding to the value of this variable, programs will assume

# that the last program to hold the lock died without releasing the lock.

#

# If not set or set to the empty value, a value of 60 (60 seconds) is assumed.

#

# An appropriate value for this parameter would be twice the length of time

# that it takes your firewall system to process a "shorewall restart" command.

#

MUTEX_TIMEOUT=60

#

# FOR ADMINS THAT REPEATEDLY SHOOT THEMSELVES IN THE FOOT

#

# Normally, when a "shorewall stop" command is issued or an error occurs during

# the execution of another shorewall command, Shorewall puts the firewall into

# a state where only traffic to/from the hosts listed in

# /etc/shorewall/routestopped is accepted.

#

# When performing remote administration on a Shorewall firewall, it is

# therefore recommended that the IP address of the computer being used for

# administration be added to the firewall's /etc/shorewall/routestopped file.

#

# Some administrators have a hard time remembering to do this with the result

# that they get to drive across town in the middle of the night to restart

# a remote firewall (or worse, they have to get someone out of bed to drive

# across town to restart a very remote firewall).

#

# For those administrators, we offer ADMINISABSENTMINDED=Yes. With this

# setting, when the firewall enters the 'stopped' state:

#

# All traffic that is part of or related to established connections is still

# allowed and all OUTPUT traffic is allowed. This is in addition to traffic

# to and from hosts listed in /etc/shorewall/routestopped.

#

# If this variable is not set or it is set to the null value then

# ADMINISABSENTMINDED=No is assumed.

#

ADMINISABSENTMINDED=Yes

#

# BLACKLIST Behavior

#

# Shorewall offers two types of blacklisting:

#

#   - static blacklisting through the /etc/shorewall/blacklist file

#     together with the 'blacklist' interface option.

#   - dynamic blacklisting using the 'drop', 'reject' and 'allow' commands.

#

# The following variable determines whether the blacklist is checked for each

# packet or for each new connection.

#

#   BLACKLISTNEWONLY=Yes   Only consult blacklists for new connection

#            requests

#

#   BLACKLISTNEWONLY=No   Consult blacklists for all packets.

#

# If the BLACKLISTNEWONLY option is not set or is set to the empty value then

# BLACKLISTNEWONLY=No is assumed.

#

BLACKLISTNEWONLY=Yes

#

# Users with a large blacklist find that "shorewall [re]start" takes a long

# time and that new connections are disabled during that time. By setting

# DELAYBLACKLISTLOAD=Yes, you can cause Shorewall to enable new connections

# before loading the blacklist.

#

DELAYBLACKLISTLOAD=No

# MODULE NAME SUFFIX

#

# When loading a module named in /etc/shorewall/modules, Shorewall normally

# looks in the MODULES DIRECTORY (see MODULESDIR above) for files whose names

# end in ".o", ".ko", ".gz", "o.gz" or "ko.gz" . If your distribution uses a

# different naming convention then you can specify the suffix (extension) for

# module names in this variable.

#

# To see what suffix is used by your distribution:

#

#     ls /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter

#

# All of the file names listed should have the same suffix (extension). Set

# MODULE_SUFFIX to that suffix.

#

# Examples:

#

#   If all file names end with ".kzo" then set MODULE_SUFFIX="kzo"

#   If all file names end with ".kz.o" then set MODULE_SUFFIX="kz.o"

#

MODULE_SUFFIX=

#

# DISABLE IPV6

#

# Distributions (notably SUSE) are beginning to ship with IPV6

# enabled. If you are not using IPV6, you are at risk of being

# exploited by users who do. Setting DISABLE_IPV6=Yes will cause

# Shorewall to disable IPV6 traffic to/from and through your

# firewall system. This requires that you have ip6tables installed.

DISABLE_IPV6=Yes

#

# BRIDGING

#

# If you wish to restrict connections through a bridge

# (see http://bridge.sf.net), then set BRIDGING=Yes. Your kernel must have

# the physdev match option enabled; that option is available at the above URL

# for 2.4 kernels and is included as a standard part of the 2.6 series

# kernels. If not specified or specified as empty (BRIDGING="") then "No" is

# assumed.

#

BRIDGING=No

#

# DYNAMIC ZONES

#

# If you need to be able to add and delete hosts from zones dynamically then

# set DYNAMIC_ZONES=Yes. Otherwise, set DYNAMIC_ZONES=No.

DYNAMIC_ZONES=No

#

# USE PKTTYPE MATCH

#

# Some users have reported problems with the PKTTYPE match extension not being

# able to match certain broadcast packets. If you set PKTTYPE=No then Shorewall

# will use IP addresses to detect broadcasts rather than pkttype. If not given

# or if given as empty (PKTTYPE="") then PKTTYPE=Yes is assumed.

#

PKTTYPE=Yes

#

# RFC 1918 BEHAVIOR

#

# Traditionally, the RETURN target in the 'rfc1918' file has caused 'norfc1918'

# processing to cease for a packet if the packet's source IP address matches

# the rule. Thus, if you have:

#

#   SUBNETS         TARGET

#   192.168.1.0/24      RETURN

#

# then traffic from 192.168.1.4 to 10.0.3.9 will be accepted even though you

# also have:

#

#   SUBNETS         TARGET

#   10.0.0.0/8      logdrop

#

# Setting RFC1918_STRICT=Yes will cause such traffic to be logged and dropped

# since while the packet's source matches the RETURN rule, the packet's

# destination matches the 'logdrop' rule.

#

# If not specified or specified as empty (e.g., RFC1918_STRICT="") then

# RFC1918_STRICT=No is assumed.

#

# WARNING: RFC1918_STRICT=Yes requires that your kernel and iptables support

#      'conntrack state' match.

#

RFC1918_STRICT=No

#

# MAC List Table

#

# Normally, MAC verification occurs in the filter table (INPUT and FORWARD)

# chains. When forwarding a packet from an interface with MAC verification

# to a bridge interface, that doesn't work.

#

# This problem can be worked around by setting MACLIST_TABLE=mangle which

# will cause Mac verification to occur out of the PREROUTING chain. Because

# REJECT isn't available in that environment, you may not specify

# MACLIST_DISPOSITION=REJECT with MACLIST_TABLE=mangle.

MACLIST_TABLE=filter

#

# MACLIST caching

#

# If your iptables and kernel support the "Recent Match" (see the output of

# "shorewall check" near the top), you can cache the results of a 'maclist'

# file lookup and thus reduce the overhead associated with MAC Verification

# (/etc/shorewall/maclist).

#

# When a new connection arrives from a 'maclist' interface, the packet passes

# through the list of entries for that interface in /etc/shorewall/maclist. If

# there is a match then the source IP address is added to the 'Recent' set for

# that interface. Subsequent connection attempts from that IP address occurring

# within $MACLIST_TTL seconds will be accepted without having to scan all of

# the entries. After $MACLIST_TTL from the first accepted connection request,

# the next connection request from that IP address will be checked against

# the entire list.

#

# If MACLIST_TTL is not specified or is specified as empty (e.g.,

# MACLIST_TTL="") or is specified as zero then 'maclist' lookups will not

# be cached.

#

MACLIST_TTL=

#

# Save/Restore IPSETS

#

# If SAVE_IPSETS=Yes then Shorewall will:

#

#   Restore the last saved ipset contents during "shorewall [re]start"

#   Save the current ipset contents during "shorewall save"

#

#   Regardless of the setting of SAVE_IPSETS, if ipset contents were

#   saved during a "shorewall save" then they will be restored during

#   a subsequent "shorewall restore".

#

SAVE_IPSETS=No

#

# Map Old Actions

#

# Previously, Shorewall included a large number of standard actions (AllowPing,

# AllowFTP, ...). These have been replaced with parameterized macros. For

# compatibility, Shorewall can map the old names into invocations of the new

# macros if you set MAPOLDACTIONS=Yes. If this option is not set or is set to

# the empty value (MAPOLDACTIONS="") then MAPOLDACTIONS=Yes is assumed

#

MAPOLDACTIONS=No

#

# Fast ESTABLISHED/RELATED handling

#

# Normally, Shorewall delays accepting ESTABLISHED/RELATED packets until these

# packets reach the chain in which the original connection was accepted. So

# for packets going from the 'loc' zone to the 'net' zone, ESTABLISHED/RELATED

# packets are ACCEPTED in the 'loc2net' chain.

#

# If you set FASTACCEPT=Yes, then ESTABLISHED/RELATED packets are accepted

# early in the INPUT, FORWARD and OUTPUT chains. If you set

# FASTACCEPT=Yes then you may not include rules in the ESTABLISHED and

# RELATED sections of the rules file.

FASTACCEPT=No

#

# Implicit CONTINUE policy for sub-zones

#

# When a zone is declared to be a subzone of one or more other zones, it

# is typically the case that you want the rules for the parent zone(s) to

# be applied to connections to/from the subzone that don't match any

# subzone specific rules. That way, you don't have to duplicate the parent

# zone's rules in order for them to also apply to the subzone(s). That is

# the behavior with IMPLICIT_CONTINUE=Yes. If you don't want that behavior

# and want the policies for the sub-zone to be determined by the standard

# policy processing, set IMPLICIT_CONTINUE=No or IMPLICIT_CONTINUE=.

#

# Note that even with IMPLICIT_CONTINUE=Yes, you can override the implicit

# CONTINUE policy by adding an explicit policy (one that does not contain

# "all" in either the SOURCE or DEST columns).

IMPLICIT_CONTINUE=Yes

#

# Use high mark values for policy routing

#

# Normally, Shorewall restricts the set of mark values to 1-255. If you set

# HIGH_ROUTE_MARKS=Yes, Shorewall will rather restrict the set of routing

# mark values (those specified in the /etc/shorewall/providers file) to

# a multiple of 256 (256 to 65280) or their hexadecimal equivalents

# (0x0100 to 0xff00, with the low-order byte of the value being zero).

# This allows connection marks to be shared between traffic shaping and

# policy routing. Traffic shaping marks are always restricted to 1-255.

#

# Setting HIGH_ROUTE_MARKS=Yes requires that your kernel and iptables support

# both the extended CONNMARK target and the extended connmark match

# capabilities (see the output of "shorewall show capabilities").

HIGH_ROUTE_MARKS=No

###############################################################################

#         P A C K E T   D I S P O S I T I O N

###############################################################################

#

# BLACKLIST DISPOSITION

#

# Set this variable to the action that you want to perform on packets from

# Blacklisted systems. Must be DROP or REJECT. If not set or set to empty,

# DROP is assumed.

#

BLACKLIST_DISPOSITION=DROP

#

# MAC List Disposition

#

# This variable determines the disposition of connection requests arriving

# on interfaces that have the 'maclist' option and that are from a device

# that is not listed for that interface in /etc/shorewall/maclist. Valid

# values are ACCEPT, DROP and REJECT. If not specified or specified as

# empty (MACLIST_DISPOSITION="") then REJECT is assumed

#

MACLIST_DISPOSITION=REJECT

#

# TCP FLAGS Disposition

#

# This variable determines the disposition of packets having an invalid

# combination of TCP flags that are received on interfaces having the

# 'tcpflags' option specified in /etc/shorewall/interfaces or in

# /etc/shorewall/hosts. If not specified or specified as empty

# (TCP_FLAGS_DISPOSITION="") then DROP is assumed.

#

TCP_FLAGS_DISPOSITION=DROP

#LAST LINE -- DO NOT REMOVE

```

zones  :

```
###############################################################################

# Zone declarations. "child:parent" declares a sub-zone: blist is nested in

# net, nous and xtra are nested in loc. xtra2 is a separate top-level zone.

# With IMPLICIT_CONTINUE=Yes (set in the shorewall.conf shown above), traffic

# from a sub-zone that matches no sub-zone rule falls through to the parent

# zone's rules and policies.

#ZONE   TYPE      OPTIONS      IN         OUT

#               OPTIONS         OPTIONS

fw   firewall

#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

net       ipv4

# blist holds the two Internet addresses listed for it in the hosts file.

blist:net ipv4      

loc       ipv4

nous:loc  ipv4

xtra:loc  ipv4

# xtra2 is bound to wlan1 in the interfaces file.

xtra2     ipv4
```

policy :

```
###############################################################################

# Default policies, applied to connections that match no entry in the rules

# file. The first matching line wins, so the catch-all entries stay last.

#SOURCE      DEST      POLICY      LOG      LIMIT:BURST

#                  LEVEL

#LAST LINE -- DO NOT REMOVE

# The firewall host itself may open connections to any zone.

$FW             all             ACCEPT

loc             net             ACCEPT    

# NOTE(review): loc <-> xtra2 is fully open in both directions. xtra2 is the

# wlan1 (wireless) interface; if wireless clients are less trusted than the

# wired LAN, replace "xtra2 loc ACCEPT" with specific ACCEPT rules.

loc             xtra2           ACCEPT

xtra2           net             ACCEPT

xtra2           loc             ACCEPT

# Unsolicited traffic from the Internet is dropped silently and logged at

# level info; anything else not covered above is rejected and logged.

# There is no policy for blist, nous or xtra: these sub-zones inherit the

# policies of their parent zones (net and loc).

net             all             DROP            info

all             all             REJECT          info
```

interfaces :

```
###############################################################################

# Interface-to-zone bindings.

# NOTE(review): no interface carries the 'blacklist', 'tcpflags' or 'maclist'

# option, so the matching shorewall.conf settings shown above

# (BLACKLIST_DISPOSITION, TCP_FLAGS_DISPOSITION, MACLIST_*) are described there

# as applying only to interfaces or hosts with those options and look to be

# unused by this configuration.

#ZONE   INTERFACE   BROADCAST   OPTIONS

#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

# Internet uplink (PPP).

net       ppp0              -           norfc1918,nosmurfs

# Wired LAN, 10.10.10.0/24 judging by the broadcast address.

loc       eth1          10.10.10.255    dhcp,nosmurfs

# Wireless LAN, 10.10.11.0/24 judging by the broadcast address.

xtra2     wlan1         10.10.11.255    dhcp,nosmurfs
```

rules :

```

#############################################################################################################

# Exceptions to the default policies. Only the NEW section is used, so these

# rules apply to new connection requests.

#ACTION SOURCE          DEST            PROTO   DEST    SOURCE          ORIGINAL        RATE            USER/

#                                               PORT(S) PORT(S)         DEST            LIMIT           GROUP

#SECTION ESTABLISHED

#SECTION RELATED

SECTION NEW

#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

#

# Ping

# No ICMP type is given, so every ICMP type from loc and xtra2 to the firewall

# is accepted, not only echo-request.

ACCEPT  loc   $FW  icmp

ACCEPT  xtra2 $FW  icmp

#

# ssh

# NOTE(review): these three rules open tcp 23, the well-known telnet port,

# not 22. Presumably sshd on the firewall was moved to port 23 -- confirm. If

# a telnet daemon answers there, the "net" rule exposes a cleartext login

# service to the Internet.

# The rate limit (3/sec, burst 5) applies to xtra2 and net only; the tcp 22

# forward to 10.10.10.3 has no rate limit.

ACCEPT  loc   $FW  tcp   23

ACCEPT  xtra2 $FW  tcp   23    -    -   3/sec:5

ACCEPT  net   $FW  tcp   23    -    -   3/sec:5

DNAT    net   loc:10.10.10.3  tcp  22  

#

# http

# Forwarded to 10.10.10.3, limited to 10 new connections/sec with burst 10.

DNAT    net   loc:10.10.10.3  tcp   80   -    -   10/sec:10

#

# dns

# DNS service on the firewall for the wired and wireless LANs only.

ACCEPT  loc   $FW  tcp   53

ACCEPT  loc   $FW  udp   53

ACCEPT  xtra2 $FW  tcp   53

ACCEPT  xtra2 $FW  udp   53

#

# p2p 

# Port forwards from the Internet to LAN hosts; none is rate limited.

# NOTE(review): the tcp list has 6419 and the udp list has 6429 -- check

# whether one of them is a typo. Every forwarded port is reachable by anyone

# on the Internet, so keep this list to what is actually in use.

#

DNAT   net   loc:10.10.10.3   tcp  1214,2234,4444,6419

DNAT   net   loc:10.10.10.3   udp  4444,6429

DNAT   net   loc:10.10.10.3   tcp  4661:4672

DNAT   net   loc:10.10.10.3   udp  4661:4672

DNAT   net   loc:10.10.10.3   tcp  6346:6348

DNAT   net   loc:10.10.10.3   udp  6346:6348

DNAT   net   loc:10.10.10.3   tcp  6881:6889

DNAT   net   loc:10.10.10.9   tcp  14977

#

# other forwards

DNAT     net   loc:10.10.10.3   tcp  8080

DNAT     net   loc:10.10.10.3   tcp  9999

#

# robots (blacklist)

# NOTE(review): this rule only matches traffic addressed to the firewall

# itself ($FW). It does not list tcp 23, which net -> $FW accepts above, and

# connections that the DNAT rules forward to loc hosts (tcp 22, 80, ...) have

# loc as their destination zone, so they look to be unaffected by it. If the

# intent is to block the blist hosts entirely, a "blist all DROP" policy or a

# "DROP blist all" rule is the usual way -- verify against your Shorewall

# version.

DROP     blist  $FW  tcp  21,22,113,80,443

```

hosts  :

```
###############################################################################

# Membership of the sub-zones declared in the zones file, by interface and

# source address.

# NOTE(review): membership is by IP address only. A host on eth1 can take any

# of these addresses, so nous/xtra are a convenience grouping rather than

# access control unless combined with MAC verification ('maclist').

#ZONE   HOST(S)                                 OPTIONS

#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE

# nous and xtra are not referenced by any policy or rule shown on this page,

# so their traffic is handled by the loc entries.

nous    eth1:10.10.10.2-10.10.10.10

xtra    eth1:10.10.10.100-10.10.10.105

# Internet hosts treated as blacklisted; see the "robots (blacklist)" rule.

blist   ppp0:221.208.160.11,61.178.127.182

```

----------

## brain salad surgery

any networking freak could help ???    :Wink: 

----------

## boniek

Try enabling:

Networking -> Networking options -> IP: advanced router

Networking -> Networking options -> IP: policy router (this will show itself after enabling previous one)

Recompile kernel and use it to boot your system.

----------

## brain salad surgery

i think it's more in the QoS part...

i have a friend who had this to work without 

what you say to enable...

the thing is that he's using 2.6.18

and that the network part has changed

a lot.  I cannot upgrade to that version

because of that hostap driver problem.

he told me that he had problems also

finding out the right things to enable 

and not to enable in the QOS section.

----------

## Casshan

http://gentoo-wiki.com/HOWTO_Packet_Shaping

This might help you with the kernel config stuff

----------

