# Shorewall setup questions [SOLVED]

## p3nguin

I left all config files as is; I haven't added any rules or policies yet, but when I do a

```
shorewall start
```

I get

```
LOGFILE (/var/log/messages) does not exist!
```

I was just wondering if that means it didn't start or not, because I did a port scan both before and after executing, from that site that someone mentioned here in the TEST YOUR SECURITY thread... It was identical to before starting the firewall. So I'm just not sure if it started or if I just need to add more rules.

Last edited by p3nguin on Tue Sep 16, 2003 5:59 am; edited 1 time in total

----------

## p3nguin

Well, I simply created the file, and now it starts... except I get some error. Can someone help me out, please? Thanks

```
root@gat3way two-interfaces # shorewall restart
Loading /usr/share/shorewall/functions...
Processing /etc/shorewall/params ...
Processing /etc/shorewall/shorewall.conf...
Shorewall Not Currently Running
Starting Shorewall...
Initializing...
Shorewall has detected the following iptables/netfilter capabilities:
   NAT: Available
   Packet Mangling: Not available
   Multi-port Match: Not available
   Connection Tracking Match: Not available
Determining Zones...
   Zones: net loc
Validating interfaces file...
Validating hosts file...
Validating Policy file...
Determining Hosts in Zones...
   Net Zone: eth0:0.0.0.0/0
   Local Zone: eth1:0.0.0.0/0
Processing /etc/shorewall/init ...
Deleting user chains...
iptables: No chain/target/match by that name
Processing /etc/shorewall/stop ...
Processing /etc/shorewall/stopped ...
Terminated
```

Found the kernel modules it was looking for and am recompiling at the moment; hopefully that takes care of everything!

Question: how do I forward the port for ssh?

----------

## p3nguin

Damn, recompiling takes so long on a 300 MHz... For some reason, even though I did shorewall reset and shorewall clear, the internet went out on all the machines... mIRC was still up, but internet, ping and AIM went out on everyone's box.

----------

## p3nguin

```
root@gat3way two-interfaces # shorewall start
Loading /usr/share/shorewall/functions...
Processing /etc/shorewall/params ...
Processing /etc/shorewall/shorewall.conf...
Starting Shorewall...
Initializing...
Shorewall has detected the following iptables/netfilter capabilities:
   NAT: Available
   Packet Mangling: Available
   Multi-port Match: Available
   Connection Tracking Match: Available
Determining Zones...
   Zones: net loc
Validating interfaces file...
Validating hosts file...
Validating Policy file...
Determining Hosts in Zones...
   Net Zone: eth0:0.0.0.0/0
   Local Zone: eth1:0.0.0.0/0
Processing /etc/shorewall/init ...
Deleting user chains...
iptables: No chain/target/match by that name
Processing /etc/shorewall/stop ...
Processing /etc/shorewall/stopped ...
Terminated
```

So now it finds that all of the netfilter capabilities are available, but for some reason I still get:

```
Deleting user chains...
iptables: No chain/target/match by that name
Processing /etc/shorewall/stop ...
Processing /etc/shorewall/stopped ...
Terminated
```

Why do I get these messages?

----------

## p3nguin

Checked with the FAQ, and that particular message is supposed to mean that I don't have one of the netfilter modules built into my kernel. Well, I do; I have it *'d. I'm wondering if it's supposed to be "m'd" instead, and would that make a difference?

----------

## piggie

As long as it's either compiled in or the module is running, it should work fine.

----------

## fergus

I had that same error before... you are missing a module in your netfilter kernel configuration. Start up shorewall in debug mode (I forget how right now) and you can look through your log and find out what you are missing.

--

fergus

----------

## Chickpea

Also, what kernel are you using? I had problems with gentoo-sources and, no matter what I did, I was not able to get shorewall to work. I was able to get it to work with ck-sources and have not had any problems...

----------

## p3nguin

Yup, I'm using the gentoo kernel as well. Hmm, maybe I'll try shorewall.net and ask the author if there is some reason that my kernel would be incompatible with his firewall.

----------

## Chickpea

Well, it is probably the patches that are applied to the kernel. You should really send a bug report to bugs.gentoo.org.

I am not sure that the shorewall author would be able to help you, as I am sure he is using a vanilla kernel... no patches applied.

----------

## ronmon

I have one machine running shorewall with a 2.4.19-gentoo-r9 kernel. No problems at all. I know it's kind of an old kernel, but it's a headless router box that I hesitate to mess with when everything is working smoothly.

Except for NAT of local connections, ipchains and ipfwadmin, I select every module under Netfilter that is not labeled as experimental. That way shorewall can load whatever it needs. A quick 'lsmod' shows that 15 are loaded at the moment.

----------

## nbensa

gentoo-sources (pfeifer-sources actually) 2.4.21.1_pre4 in my firewall using shorewall. Never a problem. I've compiled, as modules, every single option in the kernel (netfilter, that is). So gentoo-sources is not the problem.

----------

## p3nguin

So if I go back and select everything as a module under netfilter... do I have to modprobe them all, or will shorewall probe which ones it needs? Also, would it make a difference if they are built into the kernel rather than "m", because I think I had most of the netfilter options set as "*".

----------

## TheWart

*p3nguin wrote:*

> So if I go back and select everything as a module under netfilter... do I have to modprobe them all, or will shorewall probe which ones it needs? Also, would it make a difference if they are built into the kernel rather than "m", because I think I had most of the netfilter options set as "*".

What you should do is build everything under netfiltering as a module.

Shorewall will automatically start them up for you (at least it does for me).

----------

## OhSh33t

I used "genkernel" to compile "gentoo-sources" and I just upgraded from 2.4.20-gentoo-r5 to r6. I'm running Shorewall version 1.4.6c.

The last thing on my list to get installed on my new Gentoo box was "Shorewall", for simple security logging and having the ability to NAT our ChinsEE-ass ppp 56K dialup connection so at least 2 or 3 computers can be out on the internet at the same time (not able to do a whole lot at the same time, but at least we can all be out at the same time).

Figuring out what exactly needed to be put into the kernel was the messed up part. I hosed my box at first and got "Kernel Panic: Attempting to kill init" and was basically dead in the water. Crying... hee hee...

Had to boot off the Gentoo LiveCD, chroot back into the system and run "genkernel --config" and hope that I would get it right this time... I really believed that I lucked out.

These are my settings. You might want to add some more modules for what your needs are, but as long as I'm able to port forward ssh to my firewall from the internet and NAT outbound connections for the other 2 machines, then I'm a happy camper.

I didn't have to put any of the modules in /etc/modules.autoload.d/Kernel-2.4.

Shorewall grabs this stuff when it starts up. Gotta luv it...

Let me know if you need anything...

```
# Networking options
#
CONFIG_PACKET=y
# CONFIG_PACKET_MMAP is not set
# CONFIG_NETLINK_DEV is not set
CONFIG_NETFILTER=y
# CONFIG_NETFILTER_DEBUG is not set
CONFIG_FILTER=y
CONFIG_UNIX=y
CONFIG_INET=y
CONFIG_IP_MULTICAST=y
CONFIG_IP_ADVANCED_ROUTER=y
CONFIG_IP_MULTIPLE_TABLES=y
CONFIG_IP_ROUTE_FWMARK=y
CONFIG_IP_ROUTE_NAT=y
CONFIG_IP_ROUTE_MULTIPATH=y
CONFIG_IP_ROUTE_TOS=y
CONFIG_IP_ROUTE_VERBOSE=y
# CONFIG_IP_ROUTE_LARGE_TABLES is not set
# CONFIG_IP_PNP is not set
CONFIG_NET_IPIP=y
CONFIG_NET_IPGRE=y
# CONFIG_NET_IPGRE_BROADCAST is not set
# CONFIG_IP_MROUTE is not set
# CONFIG_ARPD is not set
CONFIG_INET_ECN=y
CONFIG_SYN_COOKIES=y

#   IP: Netfilter Configuration
#
CONFIG_IP_NF_CONNTRACK=m
CONFIG_IP_NF_FTP=m
CONFIG_IP_NF_AMANDA=m
CONFIG_IP_NF_TFTP=m
# CONFIG_IP_NF_TALK is not set
# CONFIG_IP_NF_RSH is not set
# CONFIG_IP_NF_H323 is not set
# CONFIG_IP_NF_EGG is not set
# CONFIG_IP_NF_CONNTRACK_MARK is not set
# CONFIG_IP_NF_IRC is not set
# CONFIG_IP_NF_QUAKE3 is not set
# CONFIG_IP_NF_CT_PROTO_GRE is not set
# CONFIG_IP_NF_PPTP is not set
# CONFIG_IP_NF_MMS is not set
# CONFIG_IP_NF_CUSEEME is not set
# CONFIG_IP_NF_QUEUE is not set
CONFIG_IP_NF_IPTABLES=m
# CONFIG_IP_NF_MATCH_RPC is not set
CONFIG_IP_NF_MATCH_LIMIT=m
# CONFIG_IP_NF_MATCH_QUOTA is not set
# CONFIG_IP_NF_POOL is not set
CONFIG_IP_NF_MATCH_IPRANGE=m
CONFIG_IP_NF_MATCH_MAC=m
CONFIG_IP_NF_MATCH_PKTTYPE=m
CONFIG_IP_NF_MATCH_MARK=m
CONFIG_IP_NF_MATCH_MULTIPORT=m
CONFIG_IP_NF_MATCH_MPORT=m
CONFIG_IP_NF_MATCH_TOS=m
# CONFIG_IP_NF_MATCH_RECENT is not set
# CONFIG_IP_NF_MATCH_TIME is not set
# CONFIG_IP_NF_MATCH_RANDOM is not set
# CONFIG_IP_NF_MATCH_PSD is not set
# CONFIG_IP_NF_MATCH_NTH is not set
# CONFIG_IP_NF_MATCH_IPV4OPTIONS is not set
# CONFIG_IP_NF_MATCH_FUZZY is not set
# CONFIG_IP_NF_MATCH_CONDITION is not set
CONFIG_IP_NF_MATCH_ECN=m
CONFIG_IP_NF_MATCH_DSCP=m
CONFIG_IP_NF_MATCH_AH_ESP=m
CONFIG_IP_NF_MATCH_LENGTH=m
# CONFIG_IP_NF_MATCH_TTL is not set
CONFIG_IP_NF_MATCH_TCPMSS=m
# CONFIG_IP_NF_MATCH_STEALTH is not set
# CONFIG_IP_NF_MATCH_REALM is not set
CONFIG_IP_NF_MATCH_HELPER=m
CONFIG_IP_NF_MATCH_STATE=m
CONFIG_IP_NF_MATCH_CONNLIMIT=m
CONFIG_IP_NF_MATCH_CONNTRACK=m
CONFIG_IP_NF_MATCH_UNCLEAN=m
# CONFIG_IP_NF_MATCH_STRING is not set
# CONFIG_IP_NF_MATCH_OWNER is not set
CONFIG_IP_NF_FILTER=m
CONFIG_IP_NF_TARGET_REJECT=m
# CONFIG_IP_NF_TARGET_NETLINK is not set
# CONFIG_IP_NF_TARGET_IPV4OPTSSTRIP is not set
# CONFIG_IP_NF_TARGET_MIRROR is not set
# CONFIG_IP_NF_TARGET_TARPIT is not set
CONFIG_IP_NF_NAT=m
CONFIG_IP_NF_NAT_NEEDED=y
CONFIG_IP_NF_TARGET_MASQUERADE=m
CONFIG_IP_NF_TARGET_REDIRECT=m
CONFIG_IP_NF_NAT_AMANDA=m
# CONFIG_IP_NF_TARGET_SAME is not set
# CONFIG_IP_NF_TARGET_NETMAP is not set
CONFIG_IP_NF_NAT_LOCAL=y
# CONFIG_IP_NF_NAT_SNMP_BASIC is not set
CONFIG_IP_NF_NAT_FTP=m
CONFIG_IP_NF_NAT_TFTP=m
CONFIG_IP_NF_MANGLE=m
CONFIG_IP_NF_TARGET_TOS=m
CONFIG_IP_NF_TARGET_ECN=m
CONFIG_IP_NF_TARGET_DSCP=m
CONFIG_IP_NF_TARGET_MARK=m
# CONFIG_IP_NF_TARGET_IMQ is not set
# CONFIG_IP_NF_TARGET_CLASSIFY is not set
CONFIG_IP_NF_TARGET_LOG=m
# CONFIG_IP_NF_TARGET_ROUTE is not set
# CONFIG_IP_NF_TARGET_TTL is not set
CONFIG_IP_NF_TARGET_ULOG=m
CONFIG_IP_NF_TARGET_TCPMSS=m
CONFIG_IP_NF_ARPTABLES=m
CONFIG_IP_NF_ARPFILTER=m
# CONFIG_IP_NF_COMPAT_IPCHAINS is not set
# CONFIG_IP_NF_COMPAT_IPFWADM is not set
```
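An added helper, not from this thread or from Shorewall itself, that cross-checks the "Not available" lines from the capability report in p3nguin's failed start above against a kernel .config such as the one OhSh33t posted. The capability-to-option mapping, the advice strings and the sample inputs are my assumptions, drawn from the 2.4 option names and outcomes in this thread.

```shell
#!/bin/sh
# Cross-check Shorewall's startup capability report against a kernel .config.
# Mapping below is an assumption based on the 2.4 netfilter option names here.
cap_option() {                       # capability name -> CONFIG_ option
  case "$1" in
    "NAT") echo CONFIG_IP_NF_NAT ;;
    "Packet Mangling") echo CONFIG_IP_NF_MANGLE ;;
    "Multi-port Match") echo CONFIG_IP_NF_MATCH_MULTIPORT ;;
    "Connection Tracking Match") echo CONFIG_IP_NF_MATCH_CONNTRACK ;;
    *) return 1 ;;
  esac
}
option_state() {                     # option_state CONFIG_X .config -> y, m or n
  v=$(sed -n "s/^$1=\([ym]\)\$/\1/p" "$2")
  echo "${v:-n}"
}
advice() {                           # what each state turned out to mean in this thread
  case "$1" in
    n) echo "not built: enable it and rebuild the kernel" ;;
    m) echo "built as a module: check that Shorewall/modprobe can load it" ;;
    y) echo "built in: kernel is fine, suspect the iptables userspace build" ;;
  esac
}
# check_caps SHOREWALL_OUTPUT KCONFIG: explain each "Not available" line;
# returns 0 only when nothing is missing.
check_caps() {
  grep ': Not available' "$1" | sed 's/^ *//; s/: Not available$//' |
  while IFS= read -r cap; do
    opt=$(cap_option "$cap") || { echo "$cap: no mapping known"; continue; }
    st=$(option_state "$opt" "$2")
    echo "$cap -> $opt=$st ($(advice "$st"))"
  done
  ! grep -q ': Not available' "$1"
}
# Constructed sample input: capability lines from the first failed start in
# this thread, plus a made-up .config fragment (one option missing).
LOG=$(mktemp); KCONF=$(mktemp); trap 'rm -f "$LOG" "$KCONF"' EXIT
cat >"$LOG" <<'EOF'
   NAT: Available
   Packet Mangling: Not available
   Multi-port Match: Not available
   Connection Tracking Match: Not available
EOF
cat >"$KCONF" <<'EOF'
CONFIG_IP_NF_NAT=m
# CONFIG_IP_NF_MANGLE is not set
CONFIG_IP_NF_MATCH_MULTIPORT=m
CONFIG_IP_NF_MATCH_CONNTRACK=y
EOF
check_caps "$LOG" "$KCONF" || echo "some capabilities are missing"
```

Run it against the real files as `check_caps /path/to/shorewall-start.log /usr/src/linux/.config` after saving the start output with `shorewall start 2>&1 | tee shorewall-start.log`.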

----------

## p3nguin

Well, thanks for your kernel info, but I did what you had and am getting a huge line of insmod errors when I try to run shorewall start. So it won't load any modules for some reason. So I'm switching kernels to vanilla. We will see if that works.

----------

## OhSh33t

Yup,

The same thing was happening to me. That's because it can't find the ones it needs.

Remember you'll need the most up-to-date iproute package installed.

*Quote:*

> sys-apps/iproute
>       Latest version available: 20010824-r4
> ...

*Quote:*

> During the "shorewall start" you will see the following if everything goes well. If it doesn't, you'll notice that the modes below are unavailable, and this is when you'll get a ton of lsmod errors....
>
> Initializing...
> ...

Once I had my kernel set up correctly, things suddenly started working....

Please note:

*Quote:*

> When I set up my kernel network and netfilter configuration settings using the settings someone had for the 2.6 kernel, where mostly everything was added as "*"'s instead of "m"'s, is where my "menuconfig" utility would barf and abort when making modules, or it would get all the way through compiling with the new settings and then, when I would reboot, my system would go into Kernel Panic and kill init.
>
> This is why I gave my specifics of what I'm using and what I set in the kernel to get this to work. If you're using kernel-2.4.20-gentoo-r6 and used genkernel/gentoo-sources and have the most up-to-date iproute package with the same settings that I selected in my kernel network and netfilter settings, then you should be fine.
> ...

----------

## p3nguin

Well, I upgraded to vanilla kernel 2.4.22 and recompiled iptables, and shorewall now works! Thanks everyone for all your help.

----------

## OhSh33t

Sweet, P3nguin.

Nice job.

----------

