Bug 1300 - 2012.1, shorewall does not start
Status: RESOLVED FIXED
Product: Desktop Bugs
Classification: ROSA Desktop
Component: Main Packages
Version: Fresh
Hardware: x86_64 Linux
Importance: Normal normal
Assigned To: ROSA Linux Bugs
Reported: 2012-12-22 16:52 MSK by philippe.roubach
Modified: 2014-10-21 12:55 MSD (History)
Description philippe.roubach 2012-12-22 16:52:34 MSK
Description of problem:


shorewall does not start

We have a message:

compiling
ERROR : your kernel/ipset does not include state match support. No version of Shorewall will run in this system
Comment 1 Alexander Burmashev 2012-12-22 16:55:26 MSK
Hi, do you have the latest updates installed?
Comment 2 philippe.roubach 2012-12-22 17:03:39 MSK
(In reply to comment #1)
> Hi, do you have the latest updates installed?

Yes.

Today I made an update. Result: update of klook. That's all.
Comment 3 Aleksandr Kazantcev 2012-12-23 18:58:21 MSK
You need to update iptables...

Does iptables work?

systemctl status iptables

Does it give you an Active state?
Comment 4 philippe.roubach 2012-12-23 21:00:11 MSK
With the MCC service manager I see that by default iptables is not started at boot up.
Then I start it.
Then I start shorewall.
Then I get the message:

/sbin/shorewall:80:[:lt:unexpected operator

Here is the status of iptables:

[root@localhost ~]# systemctl status iptables
iptables.service - IPv4 firewall with iptables
          Loaded: loaded (/lib/systemd/system/iptables.service; disabled)
          Active: active (exited) since Sun, 23 Dec 2012 17:50:38 +0100; 7min ago
         Process: 5660 ExecStart=/usr/lib64/iptables.init start (code=exited, status=0/SUCCESS)
          CGroup: name=systemd:/system/iptables.service

Dec 23 17:50:38 localhost.localdomain iptables.init[5660]: Applying iptables firewall rules:
Dec 23 17:50:38 localhost.localdomain iptables.init[5660]: [  OK  ]
Dec 23 17:50:38 localhost.localdomain systemd[1]: Started IPv4 firewall with iptables.
[root@localhost ~]#
Comment 5 Aleksandr Kazantcev 2012-12-23 21:08:16 MSK
Iptables works - that's good.

But you can easily test shorewall (ignore the 'non running' information - the updates for it are in QA state)...

Run drakfirewall with 'disable for all' (shorewall will be disabled).
Then see

 iptables -L

Then run drakfirewall and set it up (IFW stopped working and we dropped it) and see

 iptables -L

If you see changes (many, many rules), shorewall really works, the iptables rules are changing and your system is in guard mode... The GUI will be fixed when the update moves through QA.

Some garbage output from shorewall is normal.
Comment 6 Aleksandr Kazantcev 2012-12-23 21:13:53 MSK
Do you have /etc/sysconfig/iptables?

If not:

 touch /etc/sysconfig/iptables from root (su, root password and then this command)...

Also, what is the output of

 rpm -qa | grep iptables
Comment 7 philippe.roubach 2012-12-23 22:31:20 MSK
I forgot to mention that the firewall does not start when I try to start it with the MCC tool.
Comment 8 philippe.roubach 2012-12-23 22:57:53 MSK
I ask to start iptables with drakxservice.
Then I restart the system.
Then iptables is not started! (Also shorewall is not started.)
Then I start iptables.
Then:

[root@localhost ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
[root@localhost ~]# 

Then I start shorewall.

[root@localhost ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
[root@localhost ~]# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination         
dynamic    all  --  anywhere             anywhere             ctstate INVALID,NEW
net2fw     all  --  anywhere             anywhere            
net2fw     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
Reject     all  --  anywhere             anywhere            
LOG        all  --  anywhere             anywhere             LOG level info prefix "Shorewall:INPUT:REJECT:"
reject     all  --  anywhere             anywhere            [goto] 

Chain FORWARD (policy DROP)
target     prot opt source               destination         
wlan0_fwd  all  --  anywhere             anywhere            
eth0_fwd   all  --  anywhere             anywhere            
Reject     all  --  anywhere             anywhere            
LOG        all  --  anywhere             anywhere             LOG level info prefix "Shorewall:FORWARD:REJECT:"
reject     all  --  anywhere             anywhere            [goto] 

Chain OUTPUT (policy DROP)
target     prot opt source               destination         
fw2net     all  --  anywhere             anywhere            
fw2net     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
Reject     all  --  anywhere             anywhere            
LOG        all  --  anywhere             anywhere             LOG level info prefix "Shorewall:OUTPUT:REJECT:"
reject     all  --  anywhere             anywhere            [goto] 

Chain Broadcast (2 references)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere             ADDRTYPE match dst-type BROADCAST
DROP       all  --  anywhere             anywhere             ADDRTYPE match dst-type MULTICAST
DROP       all  --  anywhere             anywhere             ADDRTYPE match dst-type ANYCAST
DROP       all  --  anywhere             base-address.mcast.net/4 

Chain Drop (1 references)
target     prot opt source               destination         
           all  --  anywhere             anywhere            
reject     tcp  --  anywhere             anywhere             tcp dpt:auth /* Auth */
Broadcast  all  --  anywhere             anywhere            
ACCEPT     icmp --  anywhere             anywhere             icmp fragmentation-needed /* Needed ICMP types */
ACCEPT     icmp --  anywhere             anywhere             icmp time-exceeded /* Needed ICMP types */
Invalid    all  --  anywhere             anywhere            
DROP       udp  --  anywhere             anywhere             multiport dports loc-srv,microsoft-ds /* SMB */
DROP       udp  --  anywhere             anywhere             udp dpts:netbios-ns:netbios-ssn /* SMB */
DROP       udp  --  anywhere             anywhere             udp spt:netbios-ns dpts:1024:65535 /* SMB */
DROP       tcp  --  anywhere             anywhere             multiport dports loc-srv,netbios-ssn,microsoft-ds /* SMB */
DROP       udp  --  anywhere             anywhere             udp dpt:1900 /* UPnP */
NotSyn     tcp  --  anywhere             anywhere            
DROP       udp  --  anywhere             anywhere             udp spt:domain /* Late DNS Replies */

Chain Invalid (2 references)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere             ctstate INVALID

Chain NotSyn (2 references)
target     prot opt source               destination         
DROP       tcp  --  anywhere             anywhere             tcpflags:! FIN,SYN,RST,ACK/SYN

Chain Reject (3 references)
target     prot opt source               destination         
           all  --  anywhere             anywhere            
reject     tcp  --  anywhere             anywhere             tcp dpt:auth /* Auth */
Broadcast  all  --  anywhere             anywhere            
ACCEPT     icmp --  anywhere             anywhere             icmp fragmentation-needed /* Needed ICMP types */
ACCEPT     icmp --  anywhere             anywhere             icmp time-exceeded /* Needed ICMP types */
Invalid    all  --  anywhere             anywhere            
reject     udp  --  anywhere             anywhere             multiport dports loc-srv,microsoft-ds /* SMB */
reject     udp  --  anywhere             anywhere             udp dpts:netbios-ns:netbios-ssn /* SMB */
reject     udp  --  anywhere             anywhere             udp spt:netbios-ns dpts:1024:65535 /* SMB */
reject     tcp  --  anywhere             anywhere             multiport dports loc-srv,netbios-ssn,microsoft-ds /* SMB */
DROP       udp  --  anywhere             anywhere             udp dpt:1900 /* UPnP */
NotSyn     tcp  --  anywhere             anywhere            
DROP       udp  --  anywhere             anywhere             udp spt:domain /* Late DNS Replies */

Chain dynamic (5 references)
target     prot opt source               destination         

Chain eth0_fwd (1 references)
target     prot opt source               destination         
sfilter    all  --  anywhere             anywhere            [goto] 
dynamic    all  --  anywhere             anywhere             ctstate INVALID,NEW
net_frwd   all  --  anywhere             anywhere            

Chain fw2net (2 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere            

Chain logdrop (0 references)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere            

Chain logreject (0 references)
target     prot opt source               destination         
reject     all  --  anywhere             anywhere            

Chain net2fw (2 references)
target     prot opt source               destination         
dynamic    all  --  anywhere             anywhere             ctstate INVALID,NEW
dynamic    all  --  anywhere             anywhere             ctstate INVALID,NEW
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp dpts:6881:6999
Drop       all  --  anywhere             anywhere            
LOG        all  --  anywhere             anywhere             LOG level info prefix "Shorewall:net2fw:DROP:"
DROP       all  --  anywhere             anywhere            

Chain net_frwd (2 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            

Chain reject (10 references)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere             ADDRTYPE match src-type BROADCAST
DROP       all  --  base-address.mcast.net/4  anywhere            
DROP       igmp --  anywhere             anywhere            
REJECT     tcp  --  anywhere             anywhere             reject-with tcp-reset
REJECT     udp  --  anywhere             anywhere             reject-with icmp-port-unreachable
REJECT     icmp --  anywhere             anywhere             reject-with icmp-host-unreachable
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

Chain sfilter (2 references)
target     prot opt source               destination         
LOG        all  --  anywhere             anywhere             LOG level info prefix "Shorewall:sfilter:DROP:"
DROP       all  --  anywhere             anywhere            

Chain shorewall (0 references)
target     prot opt source               destination         

Chain wlan0_fwd (1 references)
target     prot opt source               destination         
sfilter    all  --  anywhere             anywhere            [goto] 
dynamic    all  --  anywhere             anywhere             ctstate INVALID,NEW
net_frwd   all  --  anywhere             anywhere            
[root@localhost ~]# 


There is a /etc/sysconfig/iptables file but it is empty.

touch doesn't change anything.

[root@localhost ~]# rpm -qa | grep iptables
lib64iptables7-1.4.15-4-rosa2012.1.x86_64
iptables-1.4.15-4-rosa2012.1.x86_64
[root@localhost ~]#
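The check suggested in comment 5 (compare `iptables -L` before and after starting shorewall) applied to the output posted in comment 8, as an added example that is not part of this bug report: a POSIX shell snippet that parses `iptables -L` snapshots and reports whether the firewall actually took effect. The two snapshots below are constructed from (a trimmed copy of) the output quoted above; in real use they would be captured by running `iptables -L` as root before and after the start.

```shell
#!/bin/sh
# Added example, not from the bug report: parse two `iptables -L` snapshots
# (before and after starting shorewall) and report whether rules really loaded.

# Constructed sample: the empty ruleset the reporter saw before starting shorewall.
BEFORE='Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
'

# Constructed sample: a trimmed version of the ruleset after shorewall started.
AFTER='Chain INPUT (policy DROP)
target     prot opt source               destination
dynamic    all  --  anywhere             anywhere             ctstate INVALID,NEW
net2fw     all  --  anywhere             anywhere

Chain net2fw (2 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
Drop       all  --  anywhere             anywhere
'

# One line per chain: "<chain> <policy or user> <rule count>". A chain header is
# "Chain INPUT (policy DROP)" or "Chain net2fw (2 references)"; the "target prot
# opt ..." line is a column header; blank lines separate chains.
summarize() {
    printf '%s\n' "$1" | awk '
        /^Chain / { if (chain != "") print chain, policy, n
                    chain = $2; n = 0
                    policy = ($3 == "(policy") ? substr($4, 1, length($4) - 1) : "user"
                    next }
        /^target +prot/ || /^ *$/ { next }
        { n++ }
        END { if (chain != "") print chain, policy, n }'
}

# Total number of rules across all chains in a snapshot.
rule_count() { summarize "$1" | awk '{ s += $3 } END { print s + 0 }'; }

# Exit 0 when a built-in chain policy is not ACCEPT or any rule is loaded; else 1.
firewall_active() {
    summarize "$1" | awk '($2 != "ACCEPT" && $2 != "user") || $3 > 0 { f = 1 }
                          END { if (f) exit 0; exit 1 }'
}

firewall_active "$BEFORE" && echo "before: active" || echo "before: no rules loaded ($(rule_count "$BEFORE"))"
firewall_active "$AFTER" && echo "after: active, $(rule_count "$AFTER") rules" || echo "after: shorewall did not take effect"
```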
Comment 9 philippe.roubach 2012-12-23 23:20:07 MSK
A strange thing:

After starting shorewall with drakfirewall, I later open drakfirewall again and again "all" is checked! I unchecked it to start shorewall.
Comment 10 Aleksandr Kazantcev 2013-11-08 23:49:48 MSK
Is the bug still valid?
Comment 11 Denis Silakov 2014-10-21 12:55:43 MSD
Fixed with update from bug #4452.