* [gentoo-user] arno-iptables-firewall and kernel-3.4.9-gentoo
From: Mick @ 2012-08-25 7:49 UTC
To: gentoo-user
Hi All,
If you are using Arno's script, can you please check whether you are also
getting errors like these on start-up?
===========================================
# /etc/init.d/arno-iptables-firewall start
* Use of the opts variable is deprecated and will be
* removed in the future.
* Please use extra_commands, extra_started_commands or
extra_stopped_commands.
* Loading Firewall... ...
Arno's Iptables Firewall Script v1.9.2d
-------------------------------------------------------------------------------
NOTE: External interface ppp0 does NOT exist (yet?)
Sanity checks passed...OK
Checking/probing IPv4 Iptables modules:
Module check done...
Setting the kernel ring buffer to only log panic messages to the console
Setup kernel settings:
Setting the max. amount of simultaneous connections to 16384
Setting default conntrack timeouts
Enabling protection against source routed packets
DISABLING packet forwarding
Enabling reduction of the DoS'ing ability
Enabling anti-spoof with rp_filter
Enabling SYN-flood protection via SYN-cookies
Disabling the logging of martians
Disabling the acception of ICMP-redirect messages
Setting default TTL=64
Disabling ECN (Explicit Congestion Notification)
Enabling kernel support for dynamic IPs
Flushing route table
Kernel setup done...
Initializing firewall chains
Setting default INPUT/FORWARD policy to DROP
(Re)loading list of BLOCKED hosts from /etc/arno-iptables-firewall/blocked-hosts...
0 line(s) read. 0 host(s) blocked.
Using loglevel "info" for syslogd
Setting up firewall rules:
-------------------------------------------------------------------------------
Enabling setting the maximum packet size via MSS
Logging of stealth scans (nmap probes etc.) enabled
(1) iptables: No chain/target/match by that name.
(1) iptables: No chain/target/match by that name.
(1) iptables: No chain/target/match by that name.
(1) iptables: No chain/target/match by that name.
(1) iptables: No chain/target/match by that name.
(1) iptables: No chain/target/match by that name.
(1) iptables: No chain/target/match by that name.
Logging of packets with bad TCP-flags enabled
(1) iptables: No chain/target/match by that name.
(1) iptables: No chain/target/match by that name.
... [snip ...]
Security is ENFORCED for external interface(s) in the FORWARD chain
(1) iptables: No chain/target/match by that name.
Aug 25 7:59:36 WARNING: Not all firewall rules are applied.
* WARNING: Failed to load Firewall [ !! ]
* ERROR: arno-iptables-firewall failed to start
===========================================
They repeat themselves a number of times, usually after the "Logging of packets
..." statements. Despite the failed-to-start message above, iptables seems to
have loaded fine:
===========================================
# /sbin/iptables -L -v -n
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target                prot  opt in     out  source     destination
    0     0 BASE_INPUT_CHAIN      all   --  *      *    0.0.0.0/0  0.0.0.0/0
    0     0 INPUT_CHAIN           all   --  *      *    0.0.0.0/0  0.0.0.0/0
    0     0 HOST_BLOCK            all   --  *      *    0.0.0.0/0  0.0.0.0/0
    0     0 SPOOF_CHK             all   --  *      *    0.0.0.0/0  0.0.0.0/0
    0     0 VALID_CHK             all   --  eth0   *    0.0.0.0/0  0.0.0.0/0
    0     0 EXT_INPUT_CHAIN       !icmp --  eth0   *    0.0.0.0/0  0.0.0.0/0  state NEW
    0     0 EXT_INPUT_CHAIN       icmp  --  eth0   *    0.0.0.0/0  0.0.0.0/0  state NEW limit: avg 60/sec burst 100
    0     0 EXT_ICMP_FLOOD_CHAIN  icmp  --  eth0   *    0.0.0.0/0  0.0.0.0/0  state NEW
    0     0 VALID_CHK             all   --  wlan0  *    0.0.0.0/0  0.0.0.0/0
    0     0 EXT_INPUT_CHAIN       !icmp --  wlan0  *    0.0.0.0/0  0.0.0.0/0  state NEW
    0     0 EXT_INPUT_CHAIN       icmp  --  wlan0  *    0.0.0.0/0  0.0.0.0/0  state NEW limit: avg 60/sec burst 100
    0     0 EXT_ICMP_FLOOD_CHAIN  icmp  --  wlan0  *    0.0.0.0/0  0.0.0.0/0  state NEW
[snip ...]
===========================================
I diff'ed the previous kernel-3.3.8-gentoo and the new kernel-3.4.9-gentoo and
I can't see any changes that would cause these errors. I attach it for the
more eagle-eyed amongst you.
Any ideas?
--
Regards,
Mick
[-- Attachment #1.2: diff_oldconfig.txt.bz2 --]
[-- Type: application/x-bzip, Size: 27908 bytes --]
* [gentoo-user] Re: arno-iptables-firewall and kernel-3.4.9-gentoo
From: Mick @ 2012-08-25 10:02 UTC
To: gentoo-user
On Saturday 25 Aug 2012 08:49:18 Mick wrote:
> I diff'ed the previous kernel-3.3.8-gentoo and the new kernel-3.4.9-gentoo
> and I can't see any changes that would cause these errors. I attach it
> for the more eagle-eye amongst you.
>
> Any ideas?
Aha! Found it!
The new option:
> # CONFIG_NETFILTER_XT_TARGET_LOG is not set
is necessary for the full iptables logging to happen. Once I enabled it, there
were no more errors. :-)
Hope this helps someone.
--
Regards,
Mick
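A check that would have spotted this in the two configs Mick diffed, as an added example that is not from the thread: it lists every netfilter option that was enabled (=y or =m) in the old .config but is "not set" or absent in the new one. The two config fragments are constructed for the demo (the real files live at /usr/src/linux/.config or come from zcat /proc/config.gz); the option names other than CONFIG_NETFILTER_XT_TARGET_LOG are illustrative.

```shell
#!/bin/sh
# Added example (not from the thread): report netfilter kernel options that
# were enabled in OLD_CONFIG but are not enabled in NEW_CONFIG. A plain diff
# of two .config files is thousands of lines; this narrows it to the options
# a LOG/state/limit-based firewall script actually depends on.
#
# Usage: lost_netfilter_options OLD_CONFIG NEW_CONFIG

# Prints "OPTION old_value" for each CONFIG_NETFILTER*, CONFIG_NF_*,
# CONFIG_IP_NF_*, CONFIG_IP6_NF_* ... option enabled in $1 but not in $2.
lost_netfilter_options() {
    old_cfg=$1
    new_cfg=$2
    grep -E '^CONFIG_(([A-Z0-9]+_)*NF_|NETFILTER)[A-Z0-9_]*=(y|m)$' "$old_cfg" |
    while IFS='=' read -r opt val; do
        # "# CONFIG_X is not set" and a missing line both fail this grep.
        if ! grep -qE "^${opt}=(y|m)$" "$new_cfg"; then
            printf '%s %s\n' "$opt" "$val"
        fi
    done
}

# Constructed sample: fragments standing in for the 3.3.8 and 3.4.9 .config
# files (not the real ones). CONFIG_NETFILTER_XT_TARGET_LOG flips to
# "not set", which is exactly what broke the -j LOG rules in the thread.
demo() {
    old=$(mktemp)
    new=$(mktemp)
    cat >"$old" <<'EOF'
CONFIG_NF_CONNTRACK=m
CONFIG_NETFILTER_XT_TARGET_LOG=m
CONFIG_NETFILTER_XT_MATCH_STATE=m
CONFIG_NETFILTER_XT_MATCH_LIMIT=m
CONFIG_IP_NF_TARGET_LOG=m
CONFIG_INFINIBAND=m
EOF
    cat >"$new" <<'EOF'
CONFIG_NF_CONNTRACK=m
# CONFIG_NETFILTER_XT_TARGET_LOG is not set
CONFIG_NETFILTER_XT_MATCH_STATE=m
CONFIG_NETFILTER_XT_MATCH_LIMIT=m
EOF
    lost_netfilter_options "$old" "$new"
    rm -f "$old" "$new"
}

demo
```

Running it prints CONFIG_NETFILTER_XT_TARGET_LOG and CONFIG_IP_NF_TARGET_LOG with their old values; CONFIG_INFINIBAND is ignored because it is not a netfilter option.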
* [gentoo-user] Re: arno-iptables-firewall and kernel-3.4.9-gentoo
From: James @ 2012-08-27 15:30 UTC
To: gentoo-user
Mick <michaelkintzios <at> gmail.com> writes:
> Arno's Iptables Firewall Script v1.9.2d
> Any ideas?
Wow, I thought his work died out years ago?
NICE!!!!!!!!!!
Although I have deviated, it's nice to know I
can use his site for ideas, scripts and syntax.
Thanks!
James
* Re: [gentoo-user] Re: arno-iptables-firewall and kernel-3.4.9-gentoo
From: Mick @ 2012-08-27 16:26 UTC
To: gentoo-user
On Monday 27 Aug 2012 16:30:51 James wrote:
> Mick <michaelkintzios <at> gmail.com> writes:
> > Arno's Iptables Firewall Script v1.9.2d
> > Any ideas?
>
> Wow, I thought his work died out years ago?
> NICE!!!!!!!!!!
>
> Although I have deviated, it's nice to know, I
> can use his site for ideas, scripts and syntax
>
>
> thks!
You're welcome. Arno keeps developing his handy script to include the latest
modules, IPv6, etc. His latest version is 2.0.1b, but portage only has 1.9.2a
and 1.9.2d at the moment.
--
Regards,
Mick