From: Holly Bostick
Subject: Re: [gentoo-user] iptables
To: gentoo-user@lists.gentoo.org
Date: Tue, 30 Aug 2005 11:43:26 +0200
In-reply-to: <001401c5ad0b$a4991af0$0501a8c0@croatus>
Message-id: <43142A3E.4080809@planet.nl>
List-Id: Gentoo Linux mail

John Dangler wrote:
> Holly~ The Firestarter kernel requirements doc says -
>
> *Device drivers *Networking support [y] *Networking support
> *Networking options *Network packet filtering [y] *Network packet
> filtering IP: Netfilter Configuration (*)
>
> "We recommend you enable _everything_ except ipchains support and
> ipfwadm support as modules under this menu"

I never read this as meaning that everything
should be selected, but rather that everything that you select under this menu, other than ipchains support and ipfwadm, should be selected as a module rather than static. But even then, they further explain that this is mostly to save size and memory in the kernel, rather than some actual necessity. And of course, the docs further say

> At the very least, the Connection tracking, IP tables, Connection
> state match support, Connection tracking match support, Packet
> filtering, Full NAT and the LOG target support

My config looks like this:

CONFIG_IP_NF_CONNTRACK=y
# CONFIG_IP_NF_CT_ACCT is not set
# CONFIG_IP_NF_CONNTRACK_MARK is not set
# CONFIG_IP_NF_CT_PROTO_SCTP is not set
# CONFIG_IP_NF_FTP is not set
# CONFIG_IP_NF_IRC is not set
# CONFIG_IP_NF_TFTP is not set
# CONFIG_IP_NF_AMANDA is not set
CONFIG_IP_NF_QUEUE=y
CONFIG_IP_NF_IPTABLES=y
CONFIG_IP_NF_MATCH_LIMIT=y
CONFIG_IP_NF_MATCH_IPRANGE=y
CONFIG_IP_NF_MATCH_MAC=y
CONFIG_IP_NF_MATCH_PKTTYPE=y
CONFIG_IP_NF_MATCH_MARK=y
CONFIG_IP_NF_MATCH_MULTIPORT=y
CONFIG_IP_NF_MATCH_TOS=y
CONFIG_IP_NF_MATCH_RECENT=y
CONFIG_IP_NF_MATCH_ECN=y
CONFIG_IP_NF_MATCH_DSCP=y
CONFIG_IP_NF_MATCH_AH_ESP=y
CONFIG_IP_NF_MATCH_LENGTH=y
CONFIG_IP_NF_MATCH_TTL=y
CONFIG_IP_NF_MATCH_TCPMSS=y
CONFIG_IP_NF_MATCH_HELPER=y
CONFIG_IP_NF_MATCH_STATE=y
CONFIG_IP_NF_MATCH_CONNTRACK=y
CONFIG_IP_NF_MATCH_OWNER=y
# CONFIG_IP_NF_MATCH_ADDRTYPE is not set
# CONFIG_IP_NF_MATCH_REALM is not set
# CONFIG_IP_NF_MATCH_SCTP is not set
# CONFIG_IP_NF_MATCH_COMMENT is not set
# CONFIG_IP_NF_MATCH_HASHLIMIT is not set
CONFIG_IP_NF_FILTER=y
CONFIG_IP_NF_TARGET_REJECT=y
CONFIG_IP_NF_TARGET_LOG=y
CONFIG_IP_NF_TARGET_ULOG=y
CONFIG_IP_NF_TARGET_TCPMSS=y
CONFIG_IP_NF_NAT=y
CONFIG_IP_NF_NAT_NEEDED=y
CONFIG_IP_NF_TARGET_MASQUERADE=y
CONFIG_IP_NF_TARGET_REDIRECT=y
CONFIG_IP_NF_TARGET_NETMAP=y
CONFIG_IP_NF_TARGET_SAME=y
# CONFIG_IP_NF_NAT_SNMP_BASIC is not set
CONFIG_IP_NF_MANGLE=y
CONFIG_IP_NF_TARGET_TOS=y
CONFIG_IP_NF_TARGET_ECN=y
CONFIG_IP_NF_TARGET_DSCP=y
CONFIG_IP_NF_TARGET_MARK=y
CONFIG_IP_NF_TARGET_CLASSIFY=y
CONFIG_IP_NF_RAW=m
CONFIG_IP_NF_TARGET_NOTRACK=m
CONFIG_IP_NF_ARPTABLES=y
CONFIG_IP_NF_ARPFILTER=y
CONFIG_IP_NF_ARP_MANGLE=y

As you see, I haven't even followed the instructions properly (all this stuff is static), but, as the docs also say it will, Firestarter seems to work fine (because all the 'required elements' are enabled). Maybe I'll go back through make menuconfig and clean that all up, just so I know what I'm doing in future. But afaik, I just left the kernel defaults in place (as about all I know about these settings is that 1) I'm not using ipv6, and 2) anything that is needed for a router I don't need, because I'm not a router :) ).

It rather sounds like Hans-Werner is onto something; often, when you change your kernel configuration, you have to rebuild any external modules against the new base, which you don't seem to have done. Otherwise the external module thinks that functions are available that it has to modprobe (because the functionality has changed from static to module), and vice versa (if the functionality has changed from module to static). If I reconfigure my kernel to modify a sound module, then no, I don't have to re-emerge the ati-drivers (because the kernel change is irrelevant to the external module), but the same wouldn't be true if I changed /dev/agpgart from static to a module. In this case, you certainly are changing kernel options relevant to the external modules, so those would have to be re-emerged against the new kernel configuration.

HTH,
Holly

-- 
gentoo-user@gentoo.org mailing list
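The practical question behind the thread is whether a given kernel .config actually carries the netfilter pieces the Firestarter docs call mandatory, and whether each one is static or a module (which decides whether something has to modprobe it). The following script is an added example and is not part of the mailing-list thread, the Firestarter docs, or Gentoo's tooling. It assumes the 2.6-era CONFIG_IP_NF_* option names shown in Holly's config (later kernels renamed most of them to CONFIG_NF_* / CONFIG_NETFILTER_XT_*, so the REQUIRED_OPTS list would need adjusting there), and it assumes the running kernel's config is reachable as /proc/config.gz or /boot/config-$(uname -r). The sample config used at the bottom is constructed for the example and deliberately leaves one required option unset and builds one as a module.

```shell
#!/bin/sh
# Added example (not from the thread): audit a kernel .config for the netfilter
# options Firestarter's docs list as required, and report each as static,
# module or missing. Option names are the 2.6-era CONFIG_IP_NF_* names
# (assumption); adjust REQUIRED_OPTS for kernels that use CONFIG_NF_*.

# The "at the very least" list quoted in the thread, mapped to config symbols:
# connection tracking, IP tables, state match, conntrack match, packet
# filtering, full NAT, LOG target.
REQUIRED_OPTS="CONFIG_IP_NF_CONNTRACK CONFIG_IP_NF_IPTABLES \
CONFIG_IP_NF_MATCH_STATE CONFIG_IP_NF_MATCH_CONNTRACK \
CONFIG_IP_NF_FILTER CONFIG_IP_NF_NAT CONFIG_IP_NF_TARGET_LOG"

# config_state FILE OPTION
# Prints y (static), m (module) or n (unset or absent). Matches only the exact
# symbol, so CONFIG_IP_NF_CONNTRACK does not match CONFIG_IP_NF_CONNTRACK_MARK.
config_state() {
    line=$(grep -E "^(# )?$2[= ]" "$1" | head -n 1)
    case "$line" in
        "$2=y") echo y ;;
        "$2=m") echo m ;;
        *)      echo n ;;
    esac
}

# check_nf_config FILE
# One report line per required option. Returns 0 when every option is built
# (static or module), 1 when at least one is missing, so it can gate a script.
check_nf_config() {
    missing=0
    for opt in $REQUIRED_OPTS; do
        case "$(config_state "$1" "$opt")" in
            y) printf '%-32s static\n' "$opt" ;;
            m) printf '%-32s module (must be loaded with modprobe)\n' "$opt" ;;
            n) printf '%-32s MISSING\n' "$opt"; missing=1 ;;
        esac
    done
    return $missing
}

# nf_summary FILE
# Counts how many CONFIG_IP_NF_* options are static versus modular; the docs'
# "everything as modules" advice would show up here as a large module count.
nf_summary() {
    printf 'static: %s  module: %s\n' \
        "$(grep -c '^CONFIG_IP_NF_.*=y$' "$1")" \
        "$(grep -c '^CONFIG_IP_NF_.*=m$' "$1")"
}

# Usage on a live system (assumed locations of the kernel config):
#   zcat /proc/config.gz > /tmp/kconfig || cp "/boot/config-$(uname -r)" /tmp/kconfig
#   check_nf_config /tmp/kconfig && echo "all required netfilter options present"
#   nf_summary /tmp/kconfig
```

Running check_nf_config against the config posted in the thread reports every required option as static, which matches Holly's observation that Firestarter works even though nothing was built as a module. A module line in the report is the case the rest of the thread is about: a tool that expects a static symbol will not load it, and an out-of-tree module built against the old configuration has to be rebuilt before it agrees with the kernel about what is static and what is not.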