Package: firehol
Version: 1.231-2sarge1
Severity: important
I have tried 2 firehol.conf files: one that I use on i386 systems, and one generated by firehol-wizard. Both cause firehol to generate (report) many error messages from iptables. So this seems to be a sparc problem?

I will try to attach, or include, the conf files, and the output of "firehol try".

============= (start) firehol.conf ======================
#!
# ------------------------------------------------------------------------------
# This feature is under construction -- use it with care.
# *** NEVER USE THIS CONFIG AS-IS ***
#
# : firehol.sh,v 1.231 2004/11/01 00:13:00 ktsaou Exp $
# (C) Copyright 2003, Costa Tsaousis <[EMAIL PROTECTED]>
# FireHOL is distributed under GPL.
# Home Page: http://firehol.sourceforge.net
#
# ------------------------------------------------------------------------------
# FireHOL controls your firewall. You should want to get updates quickly.
# Subscribe (at the home page) to get notified of new releases.
# ------------------------------------------------------------------------------
#
# This config will have the same effect as NO PROTECTION!
# Everything that found to be running, is allowed.
#
# Date: Fri Mar 23 16:14:36 ADT 2007 on host Coral.OCEAN.Dal.Ca
#
# The TODOs bellow, are YOUR to-dos!

### DEBUG: Processing interface 'eth0'
### DEBUG: Processing IP 129.173.105.57/32 of interface 'eth0'
### DEBUG: Is 129.173.105.57/32 part of network 129.173.104.0/22? yes

# Interface No 1.
# The purpose of this interface is to control the traffic
# on the eth0 interface with IP 129.173.105.57/32 (net: "129.173.104.0/22").
#
# TODO: Change "interface1" to something with meaning to you.
# TODO: Check the optional rule parameters (src/dst).
# TODO: Remove 'dst 129.173.105.57/32' if this is dynamically assigned.
# interface eth0 interface1 src "129.173.104.0/22" dst 129.173.105.57/32
interface eth0 interface1 src "129.173.104.0/22"

# The default policy is DROP. You can be more polite with REJECT.
# Prefer to be polite on your own clients to prevent timeouts.
policy drop

# If you don't trust the clients behind eth0 (net "129.173.104.0/22"),
# add something like this.
# > protection strong

# Here are the services listening on eth0.
# TODO: Normally, you will have to remove those not needed.
client dhcp accept
server ICMP accept
server cups accept
server http accept
server ident accept
server ntp accept
server postgres accept
server sunrpc accept

# The following eth0 server ports are not known by FireHOL:
# tcp/633 udp/626 udp/629
# TODO: If you need any of them, you should define new services.
# (see Adding Services at the web site - http://firehol.sf.net).

# The following means that this machine can REQUEST anything via eth0.
# TODO: On production servers, avoid this and allow only the
# client services you really need.
client all accept

### DEBUG: Is 129.173.104.1/32 part of network 129.173.104.0/22? yes
### DEBUG: Default gateway 129.173.104.1/32 is part of network 129.173.104.0/22

# Interface No 2.
# The purpose of this interface is to control the traffic
# from/to unknown networks behind the default gateway 129.173.104.1/32 .
#
# TODO: Change "interface2" to something with meaning to you.
# TODO: Check the optional rule parameters (src/dst).
# TODO: Remove 'dst 129.173.105.57/32' if this is dynamically assigned.
# interface eth0 interface2 src not "${UNROUTABLE_IPS} 129.173.104.0/22" dst 129.173.105.57/32
interface eth0 interface2 src not "${UNROUTABLE_IPS} 129.173.104.0/22"

# The default policy is DROP. You can be more polite with REJECT.
# Prefer to be polite on your own clients to prevent timeouts.
policy drop

# If you don't trust the clients behind eth0 (net not "${UNROUTABLE_IPS} 129.173.104.0/22"),
# add something like this.
# > protection strong

# Here are the services listening on eth0.
# TODO: Normally, you will have to remove those not needed.
client dhcp accept
server ICMP accept
server cups accept
server http accept
server ident accept
server ntp accept
server postgres accept
server sunrpc accept

# The following eth0 server ports are not known by FireHOL:
# tcp/633 udp/626 udp/629
# TODO: If you need any of them, you should define new services.
# (see Adding Services at the web site - http://firehol.sf.net).

# The following means that this machine can REQUEST anything via eth0.
# TODO: On production servers, avoid this and allow only the
# client services you really need.
client all accept

# The above 2 interfaces were found active at this moment.
# Add more interfaces that can potentially be activated in the future.
# FireHOL will not complain if you setup a firewall on an interface that is
# not active when you activate the firewall.
# If you don't setup an interface, FireHOL will drop all traffic from or to
# this interface, if and when it becomes available.
# Also, if an interface name dynamically changes (i.e. ppp0 may become ppp1)
# you can use the plus (+) character to match all of them (i.e. ppp+).

# No router statements have been produced, because your server
# is not configured for forwarding traffic.
============= (end) firehol.conf ======================

============= (start) output of "firehol firehol.conf try " =======
--------------------------------------------------------------------------------
ERROR   : # 1.
WHAT    : A runtime command failed to execute (returned error 1).
SOURCE  : line 76 of /etc/firehol/firehol-wizard.conf
COMMAND : /sbin/iptables -t filter -A in_interface1 -m limit --limit 1/second --limit-burst 5 -j LOG --log-level warning --log-prefix=IN-interface1:
OUTPUT  : iptables: Invalid argument
--------------------------------------------------------------------------------
ERROR   : # 2.
WHAT    : A runtime command failed to execute (returned error 1).
SOURCE  : line 76 of /etc/firehol/firehol-wizard.conf
COMMAND : /sbin/iptables -t filter -A out_interface1 -m limit --limit 1/second --limit-burst 5 -j LOG --log-level warning --log-prefix=OUT-interface1:
OUTPUT  : iptables: Invalid argument
--------------------------------------------------------------------------------
ERROR   : # 3.
WHAT    : A runtime command failed to execute (returned error 1).
SOURCE  : line FIN of /etc/firehol/firehol-wizard.conf
COMMAND : /sbin/iptables -t filter -A in_interface2 -m limit --limit 1/second --limit-burst 5 -j LOG --log-level warning --log-prefix=IN-interface2:
OUTPUT  : iptables: Invalid argument
--------------------------------------------------------------------------------
ERROR   : # 4.
WHAT    : A runtime command failed to execute (returned error 1).
SOURCE  : line FIN of /etc/firehol/firehol-wizard.conf
COMMAND : /sbin/iptables -t filter -A out_interface2 -m limit --limit 1/second --limit-burst 5 -j LOG --log-level warning --log-prefix=OUT-interface2:
OUTPUT  : iptables: Invalid argument
--------------------------------------------------------------------------------
ERROR   : # 5.
WHAT    : A runtime command failed to execute (returned error 1).
SOURCE  : line FIN of /etc/firehol/firehol-wizard.conf
COMMAND : /sbin/iptables -t filter -A INPUT -m limit --limit 1/second --limit-burst 5 -j LOG --log-level warning --log-prefix=IN-unknown:
OUTPUT  : iptables: Invalid argument
--------------------------------------------------------------------------------
ERROR   : # 6.
WHAT    : A runtime command failed to execute (returned error 1).
SOURCE  : line FIN of /etc/firehol/firehol-wizard.conf
COMMAND : /sbin/iptables -t filter -A OUTPUT -m limit --limit 1/second --limit-burst 5 -j LOG --log-level warning --log-prefix=OUT-unknown:
OUTPUT  : iptables: Invalid argument
--------------------------------------------------------------------------------
ERROR   : # 7.
WHAT    : A runtime command failed to execute (returned error 1).
SOURCE  : line FIN of /etc/firehol/firehol-wizard.conf
COMMAND : /sbin/iptables -t filter -A FORWARD -m limit --limit 1/second --limit-burst 5 -j LOG --log-level warning --log-prefix=PASS-unknown:
OUTPUT  : iptables: Invalid argument
Stopped: Couldn't activate new firewall.
FireHOL: Restoring old firewall: OK
============= (end) output of "firehol firehol.conf try " =======

Regards,
Douglas.

-- System Information:
Debian Release: 3.1
Architecture: sparc (sparc64)
Kernel: Linux 2.4.27-3-sparc64
Locale: LANG=en_CA, LC_CTYPE=en_CA (charmap=ISO-8859-1)

Versions of packages firehol depends on:
ii  bash       2.05b-26    The GNU Bourne Again SHell
ii  bc         1.06-15     The GNU bc arbitrary precision cal
ii  iproute    20041019-3  Professional tools to control the
ii  iptables   1.2.11-10   Linux kernel 2.4+ iptables adminis
ii  net-tools  1.60-10     The NET-3 networking toolkit

-- no debconf information
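Added example, not part of Douglas's report and not FireHOL code. Every rule FireHOL could not load above has the same shape, "-m limit ... -j LOG ...", and iptables reports nothing more specific than "Invalid argument". The POSIX shell probe below appends the pieces of that rule separately to a scratch chain in the filter table, so the rejection can be pinned on the limit match, the LOG target, or only their combination. The chain name firehol_probe and the IPTABLES and PROBE_CHAIN override variables are this example's own choices; it assumes the /sbin/iptables binary from the report, needs root, and does not diagnose the report. One hypothesis worth testing with it on a 64-bit kernel paired with 32-bit userspace is a kernel/userspace size mismatch in the limit match's rule structure, which the kernel rejects with EINVAL and iptables prints as exactly this message.

```shell
#!/bin/sh
# Added example (not from the bug report or from FireHOL): bisect an iptables
# rule that the kernel rejects with "Invalid argument".
#
# Each component of FireHOL's logging rule is appended on its own to a scratch
# chain, so the report shows which piece the running kernel refuses.

IPTABLES="${IPTABLES:-/sbin/iptables}"          # binary from the report; overridable
PROBE_CHAIN="${PROBE_CHAIN:-firehol_probe}"     # assumed scratch chain name (this example's choice)

# try_rule LABEL ARGS...: append ARGS to the scratch chain and print ok/FAIL.
try_rule() {
    _label=$1
    shift
    if "$IPTABLES" -t filter -A "$PROBE_CHAIN" "$@" >/dev/null 2>&1; then
        printf 'ok    %s\n' "$_label"
        return 0
    fi
    printf 'FAIL  %s\n' "$_label"
    return 1
}

# bisect_log_limit: create the scratch chain, probe each component of the
# "-m limit ... -j LOG ..." rule, remove the chain, and end with a
# "failing:" line listing the components the kernel rejected (or "none").
bisect_log_limit() {
    "$IPTABLES" -t filter -N "$PROBE_CHAIN" >/dev/null 2>&1 || true
    "$IPTABLES" -t filter -F "$PROBE_CHAIN" >/dev/null 2>&1 || true
    _failed=""
    # A rule with no match and no extension: if this fails, the table or
    # chain itself is the problem, not limit or LOG.
    try_rule "plain ACCEPT (chain itself)" -j ACCEPT \
        || _failed="$_failed accept"
    try_rule "LOG target alone" \
        -j LOG --log-level warning --log-prefix "PROBE:" \
        || _failed="$_failed LOG"
    try_rule "limit match alone" \
        -m limit --limit 1/second --limit-burst 5 -j ACCEPT \
        || _failed="$_failed limit"
    # The exact combination FireHOL emitted (prefix changed only).
    try_rule "limit + LOG (FireHOL form)" \
        -m limit --limit 1/second --limit-burst 5 \
        -j LOG --log-level warning --log-prefix "PROBE:" \
        || _failed="$_failed limit+LOG"
    "$IPTABLES" -t filter -F "$PROBE_CHAIN" >/dev/null 2>&1 || true
    "$IPTABLES" -t filter -X "$PROBE_CHAIN" >/dev/null 2>&1 || true
    printf 'failing:%s\n' "${_failed:- none}"
}

# Invoke as:  sh probe.sh run   (as root, on the affected host).
[ "${1:-}" = "run" ] && bisect_log_limit
```

Read the output as a matrix: "FAIL" on "limit match alone" with "ok" on "LOG target alone" points at the limit match rather than at logging, and vice versa; a failure only on the combined form means each extension loads but not together. Whatever fails, the next checks are the ones FireHOL cannot do for you: confirm that the ipt_limit and ipt_LOG modules are loaded or built in (lsmod, or modprobe ipt_limit ipt_LOG), compare the kernel and iptables versions against the architecture, and read dmesg immediately after the failing probe.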