tag 468148 + etch confirmed
thanks

Hi,

On Fri, Apr 18, 2008 at 01:37:57PM +0200, Arno van Amersfoort wrote:
> Hi,
>
> Oh, sorry forgot to update the info here. The problem is caused by a bug  
> in Debian's 2.6.18-kernel. For Lenny, a 2.6.19+ kernel will fix the  
> problem...
ah, thanks. But is there anything we could do in this package to
address/workaround it? Or maybe there is a report about the actual
problem in the etch kernel where we can point people to (including
myself ;-)?

Thanks,

Michael


> Michael Hanke wrote:
>> Hi,
>>
>> I just wondered: Is there any update? Is the problem identified or even
>> solved? Should this report be closed or merged with another bug?
>>
>> Thanks,
>>
>> Michael
>>
>>
>> On Wed, Feb 27, 2008 at 02:29:38PM +0100, Arno van Amersfoort wrote:
>>   
>>> Michael,
>>>
>>> I'm already looking into this problem (the submitter provided a SUN   
>>> sparc machine I can use for testing). I've already somewhat isolated 
>>> the  problem, but as it looks now the issue is probably in the 
>>> iptables  binary (or kernel) used by Debian/Sparc. I will also post a 
>>> bug against  the iptables-package, and see what they can come up 
>>> with....
>>>
>>> cheers,
>>>
>>> Arno
>>>
>>> Michael Hanke wrote:
>>>     
>>>> Hi Marco,
>>>>
>>>> thanks for your report. Could you please provide your configuration
>>>> files:
>>>>
>>>> /etc/arno-iptables-firewall/debconf.cfg
>>>> /etc/arno-iptables-firewall/firewall.conf
>>>>
>>>> Please be sure to remove any possibly confidential information from it
>>>> before posting.
>>>>
>>>> Thanks,
>>>>
>>>> Michael
>>>>
>>>>
>>>> On Wed, Feb 27, 2008 at 11:58:21AM +0100, Marco Rijnsburger wrote:
>>>>         
>>>>> Package: arno-iptables-firewall
>>>>> Version: 1.8.8.i-2
>>>>> Severity: important
>>>>>
>>>>>
>>>>>
>>>>> -- System Information:
>>>>> Debian Release: lenny/sid
>>>>>   APT prefers testing
>>>>>   APT policy: (500, 'testing')
>>>>> Architecture: sparc (sparc64)
>>>>>
>>>>> Kernel: Linux 2.6.18-3-sparc64-smp (SMP w/1 CPU core)
>>>>> Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
>>>>> Shell: /bin/sh linked to /bin/bash
>>>>>
>>>>> Versions of packages arno-iptables-firewall depends on:
>>>>> ii  debconf [debconf-2.0]   1.5.19           Debian configuration 
>>>>> management sy
>>>>> ii  gawk                    1:3.1.5.dfsg-4   GNU awk, a pattern scanning 
>>>>> and pr
>>>>> ii  iptables                1.3.8.0debian1-1 administration tools for 
>>>>> packet fi
>>>>> ii  lynx                    2.8.6-2          Text-mode WWW Browser
>>>>>
>>>>> Versions of packages arno-iptables-firewall recommends:
>>>>> ii  iproute                       20080108-1 Professional tools 
>>>>> to control the 
>>>>>
>>>>> -- debconf information:
>>>>> * arno-iptables-firewall/config-int-nat-net: 172.16.2.0
>>>>> * arno-iptables-firewall/dynamic-ip: false
>>>>> * arno-iptables-firewall/config-int-net: 255.255.255.0
>>>>> * arno-iptables-firewall/icmp-echo: true
>>>>> * arno-iptables-firewall/services-udp: 53
>>>>>   arno-iptables-firewall/title:
>>>>> * arno-iptables-firewall/config-ext-if: eth0
>>>>> * arno-iptables-firewall/services-tcp: 25 53 110 143 443 10000
>>>>> * arno-iptables-firewall/restart: true
>>>>> * arno-iptables-firewall/config-int-if: eth1
>>>>> * arno-iptables-firewall/nat: true
>>>>> * arno-iptables-firewall/debconf-wanted: true
>>>>>
>>>>> # ./arno-iptables-firewall start
>>>>> Arno's Iptables Firewall Script 1.8.8.i-2
>>>>> -------------------------------------------------------------------------------
>>>>> Sanity checks passed...OK
>>>>> Detected IPTABLES module... Loading additional IPTABLES modules:
>>>>> All IPTABLES modules loaded!
>>>>> Setting the kernel ring buffer to only log panic messages to the console
>>>>> Configuring /proc/.... settings:
>>>>>  Enabling anti-spoof with rp_filter
>>>>>  Enabling SYN-flood protection via SYN-cookies
>>>>>  Disabling the logging of martians
>>>>>  Disabling the acception of ICMP-redirect messages
>>>>>  Setting the max. amount of simultaneous connections to 16384
>>>>>  Enabling protection against source routed packets
>>>>>  Setting default conntrack timeouts
>>>>>  Enabling reduction of the DoS'ing ability
>>>>>  Setting Default TTL=64
>>>>>  Disabling ECN (Explicit Congestion Notification)
>>>>>  Enabling support for dynamic IP's
>>>>>  Flushing route table
>>>>> /proc/ setup done...
>>>>> Flushing rules in the filter table
>>>>> Setting default (secure) policies
>>>>> Using loglevel "info" for syslogd
>>>>>
>>>>> Setting up firewall rules:
>>>>> -------------------------------------------------------------------------------
>>>>> Accepting packets from the local loopback device
>>>>> Enabling setting the maximum packet size via MSS
>>>>> Enabling mangling TOS
>>>>> Logging of stealth scans (nmap probes etc.) enabled
>>>>> iptables: Invalid argument
>>>>> iptables: Invalid argument
>>>>> iptables: Invalid argument
>>>>> iptables: Invalid argument
>>>>> iptables: Invalid argument
>>>>> iptables: Invalid argument
>>>>> iptables: Invalid argument
>>>>> Logging of packets with bad TCP-flags enabled
>>>>> iptables: Invalid argument
>>>>> iptables: Invalid argument
>>>>> Logging of INVALID packets disabled
>>>>> Logging of fragmented packets enabled
>>>>> iptables: Invalid argument
>>>>> Logging of access from reserved addresses enabled
>>>>> iptables: Invalid argument
>>>>> iptables: Invalid argument
>>>>> iptables: Invalid argument
>>>>> iptables: Invalid argument
>>>>> Setting up anti-spoof rules
>>>>> Reading custom IPTABLES rules from 
>>>>> /etc/arno-iptables-firewall/custom-rules
>>>>> Loading (user) plugins
>>>>> iptables: Invalid argument
>>>>> Setting up INPUT policy for the external net (INET):
>>>>> iptables: Invalid argument
>>>>> iptables: Invalid argument
>>>>> iptables: Invalid argument
>>>>> iptables: Invalid argument
>>>>> Enabling support for a DHCP assigned IP on external interface(s): eth0
>>>>> Logging of explicitly blocked hosts enabled
>>>>> Logging of denied local output connections enabled
>>>>> Packets will NOT be checked for private source addresses
>>>>> Allowing the whole world to connect to TCP port(s): 22
>>>>> Allowing the whole world to send ICMP-requests(ping)
>>>>> iptables: Invalid argument
>>>>> Logging of dropped ICMP-request(ping) packets enabled
>>>>> iptables: Invalid argument
>>>>> Logging of dropped other ICMP packets enabled
>>>>> iptables: Invalid argument
>>>>> iptables: Invalid argument
>>>>> iptables: Invalid argument
>>>>> iptables: Invalid argument
>>>>> Logging of possible stealth scans enabled
>>>>> iptables: Invalid argument
>>>>> iptables: Invalid argument
>>>>> Logging of (other) connection attempts to PRIVILEGED TCP ports enabled
>>>>> iptables: Invalid argument
>>>>> Logging of (other) connection attempts to PRIVILEGED UDP ports enabled
>>>>> iptables: Invalid argument
>>>>> Logging of (other) connection attempts to UNPRIVILEGED TCP ports enabled
>>>>> iptables: Invalid argument
>>>>> Logging of (other) connection attempts to UNPRIVILEGED UDP ports enabled
>>>>> iptables: Invalid argument
>>>>> Logging of other IP protocols (non TCP/UDP/ICMP) connection attempts 
>>>>> enabled
>>>>> iptables: Invalid argument
>>>>> Logging of ICMP flooding enabled
>>>>> iptables: Invalid argument
>>>>> iptables: Invalid argument
>>>>> iptables: Invalid argument
>>>>> iptables: Invalid argument
>>>>> iptables: Invalid argument
>>>>> iptables: Invalid argument
>>>>> Applying INET policy to external (INET) interface: eth0 (without an 
>>>>> external
>>>>> su)
>>>>> iptables: Invalid argument
>>>>> Setting up INPUT policy for internal (LAN) interface(s): eth1 eth2
>>>>>  Allowing ICMP-requests(ping)
>>>>> iptables: Invalid argument
>>>>> iptables: Invalid argument
>>>>>  Allowing all (other) protocols
>>>>> iptables: Invalid argument
>>>>> Setting up FORWARD policy for internal (LAN) interface(s): eth1 eth2
>>>>>  Logging of denied LAN->INET FORWARD connections enabled
>>>>>  Setting up LAN->INET policy:
>>>>>   Allowing ICMP-requests(ping)
>>>>> iptables: Invalid argument
>>>>> iptables: Invalid argument
>>>>>   Allowing all (other) protocols
>>>>> Security is ENFORCED for external interface(s) in the FORWARD chain
>>>>> iptables: Invalid argument
>>>>>
>>>>> Feb 27 11:55:28 All firewall rules applied.
>>>>>
>>>>>             
>>>>         
>>
>>   
>
> -- 
> Arno van Amersfoort - E-mail: [EMAIL PROTECTED]
>

-- 
GPG key:  1024D/3144BE0F Michael Hanke
http://apsy.gse.uni-magdeburg.de/hanke
ICQ: 48230050
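
An added example, not part of the thread and not code from arno-iptables-firewall: in the transcript quoted above the script ends with "All firewall rules applied." even though many `iptables` calls returned "Invalid argument", so this check counts those errors per step and fails when any occurred. The function names `audit_fw_log` and `sample_log` are hypothetical, and pairing each error with the status line printed just before it follows the transcript order only; the thread does not confirm which rule each error belongs to.

```shell
#!/bin/sh
# Added example. audit_fw_log [FILE]: read a firewall start transcript (FILE or
# stdin), print "<errors><TAB><status line printed just before them>" for each
# affected step plus a summary line, and return 1 if any iptables error occurred.
audit_fw_log() {
    awk '
        /^iptables: / {                      # error text from the iptables binary
            if (!(step in fails)) order[++n] = step
            fails[step]++; total++
            next
        }
        /All firewall rules applied/ { claimed = 1; next }
        /^-+$/ || /^[ \t]*$/ { next }        # separator and blank lines
        { step = $0; sub(/^[ \t]+/, "", step) }
        END {
            for (i = 1; i <= n; i++) printf "%d\t%s\n", fails[order[i]], order[i]
            printf "total=%d claimed_success=%d\n", total, claimed
            exit (total > 0 ? 1 : 0)
        }
    ' "${1:--}"
}

# Constructed sample input, abridged from the transcript in the report.
sample_log() {
    cat <<'EOF'
Logging of stealth scans (nmap probes etc.) enabled
iptables: Invalid argument
iptables: Invalid argument
Logging of INVALID packets disabled
Logging of fragmented packets enabled
iptables: Invalid argument
Setting up anti-spoof rules

Feb 27 11:55:28 All firewall rules applied.
EOF
}

# Stand-alone run: report the failing steps and flag the partial load.
sample_log | audit_fw_log || echo "firewall only partially loaded" >&2
```

A line with `claimed_success=1` and a non-zero `total` is the condition shown in the report: the script announced success while some rules were never installed.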


