Hi,
Oh, sorry, I forgot to update the info here. The problem is caused by a bug
in Debian's 2.6.18 kernel. For Lenny, a 2.6.19+ kernel will fix the
problem...
Arno
Michael Hanke wrote:
Hi,
I just wondered: Is there any update? Is the problem identified or even
solved? Should this report be closed or merged with another bug?
Thanks,
Michael
On Wed, Feb 27, 2008 at 02:29:38PM +0100, Arno van Amersfoort wrote:
Michael,
I'm already looking into this problem (the submitter provided a SUN
sparc machine I can use for testing). I've already somewhat isolated the
problem, but as it looks now the issue is probably in the iptables
binary (or kernel) used by Debian/Sparc. I will also post a bug against
the iptables package, and see what they can come up with....
cheers,
Arno
Michael Hanke wrote:
Hi Marco,
thanks for your report. Could you please provide your configuration
files:
/etc/arno-iptables-firewall/debconf.cfg
/etc/arno-iptables-firewall/firewall.conf
Please be sure to remove any possibly confidential information from it
before posting.
Thanks,
Michael
On Wed, Feb 27, 2008 at 11:58:21AM +0100, Marco Rijnsburger wrote:
Package: arno-iptables-firewall
Version: 1.8.8.i-2
Severity: important
-- System Information:
Debian Release: lenny/sid
APT prefers testing
APT policy: (500, 'testing')
Architecture: sparc (sparc64)
Kernel: Linux 2.6.18-3-sparc64-smp (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages arno-iptables-firewall depends on:
ii debconf [debconf-2.0] 1.5.19 Debian configuration management sy
ii gawk 1:3.1.5.dfsg-4 GNU awk, a pattern scanning and pr
ii iptables 1.3.8.0debian1-1 administration tools for packet fi
ii lynx 2.8.6-2 Text-mode WWW Browser
Versions of packages arno-iptables-firewall recommends:
ii iproute 20080108-1 Professional tools to control the
-- debconf information:
* arno-iptables-firewall/config-int-nat-net: 172.16.2.0
* arno-iptables-firewall/dynamic-ip: false
* arno-iptables-firewall/config-int-net: 255.255.255.0
* arno-iptables-firewall/icmp-echo: true
* arno-iptables-firewall/services-udp: 53
arno-iptables-firewall/title:
* arno-iptables-firewall/config-ext-if: eth0
* arno-iptables-firewall/services-tcp: 25 53 110 143 443 10000
* arno-iptables-firewall/restart: true
* arno-iptables-firewall/config-int-if: eth1
* arno-iptables-firewall/nat: true
* arno-iptables-firewall/debconf-wanted: true
# ./arno-iptables-firewall start
Arno's Iptables Firewall Script 1.8.8.i-2
-------------------------------------------------------------------------------
Sanity checks passed...OK
Detected IPTABLES module... Loading additional IPTABLES modules:
All IPTABLES modules loaded!
Setting the kernel ring buffer to only log panic messages to the console
Configuring /proc/.... settings:
Enabling anti-spoof with rp_filter
Enabling SYN-flood protection via SYN-cookies
Disabling the logging of martians
Disabling the acception of ICMP-redirect messages
Setting the max. amount of simultaneous connections to 16384
Enabling protection against source routed packets
Setting default conntrack timeouts
Enabling reduction of the DoS'ing ability
Setting Default TTL=64
Disabling ECN (Explicit Congestion Notification)
Enabling support for dynamic IP's
Flushing route table
/proc/ setup done...
Flushing rules in the filter table
Setting default (secure) policies
Using loglevel "info" for syslogd
Setting up firewall rules:
-------------------------------------------------------------------------------
Accepting packets from the local loopback device
Enabling setting the maximum packet size via MSS
Enabling mangling TOS
Logging of stealth scans (nmap probes etc.) enabled
iptables: Invalid argument
iptables: Invalid argument
iptables: Invalid argument
iptables: Invalid argument
iptables: Invalid argument
iptables: Invalid argument
iptables: Invalid argument
Logging of packets with bad TCP-flags enabled
iptables: Invalid argument
iptables: Invalid argument
Logging of INVALID packets disabled
Logging of fragmented packets enabled
iptables: Invalid argument
Logging of access from reserved addresses enabled
iptables: Invalid argument
iptables: Invalid argument
iptables: Invalid argument
iptables: Invalid argument
Setting up anti-spoof rules
Reading custom IPTABLES rules from /etc/arno-iptables-firewall/custom-rules
Loading (user) plugins
iptables: Invalid argument
Setting up INPUT policy for the external net (INET):
iptables: Invalid argument
iptables: Invalid argument
iptables: Invalid argument
iptables: Invalid argument
Enabling support for a DHCP assigned IP on external interface(s): eth0
Logging of explicitly blocked hosts enabled
Logging of denied local output connections enabled
Packets will NOT be checked for private source addresses
Allowing the whole world to connect to TCP port(s): 22
Allowing the whole world to send ICMP-requests(ping)
iptables: Invalid argument
Logging of dropped ICMP-request(ping) packets enabled
iptables: Invalid argument
Logging of dropped other ICMP packets enabled
iptables: Invalid argument
iptables: Invalid argument
iptables: Invalid argument
iptables: Invalid argument
Logging of possible stealth scans enabled
iptables: Invalid argument
iptables: Invalid argument
Logging of (other) connection attempts to PRIVILEGED TCP ports enabled
iptables: Invalid argument
Logging of (other) connection attempts to PRIVILEGED UDP ports enabled
iptables: Invalid argument
Logging of (other) connection attempts to UNPRIVILEGED TCP ports enabled
iptables: Invalid argument
Logging of (other) connection attempts to UNPRIVILEGED UDP ports enabled
iptables: Invalid argument
Logging of other IP protocols (non TCP/UDP/ICMP) connection attempts enabled
iptables: Invalid argument
Logging of ICMP flooding enabled
iptables: Invalid argument
iptables: Invalid argument
iptables: Invalid argument
iptables: Invalid argument
iptables: Invalid argument
iptables: Invalid argument
Applying INET policy to external (INET) interface: eth0 (without an external
su)
iptables: Invalid argument
Setting up INPUT policy for internal (LAN) interface(s): eth1 eth2
Allowing ICMP-requests(ping)
iptables: Invalid argument
iptables: Invalid argument
Allowing all (other) protocols
iptables: Invalid argument
Setting up FORWARD policy for internal (LAN) interface(s): eth1 eth2
Logging of denied LAN->INET FORWARD connections enabled
Setting up LAN->INET policy:
Allowing ICMP-requests(ping)
iptables: Invalid argument
iptables: Invalid argument
Allowing all (other) protocols
Security is ENFORCED for external interface(s) in the FORWARD chain
iptables: Invalid argument
Feb 27 11:55:28 All firewall rules applied.
--
Arno van Amersfoort - E-mail: [EMAIL PROTECTED]
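A check on the start-up output shown in the report, as an added example (not part of the bug report or of the arno-iptables-firewall package): the script still prints its final "All firewall rules applied." line after many iptables calls failed with "Invalid argument", so a wrapper that runs the firewall should count those error lines instead of trusting the final status. The sample outputs below are constructed from the report above.

```shell
#!/bin/sh
# Added example, not code from arno-iptables-firewall. It parses the
# script's start-up output: the closing "All firewall rules applied."
# line is printed even when individual iptables invocations failed, so
# the only evidence of missing rules is the "iptables: Invalid argument"
# lines between the progress messages.

# count_iptables_errors FILE: print the number of failed iptables calls
count_iptables_errors() {
    # grep -c prints 0 and exits 1 when nothing matches; keep the 0
    grep -c '^iptables: Invalid argument' "$1" || :
}

# firewall_output_ok FILE: succeed only if the run reached its final
# status line AND no iptables call reported an error
firewall_output_ok() {
    grep -q 'All firewall rules applied' "$1" || return 2
    [ "$(count_iptables_errors "$1")" -eq 0 ]
}

# Constructed sample: a run with failed rules, modelled on the report
SAMPLE_OUT=$(mktemp)
cat >"$SAMPLE_OUT" <<'EOF'
Logging of stealth scans (nmap probes etc.) enabled
iptables: Invalid argument
iptables: Invalid argument
Logging of packets with bad TCP-flags enabled
Feb 27 11:55:28 All firewall rules applied.
EOF

# Constructed sample: the same run without any iptables failures
CLEAN_OUT=$(mktemp)
cat >"$CLEAN_OUT" <<'EOF'
Logging of stealth scans (nmap probes etc.) enabled
Logging of packets with bad TCP-flags enabled
Feb 27 11:55:28 All firewall rules applied.
EOF
trap 'rm -f "$SAMPLE_OUT" "$CLEAN_OUT"' EXIT

# Stand-alone usage: report the sample with failed rules
if firewall_output_ok "$SAMPLE_OUT"; then
    echo "firewall start-up clean"
else
    echo "$(count_iptables_errors "$SAMPLE_OUT") iptables call(s) failed; rule set is incomplete"
fi
```

In a real deployment the same functions would be run over the captured output of `arno-iptables-firewall start` (the path and invocation are assumed), so that a rule set silently missing its logging and anti-scan rules is treated as a failed start rather than a successful one.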