Yet another batch of 4.0 Doc updates

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@6680 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2007-06-26 15:41:12 +00:00
parent b605aff1a8
commit 24d75ad5ed


@ -36,56 +36,61 @@
<title><quote>shorewall start</quote> and <quote>shorewall restart</quote> <title><quote>shorewall start</quote> and <quote>shorewall restart</quote>
Errors</title> Errors</title>
<para>You receive an error message when starting or restarting the <section>
firewall and you can't determine the cause. First, if your VERBOSITY <title>Shorewall-shell</title>
setting in shorewall.conf is less than 2, then try running with a higher
verbosity level by using the "-v" option:</para>
<blockquote> <para>If you use the Shorewall-shell compiler and you receive an error
<programlisting><command>shorewall -vv [re]start</command></programlisting> message when starting or restarting the firewall and you can't determine
</blockquote> the cause. First, if your VERBOSITY setting in shorewall.conf is less
than 2, then try running with a higher verbosity level by using the "-v"
option:</para>
<para>That will give you additional progress messages that may make it <blockquote>
clear which entry in which file is generating the error.</para> <programlisting><command>shorewall -vv [re]start</command></programlisting>
</blockquote>
<para>If that didn't help, then do the following:</para> <para>That will give you additional progress messages that may make it
clear which entry in which file is generating the error.</para>
<itemizedlist> <para>If that didn't help, then do the following:</para>
<listitem>
<para>Make a note of the error message that you see.</para>
</listitem>
<listitem> <itemizedlist>
<para><command>shorewall debug start 2&gt; /tmp/trace</command></para> <listitem>
</listitem> <para>Make a note of the error message that you see.</para>
</listitem>
<listitem> <listitem>
<para>Look at the <filename>/tmp/trace</filename> file and see if that <para><command>shorewall debug start 2&gt;
helps you determine what the problem is. Be sure you find the place in /tmp/trace</command></para>
the log where the error message you saw is generated -- If you are </listitem>
using Shorewall 1.4.0 or later, you should find the message near the
end of the log.</para>
</listitem>
<listitem> <listitem>
<para>If you still can't determine what's wrong then see the <ulink <para>Look at the <filename>/tmp/trace</filename> file and see if
url="support.htm">support page</ulink>.</para> that helps you determine what the problem is. Be sure you find the
</listitem> place in the log where the error message you saw is generated -- If
</itemizedlist> you are using Shorewall 1.4.0 or later, you should find the message
near the end of the log.</para>
</listitem>
<example> <listitem>
<title>Startup Error</title> <para>If you still can't determine what's wrong then see the <ulink
url="support.htm">support page</ulink>.</para>
</listitem>
</itemizedlist>
<para>During startup, a user sees the following:</para> <example>
<title>Startup Error</title>
<programlisting>Adding Common Rules <para>During startup, a user sees the following:</para>
<programlisting>Adding Common Rules
iptables: No chain/target/match by that name iptables: No chain/target/match by that name
Terminated</programlisting> Terminated</programlisting>
<para>A search through the trace for <quote>No chain/target/match by <para>A search through the trace for <quote>No chain/target/match by
that name</quote> turned up the following:</para> that name</quote> turned up the following:</para>
<programlisting>+ echo 'Adding Common Rules' <programlisting>+ echo 'Adding Common Rules'
+ add_common_rules + add_common_rules
+ run_iptables -A reject -p tcp -j REJECT --reject-with tcp-reset + run_iptables -A reject -p tcp -j REJECT --reject-with tcp-reset
++ echo -A reject -p tcp -j REJECT --reject-with tcp-reset ++ echo -A reject -p tcp -j REJECT --reject-with tcp-reset
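Review bot: the opening sentence of the new Shorewall-shell paragraph is a fragment. "If you use the Shorewall-shell compiler and you receive an error message when starting or restarting the firewall and you can't determine the cause." has no main clause, because the old "You receive an error message ... cause." was rewritten as a conditional without being joined to the sentence that follows it. Suggest merging the two: "If you use the Shorewall-shell compiler and you receive an error message when starting or restarting the firewall that you cannot explain, first check your VERBOSITY setting in shorewall.conf; if it is less than 2, try running with a higher verbosity level by using the "-v" option:". Also, the carried-over qualifier "If you are using Shorewall 1.4.0 or later" in the trace-file step is obsolete in a 4.0 document (per the commit message) and can simply state that the message will be near the end of the log.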
@ -94,11 +99,93 @@ Terminated</programlisting>
iptables: No chain/target/match by that name iptables: No chain/target/match by that name
</programlisting> </programlisting>
<para>The command that failed was: <quote><command>iptables -A reject -p <para>The command that failed was: <quote><command>iptables -A reject
tcp -j REJECT --reject-with tcp-reset</command></quote>. In this case, -p tcp -j REJECT --reject-with tcp-reset</command></quote>. In this
the user had compiled his own kernel and had forgotten to include REJECT case, the user had compiled his own kernel and had forgotten to
target support (see <ulink url="kernel.htm">kernel.htm</ulink>)</para> include REJECT target support (see <ulink
</example> url="kernel.htm">kernel.htm</ulink>)</para>
</example>
</section>
<section>
<title>Shorewall-perl</title>
<para>If the error is detected by the Shorewall-perl compiler, it should
be fairly obvious where the problem was found. Each error message
includes the configuration file name and line number where the error was
detected and often gives the particular item in error. The item is
either enclosed in parentheses or is at the end following a colon
(":").</para>
<para>Example:<programlisting>gateway:~/test # shorewall restart .
Compiling...
ERROR: Invalid ICMP Type (0/400) : /root/test/rules (line 19)
gateway:~/test # </programlisting>In this case, line 19 in the rules file
specified an invalid ICMP Type (0/400).</para>
<para>Additional information about the error can be obtained using the
'debug' keyword:<programlisting>gateway:~/test # shorewall debug restart .
Compiling...
ERROR: Invalid ICMP Type (0/400) : /root/test/rules (line 19) at /usr/share/shorewall-perl/Shorewall/Config.pm line 338
Shorewall::Config::fatal_error('Invalid ICMP Type (0/400)') called at /usr/share/shorewall-perl/Shorewall/Chains.pm line 885
Shorewall::Chains::validate_icmp('0/400') called at /usr/share/shorewall-perl/Shorewall/Chains.pm line 949
Shorewall::Chains::do_proto('icmp', '0/400', '-') called at /usr/share/shorewall-perl/Shorewall/Rules.pm line 1055
Shorewall::Rules::process_rule1('ACCEPT', 'loc', 'net', 'icmp', '0/400', '-', '-', '-', '-', ...) called at /usr/share/shorewall-perl/Shorewall/Rules.pm line 1290
Shorewall::Rules::process_rule('ACCEPT', 'loc', 'net', 'icmp', '0/400', '-', '-', '-', '-', ...) called at /usr/share/shorewall-perl/Shorewall/Rules.pm line 1336
Shorewall::Rules::process_rules() called at /usr/share/shorewall-perl/Shorewall/Compiler.pm line 799
Shorewall::Compiler::compiler('/var/lib/shorewall/.restart', '/root/test', 0, 4) called at /usr/share/shorewall-perl/compiler.pl line 86
gateway:~/test # </programlisting>This information is useful to Shorewall
support if you need to <ulink url="support.html">file a problem
report</ulink>.</para>
<para>The end of the compile phase is signaled by a message such as the
following:<programlisting>Shorewall configuration compiled to /var/lib/shorewall/.restart</programlisting>Errors
occuring past that point are said to occur at
<firstterm>run-time</firstterm> because they occur during the running of
the compiled firewall script (/var/lib/shorewall/.restart in the case of
the above message).</para>
<para>One common run-time failure is that the iptables-restore program
encounters an error. This will produce an error such as the
following:<programlisting>...
Restarting Shorewall....
iptables-restore v1.3.6: No chain/target/match by that name
Error occurred at line: 83
Try `iptables-restore -h' or 'iptables-restore --help' for more information.
ERROR: iptables-restore Failed. Input is in /var/lib/shorewall/.iptables-restore-input
Restoring Shorewall...
Shorewall restored from /var/lib/shorewall/restore
Terminated
gateway:~/test # </programlisting>A look at /var/lib/shorewall/restore at line
83 might show something like the following:<programlisting>-A reject -p tcp -j REJECT --reject-with tcp-reset</programlisting>In
this case, the user had compiled his own kernel and had forgotten to
include REJECT target support (see <ulink
url="kernel.htm">kernel.htm</ulink>).</para>
<para>In other run-time failure cases:<itemizedlist>
<listitem>
<para>Make a note of the error message that you see.</para>
</listitem>
<listitem>
<para><command>shorewall debug start 2&gt;
/tmp/trace</command></para>
</listitem>
<listitem>
<para>Look at the <filename>/tmp/trace</filename> file and see if
that helps you determine what the problem is. Be sure you find the
place in the log where the error message you saw is generated --
If you are using Shorewall 1.4.0 or later, you should find the
message near the end of the log.</para>
</listitem>
<listitem>
<para>If you still can't determine what's wrong then see the
<ulink url="support.htm">support page</ulink>.</para>
</listitem>
</itemizedlist></para>
</section>
</section> </section>
<section> <section>
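Review bot: the run-time failure example sends the reader to the wrong file. The iptables-restore output says "Error occurred at line: 83" and "ERROR: iptables-restore Failed. Input is in /var/lib/shorewall/.iptables-restore-input", while /var/lib/shorewall/restore is the file the firewall was subsequently restored from ("Shorewall restored from /var/lib/shorewall/restore"), so the sentence "A look at /var/lib/shorewall/restore at line 83 might show something like the following:" should name /var/lib/shorewall/.iptables-restore-input, the file that iptables-restore actually read. Three smaller points in the same hunk: "occuring" should be "occurring"; the support link is "support.html" in the debug paragraph but "support.htm" in the closing list (and in the Shorewall-shell section), so one spelling should be used throughout; and "If you are using Shorewall 1.4.0 or later" is meaningless in a section about the Shorewall-perl compiler and should be dropped, since that list is otherwise copied verbatim from the Shorewall-shell section and could instead reference it.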