From 31f0b2dc68295c26d50e7c5482557b11ff39847f Mon Sep 17 00:00:00 2001 From: teastep Date: Wed, 6 Oct 2004 14:32:53 +0000 Subject: [PATCH] Add Error Messages Article git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1665 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb --- Shorewall-docs2/Documentation_Index.xml | 6 +- Shorewall-docs2/ErrorMessages.xml | 505 ++++++++++++++++++++++++ 2 files changed, 510 insertions(+), 1 deletion(-) create mode 100644 Shorewall-docs2/ErrorMessages.xml diff --git a/Shorewall-docs2/Documentation_Index.xml b/Shorewall-docs2/Documentation_Index.xml index 752a24d15..915368f2d 100644 --- a/Shorewall-docs2/Documentation_Index.xml +++ b/Shorewall-docs2/Documentation_Index.xml @@ -15,7 +15,7 @@ - 2004-09-23 + 2004-10-05 2001-2004 @@ -296,6 +296,10 @@ Errata + + Error Messages + + Extension Scripts (How to extend Shorewall without modifying Shorewall diff --git a/Shorewall-docs2/ErrorMessages.xml b/Shorewall-docs2/ErrorMessages.xml new file mode 100644 index 000000000..2d2fc558b --- /dev/null +++ b/Shorewall-docs2/ErrorMessages.xml @@ -0,0 +1,505 @@ + + +
+ + + + Shorewall Error Messages + + + + Tom + + Eastep + + + + 2004-10-06 + + + 2004 + + Thomas M. Eastep + + + + Permission is granted to copy, distribute and/or modify this + document under the terms of the GNU Free Documentation License, Version + 1.2 or any later version published by the Free Software Foundation; with + no Invariant Sections, with no Front-Cover, and with no Back-Cover + Texts. A copy of the license is included in the section entitled + GNU Free Documentation + License. + + + +
+ Introduction + + Shorewall can produce a wide variety of error messages when a + problem is detected with your configuration. This article attempts to + explain the cause of and cures for some of these messages. +
+ +
+ Messages Produced by /sbin/shorewall + + Some error messages are produced by the /sbin/shorewall utility. + These messages are detailed in this section. + + + + ERROR: <label> must specify a simple file name: + <name> + + + This means that you have specified a restore file name with a + "/". Restore files must be simple file names with no slashes. + + + + + ERROR: Shorewall is not properly installed + + + The files /usr/share/shorewall/firewall + and/or /usr/share/shorewall/version do not + exist. + + + + + ERROR: <file name> exists and is not a saved + Shorewall configuration + + + The named file in /var/lib/shorewall + exists but is not executable. + + + + + ERROR: Reserved file name: <file name> + + + You have specified either save or + restore-base as the name of a restore file -- + those names are reserved for use by Shorewall. + + + + + ERROR: Currently-running Configuration Not + Saved + + + During processing of a shorewall save + command, the iptables-save command failed. + + + + + ERROR: /var/lib/shorewall/restore-base does not + exist + + + The shorewall start and shorewall + restart commands create a file called + /var/lib/shorewall/restore-base which forms the + basis for creating a restore file using shorewall + save. This error message is issued when shorewall + save is not able to find that file. + + + +
+ +
+ Messages Produced by /usr/share/shorewall/firewall + + The program /usr/share/shorewall/firewall is + responsible for parsing the Shorewall configuration files and for creating + and changing the Netfilter configuration. Some of the error messages + generated by this program are listed below. + + + + ERROR: Invalid zone definition for zone + <zone> + + + The zone named in the message is defined to be associated with + an interface in /etc/shorewall/interfaces yet + it also has an entry for that same interface in + /etc/shorewall/hosts. + + + + + ERROR: Invalid zone (<zone>) in record + "<record>" + + + The zone named in the ZONE column of the listed record from + /etc/shorewall/interfaces or + /etc/shorewall/hosts is not defined in + /etc/shorewall/zones. + + + + + ERROR: Duplicate Interface <interface> + + + The named interface has two entries in + /etc/shorewall/interfaces. + + + + + ERROR: Invalid Interface Name: + <interface> + + + The interface name contains a colon (":") or is "+". If the + name includes a ":", you probably need to read this + article. + + + + + ERROR: Unknown interface (<interface>) in record + "<record>" + + + The <interface> name listed in the + <record> from + /etc/shorewall/hosts was not defined in + /etc/shorewall/interfaces. + + + + + ERROR: Bridged interfaces may not be defined in + /etc/shorewall/interfaces: + <interface>[:<address>] + + + The named interface appears in /etc/shorewall/hosts and + appears as a bridge port (after a colon) but is also defined in + /etc/shorewall/interfaces. + + + + + ERROR: Your kernel and/or iptables does not support policy + match: ipsec + + + You have specified the ipsec + option in an /etc/shorewall/hosts record but + your kernel and/or iptables is missing policy match support. That + support in turn requires a set of ipsec-netfilter patches in order + to work correctly. 
+ + + + + ERROR: Undefined zone <zone> + + + The named zone appears in the /etc/shorewall/policy file but + not in the /etc/shorewall/zones file. + + + + + ERROR: Can't determine the IP address of + <interface> + + + You have specified DETECT_DNAT_ADDRS=Yes in + /etc/shorewall/shorewall.conf and Shorewall is unablee to determine + the IP address of the named <interface>. + Be sure that the interface is started before starting Shorewall or + set DETECT_DNAT_ADDRS=No. + + + + + ERROR: Invalid gateway zone (<zone>) -- Tunnel + "<record> + + + The listed <zone> name appears in + the GATEWAY ZONE column of the listed + <record> from + /etc/shorewall/tunnels but is not defined in + /etc/shorewall/zones. + + + + + ERROR: Your kernel and/or iptables does not support policy + match + + + Your /etc/shorewall/ipsec file is non-empty but your kernel + and/or iptables do not include policy match support. That support in + turn requires a set of ipsec-netfilter patches in order to work + correctly. + + + + + ERROR: No hosts on <interface> have the maclist + option specified + + + The named <interface> appears in a + record in /etc/shorewall/maclist yet that + interface's record in /etc/shorewall/interfaces + does not specify the maclist option + and no record in /etc/shorewall/hosts that + names that interface includes the maclist option. + + + + + ERROR: Interface <interface> must be up before + Shorewall can start + + + You have specified the maclist option for this interface but the + command ip list show <interface> + fails. + + + + + ERROR: Unknown interface <interface> + + + The interface appears in a configuration file but is not + defined in /etc/shorewall/interfaces. + + + + + ERROR: BRIDGING=Yes requires Physdev Match support in your + Kernel and iptables + + + You have set BRIDGING=Yes in + /etc/shorewall/shorewall.conf but it appears + that your kernel and/or iptables do not have physdev match + support. 
+ + + + + ERROR: Unknown interface <interface> in rule: + "<rule>" + + + You have BRIDGING=No in + /etc/shorewall/shorewall.conf and the + <interface> given in a rule does not + match an entry in + /etc/shorewall/interfaces. + + + + + ERROR: SNAT may no longer be specified in a DNAT rule; use + /etc/shorewall/masq instead + + + In earlier Shorewall versions, the ORIGINAL DEST column + allowed following the original destination IP address with ":" and + an address to use as the source of the forwarded connection request. + Now that /etc/shorewall/masq supports qualification of SNAT rules by + protocol and port, this feature is no longer required and has been + deimplemented. + + + + + ERROR: "Invalid Source in rule "<rule>" + + + The SOURCE column has the firewall zone name immediately + followed by "!". This syntax is use to exclude a subzone and + Shorewall currently doesn't support subzones of the firewall + zone. + + + + + ERROR: Rule "<rule>" - Destination may not be + specified by MAC Address + + + Netfilter (and hence Shorewall) does not allow qualification + of a rule by destination source IP address. + + + + + ERROR: Destination interface not allowed with + <action> + + + The named <action> will be ACCEPT+ + or NONAT. These actions are inforced in part in the PREROUTING nat + chain where the destination interface is not yet known (because the + packet has not yet been routed). As a result, the DESTINATION column + may not contain an interface name. + + + + + ERROR: Only DNAT and REDIRECT rules may specify destination + mapping; rule "<rule>" + + + The <rule> specifies a server + address that is different from the ORIGINAL DEST address and/or it + specifies a server port that is different from the destination port + but the ACTION is neither DNAT[-] nor REJECT[-]. + + + + + ERROR: Empty source zone or qualifier: rule + "<rule>" + + + The SOURCE column is of one of the forms + <zone>:, + :<qualifier> or :. 
+ + + + + ERROR: Exclude list only allowed with DNAT or + REDIRECT + + + In DNAT[-] and REDIRECT[-] rules, you can have a SOURCE of the + form + <zone>:<net1>!<net2>. + This means <net1> in the + <zone> zone except + for <net2>. This syntax is not + available with other ACTIONs. + + + + + ERROR: Invalid use of a user-qualification: rule + "<rule>" + + + The USER/GROUP column may only have and entry if the SOURCE is + the firewall zone. + + + + + ERROR: Empty destination zone or qualifier: rule + "<rule>" + + + The DEST column is of one of the forms + <zone>:, + :<qualifier> or :. + + + + + ERROR: Undefined Client Zone in rule + "<rule>" + + + The zone given in the SOURCE column was not defined in + /etc/shorewall/zones. + + + + + ERROR: Undefined Server Zone in rule + "<rule>" + + + The zone given in the DEST column was not defined in + /etc/shorewall/zones. + + + + + ERROR: Rules may not override a NONE policy: rule + "<rule>" + + + If the policy from zone z1 to zone z2 is NONE that means that + Shorewall sets up no infrastructure to handle traffic from z1 to z2. + Consequently, you cannot have any rules that control traffic from z1 + to z2. + + + + + ERROR: Invalid Action in rule "<rule>" + + + The ACTION column contains an action that is not one of the + built-in actions and it is not defined in + /etc/shorewall/actions or in + /usr/share/shorewall/actions.std. + + + + + ERROR: Unable to determine the routes through interface + <interface> + + + You have specified <interface> in + the SUBNET column of /etc/shorewall/masq which + means that Shorewall is supposed to determine the network(s) routed + through that interface. To do that, Shorewall issues the command + ip addr ls dev <interface> and that command + failed. This usually means that you are trying to start Shorewall + before the <interface> is brought + up. + + + +
+ +
+ Warnings + + This sections describes some of the more warnings generated by + Shorewall. + + + + Warning: default route ignored on interface + <interface> + + + This means that the interface named in the SUBNET column of + /etc/shorewall/masq has the default route. This + almost always means that you have the contents of the INTERFACE and + SUBNET columns reversed. + + + +
+
\ No newline at end of file
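Review bot: the index's copyright/revision date in the first Documentation_Index.xml hunk is bumped to 2004-10-05, but the ErrorMessages.xml article that the second hunk links to carries its own date of 2004-10-06 (and the commit itself is dated 6 Oct 2004); pick one date for both files so the index does not predate the article it lists.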
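Review bot: two of the explanations in the new ErrorMessages.xml contradict the message they describe. The entry for "ERROR: Only DNAT and REDIRECT rules may specify destination mapping" says the ACTION is "neither DNAT[-] nor REJECT[-]", while the message and the following "Exclude list only allowed with DNAT or REDIRECT" entry both refer to DNAT and REDIRECT; change "REJECT[-]" to "REDIRECT[-]". The entry for "ERROR: Rule ... Destination may not be specified by MAC Address" explains that Netfilter does not allow qualification "by destination source IP address"; it should say "by destination MAC address". Typos to fix in the same file: "unablee" (unable), "inforced" (enforced), "This syntax is use to exclude" (is used to), "may only have and entry" (an entry), and "This sections describes some of the more warnings" (singular "section", and a word is missing after "more"). The file is also committed without a trailing newline ("\ No newline at end of file"); add one so later diffs against it stay clean.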