mirror of
https://gitlab.com/shorewall/code.git
synced 2024-11-26 17:43:15 +01:00
Remove anachronisms from FAQ
This commit is contained in:
Tom Eastep
parent
0bd3b0c0af
commit
acf40290a5
78
docs/FAQ.xml
78
docs/FAQ.xml
@ -1600,20 +1600,6 @@ teastep@ursa:~$ </programlisting>The first number determines the maximum log
|
||||
and FORWARD chains which aren't traversed until later.</para>
|
||||
</section>
|
||||
|
||||
<section id="faq56">
|
||||
<title>(FAQ 56) When I start or restart Shorewall, I see these messages
|
||||
in my log. Are they harmful?</title>
|
||||
|
||||
<blockquote>
|
||||
<programlisting>modprobe: Can't locate module ipt_physdev
|
||||
modprobe: Can't locate module iptable_raw</programlisting>
|
||||
</blockquote>
|
||||
|
||||
<para><emphasis role="bold">Answer:</emphasis> No. These occur when
|
||||
Shorewall probes your system to determine the features that it support.
|
||||
They are completely harmless.</para>
|
||||
</section>
|
||||
|
||||
<section id="faq81">
|
||||
<title>(FAQ 81) logdrop and logreject don't log.</title>
|
||||
|
||||
@ -1636,7 +1622,7 @@ modprobe: Can't locate module iptable_raw</programlisting>
|
||||
different ISPs. How do I set this up in Shorewall?</title>
|
||||
|
||||
<para><emphasis role="bold">Answer:</emphasis> See <ulink
|
||||
url="MultiISP.html">this article on Shorewall and Multiple
|
||||
url="MultiISP.html">this article about Shorewall and Multiple
|
||||
ISPs</ulink>.</para>
|
||||
</section>
|
||||
|
||||
@ -1699,38 +1685,6 @@ ERROR: Command "ip -4 rule add from all table 254 pref 999" Failed</programlisti
|
||||
<command>shorewall[-lite] clear</command> </quote> command.</para>
|
||||
</section>
|
||||
|
||||
<section id="faq8">
|
||||
<title>(FAQ 8) When I try to start Shorewall on RedHat, I get messages
|
||||
about insmod failing -- what's wrong?</title>
|
||||
|
||||
<para><emphasis role="bold">Answer:</emphasis> The output you will see
|
||||
looks something like this:</para>
|
||||
|
||||
<programlisting>/lib/modules/2.4.17/kernel/net/ipv4/netfilter/ip_tables.o: init_module: Device or resource busy
|
||||
Hint: insmod errors can be caused by incorrect module parameters, including invalid IO or IRQ parameters
|
||||
/lib/modules/2.4.17/kernel/net/ipv4/netfilter/ip_tables.o: insmod
|
||||
/lib/modules/2.4.17/kernel/net/ipv4/netfilter/ip_tables.o failed
|
||||
/lib/modules/2.4.17/kernel/net/ipv4/netfilter/ip_tables.o: insmod ip_tables failed
|
||||
iptables v1.2.3: can't initialize iptables table `nat': iptables who? (do you need to insmod?)
|
||||
Perhaps iptables or your kernel needs to be upgraded.</programlisting>
|
||||
|
||||
<para>This problem is usually corrected through the following sequence
|
||||
of commands</para>
|
||||
|
||||
<programlisting><command>service ipchains stop
|
||||
chkconfig --delete ipchains
|
||||
rmmod ipchains</command></programlisting>
|
||||
|
||||
<section id="faq8a">
|
||||
<title>(FAQ 8a) When I try to start Shorewall on RedHat I get a
|
||||
message referring me to FAQ #8</title>
|
||||
|
||||
<para><emphasis role="bold">Answer:</emphasis> This is usually cured
|
||||
by the sequence of commands shown above in <xref
|
||||
linkend="faq8" />.</para>
|
||||
</section>
|
||||
</section>
|
||||
|
||||
<section id="faq9">
|
||||
<title>(FAQ 9) Why can't Shorewall detect my interfaces properly at
|
||||
startup?</title>
|
||||
@ -1873,16 +1827,6 @@ iptables: Invalid argument
|
||||
</note>
|
||||
</section>
|
||||
|
||||
<section id="faq62">
|
||||
<title>(FAQ 62) I have unexplained 30-second pauses during "shorewall
|
||||
[re]start". What causes that?</title>
|
||||
|
||||
<para><emphasis role="bold">Answer:</emphasis> This usually happens when
|
||||
the firewall uses LDAP Authentication. The solution is to list your LDAP
|
||||
server(s) as <emphasis role="bold">critical</emphasis> in <ulink
|
||||
url="manpages/shorewall-routestopped.html">/etc/shorewall/routestopped</ulink>.</para>
|
||||
</section>
|
||||
|
||||
<section id="faq68">
|
||||
<title>(FAQ 68) I have a VM under an OpenVZ system. I can't get rid of
|
||||
the following message:</title>
|
||||
@ -1892,7 +1836,7 @@ iptables: Invalid argument
|
||||
|
||||
<para><emphasis role="bold">Answer:</emphasis> At a root shell prompt,
|
||||
type the iptables command shown in the error message. If the command
|
||||
fails, you OpenVZ Netfilter/iptables configuration is incorrect. Until
|
||||
fails, your OpenVZ Netfilter/iptables configuration is incorrect. Until
|
||||
that command can run without error, no stateful iptables firewall will
|
||||
be able to run in your VM.</para>
|
||||
</section>
|
||||
@ -1962,7 +1906,7 @@ iptables: Invalid argument
|
||||
traffic is blocked for hosts behind the firewall trying to connect out
|
||||
onto the net or through the vpn (although i can reach the internal
|
||||
firewall interface and obtain dumps etc). Once I issue 'shorewall clear'
|
||||
followed by 'shorewall restart' it then works, despite the config not
|
||||
followed by 'shorewall start' it then works, despite the config not
|
||||
changing</title>
|
||||
|
||||
<para><emphasis role="bold">Answer:</emphasis> Set IP_FORWARDING=On in
|
||||
@ -2040,6 +1984,8 @@ We have an error talking to the kernel
|
||||
you may be able to resolve the problem by loading the <emphasis
|
||||
role="bold">act_police</emphasis> kernel module. Other kernel modules
|
||||
that you will need include:<simplelist>
|
||||
<member>cls_fw</member>
|
||||
|
||||
<member>cls_u32</member>
|
||||
|
||||
<member>sch_htb</member>
|
||||
@ -2138,11 +2084,9 @@ We have an error talking to the kernel
|
||||
broadcast address as the source address?</term>
|
||||
|
||||
<listitem>
|
||||
<para><emphasis role="bold">Answer:</emphasis> Shorewall can be
|
||||
configured to do that using the <ulink
|
||||
url="blacklisting_support.htm">blacklisting</ulink> facility.
|
||||
Shorewall versions 2.0.0 and later filter these packets under the
|
||||
<firstterm>nosmurfs</firstterm> interface option in <ulink
|
||||
<para><emphasis role="bold">Answer:</emphasis> Shorwall filters
|
||||
these packets under the <firstterm>nosmurfs</firstterm> interface
|
||||
option in <ulink
|
||||
url="manpages/shorewall-interfaces.html">/etc/shorewall/interfaces</ulink>.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
@ -2162,11 +2106,7 @@ We have an error talking to the kernel
|
||||
<term>DOS: - SYN Dos - ICMP Dos - Per-host Dos protection</term>
|
||||
|
||||
<listitem>
|
||||
<para><emphasis role="bold">Answer:</emphasis> Shorewall has
|
||||
facilities for limiting SYN and ICMP packets. Netfilter as
|
||||
included in standard Linux kernels doesn't support per-remote-host
|
||||
limiting except by explicit rule that specifies the host IP
|
||||
address; that form of limiting is supported by Shorewall.</para>
|
||||
<para><emphasis role="bold">Answer:</emphasis> Yes.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
|
||||
Loading…
Reference in New Issue
Block a user