From acf40290a517ae27601f9079b4cb86b549601f1c Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Tue, 26 May 2009 07:19:49 -0700 Subject: [PATCH] Remove anachronisms from FAQ --- docs/FAQ.xml | 78 ++++++---------------------------------------------- 1 file changed, 9 insertions(+), 69 deletions(-) diff --git a/docs/FAQ.xml b/docs/FAQ.xml index a66eb2671..8c6a088a0 100644 --- a/docs/FAQ.xml +++ b/docs/FAQ.xml @@ -1600,20 +1600,6 @@ teastep@ursa:~$ The first number determines the maximum log and FORWARD chains which aren't traversed until later. -
- (FAQ 56) When I start or restart Shorewall, I see these messages - in my log. Are they harmful? - -
- modprobe: Can't locate module ipt_physdev -modprobe: Can't locate module iptable_raw -
- - Answer: No. These occur when - Shorewall probes your system to determine the features that it support. - They are completely harmless. -
-
(FAQ 81) logdrop and logreject don't log. @@ -1636,7 +1622,7 @@ modprobe: Can't locate module iptable_raw different ISPs. How do I set this up in Shorewall? Answer: See this article on Shorewall and Multiple + url="MultiISP.html">this article about Shorewall and Multiple ISPs.
@@ -1699,38 +1685,6 @@ ERROR: Command "ip -4 rule add from all table 254 pref 999" Failedshorewall[-lite] clear command. -
- (FAQ 8) When I try to start Shorewall on RedHat, I get messages - about insmod failing -- what's wrong? - - Answer: The output you will see - looks something like this: - - /lib/modules/2.4.17/kernel/net/ipv4/netfilter/ip_tables.o: init_module: Device or resource busy -Hint: insmod errors can be caused by incorrect module parameters, including invalid IO or IRQ parameters -/lib/modules/2.4.17/kernel/net/ipv4/netfilter/ip_tables.o: insmod -/lib/modules/2.4.17/kernel/net/ipv4/netfilter/ip_tables.o failed -/lib/modules/2.4.17/kernel/net/ipv4/netfilter/ip_tables.o: insmod ip_tables failed -iptables v1.2.3: can't initialize iptables table `nat': iptables who? (do you need to insmod?) -Perhaps iptables or your kernel needs to be upgraded. - - This problem is usually corrected through the following sequence - of commands - - service ipchains stop -chkconfig --delete ipchains -rmmod ipchains - -
- (FAQ 8a) When I try to start Shorewall on RedHat I get a - message referring me to FAQ #8 - - Answer: This is usually cured - by the sequence of commands shown above in . -
-
-
(FAQ 9) Why can't Shorewall detect my interfaces properly at startup? @@ -1873,16 +1827,6 @@ iptables: Invalid argument
-
- (FAQ 62) I have unexplained 30-second pauses during "shorewall - [re]start". What causes that? - - Answer: This usually happens when - the firewall uses LDAP Authentication. The solution is to list your LDAP - server(s) as critical in /etc/shorewall/routestopped. -
-
(FAQ 68) I have a VM under an OpenVZ system. I can't get rid of the following message: @@ -1892,7 +1836,7 @@ iptables: Invalid argument Answer: At a root shell prompt, type the iptables command shown in the error message. If the command - fails, you OpenVZ Netfilter/iptables configuration is incorrect. Until + fails, your OpenVZ Netfilter/iptables configuration is incorrect. Until that command can run without error, no stateful iptables firewall will be able to run in your VM.
@@ -1962,7 +1906,7 @@ iptables: Invalid argument traffic is blocked for hosts behind the firewall trying to connect out onto the net or through the vpn (although i can reach the internal firewall interface and obtain dumps etc). Once I issue 'shorewall clear' - followed by 'shorewall restart' it then works, despite the config not + followed by 'shorewall start' it then works, despite the config not changing Answer: Set IP_FORWARDING=On in @@ -2040,6 +1984,8 @@ We have an error talking to the kernel you may be able to resolve the problem by loading the act_police kernel module. Other kernel modules that you will need include: + cls_fw + cls_u32 sch_htb @@ -2138,11 +2084,9 @@ We have an error talking to the kernel broadcast address as the source address? - Answer: Shorewall can be - configured to do that using the blacklisting facility. - Shorewall versions 2.0.0 and later filter these packets under the - nosmurfs interface option in Answer: Shorwall filters + these packets under the nosmurfs interface + option in /etc/shorewall/interfaces. @@ -2162,11 +2106,7 @@ We have an error talking to the kernel DOS: - SYN Dos - ICMP Dos - Per-host Dos protection - Answer: Shorewall has - facilities for limiting SYN and ICMP packets. Netfilter as - included in standard Linux kernels doesn't support per-remote-host - limiting except by explicit rule that specifies the host IP - address; that form of limiting is supported by Shorewall. + Answer: Yes.