Shorewall Support GuideTomEastep2001-2006Thomas M. EastepPermission is granted to copy, distribute and/or modify this
document under the terms of the GNU Free Documentation License, Version
1.2 or any later version published by the Free Software Foundation; with
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
GNU Free Documentation
License.Problem reports that do not include the information requested in
the Problem Reporting Guidelines
below will not be answered by the Shorewall
author.This article applies to Shorewall 3.0 and
later. If you are running a version of Shorewall earlier than Shorewall
3.0.0 then please see the documentation for that
release.Before Reporting a Problem or Asking a QuestionThere are a number of sources of Shorewall information. Please try
these before you post.The two currently-supported Shorewall major releases are 3.0 and 3.2.Shorewall versions earlier than 3.0.0 are no longer supported;
we will try to help but I will personally not spend time reading
earlier code to try to help you solve a problem.More than half of the questions posted on the support list have
answers directly accessible from the Documentation IndexThe FAQ has solutions to more than
50 common problems.The Troubleshooting
Information contains a number of tips to help you solve common
problems.Problem Reporting GuidelinesPlease refer to the following flowchart to guide you through the
problem reporting process.Please don't use distribution specific
programs like "service" or init scripts to start/restart Shorewall
while trying to solve a problem, just follow carefully the
instructions below.As a general matter, please do not edit
the diagnostic information in an attempt to conceal your IP
address, netmask, nameserver addresses, domain name, etc. These
aren't secrets, and concealing them
often misleads us (and 80% of the time, a cracker could derive them
anyway from information contained in the SMTP headers of your
post).If your problem is that an error occurs when you try to
shorewall start or if Shorewall is
otherwise failing to start properly, then please:
/sbin/shorewall trace start 2> /tmp/traceForward the /tmp/trace file as an
attachment compressed with gzip or bzip2.If you are running Shorewall version 3.2.0 or later and
compilation succeeds but the compiled program fails, then please
include the compiled program with your report. The compiled program
will be named /var/lib/shorewall/.start if the
command is shorewall start and it will be named
/var/lib/shorewall/.restart if the command is
shorewall restart.
If you are unsure if Shorewall is starting successfully or not
then first note that if Shorewall starts successfully, the last
message produced by Shorewall 3.0 is "Shorewall Started" and the last
message produced by Shorewall 3.2 in "done.":
If you are seeing this message then Shorewall is starting
successfully.If you are still unsure if Shorewall is starting or not, enter
the following command:
/sbin/shorewall status
If Shorewall has started successfully, you will see output
similar to this:
Shorewall-3.0.6 Status at gateway - Thu Mar 30 14:07:29 PDT 2006
Shorewall is running
State:Started (Thu Mar 30 14:07:29 PDT 2006)
If Shorewall has not started properly, you will see output
similar to this:
Shorewall-3.0.6 Status at gateway - Thu Mar 30 14:08:11 PDT 2006
Shorewall is stopped
State:Stopped (Thu Mar 30 14:08:11 PDT 2006)
The "State:" refers to the Shorewall State
Diagram.If Shorewall is starting successfully and your problem is that
some set of connections to/from or
through your firewall isn't working
(examples: local systems can't access the internet, you can't send
email through the firewall, you can't surf the web from the firewall,
etc.) or you are having problems with traffic
shaping then please perform the following six steps:If Shorewall isn't started then /sbin/shorewall
start. Otherwise /sbin/shorewall
reset.Try making the connection that is failing./sbin/shorewall dump >
/tmp/status.txtPost the /tmp/status.txt file as an
attachment compressed with gzip or bzip2.Describe where you are trying to make the connection from
(IP address) and what host (IP address) you are trying to connect
to.Otherwise:Shorewall is starting successfuly and you have no connection problems and you have no traffic shaping problems. Your problem is
with performance, logging, etc. Please include the following:the exact version of Shorewall you are running./sbin/shorewall versionthe complete exact output ofip addr showthe complete exact output ofip route showA detailed description of your problem.Please remember we only know what is posted in your message. Do
not leave out any information that appears to be correct, or was
mentioned in a previous post. There have been countless posts by
people who were sure that some part of their configuration was correct
when it actually contained a small error. We tend to be skeptics where
detail is lacking.Please keep in mind that you're asking for free technical support. Any help we offer is an
act of generosity, not an obligation. Try to
make it easy for us to help you. Follow good, courteous
practices in writing and formatting your e-mail. Provide details that
we need if you expect good answers. Exact quoting of error messages,
log entries, command output, and other output is better than a
paraphrase or summary.Please give details about what doesn't work. Reports that say
I followed the directions and it didn't work may elicit
sympathy but probably little in the way of help. Again -- if ping from
A to B fails, say so (and see below for information about reporting
ping problems). If Computer B doesn't show up in
Network Neighborhood then say so. If access by IP
address works but by DNS names it doesn't then say so.Please don't describe your environment and then ask us to send
you custom configuration files. We're here to answer your questions
but we can't do your job for you.Please do NOT include the output of iptables
-L — the output of shorewall
show or shorewall status is much more
useful.Do you see any Shorewall messages
(/sbin/shorewall show log) when you
exercise the function that is giving you problems? If so, include the
message(s) in your post along with a copy of your
/etc/shorewall/interfaces file (and /etc/shorewall/hosts file if you
have entries in that file).Please DO NOT INCLUDE SHOREWALL
CONFIGURATION FILES unless you have specifically asked to
do so. The output of shorewall dump collected as
described above is much more useful.The list server limits the size of posts
to the lists, so don't post graphics of your network layout, etc. to
the Mailing List -- your post will be rejected.The author gratefully acknowleges that the above list was
heavily plagiarized from the excellent LEAF document by Ray
Olszewski found here.When using the mailing list, please post in plain textA growing number of MTAs serving list subscribers are rejecting all
HTML traffic. At least one MTA has gone so far as to blacklist
shorewall.net for continuous abuse because it has been my
policy to allow HTML in list posts!!I think that blocking all HTML is a Draconian way to control spam
and that the ultimate losers here are not the spammers but the list
subscribers whose MTAs are bouncing all shorewall.net mail. As one list
subscriber wrote to me privately These e-mail admin's need to get a
(expletive deleted) life instead of trying to rid the planet of HTML based
e-mail. Nevertheless, to allow subscribers to receive list posts
as must as possible, I have now configured the list server at
shorewall.net to convert all HTML to plain text. Sometimes the conversion
process fails in which case, the post sent to the list is empty. Even when
conversion succeeds, the converted post is difficult to read so all of us
will appreciate it if you just post in plain text to begin with.Where to Send your Problem Report or to Ask for HelpIf you run the current development release and
your question involves a feature that is only available in the development
release (see the Shorewall
Release Model page) -- please post your question or problem to the
Shorewall
Development Mailing List. IMPORTANT: You must subscribe to the list before
you will be able to post to it (see link below).If you run Shorewall under MandrivaSoft Multi
Network Firewall (MNF) and you have not purchased an MNF license from
MandrivaSoft then you can post non MNF-specific Shorewall questions to the
Shorewall users
mailing list. Do not expect to get free MNF support on the
list.Otherwise, please post your question or problem to the Shorewall users mailing
list. IMPORTANT: You must
subscribe to the list before you will be able to post to it (see link
below).Please read the list usage
instructions (found on the information page for each list)
before posting.For quick questions, there is also
a #shorewall channel at irc.freenode.net.Subscribing to the Users Mailing ListTo Subscribe to the users mailing list go to https://lists.sourceforge.net/lists/listinfo/shorewall-users.Subscribing to the Announce Mailing ListTo Subscribe to the announce mailing list (low-traffic,read only) go
to:https://lists.sourceforge.net/lists/listinfo/shorewall-announceSubscribing to the Development Mailing ListTo Subscribe to the development mailing list go to https://lists.sourceforge.net/lists/listinfo/shorewall-devel.Other Mailing ListsFor information on other Shorewall mailing lists, go to http://sourceforge.net/mail/?group_id=22587
.