Shorewall TroubleshootingBeating head on table

"If you think you can you can; if you think you can't you're right.
If you don't believe that you can, why should someone else?" -- Gunnar Tapper

Check the Errata

Check the Shorewall Errata to be sure that there isn't an update that you are missing for your version of the firewall.

Check the FAQs

Check the FAQs for solutions to common problems.

If the firewall fails to start

If you receive an error message when starting or restarting the firewall and you can't determine the cause, then do the following: Here's an example. During startup, a user sees the following:
Adding Common Rules
iptables: No chain/target/match by that name
Terminated
A search through the trace for "No chain/target/match by that name" turned up the following: 
+ echo 'Adding Common Rules'
+ add_common_rules
+ run_iptables -A reject -p tcp -j REJECT --reject-with tcp-reset
++ echo -A reject -p tcp -j REJECT --reject-with tcp-reset
++ sed 's/!/! /g'
+ iptables -A reject -p tcp -j REJECT --reject-with tcp-reset
iptables: No chain/target/match by that name
The command that failed was: "iptables -A reject -p tcp -j REJECT --reject-with tcp-reset". In this case, the user had compiled his own kernel and had forgotten to include REJECT target support (see kernel.htm)

Your network environment

Many times when people have problems with Shorewall, the problem is actually an ill-conceived network setup. Here are several popular snafus:

If you are having connection problems:

If the appropriate policy for the connection that you are trying to make is ACCEPT, please DO NOT ADD ADDITIONAL ACCEPT RULES TRYING TO MAKE IT WORK. Such additional rules will NEVER make it work, they add clutter to your rule set and they represent a big security hole in the event that you forget to remove them later.

I also recommend against setting all of your policies to ACCEPT in an effort to make something work. That robs you of one of your best diagnostic tools - the "Shorewall" messages that Netfilter will generate when you try to connect in a way that isn't permitted by your rule set.

Check your log ("/sbin/shorewall show log"). If you don't see Shorewall messages, then your problem is probably NOT a Shorewall problem. If you DO see packet messages, it may be an indication that you are missing one or more rules -- see FAQ 17.

While you are troubleshooting, it is a good idea to clear two variables in /etc/shorewall/shorewall.conf:

LOGRATE=""
LOGBURST=""

This way, you will see all of the log messages being generated (be sure to restart shorewall after clearing these variables).

Example:

Jun 27 15:37:56 gateway kernel: Shorewall:all2all:REJECT:IN=eth2 OUT=eth1 SRC=192.168.2.2 DST=192.168.1.3 LEN=67 TOS=0x00 PREC=0x00 TTL=63 ID=5805 DF PROTO=UDP SPT=1803 DPT=53 LEN=47

Let's look at the important parts of this message:

In this case, 192.168.2.2 was in the "dmz" zone and 192.168.1.3 is in the "loc" zone. I was missing the rule:

ACCEPT    dmz    loc    udp    53

See FAQ 17 for additional information about how to interpret the chain name appearing in a Shorewall log message.

'Ping' Problems?

Either can't ping when you think you should be able to or are able to ping when you think that you shouldn't be allowed? Shorewall's 'Ping' Management is described here.

Other Gotchas

Still Having Problems?

See the support page.

Last updated 8/29/2003 - Tom Eastep

Copyright © 2001, 2002 Thomas M. Eastep.