mirror of
https://gitlab.com/shorewall/code.git
synced 2024-11-30 03:23:47 +01:00
109b948d42
to happened anymore. :) git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@4194 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
<article>
  <!--$Id$-->

  <articleinfo>
    <title>Shorewall Error Messages</title>

    <authorgroup>
      <author>
        <firstname>Tom</firstname>

        <surname>Eastep</surname>
      </author>
    </authorgroup>

    <pubdate><?dbtimestamp format="Y/m/d"?></pubdate>

    <copyright>
      <year>2004</year>

      <year>2005</year>

      <holder>Thomas M. Eastep</holder>
    </copyright>

    <legalnotice>
      <para>Permission is granted to copy, distribute and/or modify this
      document under the terms of the GNU Free Documentation License, Version
      1.2 or any later version published by the Free Software Foundation; with
      no Invariant Sections, with no Front-Cover, and with no Back-Cover
      Texts. A copy of the license is included in the section entitled
      <quote><ulink url="GnuCopyright.htm">GNU Free Documentation
      License</ulink></quote>.</para>
    </legalnotice>
  </articleinfo>

  <section>
    <title>Introduction</title>

    <para>Shorewall can produce a wide variety of error messages when a
    problem is detected with your configuration. This article attempts to
    explain the cause of and cures for some of these messages.</para>
  </section>

  <section>
    <title>Messages Produced by /sbin/shorewall</title>

    <para>Some error messages are produced by the /sbin/shorewall utility.
    These messages are detailed in this section.</para>

    <variablelist>
      <varlistentry>
        <term>ERROR: &lt;label&gt; must specify a simple file name:
        &lt;name&gt;</term>

        <listitem>
          <para>This means that you have specified a restore file name with a
          "/". Restore files must be simple file names with no slashes.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>ERROR: Shorewall is not properly installed</term>

        <listitem>
          <para>The files <filename>/usr/share/shorewall/firewall</filename>
          and/or <filename>/usr/share/shorewall/version</filename> do not
          exist.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>ERROR: &lt;file name&gt; exists and is not a saved Shorewall
        configuration</term>

        <listitem>
          <para>The named file in <filename>/var/lib/shorewall</filename>
          exists but is not executable.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>ERROR: Reserved file name: &lt;file name&gt;</term>

        <listitem>
          <para>You have specified either <filename>save</filename> or
          <filename>restore-base</filename> as the name of a restore file --
          those names are reserved for use by Shorewall.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>ERROR: Currently-running Configuration Not Saved</term>

        <listitem>
          <para>During processing of a <command>shorewall save</command>
          command, the <command>iptables-save</command> command failed.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>ERROR: /var/lib/shorewall/restore-base does not exist</term>

        <listitem>
          <para>The <command>shorewall start</command> and <command>shorewall
          restart</command> commands create a file called
          <filename>/var/lib/shorewall/restore-base</filename> which forms the
          basis for creating a restore file using <command>shorewall
          save</command>. This error message is issued when <command>shorewall
          save</command> is not able to find that file.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>ERROR: The program specified in IPTABLES does not exist or is
        not executable</term>

        <listitem>
          <para>The IPTABLES option in
          <filename>/etc/shorewall/shorewall.conf</filename> specifies a file
          that is not executable.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>ERROR: Can't find iptables executable</term>

        <listitem>
          <para>There is no executable file named "iptables" in any directory
          in $PATH.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>ERROR: The program specified in SHOREWALL_SHELL does not exist
        or is not executable</term>

        <listitem>
          <para>The SHOREWALL_SHELL option in
          <filename>/etc/shorewall/shorewall.conf</filename> does not name an
          executable file.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>ERROR: /var/lib/shorewall/&lt;file&gt; exists and is not a saved
        Shorewall configuration</term>

        <listitem>
          <para>The restore file (&lt;file&gt;) specified or implied in a
          <command>shorewall save</command> command already exists but is not
          executable (and hence cannot be a valid restore file). Either
          remove/rename the file or specify a different file name.</para>
        </listitem>
      </varlistentry>
    </variablelist>
  </section>

  <section>
    <title>Messages Produced by /usr/share/shorewall/firewall</title>

    <para>The program <filename>/usr/share/shorewall/firewall</filename> is
    responsible for parsing the Shorewall configuration files and for creating
    and changing the Netfilter configuration. Some of the error messages
    generated by this program are listed below.</para>

    <variablelist>
      <varlistentry>
        <term>ERROR: Invalid nested zone syntax: :&lt;parent-zone&gt;</term>

        <listitem>
          <para>The zone name in the ZONE column of
          <filename>/etc/shorewall/zones</filename> may not start with a colon
          (":").</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>ERROR: Sub-zones of the firewall zone are not allowed</term>

        <listitem>
          <para>The firewall zone may not be defined to have zones nested
          within it.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>ERROR: Parent zone not defined: &lt;parent-zone&gt;</term>

        <listitem>
          <para>When defining nested zones in
          <filename>/etc/shorewall/zones</filename>, the parent zone must be
          defined before any zones nested inside of it.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>ERROR: Zone name longer than 5 characters: &lt;zone&gt;</term>

        <listitem>
          <para>Zone names are restricted to 5 characters or less in
          length.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>ERROR: Illegal zone name "&lt;zone&gt;" in zones file</term>

        <listitem>
          <para>The zone name quoted in the error message begins with a digit
          -- zone names must begin with an alphabetic character.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>ERROR: Reserved zone name "&lt;zone&gt;" in zones file</term>

        <listitem>
          <para>The names "none" and "all" are reserved and may not be used as
          zone names in <filename>/etc/shorewall/zones</filename>.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>ERROR: Zone &lt;zone&gt; is defined more than once</term>

        <listitem>
          <para>There are two records in
          <filename>/etc/shorewall/zones</filename> that define the named
          zone.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>ERROR: Your kernel and/or iptables does not support policy
        match</term>

        <listitem>
          <para>You have defined a zone of type <emphasis
          role="bold">ipsec</emphasis> in
          <filename>/etc/shorewall/zones</filename> or have specified the
          ipsec option in an <filename>/etc/shorewall/hosts</filename> record
          but your kernel and/or iptables don't include policy match support
          -- see <ulink url="IPSEC-2.6.html">this article</ulink> for
          details.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>ERROR: The firewall zone may not be nested</term>

        <listitem>
          <para>You have defined a zone of type <emphasis
          role="bold">firewall</emphasis> to be nested inside another zone.
          Shorewall does not support such nesting.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>ERROR: OPTIONS not allowed on the firewall zone</term>

        <listitem>
          <para>The zone of type <emphasis role="bold">firewall</emphasis> may
          not have any options specified in the OPTIONS, IN OPTIONS or OUT
          OPTIONS columns of <filename>/etc/shorewall/zones</filename>.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>ERROR: Only one firewall zone may be defined</term>

        <listitem>
          <para>You may have only one record in
          <filename>/etc/shorewall/zones</filename> that has type <emphasis
          role="bold">firewall</emphasis>.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>ERROR: No ipv4 or ipsec Zones Defined</term>

        <listitem>
          <para>You must define at least one ipv4 or ipsec zone in
          <filename>/etc/shorewall/zones</filename>.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>ERROR: No Firewall Zone Defined</term>

        <listitem>
          <para>You must define one (and only one) zone of type <emphasis
          role="bold">firewall</emphasis> in
          <filename>/etc/shorewall/zones</filename>.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>ERROR: Invalid Mark or Mask value: &lt;number&gt;</term>

        <listitem>
          <para>Shorewall-assigned packet and connection marks are limited to
          the range 1-255.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>ERROR: Invalid zone definition for zone &lt;zone&gt;</term>

        <listitem>
          <para>The zone named in the message is defined to be associated with
          an interface in <filename>/etc/shorewall/interfaces</filename> yet
          it also has an entry for that same interface in
          <filename>/etc/shorewall/hosts</filename>.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>ERROR: Invalid zone (&lt;zone&gt;) in record
        "&lt;record&gt;"</term>

        <listitem>
          <para>The zone named in the ZONE column of the listed record from
          <filename>/etc/shorewall/interfaces</filename> or
          <filename>/etc/shorewall/hosts</filename> is not defined in
          <filename>/etc/shorewall/zones</filename>.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>ERROR: The routeback option may not be specified on a multi-zone
        interface</term>

        <listitem>
          <para>The ZONE column of a record in
          <filename>/etc/shorewall/interfaces</filename> was empty ("-"). Such
          interfaces may not specify the <emphasis
          role="bold">routeback</emphasis> option.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>ERROR: The "detectnets" option may not be used with a wild-card
        interface</term>

        <listitem>
          <para>The interface name in the INTERFACE column is a wild-card
          (ends with "+"). Such interfaces may not specify the <emphasis
          role="bold">detectnets</emphasis> option.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>ERROR: Duplicate Interface &lt;interface&gt;</term>

        <listitem>
          <para>The named interface has two entries in
          <filename>/etc/shorewall/interfaces</filename>.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>ERROR: Invalid Interface Name: &lt;interface&gt;</term>

        <listitem>
          <para>The interface name contains a colon (":") or is "+". If the
          name includes a ":", you probably need to read <ulink
          url="Shorewall_and_Aliased_Interfaces.xml">this
          article</ulink>.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>ERROR: The 'norfc1918' option may not be specified on an
        interface with an RFC 1918 address. Interface:
        &lt;interface&gt;</term>

        <listitem>
          <para>The &lt;interface&gt; named in the message is configured with
          an IP address that is reserved by RFC 1918 -- that address is
          incompatible with the <emphasis role="bold">norfc1918</emphasis>
          interface option.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>ERROR: Unknown interface (&lt;interface&gt;) in record
        "&lt;record&gt;"</term>

        <listitem>
          <para>The <emphasis>&lt;interface&gt;</emphasis> name listed in the
          <emphasis>&lt;record&gt;</emphasis> from
          <filename>/etc/shorewall/hosts</filename> was not defined in
          <filename>/etc/shorewall/interfaces</filename>.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>ERROR: Invalid HOST(S) column contents: &lt;hosts&gt;</term>

        <listitem>
          <para>The contents of the HOST(S) column in a record from
          <filename>/etc/shorewall/hosts</filename> do not follow the proper
          syntax for that column in that they don't contain at least one colon
          (":"). See the <ulink
          url="Documentation.htm#Hosts">/etc/shorewall/hosts
          documentation</ulink>.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>ERROR: Bridged interfaces may not be defined in
        /etc/shorewall/interfaces: &lt;interface&gt;[:&lt;address&gt;]</term>

        <listitem>
          <para>The named interface appears in /etc/shorewall/hosts as a
          bridge port (after a colon) but is also defined in
          <filename>/etc/shorewall/interfaces</filename>.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>ERROR: Undefined zone &lt;zone&gt;</term>

        <listitem>
          <para>The named zone appears in the /etc/shorewall/policy file but
          not in the /etc/shorewall/zones file.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>ERROR: &lt;policy record&gt;: NONE policy not allowed to/from
        the &lt;firewall-zone-name&gt; zone</term>

        <listitem>
          <para>Shorewall does not support a policy of NONE when the source or
          destination zone is the firewall itself.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>ERROR: &lt;policy record&gt;: NONE policy not allowed with
        "all"</term>

        <listitem>
          <para>Shorewall does not support a policy of NONE when the source or
          destination zone is "all".</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>ERROR: Duplicate policy: &lt;source zone&gt; &lt;destination
        zone&gt; &lt;policy&gt;</term>

        <listitem>
          <para>There is an earlier record in the file with the same
          &lt;source zone&gt; and &lt;destination zone&gt;.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>ERROR: Can't determine the IP address of
        &lt;interface&gt;</term>

        <listitem>
          <para>You have specified DETECT_DNAT_ADDRS=Yes in
          /etc/shorewall/shorewall.conf and Shorewall is unable to determine
          the IP address of the named <emphasis>&lt;interface&gt;</emphasis>.
          Be sure that the interface is started before starting Shorewall or
          set DETECT_DNAT_ADDRS=No.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>ERROR: Invalid gateway zone (&lt;zone&gt;) -- Tunnel
        "&lt;record&gt;"</term>

        <listitem>
          <para>The listed <emphasis>&lt;zone&gt;</emphasis> name appears in
          the GATEWAY ZONE column of the listed
          <emphasis>&lt;record&gt;</emphasis> from
          <filename>/etc/shorewall/tunnels</filename> but is not defined in
          <filename>/etc/shorewall/zones</filename>.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>ERROR: No hosts on &lt;interface&gt; have the maclist option
        specified</term>

        <listitem>
          <para>The named <emphasis>&lt;interface&gt;</emphasis> appears in a
          record in <filename>/etc/shorewall/maclist</filename> yet that
          interface's record in <filename>/etc/shorewall/interfaces</filename>
          does not specify the <emphasis role="bold">maclist</emphasis> option
          and no record in <filename>/etc/shorewall/hosts</filename> that
          names that interface includes the <emphasis
          role="bold">maclist</emphasis> option.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>ERROR: Interface &lt;interface&gt; must be up before Shorewall
        can start</term>

        <listitem>
          <para>You have specified the <emphasis
          role="bold">maclist</emphasis> option for this interface but the
          command <command>ip link show &lt;interface&gt;</command>
          fails.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>ERROR: Unknown interface &lt;interface&gt;</term>

        <listitem>
          <para>The interface appears in a configuration file but is not
          defined in <filename>/etc/shorewall/interfaces</filename>.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>ERROR: BRIDGING=Yes requires Physdev Match support in your
        Kernel and iptables</term>

        <listitem>
          <para>You have set BRIDGING=Yes in
          <filename>/etc/shorewall/shorewall.conf</filename> but it appears
          that your kernel and/or iptables do not have physdev match
          support.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>ERROR: Invalid Action Name: &lt;action&gt;</term>

        <listitem>
          <para>The &lt;action&gt; contains one of the following characters:
          ".", "-", or "%". Those characters are not allowed in an action
          name.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>ERROR: Invalid Macro Parameter in rule "&lt;rule&gt;"</term>

        <listitem>
          <para>The value being passed to a parameterized macro is not ACCEPT,
          DROP, REJECT, LOG, QUEUE or CONTINUE.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>ERROR: Missing Action File: action.&lt;action name&gt;</term>

        <listitem>
          <para>The specified &lt;action name&gt; has an entry in
          <filename>/usr/share/shorewall/actions.std</filename> or in
          <filename>/etc/shorewall/actions</filename> but the corresponding
          action file does not exist on the CONFIG_PATH.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>ERROR: Unknown interface &lt;interface&gt; in rule:
        "&lt;rule&gt;"</term>

        <listitem>
          <para>You have BRIDGING=No in
          <filename>/etc/shorewall/shorewall.conf</filename> and the
          <emphasis>&lt;interface&gt;</emphasis> given in a rule does not
          match an entry in
          <filename>/etc/shorewall/interfaces</filename>.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>ERROR: SNAT may no longer be specified in a DNAT rule; use
        /etc/shorewall/masq instead</term>

        <listitem>
          <para>In earlier Shorewall versions, the ORIGINAL DEST column
          allowed following the original destination IP address with ":" and
          an address to use as the source of the forwarded connection request.
          Now that /etc/shorewall/masq supports qualification of SNAT rules by
          protocol and port, this feature is no longer required and has been
          removed.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>ERROR: Invalid Source in rule "&lt;rule&gt;"</term>

        <listitem>
          <para>The SOURCE column has the firewall zone name immediately
          followed by "!". This syntax is used to exclude a subzone and
          Shorewall currently doesn't support subzones of the firewall
          zone.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>ERROR: Rule "&lt;rule&gt;" - Destination may not be specified by
        MAC Address</term>

        <listitem>
          <para>Netfilter (and hence Shorewall) does not allow qualification
          of a rule by destination MAC address.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>ERROR: Destination interface not allowed with
        &lt;action&gt;</term>

        <listitem>
          <para>The named <emphasis>&lt;action&gt;</emphasis> will be ACCEPT+
          or NONAT. These actions are enforced in part in the PREROUTING nat
          chain where the destination interface is not yet known (because the
          packet has not yet been routed). As a result, the DESTINATION column
          may not contain an interface name.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>ERROR: Only DNAT and REDIRECT rules may specify destination
        mapping; rule "&lt;rule&gt;"</term>

        <listitem>
          <para>The <emphasis>&lt;rule&gt;</emphasis> specifies a server
          address that is different from the ORIGINAL DEST address and/or it
          specifies a server port that is different from the destination port
          but the ACTION is neither DNAT[-] nor REDIRECT[-].</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>ERROR: Empty source zone or qualifier: rule
        "&lt;rule&gt;"</term>

        <listitem>
          <para>The SOURCE column is of one of the forms
          <emphasis>&lt;zone&gt;</emphasis>:,
          :<emphasis>&lt;qualifier&gt;</emphasis> or :.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>ERROR: Exclude list only allowed with DNAT or REDIRECT</term>

        <listitem>
          <para>In DNAT[-] and REDIRECT[-] rules, you can have a SOURCE of the
          form
          <emphasis>&lt;zone&gt;</emphasis>:<emphasis>&lt;net1&gt;</emphasis>!<emphasis>&lt;net2&gt;</emphasis>.
          This means <emphasis>&lt;net1&gt;</emphasis> in the
          <emphasis>&lt;zone&gt;</emphasis> zone <emphasis role="bold">except
          for</emphasis> <emphasis>&lt;net2&gt;</emphasis>. This syntax is not
          available with other ACTIONs.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>ERROR: Invalid use of a user-qualification: rule
        "&lt;rule&gt;"</term>

        <listitem>
          <para>The USER/GROUP column may only have an entry if the SOURCE is
          the firewall zone.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>ERROR: Empty destination zone or qualifier: rule
        "&lt;rule&gt;"</term>

        <listitem>
          <para>The DEST column is of one of the forms
          <emphasis>&lt;zone&gt;</emphasis>:,
          :<emphasis>&lt;qualifier&gt;</emphasis> or :.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>ERROR: Undefined Client Zone in rule "&lt;rule&gt;"</term>

        <listitem>
          <para>The zone given in the SOURCE column was not defined in
          <filename>/etc/shorewall/zones</filename>.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>ERROR: Undefined Server Zone in rule "&lt;rule&gt;"</term>

        <listitem>
          <para>The zone given in the DEST column was not defined in
          <filename>/etc/shorewall/zones</filename>.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>ERROR: Rules may not override a NONE policy: rule
        "&lt;rule&gt;"</term>

        <listitem>
          <para>If the policy from zone z1 to zone z2 is NONE, that means that
          Shorewall sets up no infrastructure to handle traffic from z1 to z2.
          Consequently, you cannot have any rules that control traffic from z1
          to z2.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>ERROR: Invalid Action in rule "&lt;rule&gt;"</term>

        <listitem>
          <para>The ACTION column contains an action that is not one of the
          built-in actions and it is not defined in
          <filename>/etc/shorewall/actions</filename> or in
          <filename>/usr/share/shorewall/actions.std</filename>.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>ERROR: Unable to determine the routes through interface
        &lt;interface&gt;</term>

        <listitem>
          <para>You have specified <emphasis>&lt;interface&gt;</emphasis> in
          the SUBNET column of <filename>/etc/shorewall/masq</filename> which
          means that Shorewall is supposed to determine the network(s) routed
          through that interface. To do that, Shorewall issues the command
          <command>ip addr ls dev &lt;interface&gt;</command> and that command
          failed. This usually means that you are trying to start Shorewall
          before the <emphasis>&lt;interface&gt;</emphasis> is brought
          up.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>ERROR: No appropriate chain for zone &lt;z1&gt; to zone
        &lt;z2&gt;</term>

        <listitem>
          <para>There is no policy defined in
          <filename>/etc/shorewall/policy</filename> for connections from zone
          <emphasis>&lt;z1&gt;</emphasis> to zone
          <emphasis>&lt;z2&gt;</emphasis>.</para>
        </listitem>
      </varlistentry>
    </variablelist>
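
    <para>As an added illustration (not part of Shorewall or of this
    article), the following Python script reimplements the zones-file and
    policy-file checks behind the messages listed above and reports them in
    the same wording. It assumes whitespace-separated ZONE TYPE OPTIONS and
    SOURCE DEST POLICY columns and the child:parent nesting syntax implied by
    the messages; the sample files in it are constructed.</para>

```python
RESERVED_ZONES = {"none", "all"}


def _records(text):
    """Yield the whitespace-separated fields of each non-blank, non-comment line."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line.split()


def check_zones(zones_text):
    """Return (errors, {zone: type}, firewall_zone) for a zones file.
    Columns assumed: ZONE [TYPE] [OPTIONS...]; a ZONE of child:parent nests."""
    errors, zones, firewall = [], {}, None
    for fields in _records(zones_text):
        raw = fields[0]
        ztype = fields[1] if len(fields) > 1 else "ipv4"
        options = fields[2:]
        name, parent = (raw.split(":", 1) + [None])[:2]
        if not name:  # record began with ":"
            errors.append(f"Invalid nested zone syntax: {raw}")
            continue
        if name in RESERVED_ZONES:
            errors.append(f'Reserved zone name "{name}" in zones file')
            continue
        if name[0].isdigit():
            errors.append(f'Illegal zone name "{name}" in zones file')
            continue
        if len(name) > 5:
            errors.append(f"Zone name longer than 5 characters: {name}")
            continue
        if name in zones:
            errors.append(f"Zone {name} is defined more than once")
            continue
        if parent is not None:  # the parent must already have been defined
            if parent not in zones:
                errors.append(f"Parent zone not defined: {parent}")
            elif parent == firewall:
                errors.append("Sub-zones of the firewall zone are not allowed")
            elif ztype == "firewall":
                errors.append("The firewall zone may not be nested")
        if ztype == "firewall":
            if firewall is not None:
                errors.append("Only one firewall zone may be defined")
            if options:
                errors.append("OPTIONS not allowed on the firewall zone")
            firewall = firewall or name
        zones[name] = ztype
    if firewall is None:
        errors.append("No Firewall Zone Defined")
    if not any(t in ("ipv4", "ipsec") for t in zones.values()):
        errors.append("No ipv4 or ipsec Zones Defined")
    return errors, zones, firewall


def check_policy(policy_text, zones, firewall):
    """Return policy-file errors; columns assumed: SOURCE DEST POLICY [...]."""
    errors, seen = [], set()
    for fields in _records(policy_text):
        src, dst, policy = fields[:3]
        record = " ".join(fields[:3])
        for zone in (src, dst):
            if zone != "all" and zone not in zones:
                errors.append(f"Undefined zone {zone}")
        if policy == "NONE":
            if firewall in (src, dst):
                errors.append(f"{record}: NONE policy not allowed to/from the {firewall} zone")
            if "all" in (src, dst):
                errors.append(f'{record}: NONE policy not allowed with "all"')
        if (src, dst) in seen:
            errors.append(f"Duplicate policy: {record}")
        seen.add((src, dst))
    return errors


# Constructed sample files that trip several of the documented checks.
ZONES_BAD = "fw firewall norfc1918\nnet ipv4\n:net ipv4\ncustomer ipv4\n1st ipv4\nall ipv4\nnet ipv4\ndmz:fw ipv4\nfw2 firewall\n"
POLICY_BAD = "loc net ACCEPT\nloc net DROP\nfw all NONE\nwan loc DROP\n"


def lint(zones_text, policy_text):
    """Run both checks, as a start would, and return every message found."""
    zone_errors, zones, firewall = check_zones(zones_text)
    return zone_errors + check_policy(policy_text, zones, firewall)
```

Running lint(ZONES_BAD, POLICY_BAD) lists the eight zones-file problems first; a clean pair of files returns an empty list.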
  </section>

  <section>
    <title>Warnings</title>

    <para>This section describes some of the more common warnings generated
    by Shorewall.</para>

    <variablelist>
      <varlistentry>
        <term>Warning: default route ignored on interface
        &lt;interface&gt;</term>

        <listitem>
          <para>This means that the interface named in the SUBNET column of
          <filename>/etc/shorewall/masq</filename> has the default route. This
          almost always means that you have the contents of the INTERFACE and
          SUBNET columns reversed.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>Warning: Zone &lt;zone&gt; is empty</term>

        <listitem>
          <para>This warning alerts you to the fact that &lt;zone&gt; is
          defined in <filename>/etc/shorewall/zones</filename> but has no
          corresponding entries in
          <filename>/etc/shorewall/interfaces</filename> or in
          <filename>/etc/shorewall/hosts</filename>.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>WARNING: Shorewall startup is disabled. To enable startup, set
        STARTUP_ENABLED=Yes in /etc/shorewall/shorewall.conf</term>

        <listitem>
          <para>If you need help understanding that warning message then you
          probably need to take up another hobby or line of work.</para>
        </listitem>
      </varlistentry>
    </variablelist>
  </section>

  <section>
    <title>Iptables Error Messages</title>

    <para>By far the most asked about iptables error messages are:</para>

    <glosslist>
      <glossentry>
        <glossterm>iptables: No chain/target/match by that name</glossterm>

        <glossdef>
          <para>This almost always means that you are trying to use a
          Shorewall feature that your iptables and/or kernel do not support.
          Beginning with version 2.2.0, Shorewall follows this message with a
          copy of the iptables command that is failing. Most commonly, the
          problem is that one of the match types (keyword following "-m" in
          the command) isn't supported by your iptables/kernel. The output of
          "shorewall show capabilities" shows you what your iptables/kernel
          support:</para>

          <programlisting>gateway:~# shorewall show capabilities
Shorewall has detected the following iptables/netfilter capabilities:
<emphasis role="bold">   NAT: Available
   Packet Mangling: Available
   Multi-port Match: Available
   Extended Multi-port Match: Available
   Connection Tracking Match: Available
   Packet Type Match: Available
   Policy Match: Available
   Physdev Match: Available
   IP range Match: Available
   Recent Match: Available
   Owner Match: Available
   Ipset Match: Available
   ROUTE Target: Not available
   Extended MARK Target: Available
   CONNMARK Target: Available
   Connmark Match: Available</emphasis>
<emphasis role="bold">   Raw Table: Available</emphasis>
gateway:~#</programlisting>
        </glossdef>
      </glossentry>

      <glossentry>
        <glossterm>iptables: invalid argument</glossterm>

        <glossdef>
          <para>Answer: 99.999% of the time, this error is caused by a
          mismatch between your iptables and kernel.</para>

          <orderedlist>
            <listitem>
              <para>Your iptables must be compiled against a kernel source
              tree that is Netfilter-compatible with the kernel that you are
              running.</para>
            </listitem>

            <listitem>
              <para>If you rebuild iptables using the defaults and install it,
              it will be installed in /usr/local/sbin/iptables. As shown
              above, you have the IPTABLES variable in shorewall.conf set to
              "/sbin/iptables".</para>
            </listitem>
          </orderedlist>
        </glossdef>
      </glossentry>
    </glosslist>
  </section>
</article>