Remove anachronisms from FAQ

This commit is contained in:
Tom Eastep 2009-05-26 07:19:49 -07:00
parent 0bd3b0c0af
commit acf40290a5


@ -1600,20 +1600,6 @@ teastep@ursa:~$ </programlisting>The first number determines the maximum log
and FORWARD chains which aren't traversed until later.</para> and FORWARD chains which aren't traversed until later.</para>
</section> </section>
<section id="faq56">
<title>(FAQ 56) When I start or restart Shorewall, I see these messages
in my log. Are they harmful?</title>
<blockquote>
<programlisting>modprobe: Can't locate module ipt_physdev
modprobe: Can't locate module iptable_raw</programlisting>
</blockquote>
<para><emphasis role="bold">Answer:</emphasis> No. These occur when
Shorewall probes your system to determine the features that it support.
They are completely harmless.</para>
</section>
<section id="faq81"> <section id="faq81">
<title>(FAQ 81) logdrop and logreject don't log.</title> <title>(FAQ 81) logdrop and logreject don't log.</title>
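Review bot: removing `<section id="faq56">` leaves any `<xref linkend="faq56"/>` elsewhere in the document dangling, which fails DocBook validation; search the whole FAQ for `faq56` before merging. The deleted answer is the only place that told readers the `modprobe: Can't locate module` lines are harmless probe output; if current releases still emit such lines during feature detection, keep a one-line note somewhere rather than leaving the messages unexplained.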
@ -1636,7 +1622,7 @@ modprobe: Can't locate module iptable_raw</programlisting>
different ISPs. How do I set this up in Shorewall?</title> different ISPs. How do I set this up in Shorewall?</title>
<para><emphasis role="bold">Answer:</emphasis> See <ulink <para><emphasis role="bold">Answer:</emphasis> See <ulink
url="MultiISP.html">this article on Shorewall and Multiple url="MultiISP.html">this article about Shorewall and Multiple
ISPs</ulink>.</para> ISPs</ulink>.</para>
</section> </section>
@ -1699,38 +1685,6 @@ ERROR: Command "ip -4 rule add from all table 254 pref 999" Failed</programlisti
<command>shorewall[-lite] clear</command> </quote> command.</para> <command>shorewall[-lite] clear</command> </quote> command.</para>
</section> </section>
<section id="faq8">
<title>(FAQ 8) When I try to start Shorewall on RedHat, I get messages
about insmod failing -- what's wrong?</title>
<para><emphasis role="bold">Answer:</emphasis> The output you will see
looks something like this:</para>
<programlisting>/lib/modules/2.4.17/kernel/net/ipv4/netfilter/ip_tables.o: init_module: Device or resource busy
Hint: insmod errors can be caused by incorrect module parameters, including invalid IO or IRQ parameters
/lib/modules/2.4.17/kernel/net/ipv4/netfilter/ip_tables.o: insmod
/lib/modules/2.4.17/kernel/net/ipv4/netfilter/ip_tables.o failed
/lib/modules/2.4.17/kernel/net/ipv4/netfilter/ip_tables.o: insmod ip_tables failed
iptables v1.2.3: can't initialize iptables table `nat': iptables who? (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.</programlisting>
<para>This problem is usually corrected through the following sequence
of commands</para>
<programlisting><command>service ipchains stop
chkconfig --delete ipchains
rmmod ipchains</command></programlisting>
<section id="faq8a">
<title>(FAQ 8a) When I try to start Shorewall on RedHat I get a
message referring me to FAQ #8</title>
<para><emphasis role="bold">Answer:</emphasis> This is usually cured
by the sequence of commands shown above in <xref
linkend="faq8" />.</para>
</section>
</section>
<section id="faq9"> <section id="faq9">
<title>(FAQ 9) Why can't Shorewall detect my interfaces properly at <title>(FAQ 9) Why can't Shorewall detect my interfaces properly at
startup?</title> startup?</title>
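Review bot: the `<xref linkend="faq8" />` inside the removed faq8a section goes away with it, but any other `linkend="faq8"` or `linkend="faq8a"` still in the document becomes a dangling reference; check for both ids before merging. Dropping the 2.4.17 kernel and ipchains material matches the commit subject.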
@ -1873,16 +1827,6 @@ iptables: Invalid argument
</note> </note>
</section> </section>
<section id="faq62">
<title>(FAQ 62) I have unexplained 30-second pauses during "shorewall
[re]start". What causes that?</title>
<para><emphasis role="bold">Answer:</emphasis> This usually happens when
the firewall uses LDAP Authentication. The solution is to list your LDAP
server(s) as <emphasis role="bold">critical</emphasis> in <ulink
url="manpages/shorewall-routestopped.html">/etc/shorewall/routestopped</ulink>.</para>
</section>
<section id="faq68"> <section id="faq68">
<title>(FAQ 68) I have a VM under an OpenVZ system. I can't get rid of <title>(FAQ 68) I have a VM under an OpenVZ system. I can't get rid of
the following message:</title> the following message:</title>
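Review bot: unlike faq8 and faq56, the removed faq62 entry is not tied to an old kernel or distribution; it documents listing LDAP servers as `critical` in /etc/shorewall/routestopped so that authentication lookups keep working while the firewall is restarting. Confirm either that the 30-second pause no longer occurs or that the routestopped man page already carries this advice; otherwise this is lost guidance rather than an anachronism. Also check for dangling `linkend="faq62"` references.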
@ -1892,7 +1836,7 @@ iptables: Invalid argument
<para><emphasis role="bold">Answer:</emphasis> At a root shell prompt, <para><emphasis role="bold">Answer:</emphasis> At a root shell prompt,
type the iptables command shown in the error message. If the command type the iptables command shown in the error message. If the command
fails, you OpenVZ Netfilter/iptables configuration is incorrect. Until fails, your OpenVZ Netfilter/iptables configuration is incorrect. Until
that command can run without error, no stateful iptables firewall will that command can run without error, no stateful iptables firewall will
be able to run in your VM.</para> be able to run in your VM.</para>
</section> </section>
@ -1962,7 +1906,7 @@ iptables: Invalid argument
traffic is blocked for hosts behind the firewall trying to connect out traffic is blocked for hosts behind the firewall trying to connect out
onto the net or through the vpn (although i can reach the internal onto the net or through the vpn (although i can reach the internal
firewall interface and obtain dumps etc). Once I issue 'shorewall clear' firewall interface and obtain dumps etc). Once I issue 'shorewall clear'
followed by 'shorewall restart' it then works, despite the config not followed by 'shorewall start' it then works, despite the config not
changing</title> changing</title>
<para><emphasis role="bold">Answer:</emphasis> Set IP_FORWARDING=On in <para><emphasis role="bold">Answer:</emphasis> Set IP_FORWARDING=On in
@ -2040,6 +1984,8 @@ We have an error talking to the kernel
you may be able to resolve the problem by loading the <emphasis you may be able to resolve the problem by loading the <emphasis
role="bold">act_police</emphasis> kernel module. Other kernel modules role="bold">act_police</emphasis> kernel module. Other kernel modules
that you will need include:<simplelist> that you will need include:<simplelist>
<member>cls_fw</member>
<member>cls_u32</member> <member>cls_u32</member>
<member>sch_htb</member> <member>sch_htb</member>
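Review bot: adding `<member>cls_fw</member>` is a content addition unrelated to the "Remove anachronisms" subject; mention it in the commit message or split it into its own commit so the change is discoverable in history. The placement before `cls_u32` keeps the list alphabetical.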
@ -2138,11 +2084,9 @@ We have an error talking to the kernel
broadcast address as the source address?</term> broadcast address as the source address?</term>
<listitem> <listitem>
<para><emphasis role="bold">Answer:</emphasis> Shorewall can be <para><emphasis role="bold">Answer:</emphasis> Shorwall filters
configured to do that using the <ulink these packets under the <firstterm>nosmurfs</firstterm> interface
url="blacklisting_support.htm">blacklisting</ulink> facility. option in <ulink
Shorewall versions 2.0.0 and later filter these packets under the
<firstterm>nosmurfs</firstterm> interface option in <ulink
url="manpages/shorewall-interfaces.html">/etc/shorewall/interfaces</ulink>.</para> url="manpages/shorewall-interfaces.html">/etc/shorewall/interfaces</ulink>.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
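Review bot: typo in the new right-hand text: `Shorwall filters` should read `Shorewall filters`. Removing the "versions 2.0.0 and later" qualifier and the blacklisting_support.htm link is consistent with the commit subject.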
@ -2162,11 +2106,7 @@ We have an error talking to the kernel
<term>DOS: - SYN Dos - ICMP Dos - Per-host Dos protection</term> <term>DOS: - SYN Dos - ICMP Dos - Per-host Dos protection</term>
<listitem> <listitem>
<para><emphasis role="bold">Answer:</emphasis> Shorewall has <para><emphasis role="bold">Answer:</emphasis> Yes.</para>
facilities for limiting SYN and ICMP packets. Netfilter as
included in standard Linux kernels doesn't support per-remote-host
limiting except by explicit rule that specifies the host IP
address; that form of limiting is supported by Shorewall.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
</variablelist> </variablelist>
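Review bot: replacing the answer with a bare `Yes.` drops the caveat that per-remote-host limiting required an explicit rule naming the host address. If that caveat no longer applies, a short pointer to the mechanism that now provides per-host limiting would answer the "Per-host Dos protection" term better than `Yes.`; if it still applies, keep the last sentence of the old answer.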