Shorewall Support Guide Tom Eastep 2005-11-03 2001-2005 Thomas M. Eastep Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the license is included in the section entitled GNU Free Documentation License. Problem reports that do not include the information requested in the Problem Reporting Guidelines below will not be answered by the Shorewall author. This article applies to Shorewall 3.0 and later. If you are running a version of Shorewall earlier than Shorewall 3.0.0 then please see the documentation for that release.
Before Reporting a Problem or Asking a Question There are a number of sources of Shorewall information. Please try these before you post. The three currently-supported Shorewall major releases are 3.0, 2.4 and 2.2. Because of the short time between the releases of 2.2.0 and 2.4.0, Shorewall 2.2 will be supported until 1 December 2006 or until the release of 3.1.0, whichever comes first. Shorewall versions earlier than 2.2.0 are no longer supported; we will only answer your question if it deals with upgrading from these old releases to a current one. More than half of the questions posted on the support list have answers directly accessible from the Documentation Index The FAQ has solutions to more than 50 common problems. The Troubleshooting Information contains a number of tips to help you solve common problems. The Errata has links to download updated components. The Search facility can locate documents and posts about similar problems:
Problem Reporting Guidelines Please refer to the following flowchart to guide you through the problem reporting process. If your problem is that an error occurs when you try to shorewall start or if Shorewall is otherwise failing to start properly, then please:
/sbin/shorewall trace start 2> /tmp/trace Forward the /tmp/trace file as an attachment compressed with gzip or bzip2.
If you are unsure if Shorewall is starting successfully or not then first note that if Shorewall starts successfully, the last message it produces is "Shorewall Started":
… Activating Rules... Shorewall Started gateway:~#
If you are seeing this message then Shorewall is starting successfully. If you are still unsure if Shorewall is starting or not, enter the following command:
/sbin/shorewall status shorewall
If Shorewall has started successfully, you will see output similar to this:
Shorewall-2.5.4 Status at gateway - Tue Aug 30 14:07:29 PDT 2005 Shorewall is running State:Started (Tue Aug 30 07:18:07 PDT 2005)
If Shorewall has not started properly, you will see output similar to this:
Shorewall-2.5.4 Status at gateway - Tue Aug 30 14:08:11 PDT 2005 Shorewall is stopped State:Stopped (Tue Aug 30 14:08:11 PDT 2005)
The "State:" refers to the Shorewall State Diagram.
If Shorewall is starting successfully and your problem is that some set of connections to/from or through your firewall isn't working (examples: local systems can't access the internet, you can't send email through the firewall, you can't surf the web from the firewall, etc.) then please perform the following four steps: If Shorewall isn't started then /sbin/shorewall start. Otherwise /sbin/shorewall reset. Try making the connection that is failing. /sbin/shorewall dump > /tmp/status.txt Post the /tmp/status.txt file as an attachment compressed with gzip or bzip2. Describe where you are trying to make the connection from (IP address) and what host (IP address) you are trying to connect to. Please do not edit the diagnostic information in an attempt to conceal your IP address, netmask, nameserver addresses, domain name, etc. These aren't secrets, and concealing them often misleads us and may prevent your problem from being looked at all together. Otherwise please include the following information: the exact version of Shorewall you are running. /sbin/shorewall version the complete exact output of ip addr show the complete exact output of ip route show
Please remember we only know what is posted in your message. Do not leave out any information that appears to be correct, or was mentioned in a previous post. There have been countless posts by people who were sure that some part of their configuration was correct when it actually contained a small error. We tend to be skeptics where detail is lacking. Please keep in mind that you're asking for free technical support. Any help we offer is an act of generosity, not an obligation. Try to make it easy for us to help you. Follow good, courteous practices in writing and formatting your e-mail. Provide details that we need if you expect good answers. Exact quoting of error messages, log entries, command output, and other output is better than a paraphrase or summary. Please give details about what doesn't work. Reports that say I followed the directions and it didn't work may elicit sympathy but probably little in the way of help. Again -- if ping from A to B fails, say so (and see below for information about reporting ping problems). If Computer B doesn't show up in Network Neighborhood then say so. If access by IP address works but by DNS names it doesn't then say so. Please don't describe your environment and then ask us to send you custom configuration files. We're here to answer your questions but we can't do your job for you. Please do NOT include the output of iptables -L — the output of shorewall show or shorewall status is much more useful. As a general matter, please do not edit the diagnostic information in an attempt to conceal your IP address, netmask, nameserver addresses, domain name, etc. These aren't secrets, and concealing them often misleads us (and 80% of the time, a hacker could derive them anyway from information contained in the SMTP headers of your post). Do you see any Shorewall messages (/sbin/shorewall show log) when you exercise the function that is giving you problems? If so, include the message(s) in your post along with a copy of your /etc/shorewall/interfaces file (and /etc/shorewall/hosts file if you have entries in that file). Please include any of the Shorewall configuration files (especially the /etc/shorewall/hosts file if you have modified that file) that you think are relevant. If you include /etc/shorewall/rules, please include /etc/shorewall/policy as well (rules are meaningless unless one also knows the policies). The list server limits the size of posts to the lists, so don't post graphics of your network layout, etc. to the Mailing List -- your post will be rejected. The author gratefully acknowleges that the above list was heavily plagiarized from the excellent LEAF document by Ray Olszewski found here.
When using the mailing list, please post in plain text A growing number of MTAs serving list subscribers are rejecting all HTML traffic. At least one MTA has gone so far as to blacklist shorewall.net for continuous abuse because it has been my policy to allow HTML in list posts!! I think that blocking all HTML is a Draconian way to control spam and that the ultimate losers here are not the spammers but the list subscribers whose MTAs are bouncing all shorewall.net mail. As one list subscriber wrote to me privately These e-mail admin's need to get a (expletive deleted) life instead of trying to rid the planet of HTML based e-mail. Nevertheless, to allow subscribers to receive list posts as must as possible, I have now configured the list server at shorewall.net to convert all HTML to plain text. Sometimes the conversion process fails in which case, the post sent to the list is empty. Even when conversion succeeds, the converted post is difficult to read so all of us will appreciate it if you just post in plain text to begin with.
Where to Send your Problem Report or to Ask for Help If you run the current development release and your question involves a feature that is only available in the development release (see the Shorewall Release Model page) -- please post your question or problem to the Shorewall Development Mailing List. IMPORTANT: You must subscribe to the list before you will be able to post to it (see link below). If you run Shorewall under MandrakeSoft Multi Network Firewall (MNF) and you have not purchased an MNF license from MandrakeSoft then you can post non MNF-specific Shorewall questions to the Shorewall users mailing list. Do not expect to get free MNF support on the list. Otherwise, please post your question or problem to the Shorewall users mailing list. IMPORTANT: You must subscribe to the list before you will be able to post to it (see link below). Please read the list usage instructions (found on the information page for each list) before posting. For quick questions, there is also a #shorewall channel at irc.freenode.net.
Subscribing to the Users Mailing List To Subscribe to the users mailing list go to https://lists.sourceforge.net/mailman/listinfo/shorewall-users.
Subscribing to the Announce Mailing List To Subscribe to the announce mailing list (low-traffic,read only) go to: https://lists.sourceforge.net/lists/listinfo/shorewall-announce
Subscribing to the Development Mailing List To Subscribe to the development mailing list go to https://lists.sourceforge.net/mailman/listinfo/shorewall-devel.
Other Mailing Lists For information on other Shorewall mailing lists, go to http://sourceforge.net/mail/?group_id=22587 .