<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
<article>
  <!--$Id$-->

  <articleinfo>
    <title>Shorewall Error Messages</title>

    <authorgroup>
      <author>
        <firstname>Tom</firstname>

        <surname>Eastep</surname>
      </author>
    </authorgroup>

    <pubdate><?dbtimestamp format="Y/m/d"?></pubdate>

    <copyright>
      <year>2004</year>

      <year>2005</year>

      <holder>Thomas M. Eastep</holder>
    </copyright>

    <legalnotice>
      <para>Permission is granted to copy, distribute and/or modify this
      document under the terms of the GNU Free Documentation License, Version
      1.2 or any later version published by the Free Software Foundation; with
      no Invariant Sections, with no Front-Cover, and with no Back-Cover
      Texts. A copy of the license is included in the section entitled
      <quote><ulink url="GnuCopyright.htm">GNU Free Documentation
      License</ulink></quote>.</para>
    </legalnotice>
  </articleinfo>

  <section>
    <title>Introduction</title>

    <para>Shorewall can produce a wide variety of error messages when a
    problem is detected with your configuration. This article attempts to
    explain the cause of and cures for some of these messages.</para>
  </section>

  <section>
    <title>Messages Produced by /sbin/shorewall</title>

    <para>Some error messages are produced by the /sbin/shorewall utility.
    These messages are detailed in this section.</para>

    <variablelist>
      <varlistentry>
        <term>ERROR: &lt;label&gt; must specify a simple file name:
        &lt;name&gt;</term>

        <listitem>
          <para>This means that you have specified a restore file name with a
          "/". Restore files must be simple file names with no slashes.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>ERROR: Shorewall is not properly installed</term>

        <listitem>
          <para>The files <filename>/usr/share/shorewall/firewall</filename>
          and/or <filename>/usr/share/shorewall/version</filename> do not
          exist.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>ERROR: &lt;file name&gt; exists and is not a saved Shorewall
        configuration</term>

        <listitem>
          <para>The named file in <filename>/var/lib/shorewall</filename>
          exists but is not executable.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>ERROR: Reserved file name: &lt;file name&gt;</term>

        <listitem>
          <para>You have specified either <filename>save</filename> or
          <filename>restore-base</filename> as the name of a restore file --
          those names are reserved for use by Shorewall.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>ERROR: Currently-running Configuration Not Saved</term>

        <listitem>
          <para>During processing of a <command>shorewall save</command>
          command, the <command>iptables-save</command> command failed.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>ERROR: /var/lib/shorewall/restore-base does not exist</term>

        <listitem>
          <para>The <command>shorewall start</command> and <command>shorewall
          restart</command> commands create a file called
          <filename>/var/lib/shorewall/restore-base</filename> which forms the
          basis for creating a restore file using <command>shorewall
          save</command>. This error message is issued when <command>shorewall
          save</command> is not able to find that file.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>ERROR: The program specified in IPTABLES does not exist or is
        not executable</term>

        <listitem>
          <para>The IPTABLES option in
          <filename>/etc/shorewall/shorewall.conf</filename> specifies a file
          that is not executable.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>ERROR: Can't find iptables executable</term>

        <listitem>
          <para>There is no executable file named "iptables" in any directory
          in $PATH.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>ERROR: The program specified in SHOREWALL_SHELL does not exist
        or is not executable</term>

        <listitem>
<para>The SHOREWALL_SHELL option in
          <filename>/etc/shorewall/shorewall.conf</filename> does not name an
          executable file.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>ERROR: /var/lib/shorewall/&lt;file&gt; exists and is not a saved
        Shorewall configuration</term>

        <listitem>
<para>The restore file (&lt;file&gt;) specified or implied in a
          <command>shorewall save</command> command already exists but is not
          executable (and hence cannot be a valid restore file). Either
          remove/rename the file or specify a different file name.</para>
        </listitem>
      </varlistentry>
    </variablelist>
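    <para>The three restore-file checks above (a name containing a slash, a
    reserved name, and an existing file that is not executable) can be
    reproduced outside Shorewall to vet a name before running
    <command>shorewall save</command>. The following Python script is an
    added example, not code from the Shorewall package: its error strings
    are reconstructed from the descriptions in this section, a temporary
    directory stands in for <filename>/var/lib/shorewall</filename>, the
    <emphasis>label</emphasis> argument is a placeholder for whatever name
    the utility prints, and testing the execute bit with
    <emphasis>os.access</emphasis> is our reading of "not executable".</para>

    <programlisting>
```python
import os
import tempfile

# Names this section lists as reserved for Shorewall's own use.
RESERVED_NAMES = ("save", "restore-base")


def check_restore_name(name, state_dir="/var/lib/shorewall", label="restore"):
    """Return None when *name* is usable as a restore file name, otherwise
    the error text.  Messages are reconstructed from the descriptions in
    this section; *label* stands in for whatever the utility prints."""
    if "/" in name:
        return "ERROR: %s must specify a simple file name: %s" % (label, name)
    if name in RESERVED_NAMES:
        return "ERROR: Reserved file name: %s" % name
    path = os.path.join(state_dir, name)
    # A saved configuration is an executable script; anything else at that
    # path is rejected (the page says "not executable", so we test X_OK).
    if os.path.exists(path) and not os.access(path, os.X_OK):
        return "ERROR: %s exists and is not a saved Shorewall configuration" % path
    return None


def demo():
    """Exercise the check against a temporary directory standing in for
    /var/lib/shorewall (constructed fixture, not the real state directory)."""
    state_dir = tempfile.mkdtemp()
    stale = os.path.join(state_dir, "stale")
    with open(stale, "w") as f:
        f.write("leftover text, not a restore script\n")
    os.chmod(stale, 0o644)
    good = os.path.join(state_dir, "monday")
    with open(good, "w") as f:
        f.write("#!/bin/sh\n# a saved configuration would follow here\n")
    os.chmod(good, 0o755)
    results = {}
    for candidate in ("../etc/passwd", "save", "stale", "monday", "tuesday"):
        results[candidate] = check_restore_name(candidate, state_dir=state_dir)
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print("%-14s %s" % (name, verdict or "OK"))
```
    </programlisting>

    <para>Running the script reports the slash, reserved-name and
    non-executable cases as errors and accepts both the executable file and
    a name that does not exist yet.</para>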
  </section>

  <section>
    <title>Messages Produced by /usr/share/shorewall/firewall</title>

    <para>The program <filename>/usr/share/shorewall/firewall</filename> is
    responsible for parsing the Shorewall configuration files and for creating
    and changing the Netfilter configuration. Some of the error messages
    generated by this program are listed below.</para>

    <variablelist>
      <varlistentry>
        <term>ERROR: Invalid nested zone syntax: :&lt;parent-zone&gt;</term>

        <listitem>
          <para>The zone name in the ZONE column of
          <filename>/etc/shorewall/zones</filename> may not start with a colon
          (":").</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>ERROR: Sub-zones of the firewall zone are not allowed</term>

        <listitem>
          <para>The firewall zone may not be defined to have zones nested
          within it.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>ERROR: Parent zone not defined: &lt;parent-zone&gt;</term>

        <listitem>
          <para>When defining nested zones in
          <filename>/etc/shorewall/zones</filename>, the parent zone must be
          defined before any zones nested inside of it.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>ERROR: Zone name longer than 5 characters: &lt;zone&gt;</term>

        <listitem>
          <para>Zone names are restricted to 5 characters or less in
          length.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>ERROR: Illegal zone name "&lt;zone&gt;" in zones file</term>

        <listitem>
          <para>The zone name quoted in the error message begins with a digit
          -- zone names must begin with an alphabetic character.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>ERROR: Reserved zone name "&lt;zone&gt;" in zones file</term>

        <listitem>
          <para>The names "none" and "all" are reserved and may not be used as
          zone names in <filename>/etc/shorewall/zones</filename>.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>ERROR: Zone &lt;zone&gt; is defined more than once</term>

        <listitem>
          <para>There are two records in
          <filename>/etc/shorewall/zones</filename> that define the named
          zone.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>ERROR: Your kernel and/or iptables does not support policy
        match</term>

        <listitem>
          <para>You have defined a zone of type <emphasis
          role="bold">ipsec</emphasis> in
          <filename>/etc/shorewall/zones</filename> or have specified the
          ipsec option in an <filename>/etc/shorewall/hosts</filename> record
          but your kernel and/or iptables don't include policy match support
          -- see <ulink url="IPSEC-2.6.html">this article</ulink> for
          details.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>ERROR: The firewall zone may not be nested</term>

        <listitem>
          <para>You have defined a zone of type <emphasis
          role="bold">firewall</emphasis> to be nested inside another zone.
          Shorewall does not support such nesting.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>ERROR: OPTIONS not allowed on the firewall zone</term>

        <listitem>
          <para>The zone of type <emphasis role="bold">firewall</emphasis> may
          not have any options specified in the OPTIONS, IN OPTIONS or OUT
          OPTIONS columns of <filename>/etc/shorewall/zones</filename>.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>ERROR: Only one firewall zone may be defined</term>

        <listitem>
          <para>You may have only one record in
          <filename>/etc/shorewall/zones</filename> that has type <emphasis
          role="bold">firewall</emphasis>.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>ERROR: No ipv4 or ipsec Zones Defined</term>

        <listitem>
          <para>You must define at least one ipv4 or ipsec zone in
          <filename>/etc/shorewall/zones</filename>.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>ERROR: No Firewall Zone Defined</term>

        <listitem>
<para>You must define one (and only one) zone of type <emphasis
          role="bold">firewall</emphasis> in
          <filename>/etc/shorewall/zones</filename>.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>ERROR: Invalid Mark or Mask value: &lt;number&gt;</term>

        <listitem>
          <para>Shorewall-assigned packet and connection marks are limited to
          the range 1-255.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>ERROR: Invalid zone definition for zone &lt;zone&gt;</term>

        <listitem>
          <para>The zone named in the message is defined to be associated with
          an interface in <filename>/etc/shorewall/interfaces</filename> yet
          it also has an entry for that same interface in
          <filename>/etc/shorewall/hosts</filename>.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>ERROR: Invalid zone (&lt;zone&gt;) in record
        "&lt;record&gt;"</term>

        <listitem>
          <para>The zone named in the ZONE column of the listed record from
          <filename>/etc/shorewall/interfaces</filename> or
          <filename>/etc/shorewall/hosts</filename> is not defined in
          <filename>/etc/shorewall/zones</filename>.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>ERROR: The routeback option may not be specified on a multi-zone
        interface</term>

        <listitem>
          <para>The ZONE column of a record in
          <filename>/etc/shorewall/interfaces</filename> was empty ("-"). Such
          interfaces may not specify the <emphasis
          role="bold">routeback</emphasis> option.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>ERROR: The "detectnets" option may not be used with a wild-card
        interface</term>

        <listitem>
          <para>The interface name in the INTERFACE column is a wild-card
          (ends with "+"). Such interfaces may not specify the <emphasis
          role="bold">detectnets</emphasis> option.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>ERROR: Duplicate Interface &lt;interface&gt;</term>

        <listitem>
          <para>The named interface has two entries in
          <filename>/etc/shorewall/interfaces</filename>.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>ERROR: Invalid Interface Name: &lt;interface&gt;</term>

        <listitem>
          <para>The interface name contains a colon (":") or is "+". If the
          name includes a ":", you probably need to read <ulink
          url="Shorewall_and_Aliased_Interfaces.xml">this
          article</ulink>.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>ERROR: The 'norfc1918' option may not be specified on an
        interface with an RFC 1918 address. Interface:
        &lt;interface&gt;</term>

        <listitem>
          <para>The &lt;interface&gt; named in the message is configured with
          an IP address that is reserved by RFC 1918 -- that address is
          incompatible with the <emphasis role="bold">norfc1918</emphasis>
          interface option.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>ERROR: Unknown interface (&lt;interface&gt;) in record
        "&lt;record&gt;"</term>

        <listitem>
          <para>The <emphasis>&lt;interface&gt;</emphasis> name listed in the
          <emphasis>&lt;record&gt;</emphasis> from
          <filename>/etc/shorewall/hosts</filename> was not defined in
          <filename>/etc/shorewall/interfaces</filename>.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>ERROR: Invalid HOST(S) column contents: &lt;hosts&gt;</term>

        <listitem>
<para>The contents of the HOST(S) column in a record from
          <filename>/etc/shorewall/hosts</filename> do not follow the proper
          syntax for that column in that they don't contain at least one
          colon (":"). See the <ulink
          url="Documentation.htm#Hosts">/etc/shorewall/hosts
          documentation</ulink>.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>ERROR: Bridged interfaces may not be defined in
        /etc/shorewall/interfaces: &lt;interface&gt;[:&lt;address&gt;]</term>

        <listitem>
          <para>The named interface appears in /etc/shorewall/hosts and
          appears as a bridge port (after a colon) but is also defined in
          <filename>/etc/shorewall/interfaces</filename>.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>ERROR: Undefined zone &lt;zone&gt;</term>

        <listitem>
          <para>The named zone appears in the /etc/shorewall/policy file but
          not in the /etc/shorewall/zones file.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>ERROR: &lt;policy record&gt;: NONE policy not allowed to/from
        the &lt;firewall-zone-name&gt; zone</term>

        <listitem>
          <para>Shorewall does not support a policy of NONE when the source or
          destination zone is the firewall itself.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>ERROR: &lt;policy record&gt;: NONE policy not allowed with
        "all"</term>

        <listitem>
          <para>Shorewall does not support a policy of NONE when the source or
          destination zone is "all".</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>ERROR: Duplicate policy: &lt;source zone&gt; &lt;destination
        zone&gt; &lt;policy&gt; </term>

        <listitem>
          <para>There is an earlier record in the file with the same
          &lt;source zone&gt; and &lt;destination zone&gt;</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>ERROR: Can't determine the IP address of
        &lt;interface&gt;</term>

        <listitem>
<para>You have specified DETECT_DNAT_ADDRS=Yes in
          /etc/shorewall/shorewall.conf and Shorewall is unable to determine
          the IP address of the named <emphasis>&lt;interface&gt;</emphasis>.
          Be sure that the interface is started before starting Shorewall or
          set DETECT_DNAT_ADDRS=No.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
<term>ERROR: Invalid gateway zone (&lt;zone&gt;) -- Tunnel
        "&lt;record&gt;"</term>

        <listitem>
          <para>The listed <emphasis>&lt;zone&gt;</emphasis> name appears in
          the GATEWAY ZONE column of the listed
          <emphasis>&lt;record&gt;</emphasis> from
          <filename>/etc/shorewall/tunnels</filename> but is not defined in
          <filename>/etc/shorewall/zones</filename>.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>ERROR: No hosts on &lt;interface&gt; have the maclist option
        specified</term>

        <listitem>
          <para>The named <emphasis>&lt;interface&gt;</emphasis> appears in a
          record in <filename>/etc/shorewall/maclist</filename> yet that
          interface's record in <filename>/etc/shorewall/interfaces</filename>
          does not specify the <emphasis role="bold">maclist</emphasis> option
          and no record in <filename>/etc/shorewall/hosts</filename> that
          names that interface includes the <emphasis
          role="bold">maclist</emphasis> option.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>ERROR: Interface &lt;interface&gt; must be up before Shorewall
        can start</term>

        <listitem>
<para>You have specified the <emphasis
          role="bold">maclist</emphasis> option for this interface but the
          command <command>ip link show &lt;interface&gt;</command>
          fails.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>ERROR: Unknown interface &lt;interface&gt;</term>

        <listitem>
          <para>The interface appears in a configuration file but is not
          defined in <filename>/etc/shorewall/interfaces</filename>.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>ERROR: BRIDGING=Yes requires Physdev Match support in your
        Kernel and iptables</term>

        <listitem>
          <para>You have set BRIDGING=Yes in
          <filename>/etc/shorewall/shorewall.conf</filename> but it appears
          that your kernel and/or iptables do not have physdev match
          support.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>ERROR: Invalid Action Name: &lt;action&gt;</term>

        <listitem>
          <para>The &lt;action&gt; contains one of the following characters:
          ".", "-", or "%". Those characters are not allowed in an action
          name.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>ERROR: Invalid Macro Parameter in rule "&lt;rule&gt;"</term>

        <listitem>
          <para>The value being passed to a parameterized macro is not ACCEPT,
          DROP, REJECT, LOG, QUEUE or CONTINUE.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>ERROR: Missing Action File: action.&lt;action name&gt;</term>

        <listitem>
          <para>The specified &lt;action name&gt; has an entry in
          <filename>/usr/share/shorewall/actions.std</filename> or in
          <filename>/etc/shorewall/actions</filename> but the corresponding
          action file does not exist on the CONFIG_PATH.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>ERROR: Unknown interface &lt;interface&gt; in rule:
        "&lt;rule&gt;"</term>

        <listitem>
          <para>You have BRIDGING=No in
          <filename>/etc/shorewall/shorewall.conf</filename> and the
          <emphasis>&lt;interface&gt;</emphasis> given in a rule does not
          match an entry in
          <filename>/etc/shorewall/interfaces</filename>.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>ERROR: SNAT may no longer be specified in a DNAT rule; use
        /etc/shorewall/masq instead</term>

        <listitem>
<para>In earlier Shorewall versions, the ORIGINAL DEST column
          allowed following the original destination IP address with ":" and
          an address to use as the source of the forwarded connection request.
          Now that /etc/shorewall/masq supports qualification of SNAT rules by
          protocol and port, this feature is no longer required and has been
          removed.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
<term>ERROR: Invalid Source in rule "&lt;rule&gt;"</term>

        <listitem>
<para>The SOURCE column has the firewall zone name immediately
          followed by "!". This syntax is used to exclude a subzone, and
          Shorewall currently doesn't support subzones of the firewall
          zone.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>ERROR: Rule "&lt;rule&gt;" - Destination may not be specified by
        MAC Address</term>

        <listitem>
<para>Netfilter (and hence Shorewall) does not allow qualification
          of a rule by destination MAC address.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>ERROR: Destination interface not allowed with
        &lt;action&gt;</term>

        <listitem>
<para>The named <emphasis>&lt;action&gt;</emphasis> is either ACCEPT+
          or NONAT. These actions are enforced in part in the PREROUTING nat
          chain, where the destination interface is not yet known (because
          the packet has not yet been routed). As a result, the DESTINATION
          column may not contain an interface name.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>ERROR: Only DNAT and REDIRECT rules may specify destination
        mapping; rule "&lt;rule&gt;"</term>

        <listitem>
<para>The <emphasis>&lt;rule&gt;</emphasis> specifies a server
          address that is different from the ORIGINAL DEST address and/or it
          specifies a server port that is different from the destination port
          but the ACTION is neither DNAT[-] nor REDIRECT[-].</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>ERROR: Empty source zone or qualifier: rule
        "&lt;rule&gt;"</term>

        <listitem>
          <para>The SOURCE column is of one of the forms
          <emphasis>&lt;zone&gt;</emphasis>:,
          :<emphasis>&lt;qualifier&gt;</emphasis> or :.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>ERROR: Exclude list only allowed with DNAT or REDIRECT</term>

        <listitem>
          <para>In DNAT[-] and REDIRECT[-] rules, you can have a SOURCE of the
          form
          <emphasis>&lt;zone&gt;</emphasis>:<emphasis>&lt;net1&gt;</emphasis>!<emphasis>&lt;net2&gt;</emphasis>.
          This means <emphasis>&lt;net1&gt;</emphasis> in the
          <emphasis>&lt;zone&gt;</emphasis> zone <emphasis role="bold">except
          for</emphasis> <emphasis>&lt;net2&gt;</emphasis>. This syntax is not
          available with other ACTIONs.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>ERROR: Invalid use of a user-qualification: rule
        "&lt;rule&gt;"</term>

        <listitem>
<para>The USER/GROUP column may only have an entry if the SOURCE is
          the firewall zone.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>ERROR: Empty destination zone or qualifier: rule
        "&lt;rule&gt;"</term>

        <listitem>
          <para>The DEST column is of one of the forms
          <emphasis>&lt;zone&gt;</emphasis>:,
          :<emphasis>&lt;qualifier&gt;</emphasis> or :.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>ERROR: Undefined Client Zone in rule "&lt;rule&gt;"</term>

        <listitem>
          <para>The zone given in the SOURCE column was not defined in
          <filename>/etc/shorewall/zones</filename>.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>ERROR: Undefined Server Zone in rule "&lt;rule&gt;"</term>

        <listitem>
          <para>The zone given in the DEST column was not defined in
          <filename>/etc/shorewall/zones</filename>.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>ERROR: Rules may not override a NONE policy: rule
        "&lt;rule&gt;"</term>

        <listitem>
          <para>If the policy from zone z1 to zone z2 is NONE that means that
          Shorewall sets up no infrastructure to handle traffic from z1 to z2.
          Consequently, you cannot have any rules that control traffic from z1
          to z2.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>ERROR: Invalid Action in rule "&lt;rule&gt;"</term>

        <listitem>
          <para>The ACTION column contains an action that is not one of the
          built-in actions and it is not defined in
          <filename>/etc/shorewall/actions</filename> or in
          <filename>/usr/share/shorewall/actions.std</filename>.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>ERROR: Unable to determine the routes through interface
        &lt;interface&gt;</term>

        <listitem>
          <para>You have specified <emphasis>&lt;interface&gt;</emphasis> in
          the SUBNET column of <filename>/etc/shorewall/masq</filename> which
          means that Shorewall is supposed to determine the network(s) routed
          through that interface. To do that, Shorewall issues the command
          <command>ip addr ls dev &lt;interface&gt;</command> and that command
          failed. This usually means that you are trying to start Shorewall
          before the <emphasis>&lt;interface&gt;</emphasis> is brought
          up.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>ERROR: No appropriate chain for zone &lt;z1&gt; to zone
        &lt;z2&gt;</term>

        <listitem>
          <para>There is no policy defined in
          <filename>/etc/shorewall/policy</filename> for connections from zone
          <emphasis>&lt;z1&gt;</emphasis> to zone
          <emphasis>&lt;z2&gt;</emphasis>.</para>
        </listitem>
      </varlistentry>
    </variablelist>
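    <para>Many of the zone and policy messages above are simple consistency
    checks on <filename>/etc/shorewall/zones</filename> and
    <filename>/etc/shorewall/policy</filename>: name length, leading digit,
    reserved names, duplicates, parent defined before child, a single
    non-nested firewall zone, NONE policies, duplicate policies and zone
    pairs that no policy covers (the "No appropriate chain" message). The
    following Python validator reproduces those checks on two constructed
    pairs of sample files. It is an added example, not Shorewall's own
    parser: it assumes a three-column ZONE[:PARENT] TYPE OPTIONS layout with
    "-" for an empty OPTIONS column, treats "all" as matching every zone, and
    wording not shown in the list above (the missing-TYPE message) is ours.</para>

    <programlisting>
```python
RESERVED_ZONES = ("none", "all")
FIREWALL = "firewall"


def records(text):
    """Yield the whitespace-split fields of each non-comment, non-blank line."""
    for raw in text.splitlines():
        line = raw.split("#")[0].strip()
        if line:
            yield line.split()


def zone_name_error(name):
    """Checks on a bare zone name, in the order the messages above list them."""
    if len(name) > 5:
        return "ERROR: Zone name longer than 5 characters: %s" % name
    if name[0].isdigit():
        return 'ERROR: Illegal zone name "%s" in zones file' % name
    if name in RESERVED_ZONES:
        return 'ERROR: Reserved zone name "%s" in zones file' % name
    return None


def parse_zones(text):
    """Return (zones, errors); zones maps name to (type, parent).
    Assumed layout: ZONE[:PARENT]  TYPE  OPTIONS...  ('-' means no options)."""
    zones, errors = {}, []
    for fields in records(text):
        if len(fields) == 1:  # not a Shorewall message; our own guard
            errors.append("ERROR: Missing zone type in record: %s" % fields[0])
            continue
        spec, ztype, options = fields[0], fields[1], fields[2:]
        if spec.startswith(":"):
            errors.append("ERROR: Invalid nested zone syntax: %s" % spec)
            continue
        name, _, parent = spec.partition(":")
        err = zone_name_error(name)
        if err is None and name in zones:
            err = "ERROR: Zone %s is defined more than once" % name
        if err is None and parent:
            if parent not in zones:
                err = "ERROR: Parent zone not defined: %s" % parent
            elif zones[parent][0] == FIREWALL:
                err = "ERROR: Sub-zones of the firewall zone are not allowed"
            elif ztype == FIREWALL:
                err = "ERROR: The firewall zone may not be nested"
        if err is None and ztype == FIREWALL:
            if any(o != "-" for o in options):
                err = "ERROR: OPTIONS not allowed on the firewall zone"
            elif any(t == FIREWALL for t, _ in zones.values()):
                err = "ERROR: Only one firewall zone may be defined"
        if err:
            errors.append(err)
            continue
        zones[name] = (ztype, parent)
    types = [t for t, _ in zones.values()]
    if "ipv4" not in types and "ipsec" not in types:
        errors.append("ERROR: No ipv4 or ipsec Zones Defined")
    if FIREWALL not in types:
        errors.append("ERROR: No Firewall Zone Defined")
    return zones, errors


def check_policy(text, zones):
    """Apply the policy-file checks from the list above to parsed zones."""
    errors, seen = [], []
    fw = [n for n, (t, _) in zones.items() if t == FIREWALL]
    for fields in records(text):
        src, dst, policy = fields[0], fields[1], fields[2]
        record = " ".join(fields[:3])
        for z in (src, dst):
            if z != "all" and z not in zones:
                errors.append("ERROR: Undefined zone %s" % z)
        if policy == "NONE" and "all" in (src, dst):
            errors.append('ERROR: %s: NONE policy not allowed with "all"' % record)
        elif policy == "NONE" and (src in fw or dst in fw):
            errors.append("ERROR: %s: NONE policy not allowed to/from the %s zone"
                          % (record, fw[0]))
        if (src, dst) in seen:
            errors.append("ERROR: Duplicate policy: %s" % record)
        seen.append((src, dst))
    # Every ordered pair of distinct zones needs a policy, explicit or via "all".
    for a in zones:
        for b in zones:
            if a != b and not any(s in (a, "all") and d in (b, "all") for s, d in seen):
                errors.append("ERROR: No appropriate chain for zone %s to zone %s" % (a, b))
    return errors


def validate(zones_text, policy_text):
    zones, errors = parse_zones(zones_text)
    return errors + check_policy(policy_text, zones)


# Constructed sample files: a clean pair and a deliberately broken pair.
GOOD_ZONES = "fw firewall\nnet ipv4\nloc ipv4\ndmz ipv4\nvpn:loc ipsec\n"
GOOD_POLICY = "loc net ACCEPT\nnet all DROP\nall all REJECT\n"
BAD_ZONES = (":loc ipv4\nall ipv4\nfw firewall\nfw2 firewall\n"
             "gst:fw ipv4\nrmt:vpn ipv4\nloc ipv4\nloc ipv4\n")
BAD_POLICY = "loc net ACCEPT\nloc net DROP\nfw all NONE\nlan net DROP\nnet all DROP\n"

if __name__ == "__main__":
    for e in parse_zones(BAD_ZONES)[1] + validate(GOOD_ZONES, BAD_POLICY):
        print(e)
```
    </programlisting>

    <para>The clean pair produces no messages. The broken zones file yields
    six errors (invalid nested syntax, reserved name, second firewall zone,
    sub-zone of the firewall zone, undefined parent, duplicate zone), and the
    broken policy file yields a duplicate policy, a NONE policy with "all", an
    undefined zone, and one "No appropriate chain" message for each of the
    eleven zone pairs that no policy covers.</para>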
  </section>

  <section>
    <title>Warnings</title>

<para>This section describes some of the more common warnings generated
    by Shorewall.</para>

    <variablelist>
      <varlistentry>
        <term>Warning: default route ignored on interface
        &lt;interface&gt;</term>

        <listitem>
          <para>This means that the interface named in the SUBNET column of
          <filename>/etc/shorewall/masq</filename> has the default route. This
          almost always means that you have the contents of the INTERFACE and
          SUBNET columns reversed.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>Warning: Zone &lt;zone&gt; is empty</term>

        <listitem>
<para>This warning alerts you to the fact that &lt;zone&gt; is
          defined in <filename>/etc/shorewall/zones</filename> but has no
          corresponding entries in
          <filename>/etc/shorewall/interfaces</filename> or in
          <filename>/etc/shorewall/hosts</filename>.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>WARNING: Shorewall startup is disabled. To enable startup, set
        STARTUP_ENABLED=Yes in /etc/shorewall/shorewall.conf</term>

        <listitem>
          <para>If you need help understanding that warning message then you
          probably need to take up another hobby or line of work.</para>
        </listitem>
      </varlistentry>
    </variablelist>
  </section>

  <section>
    <title>Iptables Error Messages</title>

<para>By far the most frequently asked-about iptables error messages
    are:</para>

    <glosslist>
      <glossentry>
        <glossterm>iptables: No chain/target/match by that name</glossterm>

        <glossdef>
          <para>This almost always means that you are trying to use a
          Shorewall feature that your iptables and/or kernel do not support.
          Beginning with version 2.2.0, Shorewall follows this message with a
          copy of the iptables command that is failing. Most commonly, the
          problem is that one of the match types (keyword following "-m" in
          the command) isn't supported by your iptables/kernel. The output of
          "shorewall show capabilities" shows you what your iptables/kernel
          support:</para>

          <programlisting>gateway:~# shorewall show capabilities
Shorewall has detected the following iptables/netfilter capabilities:
 <emphasis role="bold">  NAT: Available
   Packet Mangling: Available
   Multi-port Match: Available
   Extended Multi-port Match: Available
   Connection Tracking Match: Available
   Packet Type Match: Available
   Policy Match: Available
   Physdev Match: Available
   IP range Match: Available
   Recent Match: Available
   Owner Match: Available
   Ipset Match: Available
   ROUTE Target: Not available
   Extended MARK Target: Available
   CONNMARK Target: Available
   Connmark Match: Available</emphasis>
   <emphasis role="bold">Raw Table: Available</emphasis>
gateway:~#</programlisting>
        </glossdef>
      </glossentry>

      <glossentry>
        <glossterm>iptables: invalid argument</glossterm>

        <glossdef>
          <para>Answer: 99.999% of the time, this error is caused by a
          mismatch between your iptables and kernel.</para>

          <orderedlist>
            <listitem>
              <para>Your iptables must be compiled against a kernel source
              tree that is Netfilter-compatible with the kernel that you are
              running.</para>
            </listitem>

            <listitem>
<para>If you rebuild iptables using the defaults and install it,
              it will be installed in /usr/local/sbin/iptables, while the
              IPTABLES variable in shorewall.conf may still point at
              "/sbin/iptables".</para>
            </listitem>
          </orderedlist>
        </glossdef>
      </glossentry>
    </glosslist>
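    <para>When "No chain/target/match by that name" appears, the quickest
    triage is to compare the "-m" matches and "-j" targets in the failing
    iptables command that Shorewall prints against the
    <command>shorewall show capabilities</command> output. The following
    Python script does that comparison over the capability listing reproduced
    above (bold markup removed) and two constructed iptables command lines. It
    is an added example, not part of Shorewall: the pairing of iptables
    keywords with capability labels is our assumption, and the sample
    commands are made up for the demonstration.</para>

    <programlisting>
```python
# "shorewall show capabilities" output as reproduced above (bold markup removed).
CAPABILITIES_TEXT = """\
Shorewall has detected the following iptables/netfilter capabilities:
   NAT: Available
   Packet Mangling: Available
   Multi-port Match: Available
   Extended Multi-port Match: Available
   Connection Tracking Match: Available
   Packet Type Match: Available
   Policy Match: Available
   Physdev Match: Available
   IP range Match: Available
   Recent Match: Available
   Owner Match: Available
   Ipset Match: Available
   ROUTE Target: Not available
   Extended MARK Target: Available
   CONNMARK Target: Available
   Connmark Match: Available
   Raw Table: Available
"""

# Pairing of iptables "-m" match / "-j" target keywords with the capability
# labels above.  The keywords are iptables'; the pairing is our assumption.
MATCH_CAPABILITY = {
    "multiport": "Multi-port Match", "conntrack": "Connection Tracking Match",
    "pkttype": "Packet Type Match", "policy": "Policy Match",
    "physdev": "Physdev Match", "iprange": "IP range Match",
    "recent": "Recent Match", "owner": "Owner Match",
    "set": "Ipset Match", "connmark": "Connmark Match",
}
TARGET_CAPABILITY = {
    "ROUTE": "ROUTE Target", "CONNMARK": "CONNMARK Target",
    "MARK": "Extended MARK Target",
}

# Constructed examples of the command line Shorewall echoes after the error.
FAILING_ROUTE = "iptables -t mangle -A PREROUTING -s 192.168.1.0/24 -j ROUTE --oif eth1"
FAILING_POLICY = "iptables -A eth0_in -m policy --dir in --pol ipsec -j ACCEPT"


def parse_capabilities(text):
    """Map each capability label to True (Available) or False (Not available)."""
    caps = {}
    for line in text.splitlines():
        name, _, state = line.partition(":")
        state = state.strip()
        if state in ("Available", "Not available"):
            caps[name.strip()] = state == "Available"
    return caps


def diagnose(command, caps):
    """List (keyword, capability label, availability) for every -m and -j
    in the command.  Availability is None when the keyword is not mapped or
    the capability is not in the listing."""
    argv = command.split()
    findings = []
    for i, tok in enumerate(argv[:-1]):
        if tok == "-m":
            label = MATCH_CAPABILITY.get(argv[i + 1])
        elif tok == "-j":
            label = TARGET_CAPABILITY.get(argv[i + 1])
        else:
            continue
        findings.append((argv[i + 1], label, caps.get(label) if label else None))
    return findings


def missing_capabilities(command, caps):
    """Capability labels the command relies on that were reported Not available."""
    return [label for _, label, ok in diagnose(command, caps) if ok is False]


if __name__ == "__main__":
    caps = parse_capabilities(CAPABILITIES_TEXT)
    for cmd in (FAILING_ROUTE, FAILING_POLICY):
        print(cmd)
        print("  missing:", missing_capabilities(cmd, caps) or "none; look elsewhere")
```
    </programlisting>

    <para>For the first sample command the script points at "ROUTE Target",
    which the listing reports as not available; the second uses policy match,
    which is available, so the failure must have another cause (for example a
    kernel/iptables mismatch, as described under "invalid argument").</para>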
  </section>
</article>