<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN" "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"> <article> <!--$Id$--> <articleinfo> <title>Shorewall Error Messages</title> <authorgroup> <author> <firstname>Tom</firstname> <surname>Eastep</surname> </author> </authorgroup> <pubdate><?dbtimestamp format="Y/m/d"?></pubdate> <copyright> <year>2004</year> <year>2005</year> <holder>Thomas M. Eastep</holder> </copyright> <legalnotice> <para>Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the license is included in the section entitled <quote><ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink></quote>.</para> </legalnotice> </articleinfo> <section> <title>Introduction</title> <para>Shorewall can produce a wide variety of error messages when a problem is detected with your configuration. This article attempts to explain the cause of and cures for some of these messages.</para> </section> <section> <title>Messages Produced by /sbin/shorewall</title> <para>Some error messages are produced by the /sbin/shorewall utility. These messages are detailed in this section.</para> <variablelist> <varlistentry> <term>ERROR: <label> must specify a simple file name: <name></term> <listitem> <para>This means that you have specified a restore file name with a "/". Restore files must be simple file names with no slashes.</para> </listitem> </varlistentry> <varlistentry> <term>ERROR: Shorewall is not properly installed</term> <listitem> <para>The files <filename>/usr/share/shorewall/firewall</filename> and/or <filename>/usr/share/shorewall/version</filename> do not exist.</para> </listitem> </varlistentry> <varlistentry> <term>ERROR: <file name> exists and is not a saved Shorewall configuration</term> <listitem> <para>The named file in <filename>/var/lib/shorewall</filename> exists but is not executable.</para> </listitem> </varlistentry> <varlistentry> <term>ERROR: Reserved file name: <file name></term> <listitem> <para>You have specified either <filename>save</filename> or <filename>restore-base</filename> as the name of a restore file -- those names are reserved for use by Shorewall.</para> </listitem> </varlistentry> <varlistentry> <term>ERROR: Currently-running Configuration Not Saved</term> <listitem> <para>During processing of a <command>shorewall save</command> command, the <command>iptables-save</command> command failed.</para> </listitem> </varlistentry> <varlistentry> <term>ERROR: /var/lib/shorewall/restore-base does not exist</term> <listitem> <para>The <command>shorewall start</command> and <command>shorewall restart</command> commands create a file called <filename>/var/lib/shorewall/restore-base</filename> which forms the basis for creating a restore file using <command>shorewall save</command>. This error message is issued when <command>shorewall save</command> is not able to find that file.</para> </listitem> </varlistentry> <varlistentry> <term>ERROR: The program specified in IPTABLES does not exist or is not executable</term> <listitem> <para>The IPTABLES option in <filename>/etc/shorewall/shorewall.conf</filename> specifies a file that is not executable.</para> </listitem> </varlistentry> <varlistentry> <term>ERROR: Can't find iptables executable</term> <listitem> <para>There is no executable file named "iptables" in any directory in $PATH.</para> </listitem> </varlistentry> <varlistentry> <term>ERROR: The program specified in SHOREWALL_SHELL does not exist or is not executable</term> <listitem> <para>The SHOREWALL_SHELL option in <filename>/etc/shorewall/shorewall.conf</filename> names does not name an executable file.</para> </listitem> </varlistentry> <varlistentry> <term>ERROR: /var/lib/shorewall/<file> exists and is not a saved Shorewall configuration</term> <listitem> <para>The restore file (<file>) specified or implied in a <command>shorewall save</command> command already exists but is not executable (and hence cannot be a value restore file). Either remove/rename the file or specify a different file name.</para> </listitem> </varlistentry> </variablelist> </section> <section> <title>Messages Produced by /usr/share/shorewall/firewall</title> <para>The program <filename>/usr/share/shorewall/firewall</filename> is responsible for parsing the Shorewall configuration files and for creating and changing the Netfilter configuration. Some of the error messages generated by this program are listed below.</para> <variablelist> <varlistentry> <term>ERROR: Invalid nested zone syntax: :<parent-zone></term> <listitem> <para>The zone name in the ZONE column of <filename>/etc/shorewall/zones</filename> may not start with a colon (":").</para> </listitem> </varlistentry> <varlistentry> <term>ERROR: Sub-zones of the firewall zone are not allowed</term> <listitem> <para>The firewall zone may not be defined to have zones nested within it.</para> </listitem> </varlistentry> <varlistentry> <term>ERROR: Parent zone not defined: <parent-zone></term> <listitem> <para>When defining nested zones in <filename>/etc/shorewall/zones</filename>, the parent zone must be defined before any zones nested inside of it.</para> </listitem> </varlistentry> <varlistentry> <term>ERROR: Zone name longer than 5 characters: <zone></term> <listitem> <para>Zone names are restricted to 5 characters or less in length.</para> </listitem> </varlistentry> <varlistentry> <term>ERROR: Illegal zone name "<zone>" in zones file</term> <listitem> <para>The zone name quoted in the error message begins with a digit -- zone names must begin with an alphabetic character.</para> </listitem> </varlistentry> <varlistentry> <term>ERROR: Reserved zone name "<zone>" in zones file</term> <listitem> <para>The names "none" and "all" are reserved and may not be used as zone names in <filename>/etc/shorewall/zones</filename>.</para> </listitem> </varlistentry> <varlistentry> <term>ERROR: Zone <zone> is defined more than once</term> <listitem> <para>There are two records in <filename>/etc/shorewall/zones</filename> that define the named zone.</para> </listitem> </varlistentry> <varlistentry> <term>ERROR: Your kernel and/or iptables does not support policy match</term> <listitem> <para>You have defined a zone of type <emphasis role="bold">ipsec</emphasis> in <filename>/etc/shorewall/zones</filename> or have specified the ipsec option in an <filename>/etc/shorewall/hosts</filename> record but your kernel and/or iptables don't include policy match support -- see <ulink url="IPSEC-2.6.html">this article</ulink> for details.</para> </listitem> </varlistentry> <varlistentry> <term>ERROR: The firewall zone may not be nested</term> <listitem> <para>You have defined a zone of type <emphasis role="bold">firewall</emphasis> to be nested inside another zone. Shorewall does not support such nesting.</para> </listitem> </varlistentry> <varlistentry> <term>ERROR: OPTIONS not allowed on the firewall zone</term> <listitem> <para>The zone of type <emphasis role="bold">firewall</emphasis> may not have any options specified in the OPTIONS, IN OPTIONS or OUT OPTIONS columns of <filename>/etc/shorewall/zones</filename>.</para> </listitem> </varlistentry> <varlistentry> <term>ERROR: Only one firewall zone may be defined</term> <listitem> <para>You may have only one record in <filename>/etc/shorewall/zones</filename> that has type <emphasis role="bold">firewall</emphasis>.</para> </listitem> </varlistentry> <varlistentry> <term>ERROR: No ipv4 or ipsec Zones Defined</term> <listitem> <para>You must define at least one ipv4 or ipsec zone in <filename>/etc/shorewall/zones</filename>.</para> </listitem> </varlistentry> <varlistentry> <term>ERROR: No Firewall Zone Defined</term> <listitem> <para>You must define one (and only one) zone if type <emphasis role="bold">firewall</emphasis> in <filename>/etc/shorewall/zones</filename>.</para> </listitem> </varlistentry> <varlistentry> <term>ERROR: Invalid Mark or Mask value: <number></term> <listitem> <para>Shorewall-assigned packet and connection marks are limited to the range 1-255.</para> </listitem> </varlistentry> <varlistentry> <term>ERROR: Invalid zone definition for zone <zone></term> <listitem> <para>The zone named in the message is defined to be associated with an interface in <filename>/etc/shorewall/interfaces</filename> yet it also has an entry for that same interface in <filename>/etc/shorewall/hosts</filename>.</para> </listitem> </varlistentry> <varlistentry> <term>ERROR: Invalid zone (<zone>) in record "<record>"</term> <listitem> <para>The zone named in the ZONE column of the listed record from <filename>/etc/shorewall/interfaces</filename> or <filename>/etc/shorewall/hosts</filename> is not defined in <filename>/etc/shorewall/zones</filename>.</para> </listitem> </varlistentry> <varlistentry> <term>ERROR: The routeback option may not be specified on a multi-zone interface</term> <listitem> <para>The ZONE column of a record in <filename>/etc/shorewall/interfaces</filename> was empty ("-"). Such interfaces may not specify the <emphasis role="bold">routeback</emphasis> option.</para> </listitem> </varlistentry> <varlistentry> <term>ERROR: The "detectnets" option may not be used with a wild-card interface</term> <listitem> <para>The interface name in the INTERFACE column is a wild-card (ends with "+"). Such interfaces may not specify the <emphasis role="bold">detectnets</emphasis> option.</para> </listitem> </varlistentry> <varlistentry> <term>ERROR: Duplicate Interface <interface></term> <listitem> <para>The named interface has two entries in <filename>/etc/shorewall/interfaces</filename>.</para> </listitem> </varlistentry> <varlistentry> <term>ERROR: Invalid Interface Name: <interface></term> <listitem> <para>The interface name contains a colon (":") or is "+". If the name includes a ":", you probably need to read <ulink url="Shorewall_and_Aliased_Interfaces.xml">this article</ulink>.</para> </listitem> </varlistentry> <varlistentry> <term>ERROR: The 'norfc1918' option may not be specified on an interface with an RFC 1918 address. Interface: <interface></term> <listitem> <para>The <interface> named in the message is configured with an IP address that is reserved by RFC 1918 -- that address is incompatible with the <emphasis role="bold">norfc1918</emphasis> interface option.</para> </listitem> </varlistentry> <varlistentry> <term>ERROR: Unknown interface (<interface>) in record "<record>"</term> <listitem> <para>The <emphasis><interface></emphasis> name listed in the <emphasis><record></emphasis> from <filename>/etc/shorewall/hosts</filename> was not defined in <filename>/etc/shorewall/interfaces</filename>.</para> </listitem> </varlistentry> <varlistentry> <term>ERROR: Invalid HOST(S) column contents: <hosts></term> <listitem> <para>The contests of the HOST(S) column in a record from <filename>/etc/shorewall/hosts</filename> does not follow the proper syntax for that column in that it doesn't contain at least one colon (":"). See the <ulink url="Documentation.htm#Hosts">/etc/shorewall/hosts documentation</ulink>.</para> </listitem> </varlistentry> <varlistentry> <term>ERROR: Bridged interfaces may not be defined in /etc/shorewall/interfaces: <interface>[:<address>]</term> <listitem> <para>The named interface appears in /etc/shorewall/hosts and appears as a bridge port (after a colon) but is also defined in <filename>/etc/shorewall/interfaces</filename>.</para> </listitem> </varlistentry> <varlistentry> <term>ERROR: Undefined zone <zone></term> <listitem> <para>The named zone appears in the /etc/shorewall/policy file but not in the /etc/shorewall/zones file.</para> </listitem> </varlistentry> <varlistentry> <term>ERROR: <policy record>: NONE policy not allowed to/from the <firewall-zone-name> zone</term> <listitem> <para>Shorewall does not support a policy of NONE when the source or destination zone is the firewall itself.</para> </listitem> </varlistentry> <varlistentry> <term>ERROR: <policy record>: NONE policy not allowed with "all"</term> <listitem> <para>Shorewall does not support a policy of NONE when the source or destination zone is "all".</para> </listitem> </varlistentry> <varlistentry> <term>ERROR: Duplicate policy: <source zone> <destination zone> <policy> </term> <listitem> <para>There is an earlier record in the file with the same <source zone> and <destination zone></para> </listitem> </varlistentry> <varlistentry> <term>ERROR: Can't determine the IP address of <interface></term> <listitem> <para>You have specified DETECT_DNAT_ADDRS=Yes in /etc/shorewall/shorewall.conf and Shorewall is unablee to determine the IP address of the named <emphasis><interface></emphasis>. Be sure that the interface is started before starting Shorewall or set DETECT_DNAT_ADDRS=No.</para> </listitem> </varlistentry> <varlistentry> <term>ERROR: Invalid gateway zone (<zone>) -- Tunnel "<record></term> <listitem> <para>The listed <emphasis><zone></emphasis> name appears in the GATEWAY ZONE column of the listed <emphasis><record></emphasis> from <filename>/etc/shorewall/tunnels</filename> but is not defined in <filename>/etc/shorewall/zones</filename>.</para> </listitem> </varlistentry> <varlistentry> <term>ERROR: No hosts on <interface> have the maclist option specified</term> <listitem> <para>The named <emphasis><interface></emphasis> appears in a record in <filename>/etc/shorewall/maclist</filename> yet that interface's record in <filename>/etc/shorewall/interfaces</filename> does not specify the <emphasis role="bold">maclist</emphasis> option and no record in <filename>/etc/shorewall/hosts</filename> that names that interface includes the <emphasis role="bold">maclist</emphasis> option.</para> </listitem> </varlistentry> <varlistentry> <term>ERROR: Interface <interface> must be up before Shorewall can start</term> <listitem> <para>You have specified the <emphasis role="bold">maclist</emphasis> option for this interface but the command <command>ip list show <interface></command> fails.</para> </listitem> </varlistentry> <varlistentry> <term>ERROR: Unknown interface <interface></term> <listitem> <para>The interface appears in a configuration file but is not defined in <filename>/etc/shorewall/interfaces</filename>.</para> </listitem> </varlistentry> <varlistentry> <term>ERROR: BRIDGING=Yes requires Physdev Match support in your Kernel and iptables</term> <listitem> <para>You have set BRIDGING=Yes in <filename>/etc/shorewall/shorewall.conf</filename> but it appears that your kernel and/or iptables do not have physdev match support.</para> </listitem> </varlistentry> <varlistentry> <term>ERROR: Invalid Action Name: <action></term> <listitem> <para>The <action> contains one of the following characters: ".", "-", or "%". Those characters are not allowed in an action name.</para> </listitem> </varlistentry> <varlistentry> <term>ERROR: Invalid Macro Parameter in rule "<rule>"</term> <listitem> <para>The value being passed to a parameterized macro is not ACCEPT, DROP, REJECT, LOG, QUEUE or CONTINUE.</para> </listitem> </varlistentry> <varlistentry> <term>ERROR: Missing Action File: action.<action name></term> <listitem> <para>The specified <action name> has an entry in <filename>/usr/share/shorewall/actions.std</filename> or in <filename>/etc/shorewall/actions</filename> but the corresponding action file does not exist on the CONFIG_PATH.</para> </listitem> </varlistentry> <varlistentry> <term>ERROR: Unknown interface <interface> in rule: "<rule>"</term> <listitem> <para>You have BRIDGING=No in <filename>/etc/shorewall/shorewall.conf</filename> and the <emphasis><interface></emphasis> given in a rule does not match an entry in <filename>/etc/shorewall/interfaces</filename>.</para> </listitem> </varlistentry> <varlistentry> <term>ERROR: SNAT may no longer be specified in a DNAT rule; use /etc/shorewall/masq instead</term> <listitem> <para>In earlier Shorewall versions, the ORIGINAL DEST column allowed following the original destination IP address with ":" and an address to use as the source of the forwarded connection request. Now that /etc/shorewall/masq supports qualification of SNAT rules by protocol and port, this feature is no longer required and has been deimplemented.</para> </listitem> </varlistentry> <varlistentry> <term>ERROR: "Invalid Source in rule "<rule>"</term> <listitem> <para>The SOURCE column has the firewall zone name immediately followed by "!". This syntax is use to exclude a subzone and Shorewall currently doesn't support subzones of the firewall zone.</para> </listitem> </varlistentry> <varlistentry> <term>ERROR: Rule "<rule>" - Destination may not be specified by MAC Address</term> <listitem> <para>Netfilter (and hence Shorewall) does not allow qualification of a rule by destination source IP address.</para> </listitem> </varlistentry> <varlistentry> <term>ERROR: Destination interface not allowed with <action></term> <listitem> <para>The named <emphasis><action></emphasis> will be ACCEPT+ or NONAT. These actions are inforced in part in the PREROUTING nat chain where the destination interface is not yet known (because the packet has not yet been routed). As a result, the DESTINATION column may not contain an interface name.</para> </listitem> </varlistentry> <varlistentry> <term>ERROR: Only DNAT and REDIRECT rules may specify destination mapping; rule "<rule>"</term> <listitem> <para>The <emphasis><rule></emphasis> specifies a server address that is different from the ORIGINAL DEST address and/or it specifies a server port that is different from the destination port but the ACTION is neither DNAT[-] nor REJECT[-].</para> </listitem> </varlistentry> <varlistentry> <term>ERROR: Empty source zone or qualifier: rule "<rule>"</term> <listitem> <para>The SOURCE column is of one of the forms <emphasis><zone></emphasis>:, :<emphasis><qualifier></emphasis> or :.</para> </listitem> </varlistentry> <varlistentry> <term>ERROR: Exclude list only allowed with DNAT or REDIRECT</term> <listitem> <para>In DNAT[-] and REDIRECT[-] rules, you can have a SOURCE of the form <emphasis><zone></emphasis>:<emphasis><net1></emphasis>!<emphasis><net2></emphasis>. This means <emphasis><net1></emphasis> in the <emphasis><zone></emphasis> zone <emphasis role="bold">except for</emphasis> <emphasis><net2></emphasis>. This syntax is not available with other ACTIONs.</para> </listitem> </varlistentry> <varlistentry> <term>ERROR: Invalid use of a user-qualification: rule "<rule>"</term> <listitem> <para>The USER/GROUP column may only have and entry if the SOURCE is the firewall zone.</para> </listitem> </varlistentry> <varlistentry> <term>ERROR: Empty destination zone or qualifier: rule "<rule>"</term> <listitem> <para>The DEST column is of one of the forms <emphasis><zone></emphasis>:, :<emphasis><qualifier></emphasis> or :.</para> </listitem> </varlistentry> <varlistentry> <term>ERROR: Undefined Client Zone in rule "<rule>"</term> <listitem> <para>The zone given in the SOURCE column was not defined in <filename>/etc/shorewall/zones</filename>.</para> </listitem> </varlistentry> <varlistentry> <term>ERROR: Undefined Server Zone in rule "<rule>"</term> <listitem> <para>The zone given in the DEST column was not defined in <filename>/etc/shorewall/zones</filename>.</para> </listitem> </varlistentry> <varlistentry> <term>ERROR: Rules may not override a NONE policy: rule "<rule>"</term> <listitem> <para>If the policy from zone z1 to zone z2 is NONE that means that Shorewall sets up no infrastructure to handle traffic from z1 to z2. Consequently, you cannot have any rules that control traffic from z1 to z2.</para> </listitem> </varlistentry> <varlistentry> <term>ERROR: Invalid Action in rule "<rule>"</term> <listitem> <para>The ACTION column contains an action that is not one of the built-in actions and it is not defined in <filename>/etc/shorewall/actions</filename> or in <filename>/usr/share/shorewall/actions.std</filename>.</para> </listitem> </varlistentry> <varlistentry> <term>ERROR: Unable to determine the routes through interface <interface></term> <listitem> <para>You have specified <emphasis><interface></emphasis> in the SUBNET column of <filename>/etc/shorewall/masq</filename> which means that Shorewall is supposed to determine the network(s) routed through that interface. To do that, Shorewall issues the command <command>ip addr ls dev <interface></command> and that command failed. This usually means that you are trying to start Shorewall before the <emphasis><interface></emphasis> is brought up.</para> </listitem> </varlistentry> <varlistentry> <term>ERROR: No appropriate chain for zone <z1> to zone <z2></term> <listitem> <para>There is no policy defined in <filename>/etc/shorewall/policy</filename> for connections from zone <emphasis><z1></emphasis> to zone <emphasis><z2></emphasis>.</para> </listitem> </varlistentry> </variablelist> </section> <section> <title>Warnings</title> <para>This sections describes some of the more common warnings generated by Shorewall.</para> <variablelist> <varlistentry> <term>Warning: default route ignored on interface <interface></term> <listitem> <para>This means that the interface named in the SUBNET column of <filename>/etc/shorewall/masq</filename> has the default route. This almost always means that you have the contents of the INTERFACE and SUBNET columns reversed.</para> </listitem> </varlistentry> <varlistentry> <term>Warning: Zone <zone> is empty</term> <listitem> <para>This warning alerts you to the fact tha <zone> is defined in <filename>/etc/shorewall/zones</filename> but has no corresponding entries in <filename>/etc/shorewall/interfaces</filename> or in <filename>/etc/shorewall/hosts</filename>.</para> </listitem> </varlistentry> <varlistentry> <term>WARNING: Shorewall startup is disabled. To enable startup, set STARTUP_ENABLED=Yes in /etc/shorewall/shorewall.conf</term> <listitem> <para>If you need help understanding that warning message then you probably need to take up another hobby or line of work.</para> </listitem> </varlistentry> </variablelist> </section> <section> <title>Iptables Error Messages</title> <para>By far the most asked about iptables error messages are:</para> <glosslist> <glossentry> <glossterm>iptables: No chain/target/match by that name</glossterm> <glossdef> <para>This almost always means that you are trying to use a Shorewall feature that your iptables and/or kernel do not support. Beginning with version 2.2.0, Shorewall follows this message with a copy of the iptables command that is failing. Most commonly, the problem is that one of the match types (keyword following "-m" in the command) isn't supported by your iptables/kernel. The output of "shorewall show capabilities" shows you what your iptables/kernel support:</para> <programlisting>gateway:~# shorewall show capabilities Shorewall has detected the following iptables/netfilter capabilities: <emphasis role="bold"> NAT: Available Packet Mangling: Available Multi-port Match: Available Extended Multi-port Match: Available Connection Tracking Match: Available Packet Type Match: Available Policy Match: Available Physdev Match: Available IP range Match: Available Recent Match: Available Owner Match: Available Ipset Match: Available ROUTE Target: Not available Extended MARK Target: Available CONNMARK Target: Available Connmark Match: Available</emphasis> <emphasis role="bold">Raw Table: Available</emphasis> gateway:~#</programlisting> </glossdef> </glossentry> <glossentry> <glossterm>iptables: invalid argument</glossterm> <glossdef> <para>Answer: 99.999% of the time, this error is caused by a mismatch between your iptables and kernel.</para> <orderedlist> <listitem> <para>Your iptables must be compiled against a kernel source tree that is Netfilter-compatible with the kernel that you are running.</para> </listitem> <listitem> <para>If you rebuild iptables using the defaults and install it, it will be installed in /usr/local/sbin/iptables. As shown above, you have the IPTABLES variable in shorewall.conf set to "/sbin/iptables".</para> </listitem> </orderedlist> </glossdef> </glossentry> </glosslist> </section> </article>