susefirewall2 problem (SuSE 10.1)
When I start the computer or run SuSEfirewall2 I get some weird errors:

  nimrodel:~ # SuSEfirewall2
  SuSEfirewall2: Warning: ip6tables does not support state matching. Extended IPv6 support disabled.
  SuSEfirewall2: Setting up rules from /etc/sysconfig/SuSEfirewall2 ...
  SuSEfirewall2: Firewall customary rules loaded from /etc/sysconfig/scripts/SuSEfirewall2-custom
  SuSEfirewall2: batch committing...
  iptables-batch v1.3.5: host/network `##' not found
  Try `iptables-batch -h' or 'iptables-batch --help' for more information.
  SuSEfirewall2: Error: iptables-batch failed, re-running using iptables
  iptables v1.3.5: host/network `##' not found
  Try `iptables -h' or 'iptables --help' for more information.
  iptables v1.3.5: host/network `##' not found
  Try `iptables -h' or 'iptables --help' for more information.
  iptables v1.3.5: host/network `Type:' not found
  Try `iptables -h' or 'iptables --help' for more information.
  iptables v1.3.5: host/network `Type:' not found
  Try `iptables -h' or 'iptables --help' for more information.
  iptables v1.3.5: host/network `string' not found
  Try `iptables -h' or 'iptables --help' for more information.
  iptables v1.3.5: host/network `string' not found
  Try `iptables -h' or 'iptables --help' for more information.
  iptables v1.3.5: host/network `##' not found
  Try `iptables -h' or 'iptables --help' for more information.
  iptables v1.3.5: host/network `##' not found
  Try `iptables -h' or 'iptables --help' for more information.
  iptables v1.3.5: host/network `Default:' not found
  Try `iptables -h' or 'iptables --help' for more information.
  iptables v1.3.5: host/network `Default:' not found
  Try `iptables -h' or 'iptables --help' for more information.
  SuSEfirewall2: Firewall rules successfully set
  nimrodel:~ # rcSuSEfirewall2 status
  Checking the status of SuSEfirewall2 running
  nimrodel:~ #

I worry about the "not found" errors. How do I find out what is the exact problem? A bug of mine or of SuSE?
It does not report the problematic file or line. The configuration is the same I had with 9.3, and it worked with no errors, AFAIK. I'm also getting some strange errors, maybe not related:

  Jul 23 13:13:16 nimrodel kernel: SFW2-OUT-ERROR IN= OUT=eth0 SRC=192.168.1.12 DST=134.76.11.100 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=61663 DF PROTO=TCP SPT=24438 DPT=80 WINDOW=2184 RES=0x00 ACK FIN URGP=0 OPT (0101080A0002D56B70A5E356)
  Jul 23 13:13:18 nimrodel kernel: SFW2-OUT-ERROR IN= OUT=eth0 SRC=192.168.1.12 DST=134.76.11.100 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=61664 DF PROTO=TCP SPT=24438 DPT=80 WINDOW=2184 RES=0x00 ACK FIN URGP=0 OPT (0101080A0002D6D370A5E356)
  Jul 23 13:13:21 nimrodel kernel: SFW2-OUT-ERROR IN= OUT=eth0 SRC=192.168.1.12 DST=134.76.11.100 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=61665 DF PROTO=TCP SPT=24438 DPT=80 WINDOW=2184 RES=0x00 ACK FIN URGP=0 OPT (0101080A0002D9A370A5E356)
  Jul 23 13:13:38 nimrodel kernel: SFW2-OUT-ERROR IN= OUT=eth0 SRC=192.168.1.12 DST=134.76.11.100 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=61667 DF PROTO=TCP SPT=24438 DPT=80 WINDOW=2184 RES=0x00 ACK FIN URGP=0 OPT (0101080A0002EA8370A5E356)

The remote IP is ftp.gwdg.de. They occur when starting or closing YOU.

-- Cheers, Carlos Robinson
On Sunday, 23 July 2006 13:17, Carlos E. R. wrote: I've trimmed your error messages:

  iptables v1.3.5: host/network `##' not found
  iptables v1.3.5: host/network `Type:' not found
  iptables v1.3.5: host/network `string' not found
  iptables v1.3.5: host/network `##' not found
  iptables v1.3.5: host/network `Default:' not found
I worry about the "not found" errors. How do I find out what is the exact problem?
Have a look at your /etc/sysconfig/SuSEfirewall2, e.g.:

  ## Path: Network/Firewall/SuSEfirewall2
  ## Description: SuSEfirewall2 configuration
  ## Type: string
  ## Default: any

Obviously, parts of a comment get passed to iptables-batch/iptables.
A bug of mine or of SuSE? It does not report the problematic file or line.
SuSEfirewall2 does not recognize that error and, thus, silently passes wrong parameters. Then, iptables-batch/iptables complains about them.
The configuration is the same I had with 9.3, and it worked with no errors, AFAIK.
You should check your /etc/sysconfig/SuSEfirewall2. E.g., by using grep -v "#" /etc/sysconfig/SuSEfirewall2 to ensure that all options are well-formed (KEY="VALUE"). If so, try to comment out all options and re-add them one by one until the problem is triggered.
I'm also getting some strange errors, maybe not related:
Jul 23 13:13:16 nimrodel kernel: SFW2-OUT-ERROR IN= OUT=eth0 SRC=192.168.1.12 DST=134.76.11.100 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=61663 DF PROTO=TCP SPT=24438 DPT=80 WINDOW=2184 RES=0x00 ACK FIN URGP=0 OPT (0101080A0002D56B70A5E356) (...).
Hmm, you already experienced such log entries some months ago. :) http://lists.suse.com/archive/suse-security/2006-Apr/0056.html

Regards, Jan -- Ambition is a poor excuse for not having enough sense to be lazy.
The Sunday 2006-07-23 at 16:29 +0200, Jan Ritzerfeld wrote:
You should check your /etc/sysconfig/SuSEfirewall2. E.g., by using grep -v "#" /etc/sysconfig/SuSEfirewall2 to ensure that all options are well-formed (KEY="VALUE"). If so, try to comment out all options and re-add them one by one until the problem is triggered.
As far as I can see, they are all well formed, no "#" appears in the output. I can't simply delete everything, that would be the same as removing the firewall. [...] Actually, I just saw a mistaken line:

  FW_TRUSTED_NETS="192.168.1.11,tcp,ftp 192.168.1.11,tcp,ftp-data \
  ## Type: string
  ## Default:
  192.168.1.11,tcp,ssh \
  192.168.1.1,udp,tftp"

I removed the comments in the middle and the error got corrected. I can't understand how they got there :-O
I'm also getting some strange errors, maybe not related:
Jul 23 13:13:16 nimrodel kernel: SFW2-OUT-ERROR IN= OUT=eth0 SRC=192.168.1.12 DST=134.76.11.100 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=61663 DF PROTO=TCP SPT=24438 DPT=80 WINDOW=2184 RES=0x00 ACK FIN URGP=0 OPT (0101080A0002D56B70A5E356) (...).
Hmm, you already experienced such log entries some months ago. :) http://lists.suse.com/archive/suse-security/2006-Apr/0056.html
True enough. But this is the first time I noticed them appearing in the log at the same time as I clicked somewhere, i.e., repeatable. And previously it was 9.3, now it is 10.1

-- Cheers, Carlos E. R.
On Sunday, 23 July 2006 21:01, Carlos E. R. wrote:
The Sunday 2006-07-23 at 16:29 +0200, Jan Ritzerfeld wrote:
You should check your /etc/sysconfig/SuSEfirewall2. E.g., by using grep -v "#" /etc/sysconfig/SuSEfirewall2 to ensure that all options are well-formed (KEY="VALUE"). If so, try to comment out all options and re-add them one by one until the problem is triggered.
As far as I can see, they are all well formed, no "#" appears in the output. (...).
Oops, the regex was somewhat wrong, or useless. grep -v "^#" would have been better.
  FW_TRUSTED_NETS="192.168.1.11,tcp,ftp 192.168.1.11,tcp,ftp-data \
  ## Type: string
  ## Default:
  192.168.1.11,tcp,ssh \
  192.168.1.1,udp,tftp"

Argh, such lines would be suppressed, regardless of which regex you used.
I removed the comments in the middle and the error got corrected. I can't understand how they got there :-O
Does not matter. You found the error. :)
I'm also getting some strange errors, maybe not related:
Jul 23 13:13:16 nimrodel kernel: SFW2-OUT-ERROR IN= OUT=eth0 SRC=192.168.1.12 DST=134.76.11.100 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=61663 DF PROTO=TCP SPT=24438 DPT=80 WINDOW=2184 RES=0x00 ACK FIN URGP=0 OPT (0101080A0002D56B70A5E356) (...).
Hmm, you already experienced such log entries some months ago. :) http://lists.suse.com/archive/suse-security/2006-Apr/0056.html
True enough. But this is the first time I noticed them appearing in the log at the same time as I clicked somewhere, i.e., repeatable.
For me, this kind of error was repeatable when using "whois" querying a special domain, i.e., a special whois server. But I do not think that these "errors" are harmful and, so, I just ignore them. BTW, one of the IP addresses appearing in my SFW2-OUT-ERRORs is 195.135.221.132, ftp.suse.com ...
And previously it was 9.3, now it is 10.1
AFAIK, there was not much change in the SuSEfirewall2 ...

Regards, Jan -- You have taken yourself too seriously.
The Monday 2006-07-24 at 10:59 +0200, Jan Ritzerfeld wrote:
  FW_TRUSTED_NETS="192.168.1.11,tcp,ftp 192.168.1.11,tcp,ftp-data \
  ## Type: string
  ## Default:
  192.168.1.11,tcp,ssh \
  192.168.1.1,udp,tftp"

Argh, such lines would be suppressed, regardless of which regex you used.
I removed the comments in the middle and the error got corrected. I can't understand how they got there :-O
Does not matter. You found the error. :)
Well, I'd like to know if I have to blame myself or not ;-) ...
BTW, one of the IP addresses appearing in my SFW2-OUT-ERRORs is 195.135.221.132, ftp.suse.com ...
Funny. Yes, we'll have to ignore them, but I'd like to know what is causing them.

-- Cheers, Carlos E. R.
Carlos E. R. wrote:
  FW_TRUSTED_NETS="192.168.1.11,tcp,ftp 192.168.1.11,tcp,ftp-data \
  ## Type: string
  ## Default:
  192.168.1.11,tcp,ssh \
  192.168.1.1,udp,tftp"

Argh, such lines would be suppressed, regardless of which regex you used.
I removed the comments in the middle and the error got corrected. I can't understand how they got there :-O Does not matter. You found the error. :)
Well, I'd like to know if I have to blame myself or not ;-)
From older messages on this list, I learned that defining a variable over multiple lines is not allowed in SuSEfirewall (and probably on all configuration files handled by SuSEconfig).
The error you are seeing is due to an update from SuSEfirewall2 (which recreated the conf file) or to a configuration through yast. So, forget using

  FOO=" \
  1.2.3.4 \
  5.6.7.8 \
  "

and type

  FOO="1.2.3.4 5.6.7.8" .

Or, don't use yast to edit your FW config and save/check/restore after a SuSEFirewall2 update.

Regards, Richard
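Jan's suggestion above to sanity-check /etc/sysconfig/SuSEfirewall2 with grep, and Richard's point about values spanning several lines, as one added checker (it is not part of the thread, of SuSEfirewall2 or of SuSE's tooling): it walks the file the way the shell sources it, reports assignments that continue over several lines, and flags comment lines that have landed inside a still-open quoted value, which is exactly the FW_TRUSTED_NETS case. The sample config is constructed here to reproduce that case.

```python
import re

# Constructed sample in the style of /etc/sysconfig/SuSEfirewall2: a "## Type/Default"
# comment block has landed inside a backslash-continued quoted value, as in the thread.
SAMPLE_CONFIG = r'''## Path: Network/Firewall/SuSEfirewall2
## Description: SuSEfirewall2 configuration
## Type: string
## Default: any
FW_DEV_EXT="eth0"
FW_TRUSTED_NETS="192.168.1.11,tcp,ftp 192.168.1.11,tcp,ftp-data \
## Type: string
## Default:
192.168.1.11,tcp,ssh \
192.168.1.1,udp,tftp"
FW_SERVICES_EXT_TCP="ssh"
'''

ASSIGN_RE = re.compile(r'^[A-Za-z_][A-Za-z0-9_]*=')

def _quote_toggles(line: str) -> int:
    """Count unescaped double quotes; an odd count flips the open/closed state."""
    return len(re.findall(r'(?<!\\)"', line))

def check_sysconfig(text: str) -> list[tuple[int, str]]:
    """Return (line number, message) findings for a KEY="VALUE" sysconfig file.

    A value stays open while a double quote is unclosed or the line ends in a
    backslash. A '#' line inside an open value is not a comment to the shell: the
    tokens '##', 'Type:', ... become part of the value, and iptables later rejects
    them ("host/network `##' not found"). Multi-line assignments are reported too.
    """
    findings: list[tuple[int, str]] = []
    in_value = quote_open = False
    start = 0
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if not in_value:
            if not ASSIGN_RE.match(line):
                continue                      # real comment or blank line
            quote_open = _quote_toggles(line) % 2 == 1
            if quote_open or line.endswith('\\'):
                in_value, start = True, lineno
                findings.append((lineno, "assignment continues over several lines"))
            continue
        if line.lstrip().startswith('#'):
            findings.append((lineno, f"comment line inside value started on line {start}: {line}"))
        if _quote_toggles(line) % 2 == 1:
            quote_open = not quote_open
        if not quote_open and not line.endswith('\\'):
            in_value = False                  # value closed on this line
    return findings
```

Run it on a real file with `check_sysconfig(open("/etc/sysconfig/SuSEfirewall2").read())`; an empty list means no comment lines are hiding inside values and no assignment spans lines.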
The Monday 2006-07-24 at 14:43 +0200, Richard Ems wrote:
From older messages on this list, I learned that defining a variable over multiple lines is not allowed in SuSEfirewall (and probably on all configuration files handled by SuSEconfig).
The error you are seeing is due to an update from SuSEfirewall2 (which recreated the conf file) or to a configuration through yast.
So, forget using
  FOO=" \
  1.2.3.4 \
  5.6.7.8 \
  "
and type
  FOO="1.2.3.4 5.6.7.8" .

Actually, I had:

  FOO=" 1.2.3.4 \
  ## comment
  ## comment
  5.6.7.8 \

It was the comments in the middle that were giving problems, not the multiline definition - which must work, it is standard script syntax. What I don't understand is how those comments got in there. It could be the update from 9.3 to 10.1 process, or it could be my thick hands.
Or, don't use yast to edit your FW config
I never do, I edit the file directly.
and save/check/restore after a SuSEFirewall2 update.
-- Cheers, Carlos E. R.
Carlos E. R. wrote:
Actually, I had:
  FOO=" 1.2.3.4 \
  ## comment
  ## comment
  5.6.7.8 \

It was the comments in the middle that were giving problems, not the multiline definition - which must work, it is standard script syntax. What I don't understand is how those comments got in there. It could be the update from 9.3 to 10.1 process, or it could be my thick hands.
The comments got in through yast or SuSEconfig, because of the multiline definition of the variable FOO!
Hello, On Monday, 24 July 2006 14:43, Richard Ems wrote: [...]
From older messages on this list, I learned that defining a variable over multiple lines is not allowed in SuSEfirewall (and probably on all configuration files handled by SuSEconfig).
So, forget using
  FOO=" \
  1.2.3.4 \
  5.6.7.8 \
  "

SuSEfirewall (better: its YaST2 module) was just fixed to allow multiline entries - this will go into 10.2 and Factory. However, I don't recommend using the backslashes ;-)

Regards, Christian Boltz -- Since 1997 we are VERP-DoSing mail servers all over the world [Henne Vogelsang in opensuse about lists.suse.com]