
#1 2014-06-25 18:56:32

berbae
Member
From: France
Registered: 2007-02-12
Posts: 1,304

[SOLVED] Shorewall Universal configuration fails to start

I wanted to try shorewall.
I installed it with pacman:

$ pacman -Q shorewall
shorewall 4.6.1.2-1

I chose the Universal configuration, copying the corresponding files to /etc/shorewall.
When I try to start it by 'systemctl start shorewall.service', it fails with:

juin 25 17:54:24 arch64 systemd[1]: Starting Shorewall IPv4 firewall...
juin 25 17:54:24 arch64 shorewall[24056]: Compiling...
juin 25 17:54:24 arch64 shorewall[24056]: Processing /etc/shorewall/params ...
juin 25 17:54:24 arch64 shorewall[24056]: Processing /etc/shorewall/shorewall.conf...
juin 25 17:54:24 arch64 shorewall[24056]: Loading Modules...
juin 25 17:54:25 arch64 shorewall[24056]: Compiling /etc/shorewall/zones...
juin 25 17:54:25 arch64 shorewall[24056]: Compiling /etc/shorewall/interfaces...
juin 25 17:54:25 arch64 shorewall[24056]: Determining Hosts in Zones...
juin 25 17:54:25 arch64 shorewall[24056]: Locating Action Files...
juin 25 17:54:25 arch64 shorewall[24056]: Compiling /etc/shorewall/policy...
juin 25 17:54:25 arch64 shorewall[24056]: Running /etc/shorewall/initdone...
juin 25 17:54:25 arch64 shorewall[24056]: Adding rules for DHCP
juin 25 17:54:25 arch64 shorewall[24056]: Compiling TCP Flags filtering...
juin 25 17:54:25 arch64 shorewall[24056]: Compiling Kernel Route Filtering...
juin 25 17:54:25 arch64 shorewall[24056]: Compiling Martian Logging...
juin 25 17:54:25 arch64 shorewall[24056]: Compiling MAC Filtration -- Phase 1...
juin 25 17:54:25 arch64 shorewall[24056]: Compiling /etc/shorewall/rules...
juin 25 17:54:25 arch64 shorewall[24056]: Compiling /etc/shorewall/conntrack...
juin 25 17:54:25 arch64 shorewall[24056]: Compiling MAC Filtration -- Phase 2...
juin 25 17:54:25 arch64 shorewall[24056]: Applying Policies...
juin 25 17:54:25 arch64 shorewall[24056]: Compiling /usr/share/shorewall/action.Drop for chain Drop...
juin 25 17:54:25 arch64 shorewall[24056]: Compiling /usr/share/shorewall/action.Broadcast for chain Broadcast...
juin 25 17:54:25 arch64 shorewall[24056]: Generating Rule Matrix...
juin 25 17:54:25 arch64 shorewall[24056]: Optimizing Ruleset...
juin 25 17:54:25 arch64 shorewall[24056]: Can't use string ("filter") as a HASH ref while "strict refs" in use at /usr/share/shorewall/Chains.pm line 3486.
juin 25 17:54:25 arch64 shorewall[24056]: /bin/sh: /var/lib/shorewall/.start: Aucun fichier ou dossier de ce type
juin 25 17:54:25 arch64 shorewall[24056]: /bin/sh: /var/lib/shorewall/.start: Aucun fichier ou dossier de ce type
juin 25 17:54:25 arch64 systemd[1]: shorewall.service: main process exited, code=exited, status=127/n/a
juin 25 17:54:25 arch64 systemd[1]: Failed to start Shorewall IPv4 firewall.
juin 25 17:54:25 arch64 systemd[1]: Unit shorewall.service entered failed state.

I am unable to understand and fix this issue.
Can someone help me please?

Edit: changed the title of the thread.

Last edited by berbae (2014-08-22 12:33:58)


#2 2014-06-27 15:33:29

berbae
Member
From: France
Registered: 2007-02-12
Posts: 1,304

Re: [SOLVED] Shorewall Universal configuration fails to start

Does the Universal configuration work in Shorewall?
Does someone use it as is?
In the 'zones' sample file, there is an 'ip' type for the 'net' zone which is not documented...
And the other files are rather different from the ones in the 'one-interface' sample files.
But at the Shorewall site, they say to use the Universal configuration for newer shorewall versions...
I am stumped by this firewall tool.

I also tried to use fireHOL; it works, but it floods the systemd journal with 60 useless lines/hour:

juin 25 14:55:45 arch64 kernel: IN-unknown:IN=eth0 OUT= MAC=01:00:5e:00:00:01:00:25:15:16:f8:74:08:00 SRC=192.168.1.1 DST=224.0.0.1 LEN=28 TOS=0x10 PREC=0x80 TTL=1 ID=19776 PROTO=2 
juin 25 14:55:45 arch64 kernel: IN-unknown:IN=eth0 OUT= MAC=01:00:5e:00:00:01:00:25:15:16:f8:74:08:00 SRC=172.16.255.254 DST=224.0.0.1 LEN=28 TOS=0x10 PREC=0x80 TTL=1 ID=19777 PROTO=2

I tried to change the log options inside the conf file and from the systemd service file, but nothing prevented the flooding of the journal.
So I cannot use it either for now.

I am sticking with the 'arno-iptables-firewall' AUR package, but I am annoyed that its source is not GPG-signed and seemingly does not provide any checksums...


#3 2014-07-27 01:30:00

gmas
Member
Registered: 2013-06-17
Posts: 4

Re: [SOLVED] Shorewall Universal configuration fails to start

I'm experiencing the same issue:

Compiling...
Processing /etc/shorewall/params ...
Processing /etc/shorewall/shorewall.conf...
Loading Modules...
Compiling /etc/shorewall/zones...
Compiling /etc/shorewall/interfaces...
Determining Hosts in Zones...
Locating Action Files...
Compiling /etc/shorewall/policy...
Running /etc/shorewall/initdone...
Adding rules for DHCP
Compiling TCP Flags filtering...
Compiling Kernel Route Filtering...
Compiling Martian Logging...
Compiling MAC Filtration -- Phase 1...
Compiling /etc/shorewall/rules...
Compiling /etc/shorewall/conntrack...
Compiling MAC Filtration -- Phase 2...
Applying Policies...
Compiling /usr/share/shorewall/action.Drop for chain Drop...
Compiling /usr/share/shorewall/action.Broadcast for chain Broadcast...
Generating Rule Matrix...
Optimizing Ruleset...
Can't use string ("filter") as a HASH ref while "strict refs" in use at /usr/share/shorewall/Shorewall/Chains.pm line 3486.
/bin/sh: /var/lib/shorewall/.start: No such file or directory
/bin/sh: /var/lib/shorewall/.start: No such file or directory

Last edited by gmas (2014-07-27 01:30:40)


#4 2014-07-27 01:42:02

gmas
Member
Registered: 2013-06-17
Posts: 4

Re: [SOLVED] Shorewall Universal configuration fails to start

I got the real fix from user Omache on #shorewall:

Omache | that failure is caused by Perl 5.20.
Omache | You can work around it by reducing the setting of OPTIMIZE by 8
Omache | So if OPTIMIZE=all or OPTIMIZE=31, set it to 23 and it will work

My dirty hack was to remove 'use strict' from /usr/share/shorewall/Shorewall/Chains.pm.


#5 2014-07-27 14:29:27

berbae
Member
From: France
Registered: 2007-02-12
Posts: 1,304

Re: [SOLVED] Shorewall Universal configuration fails to start

Thank you Gmas for sharing this.

Changing 'OPTIMIZE=all' to 'OPTIMIZE=23' (31 - 8) in /etc/shorewall/shorewall.conf suppresses the error at the start of shorewall.service.
I use the Universal configuration, which allows new parameter values that are not yet documented:
'ip' value of TYPE in the zones file,
'all' value of INTERFACE in the interfaces file,
maybe others...
If no other problems come up, I think I will switch from the 'arno-iptables-firewall' AUR package to this firewall tool.


#6 2014-07-27 21:10:28

berbae
Member
From: France
Registered: 2007-02-12
Posts: 1,304

Re: [SOLVED] Shorewall Universal configuration fails to start

The shorewall 4.6.2.3 updated release provides a definitive fix for this issue, so 'OPTIMIZE=all' can be used again with Perl 5.20 now.


#7 2014-08-22 12:32:41

berbae
Member
From: France
Registered: 2007-02-12
Posts: 1,304

Re: [SOLVED] Shorewall Universal configuration fails to start

Since shorewall 4.6.2.5 the 'interfaces' file of the Universal configuration doesn't work anymore:

août 19 16:14:09 arch64 shorewall[572]: Shorewall configuration compiled to /var/lib/shorewall/.start
août 19 16:14:09 arch64 shorewall[572]: Starting Shorewall....
août 19 16:14:10 arch64 shorewall[572]: ERROR: No network interface available: Firewall state not changed
août 19 16:14:10 arch64 shorewall[572]: [112B blob data]
août 19 16:14:10 arch64 systemd[1]: shorewall.service: main process exited, code=exited, status=143/n/a
août 19 16:14:10 arch64 systemd[1]: Failed to start Shorewall IPv4 firewall.
août 19 16:14:10 arch64 systemd[1]: Unit shorewall.service entered failed state.

The compiling stage worked but the generated script didn't.
I identified the problem as the use of the '+' wildcard character in the 'physical' option value of the 'interfaces' file:

...
#ZONE   INTERFACE       OPTIONS
-       lo              ignore
net     all             dhcp,physical=+,routeback,optional

As I have only one interface 'eth0', I don't need to use a wildcard character and the 'all' value, so I changed the file to:

...
#ZONE   INTERFACE       OPTIONS
-       lo              ignore
net     eth0            dhcp,routeback,optional

And the firewall works again after that change.
It's certainly a regression bug introduced in the new releases.

I changed the title of the thread
from:
Newly installed shorewall fails to start
to:
shorewall Universal configuration fails to start

Last edited by berbae (2014-08-22 14:59:46)

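The interfaces-file fix described in this post, as an added example that is not part of the original post or of Shorewall: it parses the ZONE / INTERFACE / OPTIONS rows, flags the INTERFACE=all plus physical=+ wildcard form that failed, and rewrites that row to a concrete interface name you pass in (eth0 here, as in the post), dropping the physical= option. The sample file is a constructed copy of the snippet shown above.

```python
# Constructed copy of the Universal 'interfaces' variant that failed in the
# thread (sample data for this example, not berbae's actual file).
BROKEN_INTERFACES = """\
#ZONE   INTERFACE       OPTIONS
-       lo              ignore
net     all             dhcp,physical=+,routeback,optional
"""


def parse_row(raw):
    """Parse one ZONE / INTERFACE / OPTIONS line; None for blank or comment lines."""
    body = raw.split("#", 1)[0].strip()
    if not body:
        return None
    fields = body.split()
    if len(fields) < 2:
        raise ValueError(f"malformed interfaces row: {raw!r}")
    options = fields[2].split(",") if len(fields) > 2 else []
    return {"zone": fields[0], "interface": fields[1], "options": options}


def parse_interfaces(text):
    """All data rows of an interfaces file, in order, comments skipped."""
    return [r for r in map(parse_row, text.splitlines()) if r is not None]


def is_wildcard_row(row):
    """True for the INTERFACE=all + physical=+ form the post found broken."""
    physical = [o for o in row["options"] if o.startswith("physical=")]
    return row["interface"] == "all" and any(o.endswith("+") for o in physical)


def pin_interface(text, physical_name):
    """Rewrite wildcard rows to one concrete interface, dropping 'physical='.

    `physical_name` is the real device (e.g. "eth0"); every other line,
    including comments and the 'lo' row, is emitted exactly as it was.
    """
    out = []
    for raw in text.split("\n"):
        row = parse_row(raw)
        if row is not None and is_wildcard_row(row):
            options = [o for o in row["options"] if not o.startswith("physical=")]
            # Column widths follow the sample file: 8 for ZONE, 16 for INTERFACE.
            raw = f"{row['zone']:<8}{physical_name:<16}{','.join(options)}"
        out.append(raw)
    return "\n".join(out)
```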
