You are not logged in.

#1 2016-11-06 09:02:32

jancici
Member
From: svk
Registered: 2011-12-04
Posts: 190

[SOLVED] shorewall is not starting

I am trying to configure home router with 3 interfaces:
#1 connection to internet {interface name brana}
#2 local wired network {interface name lokalka}
#3 local wifi network {interface name wifina}

I am following https://wiki.archlinux.org/index.php/Shorewall so did copy those Sample file. Later I did remove empty files. Here is the list of file

la /etc/shorewall 
total 60
drwxr-xr-x  2 root root 4096 Nov  5 22:18 .
drwxr-xr-x 44 root root 4096 Nov  5 20:35 ..
-rw-r--r--  1 root root 1009 Nov  5 21:54 interfaces
-rw-r--r--  1 root root  463 Oct 26 18:13 Makefile
-rw-r--r--  1 root root  840 Nov  5 22:13 masq
-rw-r--r--  1 root root  623 Oct 26 18:13 params
-rw-r--r--  1 root root  839 Nov  5 21:29 policy
-rw-r--r--  1 root root 1138 Nov  5 20:52 README.txt
-rw-r--r--  1 root root 2131 Nov  5 21:58 rules
-rw-r--r--  1 root root  303 Oct 26 18:13 scfilter
-rw-r--r--  1 root root 5427 Nov  5 22:00 shorewall.conf
-rw-r--r--  1 root root  332 Oct 26 18:13 start
-rw-r--r--  1 root root  814 Nov  5 21:40 stoppedrules
-rw-r--r--  1 root root  751 Nov  5 21:20 zones

I am starting shorewall from console and getting output just one character "y" in loop:

shorewall compile
...
...
...
...
y
y
y
y
y
y

here is cat of my configuration files

cat /etc/shorewall/*                                                                                                      :(
#
# Shorewall - Sample Interfaces File for three-interface configuration.
# Copyright (C) 2006-2015 by the Shorewall Team
#
# This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; either
# version 2.1 of the License, or (at your option) any later version.
#
# See the file README.txt for further details.
#------------------------------------------------------------------------------
# For information about entries in this file, type "man shorewall-interfaces"
###############################################################################
?FORMAT 2
###############################################################################
#ZONE	INTERFACE	OPTIONS
net     brana           tcpflags,dhcp,nosmurfs,routefilter,logmartians,sourceroute=0
loc     lokalka         tcpflags,dhcp,nosmurfs,routefilter,logmartians
dmz     wifina          tcpflags,dhcp,nosmurfs,routefilter,logmartians
#
# Shorewall -- /etc/shorewall/Makefile
#
# Reload Shorewall if config files are updated.

SWBIN	?= /sbin/shorewall -q
CONFDIR	?= /etc/shorewall
SWSTATE	?= $(shell $(SWBIN) show vardir)/firewall

.PHONY: clean

$(SWSTATE): $(CONFDIR)/*
	@$(SWBIN) save >/dev/null; \
	RESULT=$$($(SWBIN) reload 2>&1); \
	if [ $$? -eq 0 ]; then \
	    $(SWBIN) save >/dev/null; \
	else \
	    echo "$${RESULT}" >&2; \
	    false; \
	fi

clean:
	@rm -f $(CONFDIR)/*~ $(CONFDIR)/.*~
#
# Shorewall - Sample Masq file for three-interface configuration.
# Copyright (C) 2006-2015 by the Shorewall Team
#
# This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; either
# version 2.1 of the License, or (at your option) any later version.
#
# See the file README.txt for further details.
#------------------------------------------------------------------------------
# For information about entries in this file, type "man shorewall-masq"
################################################################################################################
#INTERFACE:DEST		SOURCE		ADDRESS		PROTO	PORT(S)	IPSEC	MARK	USER/	SWITCH	ORIGINAL
#											GROUP		DEST

brana			192.168.42.0/24,\
			192.168.43.0/24
#
# Shorewall -- /etc/shorewall/params
#
# Assign any variables that you need here.
#
# It is suggested that variable names begin with an upper case letter
# to distinguish them from variables used internally within the
# Shorewall programs
#
# Example:
#
#	NET_IF=eth0
#	NET_BCAST=130.252.100.255
#	NET_OPTIONS=routefilter,norfc1918
#
# Example (/etc/shorewall/interfaces record):
#
#	net	$NET_IF		$NET_BCAST	$NET_OPTIONS
#
# The result will be the same as if the record had been written
#
#	net	eth0		130.252.100.255	routefilter,norfc1918
#
###############################################################################
#
# Shorewall - Sample Policy File for three-interface configuration.
# Copyright (C) 2006-2015 by the Shorewall Team
#
# This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; either
# version 2.1 of the License, or (at your option) any later version.
#
# See the file README.txt for further details.
#------------------------------------------------------------------------------
# For information about entries in this file, type "man shorewall-policy"
###############################################################################
#SOURCE		DEST		POLICY		LOG LEVEL	LIMIT:BURST

$FW		net		ACCEPT

loc		net		ACCEPT
dmz		net		ACCEPT

net		all		DROP		info
# THE FOLLOWING POLICY MUST BE LAST
all		all		REJECT		info
For instructions on using these sample configurations, please see

http://www.shorewall.net/three-interface.htm

    Shorewall Samples
    Copyright (C) 2006-2015 by the following authors:
	Thomas M. Eastep
	Paul D. Gear
	Cristian Rodriguez
	Francesca Smith

    This library is free software; you can redistribute it and/or
    modify it under the terms of the GNU Lesser General Public
    License as published by the Free Software Foundation; either
    version 2.1 of the License, or (at your option) any later version.

    This library is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
    Lesser General Public License for more details.

    You should have received a copy of the GNU Lesser General Public
    License along with this library; if not, write to the Free Software
    Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
    02110-1301  USA


Sample files are licensed under the LGPL, please see the LICENSE file or
http://www.gnu.org/licenses/lgpl.html for more details.

#
# Shorewall - Sample Rules File for three-interface configuration.
# Copyright (C) 2006-2015 by the Shorewall Team
#
# This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; either
# version 2.1 of the License, or (at your option) any later version.
#
# See the file README.txt for further details.
#------------------------------------------------------------------------------------------------------------
# For information about entries in this file, type "man shorewall-rules"
######################################################################################################################################################################################################
#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME		HEADERS		SWITCH		HELPER
#							PORT	PORT(S)		DEST		LIMIT		GROUP
?SECTION ALL
?SECTION ESTABLISHED
?SECTION RELATED
?SECTION INVALID
?SECTION UNTRACKED
?SECTION NEW

#       Don't allow connection pickup from the net
#
Invalid(DROP)	net		all		tcp
#
#	Accept DNS connections from the firewall to the Internet
#
DNS(ACCEPT)	$FW		net
#
#
#	Accept SSH connections from the local network to the firewall and DMZ
#
SSH(ACCEPT)     loc             $FW
SSH(ACCEPT)     loc             dmz
#
#	DMZ DNS access to the Internet
#
#DNS(ACCEPT)	dmz		net


# Drop Ping from the "bad" net zone.

Ping(DROP)   	net             $FW

#
#       Make ping work bi-directionally between the dmz, net, Firewall and local zone
#       (assumes that the loc-> net policy is ACCEPT).
#

Ping(ACCEPT)    loc             $FW
Ping(ACCEPT)    dmz             $FW
Ping(ACCEPT)    loc             dmz
Ping(ACCEPT)    dmz             loc
Ping(ACCEPT)    dmz             net
Ping(ACCEPT)    loc             net

ACCEPT		$FW		net		icmp
ACCEPT		$FW		loc		icmp
ACCEPT		$FW		dmz		icmp

# Uncomment this if using Proxy ARP and static NAT and you want to allow ping from
# the net zone to the dmz and loc

#Ping(ACCEPT)    net             dmz
#Ping(ACCEPT)    net             loc
#
# Shorewall -- /etc/shorewall/scfilter
#
# Replace the 'cat' command below to filter the output of
# 'show connections'.
#
# See http://shorewall.net/shorewall_extension_scripts.htm for additional
# information.
#
###############################################################################

cat -
###############################################################################
#
# Shorewall - Sample shorewall.conf for three-interface
#                         configuration.
# Copyright (C) 2006-2015 by the Shorewall Team
#
# This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; either
# version 2.1 of the License, or (at your option) any later version.
#
# See the file README.txt for further details.
#
# For information about the settings in this file, type "man shorewall.conf"
#
# The manpage is also online at
# http://shorewall.net/manpages/shorewall.conf.html
#
###############################################################################
STARTUP_ENABLED=Yes

###############################################################################
#		              V E R B O S I T Y
###############################################################################

VERBOSITY=1

###############################################################################
#			        P A G E R
###############################################################################

PAGER=

###############################################################################
#			     F I R E W A L L
###############################################################################

FIREWALL=

###############################################################################
#		                L O G G I N G
###############################################################################

BLACKLIST_LOG_LEVEL=
yes
INVALID_LOG_LEVEL=

LOG_BACKEND=

LOG_MARTIANS=Yes

LOG_VERBOSITY=2

LOGALLNEW=

LOGFILE=/var/log/messages

LOGFORMAT="Shorewall:%s:%s:"

LOGTAGONLY=No

LOGLIMIT=

MACLIST_LOG_LEVEL=info

RELATED_LOG_LEVEL=

RPFILTER_LOG_LEVEL=info

SFILTER_LOG_LEVEL=info

SMURF_LOG_LEVEL=info

STARTUP_LOG=/var/log/shorewall-init.log

TCP_FLAGS_LOG_LEVEL=info

UNTRACKED_LOG_LEVEL=

###############################################################################
#	L O C A T I O N	  O F	F I L E S   A N D   D I R E C T O R I E S
###############################################################################

ARPTABLES=

CONFIG_PATH=${CONFDIR}/shorewall:${SHAREDIR}/shorewall

GEOIPDIR=/usr/share/xt_geoip/LE

IPTABLES=

IP=

IPSET=

LOCKFILE=

MODULESDIR=

NFACCT=

PERL=/usr/bin/perl

PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin

RESTOREFILE=restore

SHOREWALL_SHELL=/bin/sh

SUBSYSLOCK=

TC=

###############################################################################
#		D E F A U L T   A C T I O N S / M A C R O S
###############################################################################

ACCEPT_DEFAULT="none"
DROP_DEFAULT="Drop"
NFQUEUE_DEFAULT="none"
QUEUE_DEFAULT="none"
REJECT_DEFAULT="Reject"

###############################################################################
#                        R S H / R C P  C O M M A N D S
###############################################################################

RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
RSH_COMMAND='ssh ${root}@${system} ${command}'

###############################################################################
#			F I R E W A L L	  O P T I O N S
###############################################################################

ACCOUNTING=Yes

ACCOUNTING_TABLE=filter

ADD_IP_ALIASES=No

ADD_SNAT_ALIASES=No

ADMINISABSENTMINDED=Yes

AUTOCOMMENT=Yes

AUTOHELPERS=Yes

AUTOMAKE=Yes

BASIC_FILTERS=No

BLACKLIST="NEW,INVALID,UNTRACKED"

CHAIN_SCRIPTS=No

CLAMPMSS=Yes

CLEAR_TC=Yes

COMPLETE=No

DEFER_DNS_RESOLUTION=Yes

DISABLE_IPV6=No

DOCKER=No

DELETE_THEN_ADD=Yes

DETECT_DNAT_IPADDRS=No

DONT_LOAD=

DYNAMIC_BLACKLIST=Yes

EXPAND_POLICIES=Yes

EXPORTMODULES=Yes

FASTACCEPT=No

FORWARD_CLEAR_MARK=

HELPERS=

IGNOREUNKNOWNVARIABLES=No

IMPLICIT_CONTINUE=No

INLINE_MATCHES=Yes

IPSET_WARNINGS=Yes

IP_FORWARDING=On

KEEP_RT_TABLES=No

LOAD_HELPERS_ONLY=Yes

MACLIST_TABLE=filter

MACLIST_TTL=

MANGLE_ENABLED=Yes

MAPOLDACTIONS=No

MINIUPNPD=No

MARK_IN_FORWARD_CHAIN=No

MODULE_SUFFIX="ko ko.xz"

MULTICAST=No

MUTEX_TIMEOUT=60

NULL_ROUTE_RFC1918=No

OPTIMIZE=All

OPTIMIZE_ACCOUNTING=No

REJECT_ACTION=

REQUIRE_INTERFACE=No

RESTART=restart

RESTORE_DEFAULT_ROUTE=Yes

RESTORE_ROUTEMARKS=Yes

RETAIN_ALIASES=No

ROUTE_FILTER=Yes

SAVE_ARPTABLES=No

SAVE_IPSETS=No

TC_ENABLED=Internal

TC_EXPERT=No

TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"

TRACK_PROVIDERS=Yes

TRACK_RULES=No

USE_DEFAULT_RT=Yes

USE_PHYSICAL_NAMES=No

USE_RT_NAMES=No

VERBOSE_MESSAGES=Yes

WARNOLDCAPVERSION=Yes

WORKAROUNDS=No

ZERO_MARKS=No

ZONE2ZONE=-

###############################################################################
#			P A C K E T   D I S P O S I T I O N
###############################################################################

BLACKLIST_DISPOSITION=DROP

INVALID_DISPOSITION=CONTINUE

MACLIST_DISPOSITION=REJECT

RELATED_DISPOSITION=ACCEPT

RPFILTER_DISPOSITION=DROP

SMURF_DISPOSITION=DROP

SFILTER_DISPOSITION=DROP

TCP_FLAGS_DISPOSITION=DROP

UNTRACKED_DISPOSITION=CONTINUE

################################################################################
#			P A C K E T  M A R K  L A Y O U T
################################################################################

TC_BITS=

PROVIDER_BITS=

PROVIDER_OFFSET=

MASK_BITS=

ZONE_BITS=0

#LAST LINE -- DO NOT REMOVE
#
# Shorewall -- /etc/shorewall/start
#
# Add commands below that you want to be executed after shorewall has
# been started, reloaded or restarted.
#
# See http://shorewall.net/shorewall_extension_scripts.htm for additional
# information.
#
###############################################################################

return 0
#
# Shorewall - Sample Stoppedrules File for three-interface configuration.
# Copyright (C) 2012-2015 by the Shorewall Team
#
# This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; either
# version 2.1 of the License, or (at your option) any later version.
#
# See the file README.txt for further details.
#------------------------------------------------------------------------------
# For information about entries in this file, type "man shorewall-stoppedrules"
###############################################################################
#ACTION		SOURCE		DEST		PROTO	DEST		SOURCE
#							PORT(S)		PORT(S)
ACCEPT		lokalka		-
ACCEPT		-		lokalka
ACCEPT		wifina		-
ACCEPT		-		wifina

#
# Shorewall - Sample Zones File for three-interface configuration.
# Copyright (C) 2006-2015 by the Shorewall Team
#
# This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; either
# version 2.1 of the License, or (at your option) any later version.
#
# See the file README.txt for further details.
#------------------------------------------------------------------------------
# For information about entries in this file, type "man shorewall-zones"
###############################################################################
#ZONE	TYPE	OPTIONS			IN			OUT
#					OPTIONS			OPTIONS
fw	firewall
net	ipv4
loc	ipv4
dmz	ipv4

any suggestions?
thank for any help / tip ...

Last edited by jancici (2016-11-06 09:46:47)

Offline

#2 2016-11-06 09:46:34

jancici
Member
From: svk
Registered: 2011-12-04
Posts: 190

Re: [SOLVED] shorewall is not starting

ach

I did find a problem in shorewall.conf

###############################################################################
#		                L O G G I N G
###############################################################################

BLACKLIST_LOG_LEVEL=
yes
INVALID_LOG_LEVEL=

I did write  that "yes" there somehow. It should not be there.

Offline

Board footer

Powered by FluxBB