Re: [Fwbuilder-discussion] fwbuilder error?
From: Vadim K. <va...@vk...> - 2010-07-26 18:49:55
On Mon, Jul 26, 2010 at 11:41 AM, Tom Diehl <td...@ro...> wrote:
> Hi Vadim,
>
> On Mon, 26 Jul 2010, Vadim Kurland wrote:
>
>> On Mon, Jul 26, 2010 at 3:36 AM, Tom Diehl <td...@ro...> wrote:
>>>
>>> On Sun, 25 Jul 2010, Vadim Kurland wrote:
>>>
>>>> On Sun, Jul 25, 2010 at 5:08 AM, Tom Diehl <td...@ro...> wrote:
>>>>>
>>>>> Hi Vadim,
>>>>>
>>>>> On Sat, 24 Jul 2010, Vadim Kurland wrote:
>>>>>
>>>>>> Hi Tom,
>>>>>>
>>>>>> "filter" and "mangle" are internal tables in netfilter (iptables).
>>>>>> They are exposed to the user commands in such a way that we could not
>>>>>> abstract them away completely. It is sometimes necessary to help
>>>>>> fwbuilder decide which table rules should go to by choosing one of
>>>>>> filter or mangle tables or choosing filter+mangle to let compiler know
>>>>>> that it should decide. Some actions can only be done in mangle table
>>>>>> (such as assigning a tag, doing routing or classification).
>>>>>
>>>>> OK, makes sense.
>>>>>
>>>>>> As for why compiler did not catch this error, the man page for
>>>>>> iptables does not actually say that target REJECT is not allowed in
>>>>>> table mangle. This must be something new.
>>>>>
>>>>> Not sure if this behavior is new or not. This is a centos 5.5 machine
>>>>> running iptables-1.3.5-5.3.el5_4.1.
>>>>
>>>> yes, please file a bug and I'll add a check for this situation
>>>
>>> Bug 3034628 filed.
>>>
>>> You might want to check the link on http://www.fwbuilder.org/contact.html
>>> If I click on the "report a bug" link it goes to an error page on
>>> sourceforge.
>>
>> I just tried and did not get the error. What was the url you ended up
>> with and what was the error when you used it?
>
> It most likely works for you because you have permission. :-)
>
> The URL is https://sourceforge.net/tracker/?group_id=5314&atid=1070394

this is the wrong url, the link on our site must be broken. Where is this link?

> and the error is
>
> Permission Denied
> Access to this page is restricted (either to project members or to
> project administrators) and you do not meet the requirements to access
> this page. Please contact the administrator of this project for further
> assistance.
>
> I get this even when I am logged into sourceforge.

but you managed to open a bug in that tracker somehow. How did you do it if you get this error?

I can see this page (following link "Report bug") even when I am not logged in. The link leads to the page https://sourceforge.net/tracker2/?group_id=5314&atid=1129518

--vk

> Regards,
>
> Tom
>
>>>>> Do you want me to file a bug?
>>>>>
>>>>>> Here are some chapters from the Users Guide that either talk or just
>>>>>> mention mangle table:
>>>>>>
>>>>>> http://www.fwbuilder.org/4.0/docs/users_guide/action.html
>>>>>> http://www.fwbuilder.org/4.0/docs/users_guide/ch08s02s08.html
>>>>>> http://www.fwbuilder.org/4.0/docs/users_guide/tag-rules.html
>>>>>
>>>>> Thanks for the references.
>>>>>
>>>>> On a different subject, is there a limit to how many objects can be in
>>>>> a group? I have a group that contains 157 objects and I would like to
>>>>> know at what point this is going to be a problem if at all. I expect
>>>>> this group to continue to grow as it is a list of net blocks that I do
>>>>> not allow traffic from.
>>>>
>>>> there is no limit per se, you should be able to stick as many objects
>>>> into a group as you want.
>>>>
>>>> At the same time, you may find Address Table object more convenient to
>>>> work with because it takes ip addresses from an external file and can
>>>> do it at compile time or run time.
>>>
>>> I did know I could do that. Thanks.
>>
>> http://www.fwbuilder.org/4.0/docs/users_guide/address-table-object.html
>>
>> the upcoming new version of fwbuilder will have support for iptables
>> module ipset that is probably the best way to match against large
>> lists of ip addresses in iptables performance-wise. Support for this
>> module is done via run-time Address Table object
>>
>> --vk
>>
>>> Tom
>>>
>>>>> Regards,
>>>>>
>>>>> Tom Diehl td...@ro... Spamtrap address mt...@ro...
>>>>>
>>>>>> --vk
>>>>>>
>>>>>> On Sat, Jul 24, 2010 at 8:38 PM, Tom Diehl <td...@ro...> wrote:
>>>>>>>
>>>>>>> Hi,
>>>>>>>
>>>>>>> I have a firewall ruleset that I have been running for a number of
>>>>>>> years. Today I added a new network to it, recompiled the rules and
>>>>>>> attempted to reload the rules.
>>>>>>>
>>>>>>> To my surprise as the rules were loading I saw the errors below and I
>>>>>>> was locked out of the router, despite having always permit ssh traffic
>>>>>>> from the management workstation checked and configured with the proper
>>>>>>> address. Upon gaining access to the router I saw that there were only
>>>>>>> 3 or 4 rules loaded into iptables and they were all drop rules.
>>>>>>>
>>>>>>> This ruleset has about 60 policy rules and about as many nat rules in
>>>>>>> it.
>>>>>>>
>>>>>>> The output of the installer was as follows:
>>>>>>>
>>>>>>> Rule 17 (global)
>>>>>>> iptables: Unknown error 18446744073709551615
>>>>>>> Rule 18 (global)
>>>>>>>
>>>>>>> In the syslog I have the following:
>>>>>>>
>>>>>>> ip_tables: REJECT target: only valid in filter table, not mangle
>>>>>>>
>>>>>>> Rule 17 (global) has been in this ruleset forever. It simply says
>>>>>>> any external auth TCP RST.
>>>>>>>
>>>>>>> After doing some more investigation, I found that in the policy
>>>>>>> editor there is a check box that says "top ruleset" and a selection
>>>>>>> below that says "filter+mangle table" and another selection that says
>>>>>>> "mangle table". Somehow "mangle table" was selected. In looking at
>>>>>>> previous versions (thank you for RCS) I saw that "filter+mangle" table
>>>>>>> was selected. Selecting filter+mangle table recompiling got things
>>>>>>> working again.
>>>>>>>
>>>>>>> Since I do not understand what these settings do and I am the only
>>>>>>> person who makes changes to this firewall, I am still trying to figure
>>>>>>> out how this got changed.
>>>>>>>
>>>>>>> In addition, I do not understand why fwb is generating rules that
>>>>>>> iptables says are illegal. Shouldn't the compiler put up an error?
>>>>>>>
>>>>>>> I am running build 3050.
>>>>>>>
>>>>>>> Regards,
>>>>>>>
>>>>>>> --
>>>>>>> Tom Diehl td...@ro... Spamtrap address mt...@ro...
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> Fwbuilder-discussion mailing list
>>>>>>> Fwb...@li...
>>>>>>> https://lists.sourceforge.net/lists/listinfo/fwbuilder-discussion
>>>
>>> --
>>> Tom Diehl td...@ro... Spamtrap address mt...@ro...
>
> --
> Tom Diehl td...@ro... Spamtrap address mt...@ro...
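The failure described in this thread (a REJECT rule compiled into the mangle table, the load stopping at rule 17 with only a handful of drop rules in place, and the administrator locked out) is the kind of thing a pre-install check can catch. The following Python script is an added example, not code from fwbuilder or from anyone in this thread: it lints a generated iptables shell script line by line and reports every rule whose jump target is not valid in the table it is loaded into, so the script can be rejected before it is pushed to the firewall. The script format (`$IPTABLES ...` lines with `# Rule N` comments) and the target/table map are assumptions: the REJECT restriction is the one quoted from syslog above, the MARK/CLASSIFY/ROUTE entries follow the statement that tagging, routing and classification are mangle-only, and the nat entries follow standard iptables behaviour. Adjust the map to the kernel and iptables version actually in use.

```python
"""Lint an fwbuilder-style iptables script for target/table mismatches.

Added example, not part of the fwbuilder project. The TARGET_TABLES map
is an assumption based on this thread (REJECT is filter-only; tagging,
routing and classification are mangle-only) plus standard nat targets;
tune it to the kernel in use before relying on it.
"""
import re
import shlex

# Tables in which each restricted target is allowed. Targets not listed
# (ACCEPT, DROP, LOG, RETURN, user-defined chains ...) pass in any table.
TARGET_TABLES = {
    "REJECT": {"filter"},        # syslog: "only valid in filter table, not mangle"
    "MARK": {"mangle"},          # "assigning a tag"
    "CLASSIFY": {"mangle"},      # "classification"
    "ROUTE": {"mangle"},         # "doing routing"
    "SNAT": {"nat"},
    "DNAT": {"nat"},
    "MASQUERADE": {"nat"},
    "REDIRECT": {"nat"},
}

# A rule line starts with the $IPTABLES variable fwbuilder scripts use,
# or with a literal iptables command.
RULE_CMD = re.compile(r"^\s*(?:\$IPTABLES|iptables)\b")


def parse_rule(line):
    """Return (table, chain, target) for one iptables command line.

    The table defaults to "filter" when no -t option is present, exactly as
    iptables itself does. Returns None for comments, variable assignments
    and any line without a jump target.
    """
    if not RULE_CMD.search(line):
        return None
    try:
        argv = shlex.split(line, comments=True)
    except ValueError:  # unbalanced quotes: not something we can reason about
        return None
    table, chain, target = "filter", None, None
    i = 1  # skip the command itself
    while i < len(argv):
        arg = argv[i]
        nxt = argv[i + 1] if i + 1 < len(argv) else None
        if arg in ("-t", "--table") and nxt:
            table = nxt
            i += 2
        elif arg in ("-A", "-I", "-D", "-R",
                     "--append", "--insert", "--delete", "--replace") and nxt:
            chain = nxt
            i += 2
        elif arg in ("-j", "--jump", "-g", "--goto") and nxt:
            target = nxt
            i += 2
        else:
            i += 1
    if target is None:
        return None
    return table, chain, target


def lint_script(script):
    """Return [(line_no, table, target), ...] for every rule whose target is
    not permitted in its table. An empty list means the script is clean."""
    problems = []
    for n, line in enumerate(script.splitlines(), 1):
        parsed = parse_rule(line)
        if parsed is None:
            continue
        table, _chain, target = parsed
        allowed = TARGET_TABLES.get(target)
        if allowed is not None and table not in allowed:
            problems.append((n, table, target))
    return problems


# Constructed sample in the shape of a generated script. The port 113
# (auth/ident) rule with tcp-reset stands in for "Rule 17" from the thread;
# the MASQUERADE rule in the filter table is a second, deliberate mismatch.
SAMPLE_SCRIPT = """\
IPTABLES=/sbin/iptables
# Rule 0 (global)
$IPTABLES -A INPUT -p tcp -s 192.0.2.10 --dport 22 -j ACCEPT   # management ssh
# Rule 17 (global)
$IPTABLES -t mangle -A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset
# Rule 18 (global)
$IPTABLES -t mangle -A PREROUTING -s 198.51.100.0/24 -j MARK --set-mark 1
# Rule 19 (global)
$IPTABLES -A FORWARD -j MASQUERADE
$IPTABLES -A INPUT -j DROP
"""

if __name__ == "__main__":
    for n, table, target in lint_script(SAMPLE_SCRIPT):
        print(f"line {n}: target {target} is not valid in table {table}")
```

Run against the constructed sample this reports line 5 (REJECT in mangle) and line 9 (MASQUERADE in filter). Wiring a check like this into the install step, and refusing to load a script that fails it, avoids the partial load seen above, where the rules before the failing one (drop rules included) were already active while the permit rule for the management workstation never got installed.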
>>>>>>> >>>>>>> After doing some more investigation, I found that in the policy >>>>>>> editor >>>>>>> there >>>>>>> is a check box that says "top ruleset" and a selection below that >>>>>>> says >>>>>>> "filter+mangle table" and another selection that says "mangle table". >>>>>>> Somehow >>>>>>> "mangle table" was selected. In looking at previous versions (thank >>>>>>> you >>>>>>> for RCS) >>>>>>> I saw that "filter+mangle" table was selected. Selecting >>>>>>> filter+mangle >>>>>>> table >>>>>>> recompiling got things working again. >>>>>>> >>>>>>> Since I do not understand what these settings do and I am the only >>>>>>> person >>>>>>> who >>>>>>> makes changes to this firewall, I am still trying to figure out how >>>>>>> this >>>>>>> got >>>>>>> changed. >>>>>>> >>>>>>> In addition, I do not understand why fwb is generating rules that >>>>>>> iptables >>>>>>> says are illegal. Shouldn't the compiler put up an error? >>>>>>> >>>>>>> I am running build 3050. >>>>>>> >>>>>>> Regards, >>>>>>> >>>>>>> -- >>>>>>> Tom Diehl td...@ro... Spamtrap address >>>>>>> mt...@ro... >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>> ------------------------------------------------------------------------------ >>>>>>> This SF.net email is sponsored by Sprint >>>>>>> What will you do first with EVO, the first 4G phone? >>>>>>> Visit sprint.com/first -- http://p.sf.net/sfu/sprint-com-first >>>>>>> _______________________________________________ >>>>>>> Fwbuilder-discussion mailing list >>>>>>> Fwb...@li... >>>>>>> https://lists.sourceforge.net/lists/listinfo/fwbuilder-discussion >>>>>>> >>>>>> >>>>> >>>>> -- >>>> >>> >>> -- >>> Tom Diehl td...@ro... Spamtrap address >>> mt...@ro... >> > > -- > Tom Diehl td...@ro... Spamtrap address > mt...@ro... |