Gentoo Forums
Need help setting up Shorewall
Forum: Networking & Security
wuya
Apprentice

Joined: 16 Apr 2005
Posts: 195

PostPosted: Tue Feb 28, 2006 7:23 am    Post subject: Need help setting up Shorewall

I am following this tutorial here:

https://forums.gentoo.org/viewtopic-t-308153.html

Currently here:
Quote:

# For 2.6 kernels look under:

Device Drivers --->
Networking support --->
Networking options --->
[*] Network packet filtering (replaces ipchains) --->
IP: Netfilter Configuration --->
<*> Connection tracking (required for masq/NAT)
<*> IP Tables Support (required for filtering/masq/NAT)
# Include (<*> not <M>) all options and sub options under IP tables support

My kernel is 2.6.14-gentoo-r5

There is no Networking support, but there is a Network device support. I assume that is what is meant. And there is no Networking options, or anything close to it.

Here are all the options under Network device support:
Code:

  [*] Network device support
  <M>   Dummy net driver support
  < >   Bonding driver support
  < >   EQL (serial line load balancing) support
  < >   Universal TUN/TAP device driver support
  < >   General Instruments Surfboard 1000
        ARCnet devices  --->
        PHY device support  --->
        Ethernet (10 or 100Mbit)  --->
        Ethernet (1000 Mbit)  --->
        Ethernet (10000 Mbit)  --->
        Token Ring devices  --->
        Wireless LAN (non-hamradio)  --->
        Wan interfaces  --->
  [ ]   FDDI driver support
  [ ]   HIPPI driver support (EXPERIMENTAL)
  < >   PLIP (parallel port) support
  < >   PPP (point-to-point protocol) support
  < >   SLIP (serial line) support
  [ ]   Fibre Channel driver support
  < >   Traffic Shaper (EXPERIMENTAL)
  < >   Network console logging support (EXPERIMENTAL)

What am I supposed to do?
_________________
Linux gentoo 2.6.14-gentoo-r5, Fluxbox
frostschutz
Advocate

Joined: 22 Feb 2005
Posts: 2977
Location: Germany

PostPosted: Tue Feb 28, 2006 7:28 am    Post subject: Re: Need help setting up Shorewall

wuya wrote:
There is no Networking support, but there is a Network device support. I assume that is what it is meant. And there is no Networking options, or anything close to it.


In menuconfig, when you don't find an option, you can use the / key to search. It should be there, though not necessarily under the Network device menu.
wuya
Apprentice

Joined: 16 Apr 2005
Posts: 195

PostPosted: Tue Feb 28, 2006 8:19 am

I used the search in menuconfig, and 'Networking options' is not found. Further help needed.
_________________
Linux gentoo 2.6.14-gentoo-r5, Fluxbox
rsteed
n00b

Joined: 24 Feb 2006
Posts: 11

PostPosted: Tue Feb 28, 2006 10:05 am

For v2.6.15-gentoo-r1:

Quote:
Networking --->
Networking options --->
[*] Network packet filtering (replaces ipchains) --->
IP: Netfilter Configuration --->
<*> Connection tracking (required for masq/NAT)
<*> IP tables support (required for filtering/masq/NAT)
frostschutz
Advocate

Joined: 22 Feb 2005
Posts: 2977
Location: Germany

PostPosted: Tue Feb 28, 2006 10:21 am

Try searching for a concrete setting (e.g. iptables) rather than the name of the category it is in.

Code:
  ┌──────────────────────────── Search Results ─────────────────────────────┐
  │ Symbol: IP_NF_IPTABLES [=y]                                             │ 
  │ Prompt: IP tables support (required for filtering/masq/NAT)             │ 
  │   Defined at net/ipv4/netfilter/Kconfig:183                             │ 
  │   Depends on: NET && INET && NETFILTER                                  │ 
  │   Location:                                                             │ 
  │     -> Networking                                                       │ 
  │       -> Networking support (NET [=y])                                  │ 
  │         -> Networking options                                           │ 
  │           -> Network packet filtering (replaces ipchains) (NETFILTER [= │ 
  │             -> IP: Netfilter Configuration                              │
  └─────────────────────────────────────────────────────────────────────────┘ 
wuya
Apprentice

Joined: 16 Apr 2005
Posts: 195

PostPosted: Thu Mar 02, 2006 1:33 am

Okay, thanks. I found it.

A little off-topic. If I build in something that doesn't apply to anything I am planning to use in makeconfig, would it become a security risk factor?

Another thing:

Quote:
If you don't have netfilter compiled into your kernel, then press "y" to add the option,

Sorry for asking stupid questions, but this is my first time trying to set up a secure system.

How would I know if netfilter is compiled into my kernel?

I did a search using the word 'netfilter' and I got some Y and some N answers. So I am not sure if I have it or not. See below for search results.

Code:

  Symbol: NETFILTER_NETLINK_QUEUE [=n]
  Prompt: Netfilter NFQUEUE over NFNETLINK interface
    Defined at net/netfilter/Kconfig:7
    Depends on: NET && NETFILTER && NETFILTER_NETLINK
    Location:
      -> Networking
        -> Networking support (NET [=y])
          -> Networking options
            -> Network packet filtering (replaces ipchains) (NETFILTER [=y])
              -> Netfilter netlink interface (NETFILTER_NETLINK [=n])


  Symbol: NETFILTER_NETLINK [=n]
  Prompt: Netfilter netlink interface
    Defined at net/netfilter/Kconfig:1


I read a little further, and would like to know this in advance.

Quote:
Once you've verified that your kernel is configured to use netfilter

How does one verify that the kernel is configured to use netfilter?
_________________
Linux gentoo 2.6.14-gentoo-r5, Fluxbox
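One way to answer this question on a Gentoo box, as an added example that is not part of the thread: a small POSIX shell script that reads the running kernel's config and reports the state of the netfilter symbols. NET, NETFILTER and IP_NF_IPTABLES come from the search results quoted above; the other symbol names (IP_NF_CONNTRACK, IP_NF_FILTER, IP_NF_NAT), the config paths and the sample config are assumptions.

```shell
# Added example, not from the thread: report whether a kernel .config has the
# netfilter options Shorewall needs. NET, NETFILTER and IP_NF_IPTABLES appear in
# the search results above; the other three are assumed 2.6.14-era symbol names.

# Print the running kernel's config. /proc/config.gz needs CONFIG_IKCONFIG_PROC=y;
# /usr/src/linux/.config matches the running kernel only if that tree built it.
find_kernel_config() {
    if [ -r /proc/config.gz ]; then
        zcat /proc/config.gz
    elif [ -r /usr/src/linux/.config ]; then
        cat /usr/src/linux/.config
    else
        return 1
    fi
}

# config_state FILE SYMBOL: print y, m or n ("# CONFIG_X is not set" and a
# missing line both read as n).
config_state() {
    state=$(sed -n "s/^CONFIG_$2=\([ym]\)\$/\1/p" "$1" | head -n 1)
    printf '%s\n' "${state:-n}"
}

# check_netfilter FILE: one line per symbol; succeed only if the core symbols are
# built in (=y, as the tutorial asks) and the rest are =y or =m (modules).
check_netfilter() {
    rc=0
    for spec in NET:y NETFILTER:y IP_NF_IPTABLES:y \
                IP_NF_CONNTRACK:ym IP_NF_FILTER:ym IP_NF_NAT:ym; do
        sym=${spec%:*}; allowed=${spec#*:}
        s=$(config_state "$1" "$sym")
        case $s in [$allowed]) ;; *) rc=1 ;; esac
        printf 'CONFIG_%-18s %s\n' "$sym" "$s"
    done
    return $rc
}

# Constructed sample .config (not from any real kernel): NAT is unset, so the
# check reports n for it and fails.
SAMPLE_CONFIG=$(mktemp)
cat > "$SAMPLE_CONFIG" <<'EOF'
CONFIG_NET=y
CONFIG_NETFILTER=y
CONFIG_IP_NF_CONNTRACK=m
CONFIG_IP_NF_IPTABLES=y
CONFIG_IP_NF_FILTER=m
# CONFIG_IP_NF_NAT is not set
EOF
check_netfilter "$SAMPLE_CONFIG" || echo "netfilter options missing for Shorewall"
```

On a live system, run `find_kernel_config > /tmp/kconfig && check_netfilter /tmp/kconfig` to check the kernel you are actually booted into rather than the constructed sample.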
wuya
Apprentice

Joined: 16 Apr 2005
Posts: 195

PostPosted: Fri Mar 03, 2006 1:19 pm

Please help a newbie out?
_________________
Linux gentoo 2.6.14-gentoo-r5, Fluxbox
s_bernstein
Apprentice

Joined: 11 Mar 2006
Posts: 172
Location: Bremen, Germany

PostPosted: Thu Mar 30, 2006 11:58 am

The needed settings depend on your network setup, but I copied my configuration, which should work for most cases.

There will be some settings you will probably never need. I'm running my shorewall with 8 connected VLANs, so it's a bit more than the average home user.

Settings in:
-> Networking
-> Networking support
-> Networking options


<*> Packet socket
[*] Packet socket: mmapped IO
<*> Unix domain sockets
<M> IPsec user configuration interface
<M> PF_KEY sockets
[*] TCP/IP networking
[*] IP: multicasting (probably not needed)
[*] IP: advanced router
Choose IP: FIB lookup algorithm (choose FIB_HASH if unsure) (
[*] IP: policy routing (needed if your fw sits between subnets)
[*] IP: use netfilter MARK value as routing key
[*] IP: equal cost multipath
[ ] IP: equal cost multipath with caching support (EXPERIMENTAL)
[*] IP: verbose route monitoring
[ ] IP: kernel level autoconfiguration
<*> IP: tunneling
<*> IP: GRE tunnels over IP
[ ] IP: broadcast GRE over IP
[*] IP: multicast routing (probably not needed)
[*] IP: PIM-SM version 1 support
[*] IP: PIM-SM version 2 support
[ ] IP: ARP daemon support (EXPERIMENTAL)
[*] IP: TCP syncookie support (disabled per default) (needed afaik)
<*> IP: AH transformation
<*> IP: ESP transformation
<*> IP: IPComp transformation
--- IP: tunnel transformation
<*> INET: socket monitoring interface
[ ] TCP: advanced congestion control
IP: Virtual Server Configuration --->
< > The IPv6 protocol
[*] Network packet filtering (replaces ipchains) --->
DCCP Configuration (EXPERIMENTAL) --->
SCTP Configuration (EXPERIMENTAL) --->
< > Asynchronous Transfer Mode (ATM) (EXPERIMENTAL)
<M> 802.1d Ethernet Bridging (probably not needed)
<*> 802.1Q VLAN Support (probably not needed)
< > DECnet Support
<M> ANSI/IEEE 802.2 LLC type 2 Support
< > The IPX protocol
< > Appletalk protocol support
< > CCITT X.25 Packet Layer (EXPERIMENTAL)
< > LAPB Data Link Driver (EXPERIMENTAL)
[ ] Frame Diverter (EXPERIMENTAL)
< > Acorn Econet/AUN protocols (EXPERIMENTAL)
< > WAN router
QoS and/or fair queueing --->
Network testing --->



Settings In:
-> Networking
-> Networking support (NET [=y])
-> Networking options
-> Network packet filtering (replaces ipchains) (NETFILTER



--- Network packet filtering (replaces ipchains)
[ ] Network packet filtering debugging
[*] Bridged IP/ARP packets filtering (don't know)
Core Netfilter Configuration --->
IP: Netfilter Configuration --->
Bridge: Netfilter Configuration --->

Settings in: (mostly modules, so it's not wasting memory if not used)
-> Networking
-> Networking support (NET [=y])
-> Networking options
-> Network packet filtering (replaces ipchains) (NETFILTER [=
-> IP: Netfilter Configuration


<*> Connection tracking (required for masq/NAT) (needed on PtP-Internet connections, if connecting a network)
[*] Connection tracking flow accounting
[*] Connection mark tracking support
[*] Connection tracking events (EXPERIMENTAL)
< > SCTP protocol connection tracking support (EXPERIMENTAL)
<M> FTP protocol support
<M> IRC protocol support
< > NetBIOS name service protocol support (EXPERIMENTAL)
<M> TFTP protocol support
<M> Amanda backup protocol support
< > PPTP protocol support
<M> IP Userspace queueing via NETLINK (OBSOLETE)
<*> IP tables support (required for filtering/masq/NAT)
<M> limit match support
<M> IP range match support
<M> MAC address match support
<M> Packet type match support
<M> netfilter MARK match support
<M> Multiple port match support
<M> TOS match support
<M> recent match support
<M> ECN match support
<M> DSCP match support
<M> AH/ESP match support
<M> LENGTH match support
<M> TTL match support
<M> tcpmss match support
<M> Helper match support
<M> Connection state match support
<M> Connection tracking match support
<M> Owner match support
<M> Physdev match support
<M> address type match support
<M> realm match support
<M> SCTP protocol match support
< > DCCP protocol match support
<M> comment match support
<M> Connection mark match support
<M> Connection byte/packet counter match support
<M> hashlimit match support
<M> string match support
<M> Packet filtering
<M> REJECT target support
<M> LOG target support
<M> ULOG target support (OBSOLETE)
<M> TCPMSS target support
< > NFQUEUE Target Support
<M> Full NAT (maybe needed on PtP-Internet connections, if connecting a network)
<M> MASQUERADE target support
<M> REDIRECT target support
<M> NETMAP target support
<M> SAME target support
< > Basic SNMP-ALG support (EXPERIMENTAL)
<M> Packet mangling (needed)
<M> TOS target support
<M> ECN target support
<M> DSCP target support
<M> MARK target support
<M> CLASSIFY target support
<M> TTL target support
<M> CONNMARK target support
< > CLUSTERIP target support (EXPERIMENTAL)
<M> raw table support (required for NOTRACK/TRACE)
< > NOTRACK target support
<M> ARP tables support
<M> ARP packet filtering
< > ARP payload mangling