susefirewall2 problem (SuSE 10.1)
8 answers

When I start the computer or run SuSEfirewall2 I get some weird errors:
nimrodel:~ # SuSEfirewall2
SuSEfirewall2: Warning: ip6tables does not support state matching. Extended IPv6 support disabled.
SuSEfirewall2: Setting up rules from /etc/sysconfig/SuSEfirewall2
SuSEfirewall2: Firewall customary rules loaded from /
SuSEfirewall2: batch committing
iptables-batch v1.3.5: host/network `##' not found
Try `iptables-batch -h' or 'iptables-batch ' for more information.
SuSEfirewall2: Error: iptables-batch failed, re-running using iptables
iptables v1.3.5: host/network `##' not found
Try `iptables -h' or 'iptables ' for more information.
iptables v1.3.5: host/network `##' not found
Try `iptables -h' or 'iptables ' for more information.
iptables v1.3.5: host/network `Type:' not found
Try `iptables -h' or 'iptables ' for more information.
iptables v1.3.5: host/network `Type:' not found
Try `iptables -h' or 'iptables ' for more information.
iptables v1.3.5: host/network `string' not found
Try `iptables -h' or 'iptables ' for more information.
iptables v1.3.5: host/network `string' not found
Try `iptables -h' or 'iptables ' for more information.
iptables v1.3.5: host/network `##' not found
Try `iptables -h' or 'iptables ' for more information.
iptables v1.3.5: host/network `##' not found
Try `iptables -h' or 'iptables ' for more information.
iptables v1.3.5: host/network `Default:' not found
Try `iptables -h' or 'iptables ' for more information.
iptables v1.3.5: host/network `Default:' not found
Try `iptables -h' or 'iptables ' for more information.
SuSEfirewall2: Firewall rules successfully set
nimrodel:~ # rcSuSEfirewall2 status
Checking the status of SuSEfirewall2 running
nimrodel:~ #
I worry about the "not found" errors. How do I find out what is the exact
problem? A bug of mine or of SuSE? It does not report the problematic file
or line.
The configuration is the same I had with 9.3, and it worked with no
errors, AFAIK.
I'm also getting some strange errors, maybe unrelated:
Jul 23 13:13:16 nimrodel kernel: SFW2-OUT-ERROR IN= OUT=eth0
SRC=192.168.1.12 DST=134.76.11.100 LEN=52 TOS=0x00 PREC=0x00 TTL=64
ID=61663 DF PROTO=TCP SPT=24438 DPT=80 WINDOW=2184 RES=0x00 ACK FIN URGP=0
OPT (0101080A0002D56B70A5E356)
Jul 23 13:13:18 nimrodel kernel: SFW2-OUT-ERROR IN= OUT=eth0
SRC=192.168.1.12 DST=134.76.11.100 LEN=52 TOS=0x00 PREC=0x00 TTL=64
ID=61664 DF PROTO=TCP SPT=24438 DPT=80 WINDOW=2184 RES=0x00 ACK FIN URGP=0
OPT (0101080A0002D6D370A5E356)
Jul 23 13:13:21 nimrodel kernel: SFW2-OUT-ERROR IN= OUT=eth0
SRC=192.168.1.12 DST=134.76.11.100 LEN=52 TOS=0x00 PREC=0x00 TTL=64
ID=61665 DF PROTO=TCP SPT=24438 DPT=80 WINDOW=2184 RES=0x00 ACK FIN URGP=0
OPT (0101080A0002D9A370A5E356)
Jul 23 13:13:38 nimrodel kernel: SFW2-OUT-ERROR IN= OUT=eth0
SRC=192.168.1.12 DST=134.76.11.100 LEN=52 TOS=0x00 PREC=0x00 TTL=64
ID=61667 DF PROTO=TCP SPT=24438 DPT=80 WINDOW=2184 RES=0x00 ACK FIN URGP=0
OPT (0101080A0002EA8370A5E356)
The remote IP is ftp.gwdg.de. They occur when starting or closing YOU.
--
Cheers,
Carlos Robinson
No.1
On Sunday, 23 July 2006 13:17, Carlos E. R. wrote:
I've trimmed your error messages:
iptables v1.3.5: host/network `##' not found
iptables v1.3.5: host/network `Type:' not found
iptables v1.3.5: host/network `string' not found
iptables v1.3.5: host/network `##' not found
iptables v1.3.5: host/network `Default:' not found
I worry about the "not found" errors. How do I find out what is the exact
problem?
Have a look at your /etc/sysconfig/SuSEfirewall2, e.g.:
## Path: Network/Firewall/SuSEfirewall2
## Description: SuSEfirewall2 configuration
## Type: string
## Default: any
Parts of a comment get passed to iptables-batch/iptables.
A bug of mine or of SuSE? It does not report the problematic
file or line.
SuSEfirewall2 does not recognize that error and, thus, silently passes
wrong parameters. Then, iptables-batch/iptables complains about them.
The configuration is the same I had with 9.3, and it worked with no
errors, AFAIK.
You should check your /etc/sysconfig/SuSEfirewall2. E.g., by using
grep -v "#" /etc/sysconfig/SuSEfirewall2
to ensure that all options are well-formed (KEY="VALUE"). If so, try to
comment out all options and re-add them one by one until the problem is
triggered.
I'm also getting some strange errors, maybe unrelated:
Jul 23 13:13:16 nimrodel kernel: SFW2-OUT-ERROR IN= OUT=eth0
SRC=192.168.1.12 DST=134.76.11.100 LEN=52 TOS=0x00 PREC=0x00 TTL=64
ID=61663 DF PROTO=TCP SPT=24438 DPT=80 WINDOW=2184 RES=0x00 ACK FIN
URGP=0 OPT (0101080A0002D56B70A5E356)
[...]
Hmm, you already experienced such log entries some months ago. :)
Regards,
Jan
No.2
The Sunday 2006-07-23 at 16:29 +0200, Jan Ritzerfeld wrote:
You should check your /etc/sysconfig/SuSEfirewall2. E.g., by using
grep -v "#" /etc/sysconfig/SuSEfirewall2
to ensure that all options are well-formed (KEY="VALUE"). If so, try to
comment out all options and re-add them one by one until the problem is
triggered.
As far as I can see, they are all well formed, no "#" appears in the
output. I can't simply delete everything, that would be the same as
removing the firewall.
[...]
Actually, I just saw a mistaken line:
FW_TRUSTED_NETS="192.168.1.11,tcp,ftp 192.168.1.11,tcp,ftp-data \
## Type: string
## Default:
192.168.1.11,tcp,ssh \
192.168.1.1,udp,tftp"
I removed the comments in the middle and the error got corrected. I can't
understand how they got there :
I'm also getting some strange errors, maybe unrelated:
Jul 23 13:13:16 nimrodel kernel: SFW2-OUT-ERROR IN= OUT=eth0
SRC=192.168.1.12 DST=134.76.11.100 LEN=52 TOS=0x00 PREC=0x00 TTL=64
ID=61663 DF PROTO=TCP SPT=24438 DPT=80 WINDOW=2184 RES=0x00 ACK FIN
URGP=0 OPT (0101080A0002D56B70A5E356)
[...]
Hmm, you already experienced such log entries some months ago. :)
True enough. But this is the first time I noticed them appearing in the
log at the same time as I clicked somewhere, i.e., repeatable. And
previously it was 9.3, now it is 10.1.
--
Cheers,
Carlos E. R.
No.3
On Sunday, 23 July 2006 21:01, Carlos E. R. wrote:
The Sunday 2006-07-23 at 16:29 +0200, Jan Ritzerfeld wrote:
You should check your /etc/sysconfig/SuSEfirewall2. E.g., by using
grep -v "#" /etc/sysconfig/SuSEfirewall2
to ensure that all options are well-formed (KEY="VALUE"). If so, try to
comment out all options and re-add them one by one until the problem is
triggered.
As far as I can see, they are all well formed, no "#" appears in the
output. [...]
The regex was somewhat wrong, or useless. grep -v "^#" would have been
better.
FW_TRUSTED_NETS="192.168.1.11,tcp,ftp 192.168.1.11,tcp,ftp-data \
## Type: string
## Default:
192.168.1.11,tcp,ssh \
192.168.1.1,udp,tftp"
Argh, such lines would be suppressed, regardless of which regex you used.
I removed the comments in the middle and the error got corrected. I can't
understand how they got there :
Does not matter. You found the error. :)
I'm also getting some strange errors, maybe unrelated:
Jul 23 13:13:16 nimrodel kernel: SFW2-OUT-ERROR IN= OUT=eth0
SRC=192.168.1.12 DST=134.76.11.100 LEN=52 TOS=0x00 PREC=0x00 TTL=64
ID=61663 DF PROTO=TCP SPT=24438 DPT=80 WINDOW=2184 RES=0x00 ACK FIN
URGP=0 OPT (0101080A0002D56B70A5E356)
[...]
Hmm, you already experienced such log entries some months ago. :)
True enough. But this is the first time I noticed them appearing in the
log at the same time as I clicked somewhere, i.e., repeatable.
For me, this kind of error was repeatable when using "whois" querying a
special domain, i.e., a special whois server. But I do not think that these
"errors" are harmful and, so, I just ignore them.
BTW, one of the IP addresses appearing in my SFW2-OUT-ERRORs is
195.135.221.132, ftp.suse.com
And previously it was 9.3, now it is 10.1
AFAIK, there was not much change in SuSEfirewall2.
Regards,
Jan
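The mechanism Jan describes (comment lines pasted inside a quoted, backslash-continued value become words that iptables receives as host/network arguments, and both grep -v variants hide exactly those lines) can be reproduced and checked with the following script. This is an added example, not code from the thread or from SuSEfirewall2; the sample configuration is constructed from the FW_TRUSTED_NETS value quoted in the thread, and the function names are my own.

```shell
#!/bin/sh
# Constructed sample of /etc/sysconfig/SuSEfirewall2: the FW_TRUSTED_NETS value
# from the thread, with two '##' description lines pasted inside the quoted,
# backslash-continued value. The other keys are filler.
SAMPLE_CONF=$(mktemp)
cat >"$SAMPLE_CONF" <<'EOF'
## Path: Network/Firewall/SuSEfirewall2
## Type: string
## Default: any
FW_DEV_EXT="eth0"
FW_TRUSTED_NETS="192.168.1.11,tcp,ftp 192.168.1.11,tcp,ftp-data \
## Type: string
## Default:
192.168.1.11,tcp,ssh \
192.168.1.1,udp,tftp"
EOF

# trusted_net_words FILE: source the file as the firewall script does and print
# each whitespace-separated word of FW_TRUSTED_NETS on its own line. Inside the
# double quotes the '##' lines are data, not comments, so the output contains
# the very words iptables rejected as host/network: ##, Type:, string, Default:.
trusted_net_words() {
    # shellcheck disable=SC1090
    . "$1"
    for word in $FW_TRUSTED_NETS; do
        printf '%s\n' "$word"
    done
}

# lint_quoted_comments FILE: report every line starting with '#' that sits
# inside an unterminated double-quoted value. grep -v "#" and grep -v "^#"
# both hide exactly these lines, so the check tracks quote state instead.
lint_quoted_comments() {
    awk '
        {
            if (inquote && $0 ~ /^[[:space:]]*#/)
                printf "%s:%d: comment text inside quoted value: %s\n", FILENAME, NR, $0
            line = $0
            gsub(/\\"/, "", line)                     # ignore escaped quotes
            if (gsub(/"/, "", line) % 2) inquote = !inquote
        }' "$1"
}

trusted_net_words "$SAMPLE_CONF"
lint_quoted_comments "$SAMPLE_CONF"
```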
No.4
The Monday 2006-07-24 at 10:59 +0200, Jan Ritzerfeld wrote:
FW_TRUSTED_NETS="192.168.1.11,tcp,ftp 192.168.1.11,tcp,ftp-data \
## Type: string
## Default:
192.168.1.11,tcp,ssh \
192.168.1.1,udp,tftp"
Argh, such lines would be suppressed, regardless of which regex you used.
I removed the comments in the middle and the error got corrected. I can't
understand how they got there :
Does not matter. You found the error. :)
Well, I'd like to know if I have to blame myself or not ;-)
BTW, one of the IP addresses appearing in my SFW2-OUT-ERRORs is
195.135.221.132, ftp.suse.com
Funny. Yes, we'll have to ignore them, but I'd like to know what is
causing them.
--
Cheers,
Carlos E. R.
No.5
Carlos E. R. wrote:
FW_TRUSTED_NETS="192.168.1.11,tcp,ftp 192.168.1.11,tcp,ftp-data \
## Type: string
## Default:
192.168.1.11,tcp,ssh \
192.168.1.1,udp,tftp"
Argh, such lines would be suppressed, regardless of which regex you used.
I removed the comments in the middle and the error got corrected. I can't
understand how they got there :
Does not matter. You found the error. :)
Well, I'd like to know if I have to blame myself or not ;-)
From older messages on this list, I learned that defining a variable
over multiple lines is not allowed in SuSEfirewall (and probably on all
configuration files handled by SuSEconfig).
The error you are seeing is due to an update from SuSEfirewall2 (which
recreated the conf file) or to a configuration through yast.
So, forget using
F=" \
1.2.3.4 \
5.6.7.8 \
"
and type
F="1.2.3.4 5.6.7.8".
Don't use yast to edit your FW config and save/check/restore after a
SuSEFirewall2 update.
Regards, Richard
No.6
The Monday 2006-07-24 at 14:43 +0200, Richard Ems wrote:
From older messages on this list, I learned that defining a variable
over multiple lines is not allowed in SuSEfirewall (and probably on all
configuration files handled by SuSEconfig).
The error you are seeing is due to an update from SuSEfirewall2 (which
recreated the conf file) or to a configuration through yast.
So, forget using
F=" \
1.2.3.4 \
5.6.7.8 \
"
and type
F="1.2.3.4 5.6.7.8".
Actually, I had:
F=" 1.2.3.4 \
## comment
## comment
5.6.7.8 \
It was the comments in the middle that were giving problems, not the
multiline definition - which must work, it is standard script syntax. What
I don't understand is how those comments got in there. It could be the
update from 9.3 to 10.1 process, or it could be my thick hands.
Don't use yast to edit your FW config
I never do, I edit the file directly.
and save/check/restore after a
SuSEFirewall2 update.
--
Cheers,
Carlos E. R.
No.7
Hello,
On Monday, 24 July 2006 14:43, Richard Ems wrote:
[...]
From older messages on this list, I learned that defining a variable
over multiple lines is not allowed in SuSEfirewall (and probably on
all configuration files handled by SuSEconfig).
So, forget using
F=" \
1.2.3.4 \
5.6.7.8 \
"
SuSEfirewall (better: its YaST2 module) was just fixed to allow
multiline entries - this will go into 10.2 and Factory.
However, I don't recommend using the backslashes ;-)
Regards,
Christian Boltz
No.8
Carlos E. R. wrote:
Actually, I had:
F=" 1.2.3.4 \
## comment
## comment
5.6.7.8 \
It was the comments in the middle that were giving problems, not the
multiline definition - which must work, it is standard script syntax. What
I don't understand is how those comments got in there. It could be the
update from 9.3 to 10.1 process, or it could be my thick hands.
The comments got in through yast or SuSEconfig, because of the multiline
definition of the variable F!