I'm using my internet-connected PC to share the connection with my second computer. The internet-connected PC runs a shorewall firewall and is doing masquerading. The configuration so far works fine with one exception: when I try to access a service on my local PC (192.168.0.2) which is not allowed at the firewall (only tested with ftp and vnc so far), my kernel (gentoo-sources-2.4.20-r2) panics. A screenshot of the panic is available at http://files.mospheira.net/gentoo_kernel_panic.jpg

This problem does not occur with vanilla-sources-2.4.20 or ac-sources-2.4.21_rc1-r2 (I'm using this one now).

Best regards,
-Markus-

Reproducible: Always

Steps to Reproduce:
1. Start with Gentoo kernel gentoo-sources-2.4.20-r2
2. Start shorewall (with no rule to allow ftp access from fw to loc)
3. Try ftp to local machine (from 192.168.0.1=fw to 192.168.0.2=loc)

Actual Results:
Kernel panic immediately

Expected Results:
Deny ftp access (drop) and log info to /var/log/messages

mb1 root # emerge info
Portage 2.0.47-r10 (default-x86-1.4, gcc-3.2.2, glibc-2.3.1-r4)
=================================================================
System uname: 2.4.21-rc1-ac2 i686 Intel(R) Pentium(R) 4 CPU 1500MHz
GENTOO_MIRRORS="ftp://ftp.belnet.be/mirror/rsync.gentoo.org/gentoo/ http://ftp.belnet.be/mirror/rsync.gentoo.org/gentoo/ http://212.219.56.131/sites/www.ibiblio.org/gentoo/ ftp://ftp.easynet.nl/mirror/gentoo/ http://ftp.easynet.nl/mirror/gentoo/ http://212.219.56.152/sites/www.ibiblio.org/gentoo/ ftp://ftp.tu-clausthal.de/pub/linux/gentoo/ ftp://ftp.snt.utwente.nl/pub/os/linux/gentoo/ http://gentoo.oregonstate.edu/ http://www.ibiblio.org/pub/Linux/distributions/gentoo"
CONFIG_PROTECT="/etc /var/qmail/control /usr/kde/2/share/config /usr/kde/3/share/config /usr/X11R6/lib/X11/xkb /usr/kde/3.1/share/config /usr/share/config"
CONFIG_PROTECT_MASK="/etc/gconf /etc/env.d"
PORTDIR="/usr/portage"
DISTDIR="/resources/dists/gentoo/1.4rc2/distfiles"
PKGDIR="/resources/dists/gentoo/1.4rc2/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR_OVERLAY=""
USE="x86 -3dfx 3dnow aalib -acl -acpi -afs -alsa -apache2 apm arts -atlas avi berkdb bonobo -canna cdr -cjk crypt -cups dga directfb -doc dvd encode esd evo -ev6 fbcon -flash -freewnn gb gd gdbm -ggi -ggz gif gnome gnome-libs gphoto2 gpm gtk2 gtk gtkhtml guile -icc -iccpgo imap imlib innodb -ipv6 java -jikes jpeg -junit kde -kerberos lcms ldap leim -libg++ libgda libwww -matrox maildir mbox mikmod mmx motif mozilla mpeg -mule mysql -nas ncurses nls nocardbus oav -oci8 -odbc oggvorbis opengl -oss pam -pcmcia pda pdflib perl pic plotutils png -postgres python qt qtmt quicktime readline -ruby samba sasl -scanner sdl slang -slp snmp -socks5 spell sse ssl -static svga tcltk tcpd tetex tiff truetype -trusted -voodoo3 -wavelan X xface xml2 xml xmms xv -zeo zlib"
COMPILER="gcc3"
CHOST="i686-pc-linux-gnu"
CFLAGS="-march=pentium4 -mcpu=pentium4 -O3 -pipe -fomit-frame-pointer"
CXXFLAGS="-march=pentium4 -mcpu=pentium4 -O3 -pipe -fomit-frame-pointer"
ACCEPT_KEYWORDS="x86"
MAKEOPTS="-j2"
AUTOCLEAN="no"
SYNC="rsync://rsync.europe.gentoo.org/gentoo-portage/"
FEATURES="sandbox ccache"

mb1 root # shorewall version
1.4.2

mb1 root # tail -27 /etc/shorewall/rules
##############################################################################
#ACTION SOURCE DEST PROTO DEST    SOURCE   ORIGINAL
#                         PORT    PORT(S)  DEST
#
# Accept DNS connections from the firewall to the network
#
##everything from fw to net is allowed in the policy file
#ACCEPT  fw   net  tcp   53
#ACCEPT  fw   net  udp   53
#
# Accept SSH connections from the local network for administration
#
ACCEPT   loc  fw   tcp   22
#
# Allow Ping To And From Firewall
#
ACCEPT   loc  fw   icmp  8
ACCEPT   net  fw   icmp  8
ACCEPT   fw   loc  icmp  8
ACCEPT   fw   net  icmp  8
#
# Accept DNS connections to the internal caching nameserver
#
ACCEPT   loc  fw   tcp   53
ACCEPT   loc  fw   udp   53
#
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
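For readers who want to see what the reporter's expected behaviour ("deny ftp access and log to /var/log/messages") looks like as plain netfilter rules, here is an added example. It is not the reporter's configuration and not shorewall's generated output: it is a hand-written iptables equivalent of the zone policy the report describes (everything fw->net accepted, loc->net masqueraded, only ssh/dns/ping loc->fw, ping-only fw->loc with everything else logged and then dropped). The interface names eth0/eth1 and the /24 LAN are assumptions; the addresses 192.168.0.1 (fw) and 192.168.0.2 (loc) come from the report. The rules are emitted as text rather than applied, so the set can be reviewed without root, and a small check confirms the LOG rule sits before the DROP, since a DROP placed first would silently swallow the traffic the reporter wanted to see in the log.

```shell
#!/bin/sh
# Added example (not the reporter's files and not shorewall output): a
# hand-written iptables equivalent of the described zone policy, emitted
# as text so it can be reviewed and checked without root.
# Assumptions: eth0 = internet interface, eth1 = LAN interface,
# fw = 192.168.0.1 and loc = 192.168.0.2 on 192.168.0.0/24.
NET_IF="${NET_IF:-eth0}"
LOC_IF="${LOC_IF:-eth1}"
LOC_NET="192.168.0.0/24"

# Print the rule set; run "gen_rules | sh" on the firewall host to apply it.
gen_rules() {
    cat <<EOF
# default: drop everything no rule below accepts
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# loc -> net: masqueraded through the firewall host
iptables -t nat -A POSTROUTING -o $NET_IF -j MASQUERADE
iptables -A FORWARD -i $LOC_IF -o $NET_IF -s $LOC_NET -j ACCEPT
# fw -> net: everything allowed (the reporter's policy file)
iptables -A OUTPUT -o $NET_IF -j ACCEPT
# loc -> fw: ssh, dns and ping only (the reporter's rules file)
iptables -A INPUT -i $LOC_IF -s $LOC_NET -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -i $LOC_IF -s $LOC_NET -p tcp --dport 53 -j ACCEPT
iptables -A INPUT -i $LOC_IF -s $LOC_NET -p udp --dport 53 -j ACCEPT
iptables -A INPUT -i $LOC_IF -s $LOC_NET -p icmp --icmp-type 8 -j ACCEPT
# net -> fw: ping only
iptables -A INPUT -i $NET_IF -p icmp --icmp-type 8 -j ACCEPT
# fw -> loc: ping allowed; anything else (ftp, vnc, ...) is logged, then
# dropped. This is the path the reporter expected to end in /var/log/messages.
iptables -A OUTPUT -o $LOC_IF -d $LOC_NET -p icmp --icmp-type 8 -j ACCEPT
iptables -A OUTPUT -o $LOC_IF -d $LOC_NET -m limit --limit 5/min -j LOG --log-level info --log-prefix "fw2loc:DROP:"
iptables -A OUTPUT -o $LOC_IF -d $LOC_NET -j DROP
EOF
}

# Check before loading: the fw -> loc LOG rule must precede the DROP,
# otherwise nothing is ever logged. Returns 0 when the order is right.
log_precedes_drop() {
    log_line=$(gen_rules | grep -n -- '-A OUTPUT.*-j LOG' | head -n 1 | cut -d: -f1)
    drop_line=$(gen_rules | grep -n -- '-A OUTPUT.*-j DROP' | head -n 1 | cut -d: -f1)
    [ -n "$log_line" ] && [ -n "$drop_line" ] && [ "$log_line" -lt "$drop_line" ]
}

# Number of iptables commands emitted (comments excluded); useful when
# comparing against "iptables-save" on the host after applying.
rule_count() {
    gen_rules | grep -c '^iptables '
}

if log_precedes_drop; then
    echo "ok: $(rule_count) rules, LOG before DROP for fw->loc"
else
    echo "error: LOG rule does not precede DROP" >&2
    exit 1
fi
```

The rate limit on the LOG rule is a practitioner's habit rather than something the report asks for: a scan from the firewall host itself would otherwise fill the log at packet rate.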
Created attachment 11455
My kernel's config file for gentoo-sources-2.4.20-r2

Added my linux-2.4.20-gentoo-r2 kernel's .config as attachment.
Try pfeifer-sources-2.4.20_pre9, as I've reworked iptables to hopefully fix this issue. The quicker I get feedback on this, the quicker I can get pre9 into gentoo-sources as 2.4.20.1-r4.

Thanks,
Jay
Hi,

I tried sys-kernel/pfeifer-sources-2.4.20.1_pre9 and did a fresh emerge of iptables (1.2.8-r1). It worked now. No panic. Will keep using ac-sources-2.4.21_rc1-r2 or vanilla-sources-2.4.20 until the final release of gentoo-sources version 2.4.20.1-r4.

Thanks,
Markus
Thanks for the info. From the tests I've done, I figured it was solved. Your confirmation helps. Closing.

Jay