Hello,<br />
<br />
After recent updates (end February 2013) my firewall managed by Shorewall (<a href="http://www.shorewall.net">http://www.shorewall.net</a> [<a href="http://www.shorewall.net" target="_blank">^</a>]) ceased to start.<br />
<br />
When doing:<br />
<br />
service shorewall restart<br />
<br />
the service does not start and I get, in /var/log/messages:<br />
<br />
<br />
Feb 28 17:26:25 mail1 shorewall[6124]: Compiling...<br />
Feb 28 17:26:25 mail1 shorewall[6124]: Processing /etc/shorewall/params ...<br />
Feb 28 17:26:25 mail1 shorewall[6124]: Processing /etc/shorewall/shorewall.conf...<br />
Feb 28 17:26:25 mail1 shorewall[6124]: Loading Modules...<br />
Feb 28 17:26:25 mail1 shorewall[6124]: ERROR: Your kernel/iptables do not include state match support. No version of Shorewall will run on this system<br />
Feb 28 17:26:25 mail1 rsandu: ERROR:Shorewall restart failed<br />
<br />
<br />
By googling, it seems to be a SELinux issue:<br />
<br />
<a href="http://www.mail-archive.com/shorewall-users@lists.sourceforge.net/msg14885.html">http://www.mail-archive.com/shorewall-users@lists.sourceforge.net/msg14885.html</a> [<a href="http://www.mail-archive.com/shorewall-users@lists.sourceforge.net/msg14885.html" target="_blank">^</a>]<br />
<br />
<br />
I've solved it by doing a<br />
<br />
touch /.autorelabel; reboot<br />
<br />
but it is pretty nasty, because it may *completely disable* firewall/Shorewall on an unattended machine, if the machine gets a restart.<br />
<br />
Versions are:<br />
<br />
kernel-2.6.32-358.0.1.el6.x86_64<br />
shorewall-4.5.4-1.el6.noarch (from EPEL)<br />
selinux-policy-targeted-3.7.19-195.el6_4.1.noarch<br />
<br />
<br />
Best regards,<br />
Răzvan
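The operational risk raised in the post is a firewall that silently fails to come up after an unattended reboot. The following is an added example, not code from the poster or from the Shorewall project: a small detector that scans syslog-style lines like the /var/log/messages excerpt above and reports every Shorewall failure, so a host can be alerted on rather than left running without a firewall. The sample lines are constructed from the excerpt; the trailing "done." line is invented for contrast and is not Shorewall's real success wording. The function names and the failure classification are assumptions of this example.

```python
import re

# Constructed sample lines modelled on the /var/log/messages excerpt in the post.
# The final "done." line is invented for contrast (assumption, not real Shorewall output).
SAMPLE_LOG = """\
Feb 28 17:26:25 mail1 shorewall[6124]: Compiling...
Feb 28 17:26:25 mail1 shorewall[6124]: Processing /etc/shorewall/params ...
Feb 28 17:26:25 mail1 shorewall[6124]: Processing /etc/shorewall/shorewall.conf...
Feb 28 17:26:25 mail1 shorewall[6124]: Loading Modules...
Feb 28 17:26:25 mail1 shorewall[6124]: ERROR: Your kernel/iptables do not include state match support. No version of Shorewall will run on this system
Feb 28 17:26:25 mail1 rsandu: ERROR:Shorewall restart failed
Feb 28 17:31:10 mail1 shorewall[6410]: Compiling...
Feb 28 17:31:12 mail1 shorewall[6410]: done.
"""

# Classic BSD syslog layout: "Mon DD HH:MM:SS host prog[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<prog>[^:\[\s]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<msg>.*)$"
)

# Message patterns that mean the firewall is NOT running after a (re)start.
# Order matters: the first matching kind wins, so the generic "ERROR:" rule is last.
FAILURE_KINDS = (
    ("state_match_missing", re.compile(r"do not include state match support")),
    ("restart_failed", re.compile(r"Shorewall (re)?start failed")),
    ("other_error", re.compile(r"^ERROR:")),
)


def parse_syslog_line(line):
    """Return the parsed fields of one syslog line, or None if it does not match."""
    m = SYSLOG_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def classify_failure(msg):
    """Map a log message to a failure kind, or None if it is not a failure."""
    for kind, pattern in FAILURE_KINDS:
        if pattern.search(msg):
            return kind
    return None


def find_firewall_failures(log_text):
    """Scan syslog text and return one record per Shorewall failure line."""
    failures = []
    for line in log_text.splitlines():
        rec = parse_syslog_line(line)
        if rec is None:
            continue  # not a syslog line we understand; skip rather than guess
        # Shorewall's own messages come from prog "shorewall", but the wrapper logs
        # "restart failed" under the invoking user's name (rsandu in the post), so
        # match on message content rather than on the program field alone.
        kind = classify_failure(rec["msg"])
        if kind is None:
            continue
        failures.append({"ts": rec["ts"], "host": rec["host"],
                         "kind": kind, "msg": rec["msg"]})
    return failures


def hosts_with_failures(log_text):
    """Sorted list of hosts that logged at least one failed Shorewall (re)start."""
    hosts = {f["host"] for f in find_firewall_failures(log_text)
             if f["kind"] == "restart_failed"}
    return sorted(hosts)


if __name__ == "__main__":
    for f in find_firewall_failures(SAMPLE_LOG):
        print(f"{f['ts']} {f['host']} [{f['kind']}] {f['msg']}")
    print("hosts needing attention:", hosts_with_failures(SAMPLE_LOG))
```

Feeding the real /var/log/messages to `find_firewall_failures` from a boot-time job or a log shipper gives an alert for exactly the situation the post warns about; the "state_match_missing" kind is the specific symptom seen here, and the poster traced it to SELinux labeling, so that is the first thing to check when it fires.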