I'm installing a new firewall, changing from SuSE to CentOS 4.4. (yum update has been run). Uname = 2.6.9-42.0.8.ELsmp X86_64
We use Shorewall (www.shorewall.net) to generate our firewall -- with multiple ISPs. Shorewall uses "Marking" of packets to keep track of where each TCP/IP packet has come from (which ISP). It needs a bunch of modules that are missing from /lib/modules/2.6.9-42.0.8.ELsmp. Connection Marking is the big problem, but here's a complete list that is missing (as far as I can tell):
ip_conntrack_h323.ko
ip_conntrack_netbios_ns.ko
ip_conntrack_pptp.ko
ip_conntrack_sip.ko
ip_nat_h323.ko
ip_nat_pptp.ko
ip_nat_sip.ko
ip_set_iphash.ko
ip_set_ipmap.ko
ip_set_macipmap.ko
ip_set_portmap.ko
ipt_CLUSTERIP.ko
ipt_connmark.ko
ipt_CONNMARK.ko
ipt_hashlimit.ko
ipt_ipp2p.ko
ipt_policy.ko
ipt_set.ko
ipt_TTL.ko
Not all of these are necessary (like H323 and SIP). As I said, the biggest problem appears to be the connmark/CONNMARK modules.
Where can I get them?
TIA
Where to get ipt_connmark module?
Build your own custom kernel from the kernel source rpm file.
http://wiki.centos.org/HowTos/Custom_Kernel
If I may suggest, get the vanilla kernel-2.6.12.6 source to build:
ftp://ftp.kernel.org/pub/linux/kernel/v2.6/linux-2.6.12.6.tar.bz2
Re: Where to get ipt_connmark module?
Thanks for the reply.
If I do this, then I can't use up2date or yum to stay current with kernels, right? I'll have to build my own from now on, which isn't the best solution...
Moreover, how can I make sure that yum/up2date don't overwrite my custom kernel?
Lastly, by doing this, I'll no longer be running a RHEL4 kernel, right?
I guess that doesn't matter so much for a simple firewall.
I think the answers to these questions are probably obvious -- I just want to understand all the ramifications before I go this route.
Re: Where to get ipt_connmark module?
[quote]
eraskin wrote:
Thanks for the reply.
If I do this, then I can't use up2date or yum to stay current with kernels, right? I'll have to build my own from now on, which isn't the best solution...
[/quote]
Then wait until CentOS5 is released. Only a few weeks to go BTW
[quote]
Moreover, how can I make sure that yum/up2date don't overwrite my custom kernel?
[/quote]
Neither will overwrite any kernel if done properly. It is never a good idea to update a kernel anyhow, it is best to install a new kernel, yum normally does an install for a new kernel leaving the older kernels intact. Up2date by default never downloads and updates a kernel anyhow, you have to specifically tell it to install a kernel update.
up2date -i kernel-2.6.9-XXXXX
[quote]
Lastly, by doing this, I'll no longer be running a RHEL4 kernel, right?
I guess that doesn't matter so much for a simple firewall.
I think the answers to these questions are probably obvious -- I just want to understand all the ramifications before I go this route.
[/quote]
It depends. If you rebuild a kernel from the kernel source supplied by Red Hat / CentOS, then you will have a custom Red Hat / CentOS kernel based on the same source. True, it is not a standard kernel, but it is based on the same source. If you build a vanilla kernel, then no, it is a custom kernel that you made. Where do you think Red Hat / CentOS get the kernel source and backports from anyhow???
Yes, if you want the new modules you have to rebuild/build your own custom kernel. I build my own kernels for reasons similar to yours, I want my hardware and system to work and be secure. I'm also currently a little ahead of the game;
$ cat /etc/*release
Scientific Linux SL release 5.0 (Boron)
(a RHEL5 100% binary compatible clone of RHEL5Beta2 with many updates installed)
Like I said, I build my own custom kernel;
$ uname -a
Linux Aspire5000 2.6.20-git10 #1 Wed Feb 14 14:09:59 EST 2007 x86_64 x86_64 x86_64 GNU/Linux
Re: Where to get ipt_connmark module?
Thanks! I appreciate the help.
I guess we'll build a custom vanilla kernel. We're paying for two ISPs but only using one right now! ;-)
Re: Where to get ipt_connmark module?
Hi there...
I need connmark so I installed the vanilla kernel (2.6.12.6) on my CentOS release 4.5
lsmod shows:
ip_conntrack_tftp 8464 1 ip_nat_tftp
ip_conntrack_irc 76176 1 ip_nat_irc
ip_conntrack_ftp 77200 1 ip_nat_ftp
ip_conntrack_amanda 74272 1 ip_nat_amanda
iptable_nat 27572 8 ipt_SAME,ipt_REDIRECT,ipt_NETMAP,ipt_MASQUERADE,ip_nat_tftp,ip_nat_irc,ip_nat_ftp,ip_nat_amanda
ip_conntrack 49000 15 ipt_state,ipt_NOTRACK,ipt_MASQUERADE,ipt_helper,ipt_conntrack,ip_nat_tftp,ip_nat_snmp_basic,ip_nat_irc,ip_nat_ftp,ip_nat_amanda,ip_conntrack_tftp,ip_conntrack_irc,ip_conntrack_ftp,ip_conntrack_amanda,iptable_nat
But shorewall reports:
CONNMARK Target: Not available
Connmark Match: Not available
What is missing??? Should I change iptables too??? If so, is there an easy and secure way of achieving this?
Thanks!!!!
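As an added example (not from the thread, Shorewall, or CentOS), the script below does the two checks this thread circles around: whether the module files listed in the first post are present under a kernel's modules tree, and whether the iptables userspace extensions for the connmark match and CONNMARK target are installed, which is what the last post's "Not available" symptom calls for checking before rebuilding anything. The module and library paths are assumptions about the 2.6.9 to 2.6.12 era layout; both are parameters so you can point them at your own system.

```shell
#!/bin/sh
# Added example, not code from the thread. Reports which of the netfilter
# modules from the first post exist under a kernel modules tree, and whether
# the iptables userspace extensions for connmark/CONNMARK are installed: a
# kernel module alone is not enough for Shorewall's capability probe, since
# iptables must also be able to load the matching extension.
# Assumed layout (verify on your box): modules under
#   <moddir>/kernel/net/ipv4/netfilter/<name>.ko
# and iptables extensions under <libdir>/libipt_<name>.so
# (typically /lib/iptables, or /lib64/iptables on x86_64, in that era).

WANTED="ip_conntrack_pptp ip_nat_pptp ipt_connmark ipt_CONNMARK ipt_hashlimit ipt_TTL ipt_set"

# check_modules MODDIR
# Prints "<name>.ko present|MISSING" per module; returns 1 if any are missing.
check_modules() {
    nfdir="$1/kernel/net/ipv4/netfilter"
    rc=0
    for m in $WANTED; do
        if [ -f "$nfdir/$m.ko" ]; then
            echo "$m.ko present"
        else
            echo "$m.ko MISSING"
            rc=1
        fi
    done
    return $rc
}

# check_userspace LIBDIR
# The "connmark" match and "CONNMARK" target each need their own iptables
# extension library; returns 1 if either is absent.
check_userspace() {
    rc=0
    for ext in connmark CONNMARK; do
        if [ -f "$1/libipt_$ext.so" ]; then
            echo "libipt_$ext.so present"
        else
            echo "libipt_$ext.so MISSING"
            rc=1
        fi
    done
    return $rc
}

# Stand-alone use: probe the running kernel and an (assumed) iptables lib dir.
if [ "${1:-}" = "--run" ]; then
    check_modules "/lib/modules/$(uname -r)"
    check_userspace "${2:-/lib/iptables}"
fi
```

Run it as `sh check_connmark.sh --run /lib64/iptables` (or whatever directory holds your libipt_*.so files); a module reported present alongside a MISSING library points at the userspace side rather than the kernel.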