=============================================================================== $Id: FAQ 151 2006-09-11 21:50:40Z trappist $ =============================================================================== TROUBLESHOOTING IPKUNGFU First, did you read the README? Did you check your configuration files in /etc/ipkungfu/ ? Did you re-run ipkungfu after changing a configuration file? Some common problems people have had are covered here: "When I run ipkungfu I get 'ipkungfu: command not found'" - first, make sure you have installed ipkungfu by running the installer (just type ./install in the unpacked ipkungfu directory. If you have done this, ipkungfu is probably not in your PATH. ipkungfu is installed to /usr/local/sbin. You can type /usr/local/sbin/ipkungfu instead, or add /usr/local/sbin to your $PATH environment variable: export PATH=$PATH:/usr/local/sbin "I get an ERROR: Root check FAILED" - This one is quite simple, you must be root to install, configure and run ipkungfu. Log in as root or su to root. "I ran the installer, but the firewall did not come up" - Installing ipkungfu and running ipkungfu are two different things. You should run the ipkungfu script located in the /usr/local/sbin directory after editing any configuration files you want to customize. "I changed a configuration file, but nothing changed" - The likely answer is that you did not re-run ipkungfu. ipkungfu builds the rules for the firewall based on the configuration files. Once rules are created, the contents of the configuration files are irrelevant unless you run ipkungfu again. "How can I get ipkungfu to start at boot?" - Most Linux distributions make it possible to run init scripts. If so, you have a script called ipkungfu in /etc/init.d or /etc/rc.d/init.d that you can add to your startup configuration. If your distribution is chkconfig-compatible like Redhat or Mandrake, the ipkungfu install script does this for you. If this doesn't work for you, add the following line to an existing init script, such as rc.local or ifup-post: /usr/local/sbin/ipkungfu --init "How can I check to see if my firewall is running?" - As root, type: ipkungfu -c or ipkungfu --check "I'm trying to run a game server, but people can't connect" - First make sure you have allowed connections to the correct port(s). Check the configuration in /etc/ipkungfu/ipkungfu.conf and re run ipkungfu if changes are made. If it is correct, or still does not work, edit /etc/ipkungfu/advanced.conf and set LOOSE_UDP_PATCH to 1. "I can't play Microsoft games through my firewall" - Don't worry, it's not ipkungfu's fault! Many newer Microsoft applications, including games, use Universal Plug N Play technology, and Linux isn't very good at doing the right things with that traffic. But all is not lost! There is a product called linux-igd, a UPnP gateway for linux, available which makes these things possible. Check out http://sourceforge.net/projects/linux-igd for details. I have reports that this also makes it possible to transfer files using MSN Messenger using this product. Alternatively, it may be possible to play the games by forwarding the appropriate ports to the client machine by editing /etc/ipkungfu/vhosts.conf. Several examples are provided. "I can't send files via dcc in IRC!" - Some file transfer mechanisms, like dcc, use random ports. You must have ip_conntrack and ip_conntrack_irc either inserted into the running kernel as modules, or compiled into the kernel itself. The purpose of these modules is to track the dcc connection and associate it with your existing irc connection so that it can be allowed through your firewall without explicitly allowing it or opening unnecessary holes in your firewall. "When people connect to my ftp server and try to get a list of files, it just kinda sits there" - This is essentially the same issue as the dcc situation described above. You need the ftp conntrack helper module (ip_conntrack_ftp). Refer to the dcc question above for details. As with dcc, ftp by default uses random ports, and the kernel's packet filtering code needs this helper module to track the connection across these ports to allow established ftp connections through them. The relevant modules are ip_conntrack_ftp and ip_nat_ftp. "I run an fxp server, and people can connect but they can't transfer files" - the ftp conntrack and nat modules (described above) contain fxp functionality that's disabled by default - do: modprobe ip_conntrack_ftp fxp=1 Substitute ip_nat_ftp as appropriate if the ipkungfu box is not the same machine as the fxp server. "I can't connect to my Windows VPN server, or the connection gets dropped." - This, too, is likely a connection tracking issue. The last time I checked, the pptp conntrack module wasn't in the stock kernel, and this may be what you need. If you don't have it, get the latest patch-o- matic from http://netfilter.org. I don't know why, but the module doesn't work for me unless I compile it as a module, rather than into the kernel ("m" as opposed to "y"). Don't forget to rebuild iptables after patching. Then, modprobe ip_conntrack_pptp (and ip_nat_pptp if applicable). "Will ipkungfu work with ipchains?" - Let me put it this way: No. ipkungfu only works on Linux kernels 2.4 and higher that have iptables support. "How can I temporarily turn off the firewall or stop all access?" - Although disabling the firewall when you are connected to an external network such as the Internet is not recommended, if it is necessary, then you have 2 options. Disable the firewall so all access is allowed (not recommended) or shut off all access, internal and external (panic mode) For panic mode: ipkungfu --panic To just disable: ipkungfu -d or ipkungfu --disable To turn the firewall back on, simply rerun the ipkungfu script: ipkungfu There is no need to turn off the firewall to make a change to a configuration file, but the script must be rerun for changes to take effect. "Where is the firewall log located?" - Many systems use /var/log/syslog to log kernel messages. Since packets are filtered at the kernel level, this is where they are most likely located, along with other kernel messages. All ipkungfu log entries contain the string "IPKF", so you can, for example: grep IPKF /var/log/syslog to see recent firewall logs, unless you have selected ulog as your logging facility in log.conf, in which case the location of your log will depend on your configuration of the ulogd utility. "I'm working remotely; what are the odds that ipkungfu will lock me out?" - Well that depends. If you fail to allow access to sshd, or telnet, or whatever you're using, or you block the IP address you're connecting from, you're out of luck. But as of 0.5.1 there is a new command line option, --failsafe, that will set default policies on all builtin chains in the filter table to ACCEPT, in the event that ipkungfu fails. This can also be accomplished by setting FAILSAFE=1 in ipkungfu.conf. As an additional measure, you may add a custom rule to /etc/ipkungfu/post.conf to, say, allow tcp port 22 from the IP address you're working from no matter what happens. "I've just installed a new kernel, and when I run ipkungfu I get all kinds of errors" - In many (most) cases, when you install a new kernel, you must also recompile iptables against the source of the new kernel. Obtain the iptables source from netfilter.org or from your distribution vendor and recompile. "I'm getting firewall on my console, and it's really screwing me up. How can I stop this?" - as root, try this: sysctl kernel.printk="4 4 1 7"