I have installed Bastille as instructed here: http://www.howtoforge.com/bastille_firewall_centos

But at the end, it gave an error message that reads:

    ERROR: Bastille tried to use $GLOBAL_BIN{'ping6'} but it does not exist.

I checked whether I have ping6 (I do) and found the following:

    -rwxr-xr-x 1 root root 33272 May 3 03:15 /bin/ping
    -rwsr-xr-x 1 root root 30924 May 3 03:15 /bin/ping6
    lrwxrwxrwx 1 root root 10 Aug 17 18:00 /usr/sbin/ping6 -> /bin/ping6

    ]# locate ping6
    /bin/ping6
    /usr/sbin/ping6

I checked all over the internet and could not find a solution. Some links that I tried are:

http://answers.yahoo.com/question/index?qid=20061027135436AA9K3iI
http://www.linuxquestions.org/questions/showthread.php?t=273817
http://osdir.com/ml/security.bastille.general/2005-06/msg00004.html
http://66.102.9.104/search?q=cache:...+exist.&hl=en&ct=clnk&cd=1&client=iceweasel-a

Everyone seems to have the same problem but could not locate a solution. Experts here, I am sure, might have encountered a similar problem and have overcome it. Please pass on any suggestions. Thanks in advance.
Dear Falko: Thanks for your reply.

1) Nowhere in the bastille-firewall.cfg is ping6 referenced!

2) Another problem that I am encountering with CentOS 4.4 with OpenVZ is that after installing Bastille, I could not access the VEs from outside even after I added venet+ as a public interface in the bastille-firewall.cfg. What other places do I need to tweak so that the VEs can be accessed from the internet?

Thanks again!
Solved: The second part

The ping6 part is as yet unresolved. However, I solved the second part of the problem with this: On the hardware node where I installed Bastille, I created a script at /etc/Bastille/firewall.d/post-rule.d and included the following lines to give access to ports 80 and 22 of the VE. I also added venet+ to the public interfaces in the bastille-firewall.cfg file. The contents of the post-rule.d are:

    iptables -A FORWARD -p tcp -d 192.168.1.251 --dport 22 --syn -j ACCEPT
    iptables -A FORWARD -p tcp -d 192.168.1.251 --dport 80 --syn -j ACCEPT
    iptables -A FORWARD -s 192.168.1.251 -j ACCEPT

At the end I made the script executable with 'chmod +x post-rule.d'. I hope it helps someone who is having a similar problem to mine.
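Added example, not part of the original posts: a sketch of the post-rule script above that builds the FORWARD rules from a VE address and a port list, validating both before anything is printed. The function names are hypothetical, and unlike the thread's last rule it passes only connection-tracked traffic to and from the VE, which is an assumption of this example.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.
# Rules are only printed, so they can be reviewed before being applied.

# valid_ip ADDR: succeed only for dotted-quad IPv4, octets 0-255, no leading zeros.
valid_ip() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*|0[0-9]*|*.0[0-9]*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                      # split on dots; input holds no glob chars
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# valid_port N: succeed only for a decimal TCP port in 1-65535.
valid_port() {
    case "$1" in
        ''|0*|*[!0-9]*) return 1 ;;
    esac
    [ "${#1}" -le 5 ] && [ "$1" -le 65535 ]
}

# ve_rules VE_IP PORT...: print the rules, or print nothing and return 1.
ve_rules() {
    valid_ip "${1:-}" || { echo "bad VE address" >&2; return 1; }
    ve=$1; shift
    [ "$#" -gt 0 ] || { echo "no ports given" >&2; return 1; }
    for port in "$@"; do
        valid_port "$port" || { echo "bad port: $port" >&2; return 1; }
    done
    for port in "$@"; do           # new inbound connections, listed ports only
        echo "iptables -A FORWARD -p tcp -d $ve --dport $port --syn -j ACCEPT"
    done
    # Assumption of this example: instead of accepting everything from the VE,
    # accept only packets of tracked connections in both directions. The VE
    # can then no longer open outbound connections of its own.
    echo "iptables -A FORWARD -d $ve -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A FORWARD -s $ve -m state --state ESTABLISHED,RELATED -j ACCEPT"
}

# Constructed sample input: the VE address and ports used in the post above.
ve_rules 192.168.1.251 22 80
```

Because every argument is checked before the first rule is printed, a bad address or port yields no partial rule set.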
Solved: the first part

From http://chihungchan.blogspot.com/2008/04/bastille-tried-to-use-globalbinping6.html
--------------
Explicitly define the full path of ping6 right after the package definition as shown below. Guess what, bastille runs without any error. I won't say the problem is solved, but at least I provided a workaround.

    $ cat API.pm
    ...
    ...
    package Bastille::API;
    $GLOBAL_BIN{'ping6'}="/bin/ping6";