Linode Forum

[neorder]

hi, i use RH9 and Directadmin, i install APF firewall but it won't start, i got this:

lsmod: QM_MODULES: Function not implemented

Unable to load iptables module (ip_tables), aborting.

i'm sure iptables is running, and i'm using a VPS which is made by UML, i supposed it's the kenel problem, so i tried to recompile apache, but i still get same problem in the end.

i've done some research at google but no luck, any idea about this issue?
________
VAPORIZER REVIEW

[inkblot]

neorder wrote: hi, i use RH9 and Directadmin, i install APF firewall but it won't start, i got this:

lsmod: QM_MODULES: Function not implemented

Unable to load iptables module (ip_tables), aborting.

i'm sure iptables is running, and i'm using a VPS which is made by UML, i supposed it's the kenel problem, so i tried to recompile apache, but i still get same problem in the end.

i've done some research at google but no luck, any idea about this issue?

the linode kernels do not support loadable modules. all available functionality is compiled in.

[neorder]

is that meaning i'm unable to use APF here?
________
VAPORIZER REVIEWS

[Bill Clinton]

inkblot wrote: the linode kernels do not support loadable modules. all available functionality is compiled in.
This raises an interesting issue: custom kernel modules.

What are the security implications of such ?

Bill Clinton

[smerritt]

It sounds to me like APF is trying to determine whether or not it needs to load the iptables module. If there's a way to tell it not to check for iptables, the rest of it should work.

Alternately, you could try moving /sbin/lsmod somewhere else and seeing what it does. You don't need lsmod if the kernel doesn't support modules.

[smerritt]

Quote: This raises an interesting issue: custom kernel modules.

What are the security implications of such ?


Kernel module code runs as part of the kernel. There's no sandboxing or anything; the module code gets loaded into the kernel's address space with the same privileges as the kernel.

Under UML, if I could load a module, I could make my UML process do stuff on the host. At Linode, I think each UML process runs as a different unprivileged user, so there's not much risk of accessing someone's data. However, a malicious user could still do a DoS attack on the host. Something to eat all the memory, thrash the disk, or even just a fork bomb would really slow down all the Linodes on that host.

[keithbucher]

This probably won't help the original posters, but if anyone else runs into this problem, you can fix it with the following config option in /etc/apf/conf.apf:

SET_MONOKERN="1"

This makes APF assume that all the required modules are already present without checking.

[Guspaz]

keithbucher wrote: This probably won't help the original posters, but if anyone else runs into this problem, you can fix it with the following config option in /etc/apf/conf.apf:

SET_MONOKERN="1"

This makes APF assume that all the required modules are already present without checking.

But Linode uses Xen now, which *does* support loading kernel modules, so you shouldn't need to do that. You're replying to a post that's more than half a decade old.

[arjones85]

How did you manage to get a copy of APF? rfxnetworks.com is broken and I can't seem to download anything.

I use APF on one of my older VPS's, but considering they aren't taking care of the dead links on their site, it makes me think twice before using their software.