TROUBLESHOOTING IPKUNGFU

 First, did you read the README?
 Did you check your configuration files in /etc/ipkungfu/ ?
 Did you re-run ipkungfu after changing a configuration file?
 
 Some common problems people have had are covered here:

 "When I run ipkungfu I get 'ipkungfu: command not found'" - first,
 make sure you have installed ipkungfu by running the installer (just
 type ./install in the unpacked ipkungfu directory.  If you have done
 this, ipkungfu is probably not in your PATH. ipkungfu is installed to 
 /usr/local/sbin.  You can type /usr/local/sbin/ipkungfu instead, or 
 add /usr/local/sbin to your $PATH environment variable:
 	export PATH=$PATH:/usr/local/sbin

 "I get an ERROR: Root check FAILED" - This one is quite simple, you must
 be root to install, configure and run ipkungfu. Log in as root or
 su to root.

 "I ran the installer, but the firewall did not come up" - Installing
 ipkungfu and running ipkungfu are two different things. You should run the
 ipkungfu script located in the /usr/local/sbin directory after editing
 any configuration files you want to customize.

 "I changed a configuration file, but nothing changed" - The likely answer is
 that you did not re-run ipkungfu. ipkungfu builds the rules for
 the firewall based on the configuration files. Once rules are created, the
 contents of the configuration files are irrelevant unless you run ipkungfu
 again.

 "How can I get ipkungfu to start at boot?" - Most Linux distributions make
 it possible to run init scripts.  If so, you have a script called ipkungfu 
 in /etc/init.d or /etc/rc.d/init.d that you can add to your startup 
 configuration.  If your distribution is chkconfig-compatible like Redhat or 
 Mandrake, the ipkungfu install script does this for you.  If this doesn't 
 work for you, add the following line to an existing init script, such as 
 rc.local or ifup-post:
 
 /usr/local/sbin/ipkungfu --init

 "How can I check to see if my firewall is running?" - As root, type:

 	ipkungfu -c 
	or
	ipkungfu --check

 "I'm trying to run a game server, but people can't connect" - First make sure
 you have allowed connections to the correct port(s). Check the configuration
 in /etc/ipkungfu/ipkungfu.conf and re run ipkungfu if changes are made. If it
 is correct, or still does not work, edit /etc/ipkungfu/advanced.conf and set
 LOOSE_UDP_PATCH to 1.

 "I can't play Microsoft games through my firewall" - Don't worry, it's not
 ipkungfu's fault!  Many newer Microsoft applications, including games, use
 Universal Plug N Play technology, and Linux isn't very good at doing the
 right things with that traffic.  But all is not lost!  There is a product
 called linux-igd, a UPnP gateway for linux, available which makes these 
 things possible.  Check out http://sourceforge.net/projects/linux-igd for
 details.  I have reports that this also makes it possible to transfer files
 using MSN Messenger using this product.  Alternatively, it may be possible
 to play the games by forwarding the appropriate ports to the client
 machine by editing /etc/ipkungfu/vhosts.conf.  Several examples are
 provided.

 "I can't send files via dcc in IRC!" - Some file transfer mechanisms, like
 dcc, use random ports.  You must have ip_conntrack and ip_conntrack_irc
 either inserted into the running kernel as modules, or compiled into the
 kernel itself.  The purpose of these modules is to track the dcc connection
 and associate it with your existing irc connection so that it can be allowed
 through your firewall without explicitly allowing it or opening unnecessary
 holes in your firewall.  Most likely you one or both of them compiled as 
 modules but not inserted. To rectify this situation, run these commands:

 	modprobe ip_conntrack_irc
 	echo "ip_conntrack_irc" >> /etc/modules

 If this machine is a gateway for the machine in question, repeat the
 above steps, replacing ip_conntrack_irc with ip_nat_irc.   You may need 
 to reboot for this to take effect.  (I'm sure there's a less drastic way 
 to put this into effect.  If you know what it is, please let me know! 
 grasshopper@linuxkungfu.org)

 "When people connect to my ftp server and try to get a list of files, it just
 kinda sits there" - This is essentially the same issue as the dcc situation
 described above.  You need the ftp conntrack helper module
 (ip_conntrack_ftp).  Refer to the dcc question above for details. As with
 dcc, ftp by default uses random ports, and the kernel's packet filtering
 code needs this helper module to track the connection across these ports
 to allow established ftp connections through them.  The relevant modules
 are ip_conntrack_ftp and ip_nat_ftp.

 "Will IPKungFu work with ipchains?" - Let me put it this way:  No. ipkungfu 
 only works on Linux kernels 2.4 and higher that have iptables support.

 "How can I temporarily turn off the firewall or stop all access?" - Although
 disabling the firewall when you are connected to an external network such as
 the Internet is not recommended, if it is necessary, then you have 2 options.
 Disable the firewall so all access is allowed (not recommended) or shut off
 all access, internal and external (panic mode)

 	For panic mode:
	 ipkungfu --panic

	To just disable:
	 ipkungfu -d
	or
	 ipkungfu --disable

  To turn the firewall back on, simply rerun the ipkungfu script:

  	ipkungfu

 There is no need to turn off the firewall to make a change to a
 configuration file, but the script must be rerun for changes to take effect.

 "Where is the firewall log located?" - Many systems use /var/log/syslog to
 log kernel messages. Since packets are filtered at the kernel level, this is
 where they are most likely located, along with other kernel messages.  All
 ipkungfu log entries contain the string "IPKF", so you can, for example:

 grep IPKF /var/log/syslog

 to see recent firewall logs, unless you have selected ulog as your logging
 facility in log.conf, in which case the location of your log will depend on
 your configuration of the ulogd utility.

 "I'm working remotely, what are the odds that ipkungfu will lock me out?" -
 Well that depends.  If you fail to allow access to sshd, or telnet, or
 whatever you're using, or you block the IP address you're connecting from,
 you're out of luck.  But as of 0.5.1 there is a new command line option,
 --failsafe, that will set default policies on all builtin chains in the
 filter table to ACCEPT, in the event that ipkungfu fails.  This can also
 be accomplished by setting FAILSAFE=1 in ipkungfu.conf.  As an additional
 measure, you may add a custom rule to /etc/ipkungfu/post.conf to, say,
 allow tcp port 22 from the IP address you're working from no matter what
 happens.

 "I've just installed a new kernel, and when I run ipkungfu I get all kinds
 of errors" - In many (most) cases, when you install a new kernel, you must
 also recompile iptables against the source of the new kernel.  Obtain the
 iptables source from netfilter.org or from your distribution vendor and
 recompile.
