
#1 2012-02-13 19:45:23

distrohopperarched
Member
Registered: 2012-02-06
Posts: 45

firehol with routing - remote host restricted to google ?!

I could post my conf file if needed, but I just modified lan-gateway.conf and it works, except that the browser doesn't seem to load any page other than Google, yet I'm also seeding archlinux successfully. I have no idea what it could be. I have no servers running on either machine. It's a simple setup. Some default protection in the way? Any ideas?

Edit: Clarification: Things work on the host machine, it's the remote host that seems to be restricted to google (+youtube, wikipedia).

Last edited by distrohopperarched (2012-02-24 13:40:53)


#2 2012-02-24 13:22:08

distrohopperarched
Member
Registered: 2012-02-06
Posts: 45

Re: firehol with routing - remote host restricted to google ?!

I've been struggling with this for a month now. After playing around with different settings, I've reduced the .conf file to a minimum, but it's still not working...

What on earth could I be doing wrong? Why is it that, except for Google, YouTube and Wikipedia, literally no other pages load on the remote host? Not even Yahoo. Today I even changed DNS servers to Google's public DNS, as I thought it was something DNS-cache related. It isn't. I started the remote host from a live CD and it's still the same. I've read through the manual a number of times. I've done everything I could and I'm beginning to think the FireHOL package is buggy.

I'm about to install a different OS, try the same settings and .conf and if it works I'll be back with feedback. I'll probably be bald too.

Is anyone here using the package ?

Last edited by distrohopperarched (2012-02-25 19:14:19)


#3 2012-02-24 13:58:07

lucke
Member
From: Poland
Registered: 2004-11-30
Posts: 4,018

Re: firehol with routing - remote host restricted to google ?!

I was using firehol for some years, but at some point moved to shorewall. I don't exactly remember why - I really liked firehol - but I think I ran into some compatibility problems and firehol didn't look properly maintained. Even now, the latest release is from 2008 and the latest commit from 2010, so maybe it's not keeping up with whatever changes there could be in other components?


#4 2012-02-24 15:27:46

SanskritFritz
Member
From: Budapest, Hungary
Registered: 2009-01-08
Posts: 1,924

Re: firehol with routing - remote host restricted to google ?!

I'm using Firehol. It is maintained... well, I talked to the devs on the mailing list, and someone said no development is going on, it is stable. Only serious bugs are dealt with, and no bugs of this kind have popped up in the last few years. There was a minor bug when Linux 3.0 arrived, but the Arch Linux package is patched, since upstream doesn't care. So, move to another firewall if that concerns you. Having said that, I have to state that I have used Firehol without problems for years; it is rock stable.


zʇıɹɟʇıɹʞsuɐs AUR || Cycling in Budapest with a helmet camera || Revised log levels proposal: "FYI" "WTF" and "OMG" (John Barnette)


#5 2012-02-24 15:53:29

distrohopperarched
Member
Registered: 2012-02-06
Posts: 45

Re: firehol with routing - remote host restricted to google ?!

Could NAT mess with the packet's TTL?
I'm beginning to see a pattern in the pages that DO load vs. those that don't. I can't search with Yahoo, yet I can access ro.news.yahoo.com, so it seems that closer servers are accessible? Google is everywhere, so this might be a clue.

Also, pinging a random Google server from here shows ttl=49. I don't know if it's relevant.

Here's a simple iptables list I tried last time. As I said, a simple setup, in fireHOL that is, because it's about 200 lines in iptables.

Chain INPUT (policy DROP 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination         
       0        0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
       0        0 in_lan     all  --  eth1   *       192.168.0.0/24       192.168.0.1         
    3931  1351774 in_ifinternet  all  --  ppp0   *       0.0.0.0/0            0.0.0.0/0           
       0        0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED
      31     6342 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 1/sec burst 5 LOG flags 0 level 4 prefix "IN-unknown:"
      31     6342 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy DROP 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination         
    2686   465415 in_router1  all  --  eth1   ppp0    0.0.0.0/0            0.0.0.0/0           
    2945  2348181 out_router1  all  --  ppp0   eth1    0.0.0.0/0            0.0.0.0/0           
       0        0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED
      41     1640 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 1/sec burst 5 LOG flags 0 level 4 prefix "PASS-unknown:"
      42     1680 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination         
       0        0 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0           
      10     5760 out_lan    all  --  *      eth1    192.168.0.1          192.168.0.0/24      
    3538   261890 out_ifinternet  all  --  *      ppp0    0.0.0.0/0            0.0.0.0/0           
       0        0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED
       0        0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 1/sec burst 5 LOG flags 0 level 4 prefix "OUT-unknown:"
       0        0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain in_ifinternet (1 references)
    pkts      bytes target     prot opt in     out     source               destination         
       0        0 RETURN     all  --  *      *       0.0.0.0/8            0.0.0.0/0           
       4     1236 RETURN     all  --  *      *       10.0.0.0/8           0.0.0.0/0           
       0        0 RETURN     all  --  *      *       127.0.0.0/8          0.0.0.0/0           
       0        0 RETURN     all  --  *      *       240.0.0.0/8          0.0.0.0/0           
       0        0 RETURN     all  --  *      *       241.0.0.0/8          0.0.0.0/0           
       0        0 RETURN     all  --  *      *       242.0.0.0/8          0.0.0.0/0           
       0        0 RETURN     all  --  *      *       243.0.0.0/8          0.0.0.0/0           
       0        0 RETURN     all  --  *      *       244.0.0.0/8          0.0.0.0/0           
       0        0 RETURN     all  --  *      *       245.0.0.0/8          0.0.0.0/0           
       0        0 RETURN     all  --  *      *       246.0.0.0/8          0.0.0.0/0           
       0        0 RETURN     all  --  *      *       247.0.0.0/8          0.0.0.0/0           
       0        0 RETURN     all  --  *      *       248.0.0.0/8          0.0.0.0/0           
       0        0 RETURN     all  --  *      *       249.0.0.0/8          0.0.0.0/0           
       0        0 RETURN     all  --  *      *       250.0.0.0/8          0.0.0.0/0           
       0        0 RETURN     all  --  *      *       251.0.0.0/8          0.0.0.0/0           
       0        0 RETURN     all  --  *      *       252.0.0.0/8          0.0.0.0/0           
       0        0 RETURN     all  --  *      *       253.0.0.0/8          0.0.0.0/0           
       0        0 RETURN     all  --  *      *       254.0.0.0/8          0.0.0.0/0           
       0        0 RETURN     all  --  *      *       255.0.0.0/8          0.0.0.0/0           
       0        0 RETURN     all  --  *      *       10.0.0.0/8           0.0.0.0/0           
       0        0 RETURN     all  --  *      *       169.254.0.0/16       0.0.0.0/0           
       0        0 RETURN     all  --  *      *       172.16.0.0/12        0.0.0.0/0           
       0        0 RETURN     all  --  *      *       192.0.2.0/24         0.0.0.0/0           
       0        0 RETURN     all  --  *      *       192.88.99.0/24       0.0.0.0/0           
       0        0 RETURN     all  --  *      *       192.168.0.0/16       0.0.0.0/0           
       0        0 pr_ifinternet_fragments  all  -f  *      *       0.0.0.0/0            0.0.0.0/0           
       0        0 pr_ifinternet_nosyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcpflags:! 0x17/0x02
      10      280 pr_ifinternet_icmpflood  icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8
     230    10224 pr_ifinternet_synflood  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcpflags: 0x17/0x02
       0        0 pr_ifinternet_malxmas  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcpflags: 0x3F/0x3F
      10      440 pr_ifinternet_malnull  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcpflags: 0x3F/0x00
       0        0 pr_ifinternet_malbad  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcpflags: 0x03/0x03
       0        0 pr_ifinternet_malbad  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcpflags: 0x06/0x06
       0        0 pr_ifinternet_malbad  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcpflags: 0x3F/0x37
       0        0 pr_ifinternet_malbad  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcpflags: 0x3F/0x29
       1       40 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
    3916  1350058 in_ifinternet_all_c1  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
     407    32542 in_ifinternet_ftp_c2  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
     407    32542 in_ifinternet_irc_c3  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
       0        0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED
     182    22442 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 1/sec burst 5 LOG flags 0 level 4 prefix "IN-ifinternet:"
     407    32542 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain in_ifinternet_all_c1 (1 references)
    pkts      bytes target     prot opt in     out     source               destination         
    3506  1316677 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state ESTABLISHED

Chain in_ifinternet_ftp_c2 (1 references)
    pkts      bytes target     prot opt in     out     source               destination         
       0        0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:21 dpts:32768:61000 state ESTABLISHED
       0        0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED helper match "ftp"

Chain in_ifinternet_irc_c3 (1 references)
    pkts      bytes target     prot opt in     out     source               destination         
       0        0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:6667 dpts:32768:61000 state ESTABLISHED
       0        0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED helper match "irc"

Chain in_lan (1 references)
    pkts      bytes target     prot opt in     out     source               destination         
       0        0 in_lan_ICMP_s1  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
       0        0 in_lan_all_c2  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
       0        0 in_lan_ftp_c3  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
       0        0 in_lan_irc_c4  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
       0        0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED
       0        0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 1/sec burst 5 LOG flags 0 level 4 prefix "IN-lan:"
       0        0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain in_lan_ICMP_s1 (1 references)
    pkts      bytes target     prot opt in     out     source               destination         
       0        0 ACCEPT     icmp --  *      *       192.168.0.2          0.0.0.0/0            state NEW,ESTABLISHED

Chain in_lan_all_c2 (1 references)
    pkts      bytes target     prot opt in     out     source               destination         
       0        0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state ESTABLISHED

Chain in_lan_ftp_c3 (1 references)
    pkts      bytes target     prot opt in     out     source               destination         
       0        0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:21 dpts:32768:61000 state ESTABLISHED
       0        0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED helper match "ftp"

Chain in_lan_irc_c4 (1 references)
    pkts      bytes target     prot opt in     out     source               destination         
       0        0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:6667 dpts:32768:61000 state ESTABLISHED
       0        0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED helper match "irc"

Chain in_router1 (1 references)
    pkts      bytes target     prot opt in     out     source               destination         
    2686   465415 in_router1_all_s1  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
      40     1600 in_router1_ftp_s2  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
      40     1600 in_router1_irc_s3  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
       0        0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED

Chain in_router1_all_s1 (1 references)
    pkts      bytes target     prot opt in     out     source               destination         
    2646   463815 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW,ESTABLISHED

Chain in_router1_ftp_s2 (1 references)
    pkts      bytes target     prot opt in     out     source               destination         
       0        0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spts:1024:65535 dpt:21 state NEW,ESTABLISHED
       0        0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED helper match "ftp"

Chain in_router1_irc_s3 (1 references)
    pkts      bytes target     prot opt in     out     source               destination         
       0        0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spts:1024:65535 dpt:6667 state NEW,ESTABLISHED
       0        0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED helper match "irc"

Chain out_ifinternet (1 references)
    pkts      bytes target     prot opt in     out     source               destination         
       0        0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/8           
       0        0 RETURN     all  --  *      *       0.0.0.0/0            10.0.0.0/8          
       0        0 RETURN     all  --  *      *       0.0.0.0/0            127.0.0.0/8         
       0        0 RETURN     all  --  *      *       0.0.0.0/0            240.0.0.0/8         
       0        0 RETURN     all  --  *      *       0.0.0.0/0            241.0.0.0/8         
       0        0 RETURN     all  --  *      *       0.0.0.0/0            242.0.0.0/8         
       0        0 RETURN     all  --  *      *       0.0.0.0/0            243.0.0.0/8         
       0        0 RETURN     all  --  *      *       0.0.0.0/0            244.0.0.0/8         
       0        0 RETURN     all  --  *      *       0.0.0.0/0            245.0.0.0/8         
       0        0 RETURN     all  --  *      *       0.0.0.0/0            246.0.0.0/8         
       0        0 RETURN     all  --  *      *       0.0.0.0/0            247.0.0.0/8         
       0        0 RETURN     all  --  *      *       0.0.0.0/0            248.0.0.0/8         
       0        0 RETURN     all  --  *      *       0.0.0.0/0            249.0.0.0/8         
       0        0 RETURN     all  --  *      *       0.0.0.0/0            250.0.0.0/8         
       0        0 RETURN     all  --  *      *       0.0.0.0/0            251.0.0.0/8         
       0        0 RETURN     all  --  *      *       0.0.0.0/0            252.0.0.0/8         
       0        0 RETURN     all  --  *      *       0.0.0.0/0            253.0.0.0/8         
       0        0 RETURN     all  --  *      *       0.0.0.0/0            254.0.0.0/8         
       0        0 RETURN     all  --  *      *       0.0.0.0/0            255.0.0.0/8         
       0        0 RETURN     all  --  *      *       0.0.0.0/0            10.0.0.0/8          
       0        0 RETURN     all  --  *      *       0.0.0.0/0            169.254.0.0/16      
       0        0 RETURN     all  --  *      *       0.0.0.0/0            172.16.0.0/12       
       0        0 RETURN     all  --  *      *       0.0.0.0/0            192.0.2.0/24        
       0        0 RETURN     all  --  *      *       0.0.0.0/0            192.88.99.0/24      
       0        0 RETURN     all  --  *      *       0.0.0.0/0            192.168.0.0/16      
    3537   261819 out_ifinternet_all_c1  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
       0        0 out_ifinternet_ftp_c2  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
       0        0 out_ifinternet_irc_c3  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
       0        0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED
       0        0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 1/sec burst 5 LOG flags 0 level 4 prefix "OUT-ifinternet:"
       0        0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain out_ifinternet_all_c1 (1 references)
    pkts      bytes target     prot opt in     out     source               destination         
    3536   261748 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW,ESTABLISHED

Chain out_ifinternet_ftp_c2 (1 references)
    pkts      bytes target     prot opt in     out     source               destination         
       0        0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spts:32768:61000 dpt:21 state NEW,ESTABLISHED
       0        0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED helper match "ftp"

Chain out_ifinternet_irc_c3 (1 references)
    pkts      bytes target     prot opt in     out     source               destination         
       0        0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spts:32768:61000 dpt:6667 state NEW,ESTABLISHED
       0        0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED helper match "irc"

Chain out_lan (1 references)
    pkts      bytes target     prot opt in     out     source               destination         
      10     5760 out_lan_ICMP_s1  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
      10     5760 out_lan_all_c2  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
      10     5760 out_lan_ftp_c3  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
      10     5760 out_lan_irc_c4  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
      10     5760 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED
       0        0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 1/sec burst 5 LOG flags 0 level 4 prefix "OUT-lan:"
       0        0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain out_lan_ICMP_s1 (1 references)
    pkts      bytes target     prot opt in     out     source               destination         
       0        0 ACCEPT     icmp --  *      *       0.0.0.0/0            192.168.0.2          state ESTABLISHED

Chain out_lan_all_c2 (1 references)
    pkts      bytes target     prot opt in     out     source               destination         
       0        0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW,ESTABLISHED

Chain out_lan_ftp_c3 (1 references)
    pkts      bytes target     prot opt in     out     source               destination         
       0        0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spts:32768:61000 dpt:21 state NEW,ESTABLISHED
       0        0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED helper match "ftp"

Chain out_lan_irc_c4 (1 references)
    pkts      bytes target     prot opt in     out     source               destination         
       0        0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spts:32768:61000 dpt:6667 state NEW,ESTABLISHED
       0        0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED helper match "irc"

Chain out_router1 (1 references)
    pkts      bytes target     prot opt in     out     source               destination         
    2945  2348181 out_router1_all_s1  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
      16     2592 out_router1_ftp_s2  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
      16     2592 out_router1_irc_s3  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
      16     2592 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED

Chain out_router1_all_s1 (1 references)
    pkts      bytes target     prot opt in     out     source               destination         
    2929  2345589 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state ESTABLISHED

Chain out_router1_ftp_s2 (1 references)
    pkts      bytes target     prot opt in     out     source               destination         
       0        0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:21 dpts:1024:65535 state ESTABLISHED
       0        0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED helper match "ftp"

Chain out_router1_irc_s3 (1 references)
    pkts      bytes target     prot opt in     out     source               destination         
       0        0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:6667 dpts:1024:65535 state ESTABLISHED
       0        0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED helper match "irc"

Chain pr_ifinternet_fragments (1 references)
    pkts      bytes target     prot opt in     out     source               destination         
       0        0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 1/sec burst 5 LOG flags 0 level 4 prefix "PACKET FRAGMENTS:"
       0        0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain pr_ifinternet_icmpflood (1 references)
    pkts      bytes target     prot opt in     out     source               destination         
      10      280 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 100/sec burst 50
       0        0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 1/sec burst 5 LOG flags 0 level 4 prefix "ICMP FLOOD:"
       0        0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain pr_ifinternet_malbad (4 references)
    pkts      bytes target     prot opt in     out     source               destination         
       0        0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 1/sec burst 5 LOG flags 0 level 4 prefix "MALFORMED BAD:"
       0        0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain pr_ifinternet_malnull (1 references)
    pkts      bytes target     prot opt in     out     source               destination         
       9      396 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 1/sec burst 5 LOG flags 0 level 4 prefix "MALFORMED NULL:"
      10      440 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain pr_ifinternet_malxmas (1 references)
    pkts      bytes target     prot opt in     out     source               destination         
       0        0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 1/sec burst 5 LOG flags 0 level 4 prefix "MALFORMED XMAS:"
       0        0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain pr_ifinternet_nosyn (1 references)
    pkts      bytes target     prot opt in     out     source               destination         
       0        0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 1/sec burst 5 LOG flags 0 level 4 prefix "NEW TCP w/o SYN:"
       0        0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain pr_ifinternet_synflood (1 references)
    pkts      bytes target     prot opt in     out     source               destination         
     230    10224 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 100/sec burst 50
       0        0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 1/sec burst 5 LOG flags 0 level 4 prefix "SYN FLOOD:"
       0        0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Last edited by distrohopperarched (2012-02-24 15:54:56)

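Added example, not from the thread and not FireHOL's own code: a small Python parser for the `iptables -nvL` listing above. It reads the listing into chains and rules and reports every DROP/REJECT rule that has actually matched packets, together with the LOG prefix FireHOL places in front of it, which is the string to grep the kernel log for. The SAMPLE string is an abridged excerpt of the listing in the post above (the other chains are omitted for length); the function and class names (`parse_iptables`, `drop_summary`, `Rule`, `Chain`) are this example's own.

```python
"""Summarise where an `iptables -nvL` listing is dropping traffic: every
DROP/REJECT rule with a non-zero counter, plus the preceding LOG prefix."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

_CHAIN_RE = re.compile(r'^Chain (\S+) \((.*)\)$')
_PREFIX_RE = re.compile(r'prefix "([^"]*)"')
_SUFFIX = {'': 1, 'K': 10**3, 'M': 10**6, 'G': 10**9}

def _count(tok):
    """Counters print as 1234 or, without -x, abbreviated as 1234K / 12M."""
    m = re.fullmatch(r'(\d+)([KMG]?)', tok)
    if not m:
        raise ValueError(f'bad counter: {tok!r}')
    return int(m.group(1)) * _SUFFIX[m.group(2)]

@dataclass
class Rule:
    pkts: int
    nbytes: int
    target: str
    prot: str
    opt: str     # '--' normally, '-f' for a fragment match
    in_if: str
    out_if: str
    src: str
    dst: str
    match: str   # free-form tail: 'state RELATED', 'tcp dpt:21 ...', LOG options

@dataclass
class Chain:
    name: str
    policy: Optional[str]                   # None for user-defined chains
    rules: List[Rule] = field(default_factory=list)

def parse_iptables(text):
    """Return {chain name: Chain} for one `iptables -nvL` listing."""
    chains, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _CHAIN_RE.match(line)
        if m:
            name, info = m.groups()
            policy = info.split()[1] if info.startswith('policy ') else None
            current = chains[name] = Chain(name, policy)
            continue
        if current is None or line.startswith('pkts'):
            continue                        # column header
        cols = line.split(None, 9)          # 9 fixed columns + optional match tail
        if len(cols) < 9:
            raise ValueError(f'unparsable rule line: {raw!r}')
        tail = cols[9] if len(cols) == 10 else ''
        current.rules.append(Rule(_count(cols[0]), _count(cols[1]), *cols[2:9], tail))
    return chains

def drop_summary(chains):
    """(chain, target, pkts, log prefix) for every drop that saw traffic, busiest first.
    FireHOL emits a rate-limited LOG right before each DROP, so the rule before a
    drop usually carries the prefix to grep the kernel log for (None if it doesn't)."""
    hits = []
    for ch in chains.values():
        prev = None
        for r in ch.rules:
            if r.target in ('DROP', 'REJECT') and r.pkts:
                pm = _PREFIX_RE.search(prev.match) if prev is not None and prev.target == 'LOG' else None
                hits.append((ch.name, r.target, r.pkts, pm.group(1) if pm else None))
            prev = r
    return sorted(hits, key=lambda h: -h[2])

# Abridged excerpt of the listing posted above (FORWARD, in_ifinternet, malnull).
SAMPLE = """\
Chain FORWARD (policy DROP 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
    2686   465415 in_router1  all  --  eth1   ppp0    0.0.0.0/0            0.0.0.0/0
    2945  2348181 out_router1  all  --  ppp0   eth1    0.0.0.0/0            0.0.0.0/0
       0        0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED
      41     1640 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 1/sec burst 5 LOG flags 0 level 4 prefix "PASS-unknown:"
      42     1680 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain in_ifinternet (1 references)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 pr_ifinternet_fragments  all  -f  *      *       0.0.0.0/0            0.0.0.0/0
       1       40 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
       0        0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED
     182    22442 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 1/sec burst 5 LOG flags 0 level 4 prefix "IN-ifinternet:"
     407    32542 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain pr_ifinternet_malnull (1 references)
    pkts      bytes target     prot opt in     out     source               destination
       9      396 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 1/sec burst 5 LOG flags 0 level 4 prefix "MALFORMED NULL:"
      10      440 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
"""

if __name__ == '__main__':
    for chain, target, pkts, prefix in drop_summary(parse_iptables(SAMPLE)):
        print(f'{chain:24} {target:6} {pkts:8}  log prefix: {prefix}')
```

Replace SAMPLE with `sys.stdin.read()` to run it as `iptables -nvL | python3 drop_summary.py` on a live box. On the listing above it points at four places: the final DROP of in_ifinternet (407 packets, prefix "IN-ifinternet:", unsolicited traffic arriving on ppp0 that matched no ESTABLISHED/RELATED rule, which is normal on a public link), the final DROP of FORWARD (42 packets, prefix "PASS-unknown:"), pr_ifinternet_malnull (10) and the `state INVALID` drop in in_ifinternet (1 packet, with no LOG in front of it). The FORWARD drops are the ones worth reading: in_router1 and out_router1 end without a terminating rule, so a packet between eth1 and ppp0 that neither chain accepts returns to FORWARD and lands on that LOG/DROP pair. The DROP counter being higher than the LOG counter next to it is expected, since the LOG rule is rate limited.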

#6 2012-02-25 12:18:03

philw
Member
Registered: 2012-02-25
Posts: 2

Re: firehol with routing - remote host restricted to google ?!

I find it hard to believe that a bug in firehol would cause the problems you are describing, because all it does is translate the rules you give it into iptables rules. A rule for e.g. HTTP shows no difference from one host to another unless you explicitly configure it.

Is DNS working OK? You may need to start with the basics and work your way up.

Also, are you on dual-stack IPv4/IPv6? That's one place I can think of where different hosts may show radically different behaviours. Plain firehol does not have support for IPv6, but I have created a set of patches which enable it. Contact me if you need them.

To start diagnosing I would check log files in the /var/log/ directory for entries that look like this:

PASS-unknown:IN=ppp0 OUT=br-lan SRC=121.6.48.159 DST=81.187.93.70 LEN=40 TOS=0x00 PREC=0x00 TTL=239 ID=54546 DF PROTO=TCP SPT=49998 DPT=51413 WINDOW=0 RES=0x00 ACK RST URGP=0

Any that appear are packets that have been dropped by the firewall. If you find packets being dropped that are part of the connection you try to establish (maybe just telnet to port 80 on the destination IP address to eliminate all other variables), it should be possible to work out which iptables rule, and hence which firehol rule, is responsible.

If nothing looks wrong there, the next thing to try would be to get a tcpdump or wireshark trace of the connections. I would suggest running the capture on the gateway and capturing two traces: one to a working host and one to a failing one, to compare what happens. Try running the trace on the internal interface of the gateway so you can see if the outgoing SYN packet (establishing a connection) has a matching incoming SYN in both cases.

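Added example, not from the thread and not FireHOL's own code, for the log-reading step described in the post above: a Python triage script for netfilter LOG records in the format shown there. It keeps only the firewall lines of a kernel log, splits each into its prefix and KEY=VALUE fields, and sorts dropped TCP packets into the cases that matter when a LAN host reaches some sites but not others: an outbound SYN from the LAN that was dropped, versus an inbound SYN+ACK (the server's answer) that was dropped, which is the "SYN sent but no matching reply" case the tcpdump comparison would otherwise have to reveal. The first SAMPLE_LOG line is the record quoted in the post with a made-up syslog header; the remaining lines, the host name and the 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 addresses are constructed, 192.0.2.200 stands for the gateway's own public address, and the script assumes ppp0 is the internet side and eth1 the LAN. The function names (`parse_log_line`, `classify`, `triage`, `summary`, `failed_handshakes`) are this example's own.

```python
"""Triage netfilter LOG records as FireHOL writes them: a prefix, then
IN=/OUT=/SRC=/DST=... fields and bare TCP flag words (ACK SYN, ACK RST...).
Keeps only the firewall lines of a kernel log and sorts dropped TCP packets
into the cases that matter when a LAN host reaches some sites but not others:
an outbound SYN that was dropped (the attempt never left) versus an inbound
SYN+ACK that was dropped (the server answered, the gateway discarded it)."""
import re
from collections import Counter

_TCP_FLAGS = {'CWR', 'ECE', 'URG', 'ACK', 'PSH', 'RST', 'SYN', 'FIN'}  # as the kernel prints them
_INT_FIELDS = {'LEN', 'TTL', 'ID', 'SPT', 'DPT', 'TYPE', 'CODE'}
_UPTIME_RE = re.compile(r'^\s*\[\s*\d+\.\d+\]')

def parse_log_line(line):
    """One log line -> dict of fields, or None if it is not a netfilter record."""
    idx = line.find('IN=')
    if idx < 0:
        return None
    head = line[:idx]
    if 'kernel:' in head:                  # strip the syslog / journal header
        head = head.rsplit('kernel:', 1)[1]
    head = _UPTIME_RE.sub('', head)        # and a dmesg-style "[ 8412.332170]" stamp
    rec, flags = {'prefix': head.strip()}, set()
    for tok in line[idx:].split():
        if '=' in tok:
            k, v = tok.split('=', 1)
            rec[k] = int(v) if k in _INT_FIELDS and v.isdigit() else v
        elif tok in _TCP_FLAGS:            # IP flags such as DF/MF are not TCP flags
            flags.add(tok)
    rec['flags'] = frozenset(flags)
    return rec

def classify(rec, wan):
    """Name the case a dropped packet belongs to; `wan` is the internet-facing interface."""
    if rec.get('PROTO') != 'TCP':
        return 'non-tcp'
    f = rec['flags']
    if 'RST' in f:
        return 'reset'                     # stray resets are background noise
    if f == {'SYN'}:
        return 'inbound-syn' if rec.get('IN') == wan else 'outbound-syn'
    if {'SYN', 'ACK'} <= f:
        return 'reply-synack' if rec.get('IN') == wan else 'outbound-synack'
    return 'other'

def triage(lines, wan='ppp0'):
    """Parse every line, keep the firewall records and tag each with its category."""
    recs = []
    for line in lines:
        rec = parse_log_line(line)
        if rec is not None:
            rec['category'] = classify(rec, wan)
            recs.append(rec)
    return recs

def summary(records):
    """Drops per (log prefix, category): the first table to look at."""
    return Counter((r['prefix'], r['category']) for r in records)

def failed_handshakes(records):
    """Servers that answered a client's SYN but whose SYN+ACK the gateway dropped,
    as {(server, port): dropped replies}; these are the sites that never load."""
    return Counter((r['SRC'], r['SPT']) for r in records if r['category'] == 'reply-synack')

# Constructed sample: line 1 is the record quoted in the post above with a made-up
# syslog header; the rest are invented, using documentation address ranges.
SAMPLE_LOG = """\
Feb 25 11:58:01 gw kernel: PASS-unknown:IN=ppp0 OUT=br-lan SRC=121.6.48.159 DST=81.187.93.70 LEN=40 TOS=0x00 PREC=0x00 TTL=239 ID=54546 DF PROTO=TCP SPT=49998 DPT=51413 WINDOW=0 RES=0x00 ACK RST URGP=0
Feb 25 11:58:05 gw kernel: PASS-unknown:IN=ppp0 OUT=eth1 SRC=203.0.113.10 DST=192.168.0.2 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=TCP SPT=80 DPT=40211 WINDOW=14600 RES=0x00 ACK SYN URGP=0
Feb 25 11:58:06 gw kernel: PASS-unknown:IN=ppp0 OUT=eth1 SRC=203.0.113.10 DST=192.168.0.2 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=TCP SPT=80 DPT=40211 WINDOW=14600 RES=0x00 ACK SYN URGP=0
Feb 25 11:58:07 gw kernel: PASS-unknown:IN=eth1 OUT=ppp0 SRC=192.168.0.2 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=9120 DF PROTO=TCP SPT=40212 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0
Feb 25 11:58:09 gw kernel: eth1: link is up
Feb 25 11:58:11 gw kernel: [ 8412.332170] MALFORMED NULL:IN=ppp0 OUT= SRC=198.51.100.99 DST=192.0.2.200 LEN=40 TOS=0x00 PREC=0x00 TTL=44 ID=1 PROTO=TCP SPT=6000 DPT=22 WINDOW=1024 RES=0x00 URGP=0
Feb 25 11:58:12 gw kernel: IN-ifinternet:IN=ppp0 OUT= SRC=198.51.100.53 DST=192.0.2.200 LEN=73 TOS=0x00 PREC=0x00 TTL=57 ID=0 DF PROTO=UDP SPT=53 DPT=33001 LEN=53
"""

if __name__ == '__main__':
    recs = triage(SAMPLE_LOG.splitlines())
    for (prefix, cat), n in sorted(summary(recs).items()):
        print(f'{n:5}  {prefix:18} {cat}')
    for (host, port), n in failed_handshakes(recs).items():
        print(f'server {host}:{port} answered; {n} SYN+ACK reply(s) dropped by the gateway')
```

Feed it the real log with something like `journalctl -k | python3 log_triage.py` (or `/var/log/kernel.log` on a syslog setup), after replacing SAMPLE_LOG with the stdin contents. Anything that lands in `reply-synack` is the finding: the remote server did answer and the gateway threw the answer away, so the chain carrying that prefix is where the forwarded reply failed to match an ESTABLISHED/RELATED rule. Entries like the ACK RST record quoted in the post are leftovers of closed connections and can be ignored, and `inbound-syn` drops on ppp0 are just unsolicited connection attempts from the internet.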

#7 2012-02-25 21:23:21

distrohopperarched
Member
Registered: 2012-02-06
Posts: 45

Re: firehol with routing - remote host restricted to google ?!

If the rules above aren't responsible for the symptoms, it's not fireHOL's fault. Period.

Thanks for the support and instructions, but I'll have to do some homework before I can deal with them.

The DNS is ok; as I said, I tried 8.8.8.8 and had the same results. No IPv6 issues either.
Before I switched to Arch I wasn't using firehol, thus I guess it's not hardware either, and as I said, I'll try another distro (I failed with Semplice as the network manager is buggy and I can't connect to the internet at all, so I'll have to start over). Perhaps this bleeding-edge kernel has some bugs?...

edit: Now I know I'm on the right forum and using the right distro.

Last edited by distrohopperarched (2012-02-25 23:10:07)


#8 2012-02-27 09:35:31

distrohopperarched
Member
Registered: 2012-02-06
Posts: 45

Re: firehol with routing - remote host restricted to google ?!

Update.
I tried the same firehol .conf on a different distro and I ended up with the same results.
Then I installed another firewall (firestarter) and got it working. So there IS something fireHOL related. There's something wrong with the rules generated.


#9 2012-02-27 09:39:07

distrohopperarched
Member
Registered: 2012-02-06
Posts: 45

Re: firehol with routing - remote host restricted to google ?!

I've been comparing iptables-save'd lists and I really don't know where to look (yet), but I guess it's better to look there and at an iptables tutorial than in /var/log.
Some obvious differences between the two tables are:
there's an extra table on top, there's a different order of the tables, and within the *nat section there's again a different order of rules.

Edit: from what I can tell, I'd guess it's something in the filter table after all...

Last edited by distrohopperarched (2012-02-27 14:25:05)


Powered by FluxBB