I could post my conf file if needed, but I just modified lan-gateway.conf and it works, except the browser doesn't seem to load any other page except google, yet I'm also seeding archlinux successfully. I have no idea what it could be. I have no servers running on either machine. It's a simple setup. Some default protection in the way? Any ideas?
Edit: Clarification: Things work on the host machine, it's the remote host that seems to be restricted to google (+youtube, wikipedia).
Last edited by distrohopperarched (2012-02-24 13:40:53)
I've been struggling with this for a month now. After playing around with different settings, I've reduced the .conf file to a minimum, but it's still not working...
What on earth could I be doing wrong? Why is it that, except for Google, Youtube and Wikipedia, literally no other pages load on the remote host? Not even Yahoo. Today I've even changed DNS servers to the Google public DNS as I thought it was something dns-cache related. It isn't. I started the remote host from a live CD and it's still the same. I've read through the manual a number of times. I've done everything I could and I'm beginning to think the FireHOL package is buggy.
I'm about to install a different OS, try the same settings and .conf and if it works I'll be back with feedback. I'll probably be bald too.
Is anyone here using the package?
Last edited by distrohopperarched (2012-02-25 19:14:19)
I was using firehol for some years, but at some point moved to shorewall. I don't exactly remember why - I really liked firehol - but I think I ran into some compatibility problems and firehol didn't look properly maintained. Even now, the latest release is from 2008 and the latest commit from 2010, so maybe it's not keeping up with whatever changes there could be in other components?
I'm using Firehol. It is maintained... well, I talked to the devs on the mailing list, and someone said no development is going on, it is stable. Only serious bugs are dealt with, but no bugs of that kind have popped up in the last few years. There was a minor bug when linux 3.0 arrived, but the archlinux package is patched, since upstream doesn't care. So, move to another firewall if that concerns you. Having said that, I have to state that I have used firehol without problems for years; it is rock stable.
zʇıɹɟʇıɹʞsuɐs AUR || Cycling in Budapest with a helmet camera || Revised log levels proposal: "FYI" "WTF" and "OMG" (John Barnette)
Could NAT mess with the packet's TTL?
I'm beginning to see a pattern in the pages that DO load vs those that don't. I can't search with Yahoo, yet I can access ro.news.yahoo.com, so it seems that closer servers are accessible??? Google is everywhere, so this might be a clue.
Also, pinging a random Google server from here shows ttl=49... I don't know if it's relevant.
Here's a simple iptables list I tried last time. As I said, a simple setup, in FireHOL that is, because it's about 200 lines in iptables.
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 in_lan all -- eth1 * 192.168.0.0/24 192.168.0.1
3931 1351774 in_ifinternet all -- ppp0 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED
31 6342 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 1/sec burst 5 LOG flags 0 level 4 prefix "IN-unknown:"
31 6342 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
2686 465415 in_router1 all -- eth1 ppp0 0.0.0.0/0 0.0.0.0/0
2945 2348181 out_router1 all -- ppp0 eth1 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED
41 1640 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 1/sec burst 5 LOG flags 0 level 4 prefix "PASS-unknown:"
42 1680 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
10 5760 out_lan all -- * eth1 192.168.0.1 192.168.0.0/24
3538 261890 out_ifinternet all -- * ppp0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 1/sec burst 5 LOG flags 0 level 4 prefix "OUT-unknown:"
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain in_ifinternet (1 references)
pkts bytes target prot opt in out source destination
0 0 RETURN all -- * * 0.0.0.0/8 0.0.0.0/0
4 1236 RETURN all -- * * 10.0.0.0/8 0.0.0.0/0
0 0 RETURN all -- * * 127.0.0.0/8 0.0.0.0/0
0 0 RETURN all -- * * 240.0.0.0/8 0.0.0.0/0
0 0 RETURN all -- * * 241.0.0.0/8 0.0.0.0/0
0 0 RETURN all -- * * 242.0.0.0/8 0.0.0.0/0
0 0 RETURN all -- * * 243.0.0.0/8 0.0.0.0/0
0 0 RETURN all -- * * 244.0.0.0/8 0.0.0.0/0
0 0 RETURN all -- * * 245.0.0.0/8 0.0.0.0/0
0 0 RETURN all -- * * 246.0.0.0/8 0.0.0.0/0
0 0 RETURN all -- * * 247.0.0.0/8 0.0.0.0/0
0 0 RETURN all -- * * 248.0.0.0/8 0.0.0.0/0
0 0 RETURN all -- * * 249.0.0.0/8 0.0.0.0/0
0 0 RETURN all -- * * 250.0.0.0/8 0.0.0.0/0
0 0 RETURN all -- * * 251.0.0.0/8 0.0.0.0/0
0 0 RETURN all -- * * 252.0.0.0/8 0.0.0.0/0
0 0 RETURN all -- * * 253.0.0.0/8 0.0.0.0/0
0 0 RETURN all -- * * 254.0.0.0/8 0.0.0.0/0
0 0 RETURN all -- * * 255.0.0.0/8 0.0.0.0/0
0 0 RETURN all -- * * 10.0.0.0/8 0.0.0.0/0
0 0 RETURN all -- * * 169.254.0.0/16 0.0.0.0/0
0 0 RETURN all -- * * 172.16.0.0/12 0.0.0.0/0
0 0 RETURN all -- * * 192.0.2.0/24 0.0.0.0/0
0 0 RETURN all -- * * 192.88.99.0/24 0.0.0.0/0
0 0 RETURN all -- * * 192.168.0.0/16 0.0.0.0/0
0 0 pr_ifinternet_fragments all -f * * 0.0.0.0/0 0.0.0.0/0
0 0 pr_ifinternet_nosyn tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcpflags:! 0x17/0x02
10 280 pr_ifinternet_icmpflood icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8
230 10224 pr_ifinternet_synflood tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcpflags: 0x17/0x02
0 0 pr_ifinternet_malxmas tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcpflags: 0x3F/0x3F
10 440 pr_ifinternet_malnull tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcpflags: 0x3F/0x00
0 0 pr_ifinternet_malbad tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcpflags: 0x03/0x03
0 0 pr_ifinternet_malbad tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcpflags: 0x06/0x06
0 0 pr_ifinternet_malbad tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcpflags: 0x3F/0x37
0 0 pr_ifinternet_malbad tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcpflags: 0x3F/0x29
1 40 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
3916 1350058 in_ifinternet_all_c1 all -- * * 0.0.0.0/0 0.0.0.0/0
407 32542 in_ifinternet_ftp_c2 all -- * * 0.0.0.0/0 0.0.0.0/0
407 32542 in_ifinternet_irc_c3 all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED
182 22442 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 1/sec burst 5 LOG flags 0 level 4 prefix "IN-ifinternet:"
407 32542 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain in_ifinternet_all_c1 (1 references)
pkts bytes target prot opt in out source destination
3506 1316677 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state ESTABLISHED
Chain in_ifinternet_ftp_c2 (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:21 dpts:32768:61000 state ESTABLISHED
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED helper match "ftp"
Chain in_ifinternet_irc_c3 (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:6667 dpts:32768:61000 state ESTABLISHED
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED helper match "irc"
Chain in_lan (1 references)
pkts bytes target prot opt in out source destination
0 0 in_lan_ICMP_s1 all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 in_lan_all_c2 all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 in_lan_ftp_c3 all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 in_lan_irc_c4 all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 1/sec burst 5 LOG flags 0 level 4 prefix "IN-lan:"
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain in_lan_ICMP_s1 (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT icmp -- * * 192.168.0.2 0.0.0.0/0 state NEW,ESTABLISHED
Chain in_lan_all_c2 (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state ESTABLISHED
Chain in_lan_ftp_c3 (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:21 dpts:32768:61000 state ESTABLISHED
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED helper match "ftp"
Chain in_lan_irc_c4 (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:6667 dpts:32768:61000 state ESTABLISHED
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED helper match "irc"
Chain in_router1 (1 references)
pkts bytes target prot opt in out source destination
2686 465415 in_router1_all_s1 all -- * * 0.0.0.0/0 0.0.0.0/0
40 1600 in_router1_ftp_s2 all -- * * 0.0.0.0/0 0.0.0.0/0
40 1600 in_router1_irc_s3 all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED
Chain in_router1_all_s1 (1 references)
pkts bytes target prot opt in out source destination
2646 463815 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW,ESTABLISHED
Chain in_router1_ftp_s2 (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:65535 dpt:21 state NEW,ESTABLISHED
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED helper match "ftp"
Chain in_router1_irc_s3 (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:65535 dpt:6667 state NEW,ESTABLISHED
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED helper match "irc"
Chain out_ifinternet (1 references)
pkts bytes target prot opt in out source destination
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/8
0 0 RETURN all -- * * 0.0.0.0/0 10.0.0.0/8
0 0 RETURN all -- * * 0.0.0.0/0 127.0.0.0/8
0 0 RETURN all -- * * 0.0.0.0/0 240.0.0.0/8
0 0 RETURN all -- * * 0.0.0.0/0 241.0.0.0/8
0 0 RETURN all -- * * 0.0.0.0/0 242.0.0.0/8
0 0 RETURN all -- * * 0.0.0.0/0 243.0.0.0/8
0 0 RETURN all -- * * 0.0.0.0/0 244.0.0.0/8
0 0 RETURN all -- * * 0.0.0.0/0 245.0.0.0/8
0 0 RETURN all -- * * 0.0.0.0/0 246.0.0.0/8
0 0 RETURN all -- * * 0.0.0.0/0 247.0.0.0/8
0 0 RETURN all -- * * 0.0.0.0/0 248.0.0.0/8
0 0 RETURN all -- * * 0.0.0.0/0 249.0.0.0/8
0 0 RETURN all -- * * 0.0.0.0/0 250.0.0.0/8
0 0 RETURN all -- * * 0.0.0.0/0 251.0.0.0/8
0 0 RETURN all -- * * 0.0.0.0/0 252.0.0.0/8
0 0 RETURN all -- * * 0.0.0.0/0 253.0.0.0/8
0 0 RETURN all -- * * 0.0.0.0/0 254.0.0.0/8
0 0 RETURN all -- * * 0.0.0.0/0 255.0.0.0/8
0 0 RETURN all -- * * 0.0.0.0/0 10.0.0.0/8
0 0 RETURN all -- * * 0.0.0.0/0 169.254.0.0/16
0 0 RETURN all -- * * 0.0.0.0/0 172.16.0.0/12
0 0 RETURN all -- * * 0.0.0.0/0 192.0.2.0/24
0 0 RETURN all -- * * 0.0.0.0/0 192.88.99.0/24
0 0 RETURN all -- * * 0.0.0.0/0 192.168.0.0/16
3537 261819 out_ifinternet_all_c1 all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 out_ifinternet_ftp_c2 all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 out_ifinternet_irc_c3 all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 1/sec burst 5 LOG flags 0 level 4 prefix "OUT-ifinternet:"
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain out_ifinternet_all_c1 (1 references)
pkts bytes target prot opt in out source destination
3536 261748 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW,ESTABLISHED
Chain out_ifinternet_ftp_c2 (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spts:32768:61000 dpt:21 state NEW,ESTABLISHED
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED helper match "ftp"
Chain out_ifinternet_irc_c3 (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spts:32768:61000 dpt:6667 state NEW,ESTABLISHED
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED helper match "irc"
Chain out_lan (1 references)
pkts bytes target prot opt in out source destination
10 5760 out_lan_ICMP_s1 all -- * * 0.0.0.0/0 0.0.0.0/0
10 5760 out_lan_all_c2 all -- * * 0.0.0.0/0 0.0.0.0/0
10 5760 out_lan_ftp_c3 all -- * * 0.0.0.0/0 0.0.0.0/0
10 5760 out_lan_irc_c4 all -- * * 0.0.0.0/0 0.0.0.0/0
10 5760 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 1/sec burst 5 LOG flags 0 level 4 prefix "OUT-lan:"
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain out_lan_ICMP_s1 (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT icmp -- * * 0.0.0.0/0 192.168.0.2 state ESTABLISHED
Chain out_lan_all_c2 (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW,ESTABLISHED
Chain out_lan_ftp_c3 (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spts:32768:61000 dpt:21 state NEW,ESTABLISHED
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED helper match "ftp"
Chain out_lan_irc_c4 (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spts:32768:61000 dpt:6667 state NEW,ESTABLISHED
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED helper match "irc"
Chain out_router1 (1 references)
pkts bytes target prot opt in out source destination
2945 2348181 out_router1_all_s1 all -- * * 0.0.0.0/0 0.0.0.0/0
16 2592 out_router1_ftp_s2 all -- * * 0.0.0.0/0 0.0.0.0/0
16 2592 out_router1_irc_s3 all -- * * 0.0.0.0/0 0.0.0.0/0
16 2592 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED
Chain out_router1_all_s1 (1 references)
pkts bytes target prot opt in out source destination
2929 2345589 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state ESTABLISHED
Chain out_router1_ftp_s2 (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:21 dpts:1024:65535 state ESTABLISHED
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED helper match "ftp"
Chain out_router1_irc_s3 (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:6667 dpts:1024:65535 state ESTABLISHED
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED helper match "irc"
Chain pr_ifinternet_fragments (1 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 1/sec burst 5 LOG flags 0 level 4 prefix "PACKET FRAGMENTS:"
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain pr_ifinternet_icmpflood (1 references)
pkts bytes target prot opt in out source destination
10 280 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 100/sec burst 50
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 1/sec burst 5 LOG flags 0 level 4 prefix "ICMP FLOOD:"
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain pr_ifinternet_malbad (4 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 1/sec burst 5 LOG flags 0 level 4 prefix "MALFORMED BAD:"
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain pr_ifinternet_malnull (1 references)
pkts bytes target prot opt in out source destination
9 396 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 1/sec burst 5 LOG flags 0 level 4 prefix "MALFORMED NULL:"
10 440 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain pr_ifinternet_malxmas (1 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 1/sec burst 5 LOG flags 0 level 4 prefix "MALFORMED XMAS:"
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain pr_ifinternet_nosyn (1 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 1/sec burst 5 LOG flags 0 level 4 prefix "NEW TCP w/o SYN:"
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain pr_ifinternet_synflood (1 references)
pkts bytes target prot opt in out source destination
230 10224 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 100/sec burst 50
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 1/sec burst 5 LOG flags 0 level 4 prefix "SYN FLOOD:"
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Last edited by distrohopperarched (2012-02-24 15:54:56)
I find it hard to believe that a bug in firehol would cause the problems you are describing because all it does is translate the rules you give it into iptables rules. A rule for e.g. HTTP shows no difference from one host to another unless you explicitly configure it.
Is DNS working OK? You may need to start with the basics and work your way up.
Also, are you on dual-stack IPv4/IPv6? That's one place I can think of where different hosts may show radically different behaviours. Plain firehol does not have support for IPv6 but I have created a set of patches which enable it. Contact me if you need them.
To start diagnosing I would check log files in the /var/log/ directory for entries that look like this:
PASS-unknown:IN=ppp0 OUT=br-lan SRC=121.6.48.159 DST=81.187.93.70 LEN=40 TOS=0x00 PREC=0x00 TTL=239 ID=54546 DF PROTO=TCP SPT=49998 DPT=51413 WINDOW=0 RES=0x00 ACK RST URGP=0
Any that appear are packets that have been dropped by the firewall. If you find packets being dropped that are part of the connection you are trying to establish (maybe just telnet to port 80 on the destination IP address to eliminate all other variables), it should be possible to work out which iptables rule, and hence which firehol rule, is responsible.
If nothing looks wrong there, the next thing to try would be to get a tcpdump or wireshark trace of the connections. I would suggest running the capture on the gateway and capturing two traces: one to a working host and one to a failing one, to compare what happens. Try running the trace on the internal interface of the gateway so you can see if the outgoing SYN packet (establishing a connection) has a matching incoming SYN in both cases.
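A small parser for the kernel LOG lines described in the reply above, added here as an example (it is not from the thread or from FireHOL). It pulls the fields out of each dropped-packet line, labels what the drop tells you about the firewall (a SYN/ACK dropped on the way back in means conntrack never saw the outbound SYN, so the ESTABLISHED rules in the FORWARD chain could not match it), and counts drops per destination and port. The log lines are constructed; ppp0 as the WAN interface is taken from the listing above.

```python
import re
from collections import Counter

# Constructed sample lines in the format FireHOL's LOG rules produce (not real log data;
# the addresses are RFC 5737 documentation ranges).
SAMPLE_LOG = """\
Feb 24 15:50:01 gw kernel: PASS-unknown:IN=ppp0 OUT=eth1 SRC=203.0.113.10 DST=192.168.0.2 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=0 DF PROTO=TCP SPT=80 DPT=40012 WINDOW=5840 RES=0x00 ACK SYN URGP=0
Feb 24 15:50:02 gw kernel: PASS-unknown:IN=ppp0 OUT=eth1 SRC=203.0.113.10 DST=192.168.0.2 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=0 DF PROTO=TCP SPT=80 DPT=40012 WINDOW=5840 RES=0x00 ACK SYN URGP=0
Feb 24 15:50:03 gw kernel: IN-unknown:IN=ppp0 OUT= SRC=198.51.100.7 DST=203.0.113.55 LEN=40 TOS=0x00 PREC=0x00 TTL=239 ID=54546 DF PROTO=TCP SPT=49998 DPT=51413 WINDOW=0 RES=0x00 ACK RST URGP=0
Feb 24 15:50:04 gw kernel: PASS-unknown:IN=eth1 OUT=ppp0 SRC=192.168.0.2 DST=203.0.113.20 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=1 DF PROTO=UDP SPT=51413 DPT=6881 LEN=32
Feb 24 15:50:05 gw sshd[123]: Accepted publickey for user from 192.168.0.2
"""

# The LOG prefix is whatever precedes "IN=" (e.g. "PASS-unknown:" or "NEW TCP w/o SYN:").
LOG_RE = re.compile(r'(?P<prefix>[^:]+):\s*(?P<fields>IN=.*)$')


def parse_log_line(line):
    """Return a dict of KEY=value fields plus a 'flags' set, or None for a non-iptables line."""
    m = LOG_RE.search(line)
    if not m:
        return None
    entry = {'prefix': m.group('prefix').strip(), 'flags': set()}
    for tok in m.group('fields').split():
        if '=' in tok:
            k, v = tok.split('=', 1)
            entry[k] = v              # a repeated key (the second LEN on UDP/ICMP) keeps the last value
        else:
            entry['flags'].add(tok)   # bare tokens: DF and the TCP flags SYN, ACK, RST, FIN, PSH, URG
    return entry


def classify(entry, wan_if='ppp0'):
    """Label a dropped packet by what it says about the ruleset (assumes FireHOL's default prefixes)."""
    flags = entry['flags']
    if entry['prefix'] == 'PASS-unknown':            # dropped in FORWARD, i.e. routed traffic
        if entry.get('IN') == wan_if and {'SYN', 'ACK'} <= flags:
            return 'reply-to-outbound-dropped'      # SYN/ACK not matched as ESTABLISHED: conntrack missed the SYN
        if entry.get('IN') == wan_if and 'RST' in flags:
            return 'unsolicited-reset'              # RST for a connection we never opened: background noise
        if entry.get('OUT') == wan_if:
            return 'outbound-forward-dropped'       # LAN host's own packet refused on the way out
        return 'inbound-forward-dropped'
    if entry['prefix'] == 'IN-unknown' and entry.get('OUT', '') == '':
        return 'gateway-input-dropped'              # aimed at the gateway itself, not forwarded
    return 'other'


def summarize(text, wan_if='ppp0'):
    """Count drops per (verdict, proto, src, dst, dpt) so the busiest failing flow stands out."""
    counts = Counter()
    for line in text.splitlines():
        e = parse_log_line(line)
        if e is None:
            continue
        counts[(classify(e, wan_if), e.get('PROTO'), e.get('SRC'), e.get('DST'), e.get('DPT'))] += 1
    return counts


if __name__ == '__main__':
    for key, n in summarize(SAMPLE_LOG).most_common():
        print(n, *key)
```

Feed it `grep kernel /var/log/everything.log` (or wherever syslog lands) and the 'reply-to-outbound-dropped' rows are the flows to trace with tcpdump on both gateway interfaces.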
If the rules above aren't responsible for the symptoms, it's not fireHOL's fault. Period.
Thanks for the support and instructions, but I'll have to do some homework before I can deal with them.
The DNS is OK; as I said, I tried 8.8.8.8 and had the same results. No IPv6 issues either.
Before I switched to Arch I wasn't using firehol, so I guess it's not hardware either, and as I said, I'll try another distro (I failed with Semplice as the network manager is buggy and I can't connect to the internet at all, so I'll have to start over); perhaps this bleeding edge kernel has some bugs?...
edit: Now I know I'm on the right forum and using the right distro.
Last edited by distrohopperarched (2012-02-25 23:10:07)
Update.
I tried the same firehol .conf on a different distro and I ended up with the same results.
Then I installed another firewall (firestarter) and got it working. So there IS something fireHOL related. There's something wrong with the rules generated.
I've been comparing iptables-save'd lists and I really don't know where to look (yet), but I guess it's better to look there and at an iptables tutorial than in /var/log.
Some obvious differences between the two tables are:
there's an extra table on top, the order of the tables is different, and within the *nat section the order of the rules is again different.
Edit: from what I can tell, I'd guess it's something in the filter table after all...
Last edited by distrohopperarched (2012-02-27 14:25:05)