subterfuge (n00b), Joined: 15 Aug 2003, Posts: 60
Posted: Tue Feb 17, 2004 7:31 pm, Post subject: firehol errors
I've searched around but can't find a solution to my problem. When I do "firehol start" I get this:
```text
FireHOL: Saving your old firewall to a temporary file: OK
FireHOL: Processing file /etc/firehol/firehol.conf: OK
FireHOL: Activating new firewall:
WARNING: This might or might not affect the operation of your firewall.
WHAT: A runtime command failed to execute (returned error 1).
SOURCE: line INIT of /etc/firehol/firehol.conf
COMMAND: /sbin/modprobe ip_tables
OUTPUT:
FATAL: Error inserting ip_tables (/lib/modules/2.6.0-gentoo/kernel/net/ipv4/netfilter/ip_tables.ko): Device or resource busy
WARNING: This might or might not affect the operation of your firewall
WHAT: A runtime command failed to execute (returned error 1).
SOURCE: line INIT of /etc/firehol/firehol.conf
COMMAND: /sbin/modprobe ip_contrack
OUTPUT:
FATAL: Module ip_conntrack not found
OK
```
I'd really appreciate any suggestions as this seems to be the last step to getting this router/firewall/WAP working.
scout (Veteran), Joined: 08 Mar 2003, Posts: 1991, Location: France, Paris during the week / Metz at the weekend
subterfuge (n00b), Joined: 15 Aug 2003, Posts: 60
Posted: Wed Feb 18, 2004 4:36 am
That's the thing, though. Every other thread said make sure so and so kernel option is compiled as a module, and I've done that for pretty much every one of them. I looked and I have "ip_conntrack" compiled as a module, so I don't really know what's going on...
subterfuge (n00b), Joined: 15 Aug 2003, Posts: 60
Posted: Wed Feb 18, 2004 9:50 pm
Since I need to get this thing up and running now, can anyone suggest alternative firewall/routing software? I tried shorewall, which didn't work. I'm not running X, and the setup is this:

```text
Internet----->eth0----->eth1 to internal network
               |
               ----->ath0 to wireless network
```

I'm keeping both of these interfaces separate and want to eventually use IPsec for the wireless network. So, any suggestions that are easy to set up? Ideally, a plain iptables script would be best, but I haven't found one for three interfaces, and at the moment don't have time to learn iptables.
subterfuge (n00b), Joined: 15 Aug 2003, Posts: 60
Posted: Thu Feb 19, 2004 4:33 pm
OK, maybe an iptables script is the way to go...
Is anyone here running a similar setup and would be willing to share theirs? Can anyone point me to a resource with premade scripts?
scout (Veteran), Joined: 08 Mar 2003, Posts: 1991, Location: France, Paris during the week / Metz at the weekend
Posted: Sun Feb 22, 2004 5:51 pm
Hey, I just looked at firehol and it's great!! I read the doc entirely and the trick is to put FIREHOL_LOAD_KERNEL_MODULES=0 in the configuration.
Before, I used an iptables script, a really good and clean one: the one from gentoo's security doc. But firehol just makes small configuration files and seems great. It does everything I want and doesn't weigh 2 Mb like shorewall.
Using iptables directly is nice because you can configure everything clearly, but the scripts are too huge if you want something precise, and when you have to modify something you have to scroll pages up and down to modify things everywhere.

--
http://petition.eurolinux.org/ - Petition against ePatents
The essence of finesse
subterfuge (n00b), Joined: 15 Aug 2003, Posts: 60
Posted: Sun Feb 22, 2004 6:35 pm
By "the configuration", do you mean /etc/firehol/firehol.conf?
scout (Veteran), Joined: 08 Mar 2003, Posts: 1991, Location: France, Paris during the week / Metz at the weekend
Posted: Sun Feb 22, 2004 6:42 pm
Yes, but I just saw this only works in the latest version of firehol, so you can, like me, put net-firewall/firehol ~x86 at the end of your /etc/portage/package.mask and emerge -u firehol so that you have version 1.159.
subterfuge (n00b), Joined: 15 Aug 2003, Posts: 60
Posted: Sun Feb 22, 2004 9:29 pm
Thanks for the help. I emerged the new version and added the config line and the firewall now activates correctly. I'll report back when the whole thing gets tested and say whether or not it works as planned.
scout (Veteran), Joined: 08 Mar 2003, Posts: 1991, Location: France, Paris during the week / Metz at the weekend
Posted: Sun Feb 22, 2004 9:56 pm
> scout wrote:
> you can just like me put net-firewall/firehol ~x86 at the end of your /etc/portage/package.mask

Err ... I meant package.keywords ...
fideli (n00b), Joined: 11 Feb 2004, Posts: 61, Location: mississauga
Posted: Wed Apr 28, 2004 6:09 am, Post subject: different error
Hey there,
I'm having a similar error.
/etc/firehol/firehol.conf:
```text
version 5
interface eth0 sis900 src "192.168.2.0/24"
policy reject
server "icmp samba" accept
client all accept
```
But when I run it:
```text
firehol # firehol start
head: `-1' option is obsolete; use `-n 1' since this will be removed in the future
head: `-1' option is obsolete; use `-n 1' since this will be removed in the future
head: `-1' option is obsolete; use `-n 1' since this will be removed in the future
head: `-1' option is obsolete; use `-n 1' since this will be removed in the future
head: `-1' option is obsolete; use `-n 1' since this will be removed in the future
head: `-1' option is obsolete; use `-n 1' since this will be removed in the future
head: `-1' option is obsolete; use `-n 1' since this will be removed in the future
head: `-1' option is obsolete; use `-n 1' since this will be removed in the future
head: `-1' option is obsolete; use `-n 1' since this will be removed in the future
head: `-1' option is obsolete; use `-n 1' since this will be removed in the future
head: `-1' option is obsolete; use `-n 1' since this will be removed in the future
head: `-1' option is obsolete; use `-n 1' since this will be removed in the future
head: `-1' option is obsolete; use `-n 1' since this will be removed in the future
head: `-1' option is obsolete; use `-n 1' since this will be removed in the future
head: `-1' option is obsolete; use `-n 1' since this will be removed in the future
head: `-1' option is obsolete; use `-n 1' since this will be removed in the future
head: `-1' option is obsolete; use `-n 1' since this will be removed in the future
head: `-1' option is obsolete; use `-n 1' since this will be removed in the future
head: `-1' option is obsolete; use `-n 1' since this will be removed in the future
head: `-1' option is obsolete; use `-n 1' since this will be removed in the future
head: `-1' option is obsolete; use `-n 1' since this will be removed in the future
head: `-1' option is obsolete; use `-n 1' since this will be removed in the future
head: `-1' option is obsolete; use `-n 1' since this will be removed in the future
head: `-1' option is obsolete; use `-n 1' since this will be removed in the future
head: `-1' option is obsolete; use `-n 1' since this will be removed in the future
head: `-1' option is obsolete; use `-n 1' since this will be removed in the future
head: `-1' option is obsolete; use `-n 1' since this will be removed in the future
FireHOL: Saving your old firewall to a temporary file: OK
FireHOL: Processing file /etc/firehol/firehol.conf: OK
FireHOL: Activating new firewall:iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
--------------------------------------------------------------------------------
ERROR : # 1.
WHAT : A runtime command failed to execute (returned error 1).
SOURCE : line 6 of /etc/firehol/firehol.conf
COMMAND : /sbin/iptables -t filter -A in_sis900_icmp_s1 -p icmp -m state --state NEW\,ESTABLISHED -j ACCEPT
OUTPUT :
iptables: No chain/target/match by that name
--------------------------------------------------------------------------------
ERROR : # 2.
WHAT : A runtime command failed to execute (returned error 1).
SOURCE : line 6 of /etc/firehol/firehol.conf
COMMAND : /sbin/iptables -t filter -A out_sis900_icmp_s1 -p icmp -m state --state ESTABLISHED -j ACCEPT
OUTPUT :
iptables: No chain/target/match by that name
--------------------------------------------------------------------------------
ERROR : # 3.
WHAT : A runtime command failed to execute (returned error 1).
SOURCE : line 6 of /etc/firehol/firehol.conf
COMMAND : /sbin/iptables -t filter -A in_sis900_samba_s2 -p udp --sport netbios-ns --dport netbios-ns -m state --state NEW\,ESTABLISHED -j ACCEPT
OUTPUT :
iptables: No chain/target/match by that name
--------------------------------------------------------------------------------
ERROR : # 4.
WHAT : A runtime command failed to execute (returned error 1).
SOURCE : line 6 of /etc/firehol/firehol.conf
COMMAND : /sbin/iptables -t filter -A in_sis900_samba_s2 -p udp --sport 1024:65535 --dport netbios-ns -m state --state NEW\,ESTABLISHED -j ACCEPT
OUTPUT :
iptables: No chain/target/match by that name
--------------------------------------------------------------------------------
ERROR : # 5.
WHAT : A runtime command failed to execute (returned error 1).
SOURCE : line 6 of /etc/firehol/firehol.conf
COMMAND : /sbin/iptables -t filter -A out_sis900_samba_s2 -p udp --sport netbios-ns --dport netbios-ns -m state --state ESTABLISHED -j ACCEPT
OUTPUT :
iptables: No chain/target/match by that name
--------------------------------------------------------------------------------
ERROR : # 6.
WHAT : A runtime command failed to execute (returned error 1).
SOURCE : line 6 of /etc/firehol/firehol.conf
COMMAND : /sbin/iptables -t filter -A out_sis900_samba_s2 -p udp --sport netbios-ns --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
OUTPUT :
iptables: No chain/target/match by that name
--------------------------------------------------------------------------------
ERROR : # 7.
WHAT : A runtime command failed to execute (returned error 1).
SOURCE : line 6 of /etc/firehol/firehol.conf
COMMAND : /sbin/iptables -t filter -A in_sis900_samba_s2 -p udp --sport netbios-dgm --dport netbios-dgm -m state --state NEW\,ESTABLISHED -j ACCEPT
OUTPUT :
iptables: No chain/target/match by that name
--------------------------------------------------------------------------------
ERROR : # 8.
WHAT : A runtime command failed to execute (returned error 1).
SOURCE : line 6 of /etc/firehol/firehol.conf
COMMAND : /sbin/iptables -t filter -A in_sis900_samba_s2 -p udp --sport 1024:65535 --dport netbios-dgm -m state --state NEW\,ESTABLISHED -j ACCEPT
OUTPUT :
iptables: No chain/target/match by that name
--------------------------------------------------------------------------------
ERROR : # 9.
WHAT : A runtime command failed to execute (returned error 1).
SOURCE : line 6 of /etc/firehol/firehol.conf
COMMAND : /sbin/iptables -t filter -A out_sis900_samba_s2 -p udp --sport netbios-dgm --dport netbios-dgm -m state --state ESTABLISHED -j ACCEPT
OUTPUT :
iptables: No chain/target/match by that name
--------------------------------------------------------------------------------
ERROR : # 10.
WHAT : A runtime command failed to execute (returned error 1).
SOURCE : line 6 of /etc/firehol/firehol.conf
COMMAND : /sbin/iptables -t filter -A out_sis900_samba_s2 -p udp --sport netbios-dgm --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
OUTPUT :
iptables: No chain/target/match by that name
--------------------------------------------------------------------------------
ERROR : # 11.
WHAT : A runtime command failed to execute (returned error 1).
SOURCE : line 6 of /etc/firehol/firehol.conf
COMMAND : /sbin/iptables -t filter -A in_sis900_samba_s2 -p tcp --sport 1024:65535 --dport netbios-ssn -m state --state NEW\,ESTABLISHED -j ACCEPT
OUTPUT :
iptables: No chain/target/match by that name
--------------------------------------------------------------------------------
ERROR : # 12.
WHAT : A runtime command failed to execute (returned error 1).
SOURCE : line 6 of /etc/firehol/firehol.conf
COMMAND : /sbin/iptables -t filter -A out_sis900_samba_s2 -p tcp --sport netbios-ssn --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
OUTPUT :
iptables: No chain/target/match by that name
--------------------------------------------------------------------------------
ERROR : # 13.
WHAT : A runtime command failed to execute (returned error 1).
SOURCE : line 8 of /etc/firehol/firehol.conf
COMMAND : /sbin/iptables -t filter -A out_sis900_all_c3 -m state --state NEW\,ESTABLISHED -j ACCEPT
OUTPUT :
iptables: No chain/target/match by that name
--------------------------------------------------------------------------------
ERROR : # 14.
WHAT : A runtime command failed to execute (returned error 1).
SOURCE : line 8 of /etc/firehol/firehol.conf
COMMAND : /sbin/iptables -t filter -A in_sis900_all_c3 -m state --state ESTABLISHED -j ACCEPT
OUTPUT :
iptables: No chain/target/match by that name
--------------------------------------------------------------------------------
ERROR : # 15.
WHAT : A runtime command failed to execute (returned error 1).
SOURCE : line 8 of /etc/firehol/firehol.conf
COMMAND : /sbin/iptables -t filter -A out_sis900_irc_c4 -p tcp --sport 32768:61000 --dport ircd -m state --state NEW\,ESTABLISHED -j ACCEPT
OUTPUT :
iptables: No chain/target/match by that name
--------------------------------------------------------------------------------
ERROR : # 16.
WHAT : A runtime command failed to execute (returned error 1).
SOURCE : line 8 of /etc/firehol/firehol.conf
COMMAND : /sbin/iptables -t filter -A in_sis900_irc_c4 -p tcp --sport ircd --dport 32768:61000 -m state --state ESTABLISHED -j ACCEPT
OUTPUT :
iptables: No chain/target/match by that name
--------------------------------------------------------------------------------
ERROR : # 17.
WHAT : A runtime command failed to execute (returned error 1).
SOURCE : line 8 of /etc/firehol/firehol.conf
COMMAND : /sbin/iptables -t filter -A out_sis900_ftp_c5 -p tcp --sport 32768:61000 --dport ftp -m state --state NEW\,ESTABLISHED -j ACCEPT
OUTPUT :
iptables: No chain/target/match by that name
--------------------------------------------------------------------------------
ERROR : # 18.
WHAT : A runtime command failed to execute (returned error 1).
SOURCE : line 8 of /etc/firehol/firehol.conf
COMMAND : /sbin/iptables -t filter -A in_sis900_ftp_c5 -p tcp --sport ftp --dport 32768:61000 -m state --state ESTABLISHED -j ACCEPT
OUTPUT :
iptables: No chain/target/match by that name
--------------------------------------------------------------------------------
ERROR : # 19.
WHAT : A runtime command failed to execute (returned error 1).
SOURCE : line 8 of /etc/firehol/firehol.conf
COMMAND : /sbin/iptables -t filter -A in_sis900_ftp_c5 -p tcp --sport ftp-data --dport 32768:61000 -m state --state ESTABLISHED\,RELATED -j ACCEPT
OUTPUT :
iptables: No chain/target/match by that name
--------------------------------------------------------------------------------
ERROR : # 20.
WHAT : A runtime command failed to execute (returned error 1).
SOURCE : line 8 of /etc/firehol/firehol.conf
COMMAND : /sbin/iptables -t filter -A out_sis900_ftp_c5 -p tcp --sport 32768:61000 --dport ftp-data -m state --state ESTABLISHED -j ACCEPT
OUTPUT :
iptables: No chain/target/match by that name
--------------------------------------------------------------------------------
ERROR : # 21.
WHAT : A runtime command failed to execute (returned error 1).
SOURCE : line 8 of /etc/firehol/firehol.conf
COMMAND : /sbin/iptables -t filter -A out_sis900_ftp_c5 -p tcp --sport 32768:61000 --dport 1024:65535 -m state --state ESTABLISHED\,RELATED -j ACCEPT
OUTPUT :
iptables: No chain/target/match by that name
--------------------------------------------------------------------------------
ERROR : # 22.
WHAT : A runtime command failed to execute (returned error 1).
SOURCE : line 8 of /etc/firehol/firehol.conf
COMMAND : /sbin/iptables -t filter -A in_sis900_ftp_c5 -p tcp --sport 1024:65535 --dport 32768:61000 -m state --state ESTABLISHED -j ACCEPT
OUTPUT :
iptables: No chain/target/match by that name
--------------------------------------------------------------------------------
ERROR : # 23.
WHAT : A runtime command failed to execute (returned error 1).
SOURCE : line FIN of /etc/firehol/firehol.conf
COMMAND : /sbin/iptables -t filter -A in_sis900 -m state --state RELATED -j ACCEPT
OUTPUT :
iptables: No chain/target/match by that name
--------------------------------------------------------------------------------
ERROR : # 24.
WHAT : A runtime command failed to execute (returned error 1).
SOURCE : line FIN of /etc/firehol/firehol.conf
COMMAND : /sbin/iptables -t filter -A out_sis900 -m state --state RELATED -j ACCEPT
OUTPUT :
iptables: No chain/target/match by that name
--------------------------------------------------------------------------------
ERROR : # 25.
WHAT : A runtime command failed to execute (returned error 1).
SOURCE : line FIN of /etc/firehol/firehol.conf
COMMAND : /sbin/iptables -t filter -A INPUT -m state --state RELATED -j ACCEPT
OUTPUT :
iptables: No chain/target/match by that name
--------------------------------------------------------------------------------
ERROR : # 26.
WHAT : A runtime command failed to execute (returned error 1).
SOURCE : line FIN of /etc/firehol/firehol.conf
COMMAND : /sbin/iptables -t filter -A OUTPUT -m state --state RELATED -j ACCEPT
OUTPUT :
iptables: No chain/target/match by that name
--------------------------------------------------------------------------------
ERROR : # 27.
WHAT : A runtime command failed to execute (returned error 1).
SOURCE : line FIN of /etc/firehol/firehol.conf
COMMAND : /sbin/iptables -t filter -A FORWARD -m state --state RELATED -j ACCEPT
OUTPUT :
iptables: No chain/target/match by that name
FAILED
FireHOL: Restoring old firewall: OK
firehol #
```
Anyone know what the problem is?

--
-\ fideli /-
fideli (n00b), Joined: 11 Feb 2004, Posts: 61, Location: mississauga
Posted: Wed Apr 28, 2004 9:06 pm
It's as if it's not creating the tables that it wants to use. However, it can't even load the default tables built in, such as FORWARD, OUTPUT, etc. I wonder what it is? Does anyone have a clue?
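One way to read a report like the one above, as an added example (not code from the thread or from FireHOL): it pulls the `-m` match and `-j` target names out of every failed COMMAND line and checks them against what the kernel has registered in /proc/net/ip_tables_matches and /proc/net/ip_tables_targets. The trimmed sample report and the ipt_* module names for 2.4/2.6-era kernels are this example's assumptions.

```shell
#!/bin/sh
# Added example for this thread; not code from the posters or from FireHOL.
# It reads a FireHOL error report, lists the iptables extensions (-m matches
# and -j targets) that every failed COMMAND used, and compares them with what
# the kernel currently exposes in /proc/net/ip_tables_matches and
# /proc/net/ip_tables_targets.  "No chain/target/match by that name" is what
# iptables prints when the chain, target or match it was asked for is not in
# the kernel; FireHOL creates its own chains with -N first and those lines do
# not fail in the thread's report, so the remaining suspects are the
# match/target modules.

# Constructed sample, cut down from the report posted in the thread.
SAMPLE_REPORT='FireHOL: Activating new firewall:
--------------------------------------------------------------------------------
ERROR : # 1.
WHAT : A runtime command failed to execute (returned error 1).
SOURCE : line 6 of /etc/firehol/firehol.conf
COMMAND : /sbin/iptables -t filter -A in_sis900_icmp_s1 -p icmp -m state --state NEW\,ESTABLISHED -j ACCEPT
OUTPUT :
iptables: No chain/target/match by that name
--------------------------------------------------------------------------------
ERROR : # 2.
WHAT : A runtime command failed to execute (returned error 1).
SOURCE : line FIN of /etc/firehol/firehol.conf
COMMAND : /sbin/iptables -t filter -A INPUT -m state --state RELATED -j ACCEPT
OUTPUT :
iptables: No chain/target/match by that name
FAILED'

# Print "match:NAME" or "target:NAME" for every extension named on a failed
# COMMAND line, one per line, deduplicated.  $1: report text.
failed_extensions() {
    printf '%s\n' "$1" |
        sed -n 's/^COMMAND *: *//p' |
        awk '{ for (i = 1; i < NF; i++) {
                   if ($i == "-m") print "match:" $(i + 1)
                   if ($i == "-j") print "target:" $(i + 1)
               } }' |
        sort -u
}

# Kernel module and config option behind an extension, using the ipt_* names
# of 2.4/2.6-era kernels such as the thread's 2.6.0-gentoo (assumed mapping).
# $1: one line of failed_extensions output.
module_for() {
    case "$1" in
        match:state)   echo "ipt_state (CONFIG_IP_NF_MATCH_STATE, needs ip_conntrack)" ;;
        match:limit)   echo "ipt_limit (CONFIG_IP_NF_MATCH_LIMIT)" ;;
        target:LOG)    echo "ipt_LOG (CONFIG_IP_NF_TARGET_LOG)" ;;
        target:REJECT) echo "ipt_REJECT (CONFIG_IP_NF_TARGET_REJECT)" ;;
        target:ACCEPT|target:DROP|target:RETURN) echo "built into ip_tables" ;;
        *)             echo "unknown extension, check modinfo" ;;
    esac
}

# Extensions the failed commands need that are absent from the kernel's
# match/target lists.  $1: report text; $2: path to ip_tables_matches;
# $3: path to ip_tables_targets (parameters, so a saved copy works too).
missing_extensions() {
    failed_extensions "$1" | while IFS= read -r ext; do
        name=${ext#*:}
        case "$ext" in
            target:ACCEPT|target:DROP|target:RETURN) continue ;;  # always present
            match:*)  list=$2 ;;
            target:*) list=$3 ;;
        esac
        grep -qx "$name" "$list" 2>/dev/null || echo "$ext -> $(module_for "$ext")"
    done
}

# Stand-alone use on a live box: compare the sample against the running kernel.
if [ "${1:-}" = "--live" ]; then
    missing_extensions "$SAMPLE_REPORT" /proc/net/ip_tables_matches /proc/net/ip_tables_targets
fi
```

An extension reported as missing points at a kernel module or kernel option to enable; FIREHOL_LOAD_KERNEL_MODULES=0 (scout's setting earlier in the thread) only stops FireHOL from running modprobe itself and does not make an absent match appear.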
fideli (n00b), Joined: 11 Feb 2004, Posts: 61, Location: mississauga
Posted: Thu Apr 29, 2004 6:15 am
Here's the output of firehol debug:
```text
FireHOL: Saving your old firewall to a temporary file: OK
FireHOL: Processing file /etc/firehol/firehol.conf: OK
#!/bin/sh
load_kernel_module ip_tables
load_kernel_module ip_conntrack
# Find all tables supported
tables=`/bin/cat /proc/net/ip_tables_names`
for t in ${tables}
do
# Reset/empty this table.
/sbin/iptables -t "${t}" -F >/tmp/firehol-tmp-3340/firehol-out.sh.log 2>&1
r=$?; test ! ${r} -eq 0 && runtime_error error ${r} INIT /sbin/iptables -t "${t}" -F
/sbin/iptables -t "${t}" -X >/tmp/firehol-tmp-3340/firehol-out.sh.log 2>&1
r=$?; test ! ${r} -eq 0 && runtime_error error ${r} INIT /sbin/iptables -t "${t}" -X
/sbin/iptables -t "${t}" -Z >/tmp/firehol-tmp-3340/firehol-out.sh.log 2>&1
r=$?; test ! ${r} -eq 0 && runtime_error error ${r} INIT /sbin/iptables -t "${t}" -Z
# Find all default chains in this table.
chains=`/sbin/iptables -t "${t}" -nL | /bin/grep "^Chain " | /bin/cut -d ' ' -f 2`
# If this is the 'filter' table, remember the default chains.
# This will be used at the end to make it DROP all packets.
test "${t}" = "filter" && firehol_filter_chains="${chains}"
# Set the policy to ACCEPT on all default chains.
for c in ${chains}
do
/sbin/iptables -t "${t}" -P "${c}" ACCEPT >/tmp/firehol-tmp-3340/firehol-out.sh.log 2>&1
r=$?; test ! ${r} -eq 0 && runtime_error error ${r} INIT /sbin/iptables -t "${t}" -P "${c}" ACCEPT
done
done
/sbin/iptables -t filter -P INPUT "${FIREHOL_INPUT_ACTIVATION_POLICY}" >/tmp/firehol-tmp-3340/firehol-out.sh.log 2>&1
r=$?; test ! ${r} -eq 0 && runtime_error error ${r} INIT /sbin/iptables -t filter -P INPUT "${FIREHOL_INPUT_ACTIVATION_POLICY}"
/sbin/iptables -t filter -P INPUT "${FIREHOL_OUTPUT_ACTIVATION_POLICY}" >/tmp/firehol-tmp-3340/firehol-out.sh.log 2>&1
r=$?; test ! ${r} -eq 0 && runtime_error error ${r} INIT /sbin/iptables -t filter -P INPUT "${FIREHOL_OUTPUT_ACTIVATION_POLICY}"
/sbin/iptables -t filter -P FORWARD "${FIREHOL_FORWARD_ACTIVATION_POLICY}" >/tmp/firehol-tmp-3340/firehol-out.sh.log 2>&1
r=$?; test ! ${r} -eq 0 && runtime_error error ${r} INIT /sbin/iptables -t filter -P FORWARD "${FIREHOL_FORWARD_ACTIVATION_POLICY}"
# Accept everything in/out the loopback device.
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A OUTPUT -o lo -j ACCEPT
# Drop all invalid packets.
# Netfilter HOWTO suggests to DROP all INVALID packets.
/sbin/iptables -A INPUT -m state --state INVALID -j DROP
/sbin/iptables -A OUTPUT -m state --state INVALID -j DROP
/sbin/iptables -A FORWARD -m state --state INVALID -j DROP
/sbin/iptables -t filter -N in_sis900 # L:3
/sbin/iptables -t filter -A INPUT -i eth0 -s 192.168.2.0/24 -j in_sis900 # L:3
/sbin/iptables -t filter -N out_sis900 # L:3
/sbin/iptables -t filter -A OUTPUT -o eth0 -d 192.168.2.0/24 -j out_sis900 # L:3
/sbin/iptables -t filter -N in_sis900_icmp_s1 # L:6
/sbin/iptables -t filter -A in_sis900 -j in_sis900_icmp_s1 # L:6
/sbin/iptables -t filter -N out_sis900_icmp_s1 # L:6
/sbin/iptables -t filter -A out_sis900 -j out_sis900_icmp_s1 # L:6
/sbin/iptables -t filter -A in_sis900_icmp_s1 -p icmp -m state --state NEW\,ESTABLISHED -j ACCEPT # L:6
/sbin/iptables -t filter -A out_sis900_icmp_s1 -p icmp -m state --state ESTABLISHED -j ACCEPT # L:6
/sbin/iptables -t filter -N in_sis900_samba_s2 # L:6
/sbin/iptables -t filter -A in_sis900 -j in_sis900_samba_s2 # L:6
/sbin/iptables -t filter -N out_sis900_samba_s2 # L:6
/sbin/iptables -t filter -A out_sis900 -j out_sis900_samba_s2 # L:6
/sbin/iptables -t filter -A in_sis900_samba_s2 -p udp --sport netbios-ns --dport netbios-ns -m state --state NEW\,ESTABLISHED -j ACCEPT # L:6
/sbin/iptables -t filter -A in_sis900_samba_s2 -p udp --sport 1024:65535 --dport netbios-ns -m state --state NEW\,ESTABLISHED -j ACCEPT # L:6
/sbin/iptables -t filter -A out_sis900_samba_s2 -p udp --sport netbios-ns --dport netbios-ns -m state --state ESTABLISHED -j ACCEPT # L:6
/sbin/iptables -t filter -A out_sis900_samba_s2 -p udp --sport netbios-ns --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT # L:6
/sbin/iptables -t filter -A in_sis900_samba_s2 -p udp --sport netbios-dgm --dport netbios-dgm -m state --state NEW\,ESTABLISHED -j ACCEPT # L:6
/sbin/iptables -t filter -A in_sis900_samba_s2 -p udp --sport 1024:65535 --dport netbios-dgm -m state --state NEW\,ESTABLISHED -j ACCEPT # L:6
/sbin/iptables -t filter -A out_sis900_samba_s2 -p udp --sport netbios-dgm --dport netbios-dgm -m state --state ESTABLISHED -j ACCEPT # L:6
/sbin/iptables -t filter -A out_sis900_samba_s2 -p udp --sport netbios-dgm --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT # L:6
/sbin/iptables -t filter -A in_sis900_samba_s2 -p tcp --sport 1024:65535 --dport netbios-ssn -m state --state NEW\,ESTABLISHED -j ACCEPT # L:6
/sbin/iptables -t filter -A out_sis900_samba_s2 -p tcp --sport netbios-ssn --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT # L:6
/sbin/iptables -t filter -N in_sis900_all_c3 # L:8
/sbin/iptables -t filter -A in_sis900 -j in_sis900_all_c3 # L:8
/sbin/iptables -t filter -N out_sis900_all_c3 # L:8
/sbin/iptables -t filter -A out_sis900 -j out_sis900_all_c3 # L:8
/sbin/iptables -t filter -A out_sis900_all_c3 -m state --state NEW\,ESTABLISHED -j ACCEPT # L:8
/sbin/iptables -t filter -A in_sis900_all_c3 -m state --state ESTABLISHED -j ACCEPT # L:8
/sbin/iptables -t filter -N in_sis900_irc_c4 # L:8
/sbin/iptables -t filter -A in_sis900 -j in_sis900_irc_c4 # L:8
/sbin/iptables -t filter -N out_sis900_irc_c4 # L:8
/sbin/iptables -t filter -A out_sis900 -j out_sis900_irc_c4 # L:8
/sbin/iptables -t filter -A out_sis900_irc_c4 -p tcp --sport 32768:61000 --dport ircd -m state --state NEW\,ESTABLISHED -j ACCEPT # L:8
/sbin/iptables -t filter -A in_sis900_irc_c4 -p tcp --sport ircd --dport 32768:61000 -m state --state ESTABLISHED -j ACCEPT # L:8
/sbin/iptables -t filter -N in_sis900_ftp_c5 # L:8
/sbin/iptables -t filter -A in_sis900 -j in_sis900_ftp_c5 # L:8
/sbin/iptables -t filter -N out_sis900_ftp_c5 # L:8
/sbin/iptables -t filter -A out_sis900 -j out_sis900_ftp_c5 # L:8
/sbin/iptables -t filter -A out_sis900_ftp_c5 -p tcp --sport 32768:61000 --dport ftp -m state --state NEW\,ESTABLISHED -j ACCEPT # L:8
/sbin/iptables -t filter -A in_sis900_ftp_c5 -p tcp --sport ftp --dport 32768:61000 -m state --state ESTABLISHED -j ACCEPT # L:8
/sbin/iptables -t filter -A in_sis900_ftp_c5 -p tcp --sport ftp-data --dport 32768:61000 -m state --state ESTABLISHED\,RELATED -j ACCEPT # L:8
/sbin/iptables -t filter -A out_sis900_ftp_c5 -p tcp --sport 32768:61000 --dport ftp-data -m state --state ESTABLISHED -j ACCEPT # L:8
/sbin/iptables -t filter -A out_sis900_ftp_c5 -p tcp --sport 32768:61000 --dport 1024:65535 -m state --state ESTABLISHED\,RELATED -j ACCEPT # L:8
/sbin/iptables -t filter -A in_sis900_ftp_c5 -p tcp --sport 1024:65535 --dport 32768:61000 -m state --state ESTABLISHED -j ACCEPT # L:8
/sbin/iptables -t filter -A in_sis900 -m state --state RELATED -j ACCEPT # L:FIN
/sbin/iptables -t filter -A out_sis900 -m state --state RELATED -j ACCEPT # L:FIN
/sbin/iptables -t filter -A in_sis900 -p tcp -m limit --limit 1/second --limit-burst 5 -j LOG --log-level warning --log-prefix=IN-sis900: # L:FIN
/sbin/iptables -t filter -A in_sis900 -p tcp -j REJECT --reject-with tcp-reset # L:FIN
/sbin/iptables -t filter -A in_sis900 -m limit --limit 1/second --limit-burst 5 -j LOG --log-level warning --log-prefix=IN-sis900: # L:FIN
/sbin/iptables -t filter -A in_sis900 -j REJECT # L:FIN
/sbin/iptables -t filter -A out_sis900 -p tcp -m limit --limit 1/second --limit-burst 5 -j LOG --log-level warning --log-prefix=OUT-sis900: # L:FIN
/sbin/iptables -t filter -A out_sis900 -p tcp -j REJECT --reject-with tcp-reset # L:FIN
/sbin/iptables -t filter -A out_sis900 -m limit --limit 1/second --limit-burst 5 -j LOG --log-level warning --log-prefix=OUT-sis900: # L:FIN
/sbin/iptables -t filter -A out_sis900 -j REJECT # L:FIN
/sbin/iptables -t filter -A INPUT -m state --state RELATED -j ACCEPT # L:FIN
/sbin/iptables -t filter -A OUTPUT -m state --state RELATED -j ACCEPT # L:FIN
/sbin/iptables -t filter -A FORWARD -m state --state RELATED -j ACCEPT # L:FIN
/sbin/iptables -t filter -A INPUT -m limit --limit 1/second --limit-burst 5 -j LOG --log-level warning --log-prefix=IN-unknown: # L:FIN
/sbin/iptables -t filter -A INPUT -j DROP # L:FIN
/sbin/iptables -t filter -A OUTPUT -m limit --limit 1/second --limit-burst 5 -j LOG --log-level warning --log-prefix=OUT-unknown: # L:FIN
/sbin/iptables -t filter -A OUTPUT -j DROP # L:FIN
/sbin/iptables -t filter -A FORWARD -m limit --limit 1/second --limit-burst 5 -j LOG --log-level warning --log-prefix=PASS-unknown: # L:FIN
/sbin/iptables -t filter -A FORWARD -j DROP # L:FIN
# Make it drop everything on table 'filter'.
for c in ${firehol_filter_chains}
do
/sbin/iptables -t filter -P "${c}" DROP >/tmp/firehol-tmp-3340/firehol-out.sh.log 2>&1
r=$?; test ! ${r} -eq 0 && runtime_error error ${r} INIT /sbin/iptables -t filter -P "${c}" DROP
done
load_kernel_module ip_conntrack_irc # L:FIN
load_kernel_module ip_conntrack_ftp # L:FIN
FireHOL: Restoring old firewall: OK
```
It also has all those "head" lines in the beginning like the above code boxes, but I feel it would be redundant to insert them again. I wonder if that's the problem. I'm not quite up to speed on iptables so I'm going through the debug output slowly, but if anyone has any time and tips, it would greatly help me. Thanks!
ktsaou (Tux's lil' helper), Joined: 10 Jul 2003, Posts: 80
Posted: Sun May 09, 2004 2:36 pm
Hi,
Please install the latest firehol ebuild and then download http://firehol.sf.net/firehol.tar.gz
Get firehol.sh from it and put it in /usr/sbin/firehol (i.e. overwrite the one installed by the ebuild - I don't recall if it is installed in /usr/bin or /usr/sbin - check it first).
The one above is the latest CVS, it is stable though.
For some reason the gentoo folks do not update the ebuild frequently.
Costa
PS: I am the author of FireHOL.
fideli (n00b), Joined: 11 Feb 2004, Posts: 61, Location: mississauga
Posted: Sun May 09, 2004 9:26 pm
OK, I did that. I also made my firehol.conf a bit simpler, about as simple as it's gonna get for it to be worth it, I suppose:
/etc/firehol/firehol.conf
```text
version 5
interface eth0 sis900
policy reject
client all accept
```
# firehol start
```text
FireHOL: Saving your old firewall to a temporary file: OK
FireHOL: Processing file /etc/firehol/firehol.conf: OK
FireHOL: Activating new firewall (45 rules):
--------------------------------------------------------------------------------
ERROR : # 1.
WHAT : A runtime command failed to execute (returned error 1).
SOURCE : line 5 of /etc/firehol/firehol.conf
COMMAND : /sbin/iptables -t filter -A out_sis900_all_c1 -m state --state NEW\,ESTABLISHED -j ACCEPT
OUTPUT :
iptables: No chain/target/match by that name
--------------------------------------------------------------------------------
ERROR : # 2.
WHAT : A runtime command failed to execute (returned error 1).
SOURCE : line 5 of /etc/firehol/firehol.conf
COMMAND : /sbin/iptables -t filter -A in_sis900_all_c1 -m state --state ESTABLISHED -j ACCEPT
OUTPUT :
iptables: No chain/target/match by that name
--------------------------------------------------------------------------------
ERROR : # 3.
WHAT : A runtime command failed to execute (returned error 1).
SOURCE : line 5 of /etc/firehol/firehol.conf
COMMAND : /sbin/iptables -t filter -A out_sis900_irc_c2 -p tcp --sport 32768:61000 --dport ircd -m state --state NEW\,ESTABLISHED -j ACCEPT
OUTPUT :
iptables: No chain/target/match by that name
--------------------------------------------------------------------------------
ERROR : # 4.
WHAT : A runtime command failed to execute (returned error 1).
SOURCE : line 5 of /etc/firehol/firehol.conf
COMMAND : /sbin/iptables -t filter -A in_sis900_irc_c2 -p tcp --sport ircd --dport 32768:61000 -m state --state ESTABLISHED -j ACCEPT
OUTPUT :
iptables: No chain/target/match by that name
--------------------------------------------------------------------------------
ERROR : # 5.
WHAT : A runtime command failed to execute (returned error 1).
SOURCE : line 5 of /etc/firehol/firehol.conf
COMMAND : /sbin/iptables -t filter -A out_sis900_ftp_c3 -p tcp --sport 32768:61000 --dport ftp -m state --state NEW\,ESTABLISHED -j ACCEPT
OUTPUT :
iptables: No chain/target/match by that name
--------------------------------------------------------------------------------
ERROR : # 6.
WHAT : A runtime command failed to execute (returned error 1).
SOURCE : line 5 of /etc/firehol/firehol.conf
COMMAND : /sbin/iptables -t filter -A in_sis900_ftp_c3 -p tcp --sport ftp --dport 32768:61000 -m state --state ESTABLISHED -j ACCEPT
OUTPUT :
iptables: No chain/target/match by that name
--------------------------------------------------------------------------------
ERROR : # 7.
WHAT : A runtime command failed to execute (returned error 1).
SOURCE : line 5 of /etc/firehol/firehol.conf
COMMAND : /sbin/iptables -t filter -A in_sis900_ftp_c3 -p tcp --sport ftp-data --dport 32768:61000 -m state --state ESTABLISHED\,RELATED -j ACCEPT
OUTPUT :
iptables: No chain/target/match by that name
--------------------------------------------------------------------------------
ERROR : # 8.
WHAT : A runtime command failed to execute (returned error 1).
SOURCE : line 5 of /etc/firehol/firehol.conf
COMMAND : /sbin/iptables -t filter -A out_sis900_ftp_c3 -p tcp --sport 32768:61000 --dport ftp-data -m state --state ESTABLISHED -j ACCEPT
```
OUTPUT :
iptables: No chain/target/match by that name
--------------------------------------------------------------------------------
ERROR : # 9.
WHAT : A runtime command failed to execute (returned error 1).
SOURCE : line 5 of /etc/firehol/firehol.conf
COMMAND : /sbin/iptables -t filter -A out_sis900_ftp_c3 -p tcp --sport 32768:61000 --dport 1024:65535 -m state --state ESTABLISHED\,RELATED -j ACCEPT
OUTPUT :
iptables: No chain/target/match by that name
--------------------------------------------------------------------------------
ERROR : # 10.
WHAT : A runtime command failed to execute (returned error 1).
SOURCE : line 5 of /etc/firehol/firehol.conf
COMMAND : /sbin/iptables -t filter -A in_sis900_ftp_c3 -p tcp --sport 1024:65535 --dport 32768:61000 -m state --state ESTABLISHED -j ACCEPT
OUTPUT :
iptables: No chain/target/match by that name
--------------------------------------------------------------------------------
ERROR : # 11.
WHAT : A runtime command failed to execute (returned error 1).
SOURCE : line FIN of /etc/firehol/firehol.conf
COMMAND : /sbin/iptables -t filter -A in_sis900 -m state --state RELATED -j ACCEPT
OUTPUT :
iptables: No chain/target/match by that name
--------------------------------------------------------------------------------
ERROR : # 12.
WHAT : A runtime command failed to execute (returned error 1).
SOURCE : line FIN of /etc/firehol/firehol.conf
COMMAND : /sbin/iptables -t filter -A out_sis900 -m state --state RELATED -j ACCEPT
OUTPUT :
iptables: No chain/target/match by that name
--------------------------------------------------------------------------------
ERROR : # 13.
WHAT : A runtime command failed to execute (returned error 1).
SOURCE : line FIN of /etc/firehol/firehol.conf
COMMAND : /sbin/iptables -t filter -A INPUT -m state --state RELATED -j ACCEPT
OUTPUT :
iptables: No chain/target/match by that name
--------------------------------------------------------------------------------
ERROR : # 14.
WHAT : A runtime command failed to execute (returned error 1).
SOURCE : line FIN of /etc/firehol/firehol.conf
COMMAND : /sbin/iptables -t filter -A OUTPUT -m state --state RELATED -j ACCEPT
OUTPUT :
iptables: No chain/target/match by that name
--------------------------------------------------------------------------------
ERROR : # 15.
WHAT : A runtime command failed to execute (returned error 1).
SOURCE : line FIN of /etc/firehol/firehol.conf
COMMAND : /sbin/iptables -t filter -A FORWARD -m state --state RELATED -j ACCEPT
OUTPUT :
iptables: No chain/target/match by that name
FAILED
FireHOL: Restoring old firewall: OK
|
# firehol debug
Code: |
FireHOL: Saving your old firewall to a temporary file: OK
FireHOL: Processing file /etc/firehol/firehol.conf: OK
#!/bin/sh
load_kernel_module ip_tables
load_kernel_module ip_conntrack
# Find all tables supported
tables=`/bin/cat /proc/net/ip_tables_names`
for t in ${tables}
do
# Reset/empty this table.
/sbin/iptables -t "${t}" -F >/tmp/firehol-tmp-17777/firehol-out.sh.log 2>&1
r=$?; test ! ${r} -eq 0 && runtime_error error ${r} INIT /sbin/iptables -t "${t}" -F
/sbin/iptables -t "${t}" -X >/tmp/firehol-tmp-17777/firehol-out.sh.log 2>&1
r=$?; test ! ${r} -eq 0 && runtime_error error ${r} INIT /sbin/iptables -t "${t}" -X
/sbin/iptables -t "${t}" -Z >/tmp/firehol-tmp-17777/firehol-out.sh.log 2>&1
r=$?; test ! ${r} -eq 0 && runtime_error error ${r} INIT /sbin/iptables -t "${t}" -Z
# Find all default chains in this table.
chains=`/sbin/iptables -t "${t}" -nL | /bin/grep "^Chain " | /bin/cut -d ' ' -f 2`
# If this is the 'filter' table, remember the default chains.
# This will be used at the end to make it DROP all packets.
test "${t}" = "filter" && firehol_filter_chains="${chains}"
# Set the policy to ACCEPT on all default chains.
for c in ${chains}
do
/sbin/iptables -t "${t}" -P "${c}" ACCEPT >/tmp/firehol-tmp-17777/firehol-out.sh.log 2>&1
r=$?; test ! ${r} -eq 0 && runtime_error error ${r} INIT /sbin/iptables -t "${t}" -P "${c}" ACCEPT
done
done
/sbin/iptables -t filter -P INPUT "${FIREHOL_INPUT_ACTIVATION_POLICY}" >/tmp/firehol-tmp-17777/firehol-out.sh.log 2>&1
r=$?; test ! ${r} -eq 0 && runtime_error error ${r} INIT /sbin/iptables -t filter -P INPUT "${FIREHOL_INPUT_ACTIVATION_POLICY}"
/sbin/iptables -t filter -P INPUT "${FIREHOL_OUTPUT_ACTIVATION_POLICY}" >/tmp/firehol-tmp-17777/firehol-out.sh.log 2>&1
r=$?; test ! ${r} -eq 0 && runtime_error error ${r} INIT /sbin/iptables -t filter -P INPUT "${FIREHOL_OUTPUT_ACTIVATION_POLICY}"
/sbin/iptables -t filter -P FORWARD "${FIREHOL_FORWARD_ACTIVATION_POLICY}" >/tmp/firehol-tmp-17777/firehol-out.sh.log 2>&1
r=$?; test ! ${r} -eq 0 && runtime_error error ${r} INIT /sbin/iptables -t filter -P FORWARD "${FIREHOL_FORWARD_ACTIVATION_POLICY}"
# Accept everything in/out the loopback device.
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A OUTPUT -o lo -j ACCEPT
# Drop all invalid packets.
# Netfilter HOWTO suggests to DROP all INVALID packets.
if [ "${FIREHOL_DROP_INVALID}" = "1" ]
then
/sbin/iptables -A INPUT -m state --state INVALID -j DROP
/sbin/iptables -A OUTPUT -m state --state INVALID -j DROP
/sbin/iptables -A FORWARD -m state --state INVALID -j DROP
fi
# === CONFIGURATION STATEMENT =================================================
# CONF:INIT>>> version 5
# === CONFIGURATION STATEMENT =================================================
# CONF: 3>>> interface eth0 sis900
# INFO>>> Creating chain 'in_sis900' under 'INPUT' in table 'filter'
/sbin/iptables -t filter -N in_sis900
/sbin/iptables -t filter -A INPUT -i eth0 -j in_sis900
# INFO>>> Creating chain 'out_sis900' under 'OUTPUT' in table 'filter'
/sbin/iptables -t filter -N out_sis900
/sbin/iptables -t filter -A OUTPUT -o eth0 -j out_sis900
# === CONFIGURATION STATEMENT =================================================
# CONF: 4>>> policy reject
# INFO>>> Setting interface 'eth0' (sis900) policy to reject
# === CONFIGURATION STATEMENT =================================================
# CONF: 5>>> client all accept
# INFO>>> Preparing for service 'all' of type 'client' under interface 'sis900'
# INFO>>> Creating chain 'in_sis900_all_c1' under 'in_sis900' in table 'filter'
/sbin/iptables -t filter -N in_sis900_all_c1
/sbin/iptables -t filter -A in_sis900 -j in_sis900_all_c1
# INFO>>> Creating chain 'out_sis900_all_c1' under 'out_sis900' in table 'filter'
/sbin/iptables -t filter -N out_sis900_all_c1
/sbin/iptables -t filter -A out_sis900 -j out_sis900_all_c1
# INFO>>> Running complex rules function rules_all() for client 'all'
/sbin/iptables -t filter -A out_sis900_all_c1 -m state --state NEW\,ESTABLISHED -j ACCEPT
/sbin/iptables -t filter -A in_sis900_all_c1 -m state --state ESTABLISHED -j ACCEPT
# === CONFIGURATION STATEMENT =================================================
# CONF: 5>>> client irc accept
# INFO>>> Preparing for service 'irc' of type 'client' under interface 'sis900'
# INFO>>> Creating chain 'in_sis900_irc_c2' under 'in_sis900' in table 'filter'
/sbin/iptables -t filter -N in_sis900_irc_c2
/sbin/iptables -t filter -A in_sis900 -j in_sis900_irc_c2
# INFO>>> Creating chain 'out_sis900_irc_c2' under 'out_sis900' in table 'filter'
/sbin/iptables -t filter -N out_sis900_irc_c2
/sbin/iptables -t filter -A out_sis900 -j out_sis900_irc_c2
# INFO>>> Running simple rules for client 'irc'
/sbin/iptables -t filter -A out_sis900_irc_c2 -p tcp --sport 32768:61000 --dport ircd -m state --state NEW\,ESTABLISHED -j ACCEPT
/sbin/iptables -t filter -A in_sis900_irc_c2 -p tcp --sport ircd --dport 32768:61000 -m state --state ESTABLISHED -j ACCEPT
# === CONFIGURATION STATEMENT =================================================
# CONF: 5>>> client ftp accept
# INFO>>> Preparing for service 'ftp' of type 'client' under interface 'sis900'
# INFO>>> Creating chain 'in_sis900_ftp_c3' under 'in_sis900' in table 'filter'
/sbin/iptables -t filter -N in_sis900_ftp_c3
/sbin/iptables -t filter -A in_sis900 -j in_sis900_ftp_c3
# INFO>>> Creating chain 'out_sis900_ftp_c3' under 'out_sis900' in table 'filter'
/sbin/iptables -t filter -N out_sis900_ftp_c3
/sbin/iptables -t filter -A out_sis900 -j out_sis900_ftp_c3
# INFO>>> Running complex rules function rules_ftp() for client 'ftp'
# INFO>>> Setting up rules for initial FTP connection client
/sbin/iptables -t filter -A out_sis900_ftp_c3 -p tcp --sport 32768:61000 --dport ftp -m state --state NEW\,ESTABLISHED -j ACCEPT
/sbin/iptables -t filter -A in_sis900_ftp_c3 -p tcp --sport ftp --dport 32768:61000 -m state --state ESTABLISHED -j ACCEPT
# INFO>>> Setting up rules for Active FTP client
/sbin/iptables -t filter -A in_sis900_ftp_c3 -p tcp --sport ftp-data --dport 32768:61000 -m state --state ESTABLISHED\,RELATED -j ACCEPT
/sbin/iptables -t filter -A out_sis900_ftp_c3 -p tcp --sport 32768:61000 --dport ftp-data -m state --state ESTABLISHED -j ACCEPT
# INFO>>> Setting up rules for Passive FTP client
/sbin/iptables -t filter -A out_sis900_ftp_c3 -p tcp --sport 32768:61000 --dport 1024:65535 -m state --state ESTABLISHED\,RELATED -j ACCEPT
/sbin/iptables -t filter -A in_sis900_ftp_c3 -p tcp --sport 1024:65535 --dport 32768:61000 -m state --state ESTABLISHED -j ACCEPT
# INFO>>> Finilizing interface 'sis900'
/sbin/iptables -t filter -A in_sis900 -m state --state RELATED -j ACCEPT
/sbin/iptables -t filter -A out_sis900 -m state --state RELATED -j ACCEPT
/sbin/iptables -t filter -A in_sis900 -p tcp -m limit --limit 1/second --limit-burst 5 -j LOG --log-level warning --log-prefix=IN-sis900:
/sbin/iptables -t filter -A in_sis900 -p tcp -j REJECT --reject-with tcp-reset
/sbin/iptables -t filter -A in_sis900 -m limit --limit 1/second --limit-burst 5 -j LOG --log-level warning --log-prefix=IN-sis900:
/sbin/iptables -t filter -A in_sis900 -j REJECT
/sbin/iptables -t filter -A out_sis900 -p tcp -m limit --limit 1/second --limit-burst 5 -j LOG --log-level warning --log-prefix=OUT-sis900:
/sbin/iptables -t filter -A out_sis900 -p tcp -j REJECT --reject-with tcp-reset
/sbin/iptables -t filter -A out_sis900 -m limit --limit 1/second --limit-burst 5 -j LOG --log-level warning --log-prefix=OUT-sis900:
/sbin/iptables -t filter -A out_sis900 -j REJECT
# INFO>>> Finilizing firewall policies
/sbin/iptables -t filter -A INPUT -m state --state RELATED -j ACCEPT
/sbin/iptables -t filter -A OUTPUT -m state --state RELATED -j ACCEPT
/sbin/iptables -t filter -A FORWARD -m state --state RELATED -j ACCEPT
/sbin/iptables -t filter -A INPUT -m limit --limit 1/second --limit-burst 5 -j LOG --log-level warning --log-prefix=IN-unknown:
/sbin/iptables -t filter -A INPUT -j DROP
/sbin/iptables -t filter -A OUTPUT -m limit --limit 1/second --limit-burst 5 -j LOG --log-level warning --log-prefix=OUT-unknown:
/sbin/iptables -t filter -A OUTPUT -j DROP
/sbin/iptables -t filter -A FORWARD -m limit --limit 1/second --limit-burst 5 -j LOG --log-level warning --log-prefix=PASS-unknown:
/sbin/iptables -t filter -A FORWARD -j DROP
# Make it drop everything on table 'filter'.
for c in ${firehol_filter_chains}
do
/sbin/iptables -t filter -P "${c}" DROP >/tmp/firehol-tmp-17777/firehol-out.sh.log 2>&1
r=$?; test ! ${r} -eq 0 && runtime_error error ${r} INIT /sbin/iptables -t filter -P "${c}" DROP
done
load_kernel_module ip_conntrack_irc
load_kernel_module ip_conntrack_ftp
FireHOL: Restoring old firewall: OK
|
So what have I done wrong, and what do you suggest I do?
ktsaou Tux's lil' helper
Joined: 10 Jul 2003 Posts: 80
Posted: Mon May 10, 2004 9:25 am Post subject:
Hi,
please make sure you have compiled iptables against your current kernel. iptables depends on the internal kernel structures for its operations. If the iptables ebuild you have installed has been compiled with a different kernel version, such errors may occur.
Therefore I suggest re-emerging iptables.
Also make sure that your kernel has all the iptables features compiled either built-in or as modules.
Costa
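Every failing command in fideli's `firehol start` output uses `-m state`, and `iptables: No chain/target/match by that name` is what iptables prints when the kernel does not provide a match or target extension a rule asks for, which is the mismatch ktsaou describes. The pre-flight check below is an added example, not code from the thread or from FireHOL: it pulls the `-m` matches and `-j` targets out of a generated firewall script (such as the `firehol debug` dump above) and compares them with the lists the running kernel publishes in `/proc/net/ip_tables_matches` and `/proc/net/ip_tables_targets`, so the missing extension is named before the firewall is activated rather than after fifteen errors and a rollback. The sample script and kernel lists are constructed for the demonstration; `live_report` assumes those two proc files, which exist only once `ip_tables` itself is loaded.

```shell
#!/bin/sh
# Added pre-flight check (not part of the thread or of FireHOL): list the
# iptables matches (-m) and targets (-j) a generated firewall script uses and
# compare them with what the running kernel advertises in
# /proc/net/ip_tables_matches and /proc/net/ip_tables_targets.
# "iptables: No chain/target/match by that name" on a '-m state' rule means
# the kernel has no 'state' match available (ipt_state on top of ip_conntrack).

# option_args SCRIPT OPT -> unique words that follow OPT (e.g. "-m") in SCRIPT
option_args() {
    printf '%s\n' "$1" |
        awk -v opt="$2" '{ for (i = 1; i < NF; i++) if ($i == opt) print $(i + 1) }' |
        sort -u
}

# used_matches SCRIPT -> match extensions the script relies on
used_matches() {
    option_args "$1" -m
}

# used_targets SCRIPT -> target extensions the script relies on, excluding the
# built-in verdicts and the user chains the script creates itself with -N
used_targets() {
    chains=" ACCEPT DROP RETURN $(option_args "$1" -N | tr '\n' ' ')"
    option_args "$1" -j | while read -r t; do
        case "$chains" in
            *" $t "*) ;;                 # verdict or chain from this script
            *) printf '%s\n' "$t" ;;     # needs a kernel target module
        esac
    done
}

# missing NEEDED AVAILABLE -> names in NEEDED (one per line) absent from AVAILABLE
missing() {
    printf '%s\n' "$1" | while read -r n; do
        [ -n "$n" ] || continue
        printf '%s\n' "$2" | grep -qx -- "$n" || printf '%s\n' "$n"
    done
}

# report SCRIPT MATCHES TARGETS -> "match:NAME" / "target:NAME" per missing item
report() {
    missing "$(used_matches "$1")" "$2" | sed 's/^/match:/'
    missing "$(used_targets "$1")" "$3" | sed 's/^/target:/'
}

# live_report FILE -> the same check against the running kernel's proc files;
# they only exist once ip_tables itself is loaded, so that case is reported too.
live_report() {
    if [ ! -r /proc/net/ip_tables_matches ]; then
        echo "ip_tables is not loaded (no /proc/net/ip_tables_matches)" >&2
        return 2
    fi
    report "$(cat -- "$1")" "$(cat /proc/net/ip_tables_matches)" \
           "$(cat /proc/net/ip_tables_targets)"
}

# Constructed sample: a slice of the script from the thread, plus the lists a
# kernel might advertise when ipt_state (state match) and ipt_LOG are absent.
SAMPLE_SCRIPT='/sbin/iptables -t filter -N in_sis900
/sbin/iptables -t filter -A INPUT -i eth0 -j in_sis900
/sbin/iptables -t filter -A in_sis900 -m state --state RELATED -j ACCEPT
/sbin/iptables -t filter -A in_sis900 -p tcp -m limit --limit 1/second -j LOG --log-prefix=IN-sis900:
/sbin/iptables -t filter -A in_sis900 -p tcp -j REJECT --reject-with tcp-reset'
SAMPLE_MATCHES='icmp
limit
tcp
udp'
SAMPLE_TARGETS='REJECT
MASQUERADE'

# On the sample this prints "match:state" and "target:LOG". On a real box:
#   firehol debug > /tmp/fw.sh && live_report /tmp/fw.sh
report "$SAMPLE_SCRIPT" "$SAMPLE_MATCHES" "$SAMPLE_TARGETS"
```

An empty report means every extension the script needs is known to the kernel, which leaves the iptables userspace/kernel version mismatch ktsaou mentions as the next thing to check; a `match:state` line points straight at the conntrack/state modules the thread is about.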