<html>
<head>
<style>
.hmmessage P
{
margin:0px;
padding:0px
}
body.hmmessage
{
font-size: 10pt;
font-family:Verdana
}
</style>
</head>
<body class='hmmessage'>
I added the log parameter to all router statements in my firehol config file. If I try to access the device this gets print out in /var/log/syslog a couple of times:<br><br>Feb 1 16:57:14 ds10 kernel: 'COMPA2COMPB:'IN=eth0 OUT=eth0 SRC=192.168.0.4 DST=192.168.1.51 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=58299 DF PROTO=TCP SPT=51215 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0<br><br>But nothing happens -- no ping works neither does accessing B's web interface. Besides the line above, nothing else gets logged. So the firewall seems to work fine, but where's the backward traffic from COMPB to COMPA? Shouldn't it get logged as well by the router statement? I'm more and more certain that all of this is caused by a switch, a bad wire or a loop within the network. I'll do some investigation on that later.<br><br><br>> Date: Wed, 28 Jan 2009 16:53:12 +0000<br>> Subject: Re: [Firehol-support] Routing between virtual interfaces<br>> From: cefrodrigues@gmail.com<br>> To: mofog@hotmail.com<br>> CC: firehol-support@lists.sourceforge.net<br>> <br>> On Wed, Jan 28, 2009 at 4:07 PM, M. O. <mofog@hotmail.com> wrote:<br>> > Still, how could the routing possibly work though the firewall, and<br>> > therefore the routing, has been shut down?<br>> <br>> Routing is completely independent of the firewall.<br>> <br>> When "/proc/sys/net/ipv4/ip_forward" is enabled, routing is enabled.<br>> The firewall (iptables) allows you to control what can pass and what<br>> can't, it does not control routing itself.<br>> <br>> In fact you can do advanced routing configurations without having any<br>> kind of firewall (just "man ip" and see the "route" section), but I<br>> don't think that applies to your case.<br>> <br>> Now, when you enable firehol, it enables the stateful part of iptables<br>> (ip_conntrack). In its most simple aspect, this means when a<br>> connection is established from A to B, this is memorized by the the<br>> firewall so that corresponding traffic from B to A can flow. You can<br>> see the list of memorized connections by catting the<br>> "/proc/net/ip_conntrack" file.<br>> <br>> If there are no problems when the firewall is down, but when it is up<br>> sometimes it works and sometimes it doesn't, then it really looks like<br>> a connection tracking issue. You can add "log" parameters to some<br>> rules in the firehol configuration and then see what gets blocked. If<br>> there's stuff (that should be allowed) being blocked by the firewall,<br>> the logging information should provide some clues as to why.<br>> <br>> Regards,<br>> <br>> -- <br>> Carlos Rodrigues<br><br /><hr />Der neue Messenger 2009 ist da! <a href='http://redirect.gimas.net/?n=M0902WLM2009' target='_new'>Kostenlos downloaden!</a></body>
</html>