[Firehol-support] Re: firehol vs traceroute

[Eric Sorenson]

Costa Tsaousis <costa at tsaousis.gr> wrote:
> Could you please check that your case is not included in this:
> 
> http://sourceforge.net/tracker/index.php?func=detail&aid=927509&group_id=58425&atid=487692
> 
> I had the same problem myself, and since I fixed the described issue,
> traceroute works perfectly. What bothers me, is that you have a log about
> it - in the problem reported above there was no log. Check it please and
> let me know.

Costa - Thanks for the quick response. The firewall in question is 
in production so I am reluctant to make changes unless I understand
them fully, but hopefully this will be easy to clear up. The comment
in that bug says:

    I have added the global variable:

    FIREHOL_DROP_INVALID=0

    If set to 1, it has the previous behaviour of dropping
    invalid packets. Now (v1.184) is not to drop invalid packets
    globally.

I am using 1.191, and indeed I have FIREHOL_DROP_INVALID=0 set. So
maybe it is the second part you refer to:

    I have also added the protection "invalid". This is enabled
    by default for "protection strong" statements. In this case,
    INVALID packets are dropped only for the interfaces and
    routers the protection is specified.

The interface which the traceroute is going through does not have
any 'protection' statements and there are no pr_${int}_* chain
names, so I don't think there are any '--state INVALID -j DROP'
rules that are getting hit.  

I will try to build a non-production environment that's as close
as possible to the real thing so I can be more aggressive about
testing. Thanks again for your help.
-- 

    Eric Sorenson - EXPLOSIVE Networking - http://explosive.net