[Firehol-support] No connectivity off firewall host ??

Trent Goulden trent at plenty.co.za
Thu Jul 29 16:18:06 BST 2004 

Everything else works great, and fireHOL is fantastic

The problem i am experiencing is when firehol is enabled (started) i cannot
connect off the HOST machine.

This is my problem

------ SNIP -----

[root at spawn root]# ping http://www.sourceforge.net
PING sourceforge.net (66.35.250.203) 56(84) bytes of data.
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted

--- sourceforge.net ping statistics ---
8 packets transmitted, 0 received, 100% packet loss, time 7016ms

------ SNIP -----

and the logs

------ LOG SNIP -------

Jul 29 02:29:12 spawn kernel: OUT-unknown:IN= OUT=eth0 SRC=*.*.*.200
DST=66.35.250.203 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8
CODE=0 ID=60510 SEQ=1
Jul 29 02:29:13 spawn kernel: OUT-unknown:IN= OUT=eth0 SRC=*.*.*.200
DST=66.35.250.203 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8
CODE=0 ID=60510 SEQ=2
Jul 29 02:29:14 spawn kernel: OUT-unknown:IN= OUT=eth0 SRC=*.*.*.200
DST=66.35.250.203 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8
CODE=0 ID=60510 SEQ=3

------ LOG SNIP -------


All internal eth1 clients have full access, and everything NATS correctly
with External IP mapping.

Just this little issue off the HOST machine.

Conf follows...

thanks in advance

- Trent






version 5
#
# Custom service definitions
#
server_lotusSpam_ports="udp/1440"
client_lotusSpam_ports="1440"

server_rockwell_ports="udp/2222"
client_rockwell_ports="any"

##################################

# OI internal

##################################

INT_IF="eth1"
INT_IP="192.168.0.1"
INT_NET="192.168.0.0/24"
INT_BROADCAST="192.168.0.255"
INT_SPAWN_SERV="all"

SMOKE="192.168.0.129"
DARSH="192.168.0.151"
VIKING="192.168.0.160"
MARK="192.168.0.161"
NICK="192.168.0.162"
STOMPED="192.168.0.163"

##################################

# OI external

##################################

EXT_IF="eth0"
EXT_IP="*.*.*.200"
EXT_NET="*.*.*.0/23"
EXT_BROADCAST="*.*.*.255"
EXT_SPAWN_SERV="ssh icmp"
EXT_SMOKE="*.*.*.129"
EXT_DARSH="*.*.*.*"
EXT_VIKING="*.*.*.160"
EXT_MARK="*.*.*.161"
EXT_NICK="*.*.*.162"
EXT_STOMPED="*.*.*.163"


#################################
# SNAT #
#################################

# SMOKE DNAT & SNAT
#################################
snat to "${EXT_SMOKE}" outface "${EXT_IF}" src "${SMOKE}"
dnat to "${SMOKE}" inface "${EXT_IF}" src not "${INT_NET} ${UNROUTABLE_IPS}"
dst "${EXT_SMOKE}"

# DARSH DNAT & SNAT
#################################
snat to "${EXT_DARSH}" outface "${EXT_IF}" src "${DARSH}"
dnat to "${DARSH}" inface "${EXT_IF}" src not "${INT_NET} ${UNROUTABLE_IPS}"
dst "${EXT_DARSH}"

# VIKING DNAT & SNAT
#################################
snat to "${EXT_VIKING}" outface "${EXT_IF}" src "${VIKING}"
dnat to "${VIKING}" inface "${EXT_IF}" src not "${INT_NET}
${UNROUTABLE_IPS}" dst "${EXT_VIKING}"

# MARK DNAT & SNAT
#################################
snat to "${EXT_MARK}" outface "${EXT_IF}" src "${MARK}"
dnat to "${MARK}" inface "${EXT_IF}" src not "${INT_NET} ${UNROUTABLE_IPS}"
dst "${EXT_MARK}"

# NICK DNAT & SNAT
#################################
snat to "${EXT_NICK}" outface "${EXT_IF}" src "${NICK}"
dnat to "${NICK}" inface "${EXT_IF}" src not "${INT_NET} ${UNROUTABLE_IPS}"
dst "${EXT_NICK}"

# STOMPED DNAT & SNAT
#################################
snat to "${EXT_STOMPED}" outface "${EXT_IF}" src "${STOMPED}"
dnat to "${STOMPED}" inface "${EXT_IF}" src not "${INT_NET}
${UNROUTABLE_IPS}" dst "${EXT_STOMPED}"


# Catchall undefined NAT ???
#################################
snat to "${EXT_IP}" outface "${EXT_IF}" src "${INT_NET}"


#################################
# #
# INTERFACE DEFINITIONS #
# #
# #######################
# INTERNAL IF no protection #
# #
#######################################################

interface "${EXT_IF}" lotusSpamNuke
policy return
server lotusSpam drop dst 255.255.255.255
server rockwell drop dst 255.255.255.255

interface "${INT_IF}" spawnINT src "${INT_NET}" dst "${INT_IP}"
policy reject
server all accept
client all accept

#######################################################
# EXTERNAL IF (multiple ip`s) protected #
#######################################################

# spawn
interface "${EXT_IF}" spawnEXT src "${EXT_NET}" dst "${EXT_IP}"
protection strong
server "ssh" accept
client all accept
policy drop


# smoke
interface "${EXT_IF}" smokeEXT src "${EXT_NET}" dst "${EXT_SMOKE}"
protection strong
client all accept
policy drop


# darsh
interface "${EXT_IF}" darshEXT src "${EXT_NET}" dst "${EXT_DARSH}"
protection strong
client all accept
policy drop



# viking
interface "${EXT_IF}" vikingEXT src "${EXT_NET}" dst "${EXT_VIKING}"
protection strong
client all accept
policy drop


# mark
interface "${EXT_IF}" markEXT src "${EXT_NET}" dst "${EXT_MARK}"
protection strong
client all accept
policy drop


# nick
interface "${EXT_IF}" nickEXT src "${EXT_NET}" dst "${EXT_NICK}"
protection strong
client all accept
policy drop


# stomped
interface "${EXT_IF}" stompedEXT src "${EXT_NET}" dst "${EXT_STOMPED}"
protection strong
client all accept
policy drop


####################################################
# ROUTING SECTION #
####################################################

# Internet 2 LAN
router internet2lan inface "${EXT_IF}" outface "${INT_IF}" dst "${EXT_IP}" 
client icmp accept
route all accept

# LAN 2 Internet
router lan2internet inface "${INT_IF}" outface "${EXT_IF}" src "${INT_IP}"
client all accept
route all accept


####################################################
# CLIENT ROUTING IN & OUT #
####################################################

# SMOKE
# SMOKE 2 Lan
router smoke2lan inface "${EXT_IF}" outface "${INT_IF}" dst "${EXT_SMOKE}"
client all accept
route all accept

# SMOKE 2 Internet 
router smoke2internet inface "${INT_IF}" outface "${EXT_IF}" src "${SMOKE}"
client all accept
route all accept


# DARSH
# DARSH 2 Lan
router darsh2lan inface "${EXT_IF}" outface "${INT_IF}" dst "${EXT_DARSH}"
client all accept
route all accept

# DARSH 2 Internet
router darsh2internet inface "${INT_IF}" outface "${EXT_IF}" src "${DARSH}"
client all accept
route all accept


# VIKING
# VIKING 2 Lan
router viking2lan inface "${EXT_IF}" outface "${INT_IF}" dst "${EXT_VIKING}"
client all accept
route all accept

# VIKING 2 Internet
router viking2internet inface "${INT_IF}" outface "${EXT_IF}" src
"${VIKING}"
client all accept
route all accept


# MARK
# MARK 2 Lan
router mark2lan inface "${EXT_IF}" outface "${INT_IF}" dst "${EXT_MARK}"
client all accept
route all accept

# MARK 2 Internet
router mark2internet inface "${INT_IF}" outface "${EXT_IF}" src "${MARK}"
client all accept
route all accept


# NICK
# NICK 2 Lan
router nick2lan inface "${EXT_IF}" outface "${INT_IF}" dst "${EXT_NICK}"
client all accept
route all accept

# NICK 2 Internet
router nick2internet inface "${INT_IF}" outface "${EXT_IF}" src "${NICK}"
client all accept
route all accept


# STOMPED
# STOMPED 2 Lan
router stomped2lan inface "${EXT_IF}" outface "${INT_IF}" dst
"${EXT_STOMPED}"
client all accept
route all accept

# STOMPED 2 Internet
router stomped2internet inface "${INT_IF}" outface "${EXT_IF}" src
"${STOMPED}"
client all accept
route all accept

More information about the Firehol-support mailing list