[Firehol-support] network inaccessible

Costa Tsaousis costa at tsaousis.gr
Tue Nov 2 20:59:10 CET 2004


Hi,

protection strong includes a syn-floods and an icmp protection. From the
documentation:

---

syn-floods
Allows only a certain amount of new TCP connections per second. The
optional two arguments [requests/sec] and [burst] are used by this rule in
order to provide control on the number of connections to be allowed. The
default is 100 connections per second that can match 50 (it was 4 in v1.38
and before) packets initially (this is implemented using the limit module
of iptables: see man iptables for more).

Note that this rule applies to all connections attempted regardless of
their final result (rejected, dropped, established, etc). Therefore it
might not be a good idea to set it too low.


icmp-floods
Allows only a certain amount of ICMP echo requests per second. The
optional two arguments [requests/sec] and [burst] are used by this rule in
order to provide control on the number of connections to be allowed. The
default is 100 connections per second that can match 50 (it was 4 in v1.38
and before) packets initially (this is implemented using the limit module
of iptables: see man iptables for more).

---

Therefore, nmap is producing more connections per second than your
protection settings allow.

Ideally, the syn-floods protection should be implemented with iplimit or
connlimit, instead of the 'limit' module, so that just the offending host
will be automatically blocked. However, only 'limit' can be found in stock
kernels. Until any of the other modules makes it into stock kernels, you can
either set the protection to a higher rate or avoid using the syn-floods and
icmp-floods protections.

Costa

> Hi All,
> I have a kind of bizarre problem on my hands. I have a private network
> 10.96.0.0/16 which uses the gateway 10.96.1.1. The machine (A) 10.96.6.1
> has got a separate internet connection and has a public IP of
> 203.90.xxx.xxx.
>
> I installed firehol on `A' where, besides normal firewall rules, I do packet
> forwarding for an internal machine: 10.96.6.201. Afterwards I ran an nmap
> scan on the public IP 203.90.xxx.xxx, where the packets are routed via
> 10.96.1.1. The bizarre thing is that while the nmap is going on (and even
> for a while after it finishes) the internal IP (10.96.6.1), or for that
> matter any other machine in the private LAN, becomes inaccessible (from all
> the machines, even those which are not running nmap). This problem is solved if
> I remove firehol.
>
> For your consideration, my firehol.conf is attached below.
>
> Any pointer as to how will be highly helpful.
>
> Best Regards,
> praveen
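
An added illustration of the point Costa makes above (not FireHOL's own code, and not part of the original thread): the first two functions print the kind of iptables rules that a "syn-floods" / "icmp-floods" protection built on the `limit` module amounts to, the third prints the per-source `connlimit` alternative (modern iptables syntax, a hypothetical threshold of 20, and it needs a kernel that ships xt_connlimit), and `limit_simulate` is a small token-bucket model of the `limit` match showing why one scanner's SYN rate exhausts a bucket that every host on the LAN shares. Nothing here touches the running firewall; the rules are only printed, and the arrival times fed to the simulation are constructed sample data.

```shell
#!/bin/sh
# Added example: what FireHOL-style flood protection maps onto, and why a
# shared 'limit' bucket throttles every host, not just the scanner.

# Rule text (not applied) for a global token bucket on new TCP connections.
# Defaults mirror the documented FireHOL values: 100/sec, burst 50.
syn_floods_rule() {
    rate="${1:-100}"
    burst="${2:-50}"
    echo "iptables -A INPUT -p tcp --syn -m limit --limit ${rate}/second --limit-burst ${burst} -j ACCEPT"
    echo "iptables -A INPUT -p tcp --syn -j DROP"
}

# Same shape for ICMP echo requests.
icmp_floods_rule() {
    rate="${1:-100}"
    burst="${2:-50}"
    echo "iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit ${rate}/second --limit-burst ${burst} -j ACCEPT"
    echo "iptables -A INPUT -p icmp --icmp-type echo-request -j DROP"
}

# Per-source alternative: connlimit counts connections per source address
# (mask 32), so only the host exceeding the threshold is held back.
# The threshold 20 is a hypothetical value, not a FireHOL default.
connlimit_rule() {
    max="${1:-20}"
    echo "iptables -A INPUT -p tcp --syn -m connlimit --connlimit-above ${max} --connlimit-mask 32 -j DROP"
}

# Simplified token bucket, as the limit module behaves: the bucket holds
# 'burst' tokens, refills at 'rate' tokens per second, and each packet that
# finds a token is matched (accepted). Arguments: rate, burst, then packet
# arrival times in milliseconds. Prints the number of packets accepted.
# (Integer math in milli-tokens; the kernel's jiffy granularity is ignored.)
limit_simulate() {
    rate=$1; burst=$2; shift 2
    cap=$((burst * 1000))
    tokens=$cap
    last=0; accepted=0
    for t in "$@"; do
        # rate tokens/sec == rate milli-tokens per millisecond
        tokens=$((tokens + (t - last) * rate))
        if [ "$tokens" -gt "$cap" ]; then tokens=$cap; fi
        last=$t
        if [ "$tokens" -ge 1000 ]; then
            tokens=$((tokens - 1000))
            accepted=$((accepted + 1))
        fi
    done
    echo "$accepted"
}

# Constructed sample: a scanner sending 200 SYNs in one second (one every
# 5 ms), well above the 100/sec default, as a port scan easily does.
scan_sample() {
    i=0
    while [ "$i" -lt 200 ]; do
        printf '%s ' $((i * 5))
        i=$((i + 1))
    done
}

# Stand-alone run: show the rules and how much of the scan gets through.
# Any legitimate SYN from another LAN host arriving while the bucket is
# empty is dropped just the same, which is the symptom described above.
syn_floods_rule
icmp_floods_rule
connlimit_rule
echo "scan packets accepted out of 200: $(limit_simulate 100 50 $(scan_sample))"
```

The simulation counts only SYNs from the scanner, but the bucket is global: every other host's new connection competes for the same tokens, so during the scan the whole LAN looks unreachable, which is exactly the reason a per-source match (`connlimit`, or `iplimit` on kernels of that era) is the better tool when it is available.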