[Firehol-support] Firehol Status?

Rick Marshall rjm at zenucom.com
Mon Dec 11 18:04:24 CET 2006


I see lots of blocked port 25 as well, and I think for the same reason, 
but it doesn't stop my DNS working out there in the real world.

In fact it works so well I haven't used any other firewall config tool 
for a long time. We have lots of servers running all sorts of services 
including firewall traversal and my latest success which is to configure 
a multi-homed card instead of using 2 separate cards for a firewall.

You should also note that the external interface to iptables hasn't 
changed much for a long time so there's no big need to change the tools.

Great product - but keep in mind it's not the only tool in the box.

Regards
Rick

Carlos Rodrigues wrote:
> On 12/11/06, firehol firehol <firehol at gmail.com> wrote:
>
>> When I use a config file like shown below, I found that packets returning from DNS requests were sometimes being blocked, and incoming connections to port 25 were also sometimes blocked. (Even when all rules had 'client all accept' and 'server all accept'.)
>
> I see quite a few blocked connections to port 25. The reason is always
> "New TCP without SYN", which comes from the protection rules against
> malformed traffic inserted by FireHOL.
>
> I also see a bunch of refused port 53's destined to our servers, which
> I guess could very well be packets which arrive too late to be
> considered part of a previous request.
>
>> Do people use this firewall on real, working mail and DNS servers? Am I making some sort of mistake in my configs? I would love to get firehol working for my purposes.
>
> Yes, both on servers and on a firewall machine. I haven't noticed any
> problems in well over a year since this firewall went into production,
> nor have any users complained about any kind of problems.
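The two drop reasons discussed in this thread (TCP packets to port 25 that carry no SYN yet are treated as a new connection, and UDP replies from port 53 that arrive after the firewall has forgotten the request) can be told apart from the firewall's own log lines. The script below is an added example written for this archive page; it is not code from FireHOL or from any poster. It parses lines in the standard netfilter LOG format (KEY=VALUE fields followed by bare TCP flag tokens such as SYN, ACK, RST), and the sample lines, the "FW-DROP:" log prefix and the addresses in them are constructed for the example. The classification is a heuristic inferred from the packet fields, not read from a FireHOL reason string.

```python
from collections import Counter

# Constructed sample lines in netfilter LOG format. The "FW-DROP:" prefix,
# hosts and ports are made up for this example and are not from the thread.
SAMPLE_LOG = """\
Dec 11 17:58:01 gw kernel: FW-DROP: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 LEN=40 PROTO=TCP SPT=4521 DPT=25 WINDOW=0 RES=0x00 ACK RST URGP=0
Dec 11 17:58:04 gw kernel: FW-DROP: IN=eth0 OUT= SRC=198.51.100.8 DST=203.0.113.10 LEN=60 PROTO=TCP SPT=4611 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Dec 11 17:58:09 gw kernel: FW-DROP: IN=eth0 OUT= SRC=192.0.2.53 DST=203.0.113.10 LEN=112 PROTO=UDP SPT=53 DPT=33045 LEN=92
Dec 11 17:58:12 gw kernel: FW-DROP: IN=eth0 OUT= SRC=198.51.100.9 DST=203.0.113.10 LEN=40 PROTO=TCP SPT=4700 DPT=22 WINDOW=0 RES=0x00 ACK URGP=0
"""

# Bare tokens that netfilter's LOG target emits for set TCP flags.
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}


def parse_netfilter_line(line):
    """Split one LOG line into a dict of KEY=VALUE fields plus a FLAGS set."""
    fields = {}
    flags = set()
    for tok in line.split():
        if "=" in tok:
            key, _, val = tok.partition("=")
            fields[key] = val          # later duplicates (e.g. inner LEN=) win
        elif tok in TCP_FLAGS:
            flags.add(tok)
    fields["FLAGS"] = flags
    return fields


def classify(fields):
    """Heuristic label for why a stateful firewall dropped this packet."""
    proto = fields.get("PROTO")
    if proto == "TCP" and "SYN" not in fields["FLAGS"]:
        # A non-SYN segment the firewall does not recognise as part of a
        # tracked connection: the "New TCP without SYN" case. Typically a
        # stale ACK/RST from a connection that has already timed out.
        return "new-tcp-without-syn"
    if proto == "UDP" and fields.get("SPT") == "53":
        # A DNS answer from a server, arriving after the conntrack entry
        # for our outgoing query has expired: harmless noise.
        return "late-dns-reply"
    # Anything else (including a genuine SYN to a port that should be
    # served) is a real policy decision and deserves a look.
    return "policy-drop"


def classify_line(line):
    """Convenience wrapper: label for a single raw log line."""
    return classify(parse_netfilter_line(line))


def summarize(log_text):
    """Count drops per (label, protocol, destination port) over a log dump."""
    counts = Counter()
    for line in log_text.splitlines():
        if "PROTO=" not in line:      # skip lines that are not packet logs
            continue
        f = parse_netfilter_line(line)
        counts[(classify(f), f.get("PROTO"), f.get("DPT"))] += 1
    return counts


if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{n:4d}  {key[0]:<22} {key[1]}/{key[2]}")
```

Run against a real dump, the "new-tcp-without-syn" and "late-dns-reply" buckets are the ones this thread says can be ignored; a "policy-drop" entry for a port the host is meant to serve (the SYN to port 25 in the sample) is the one that points at a configuration problem rather than firewall noise.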