[Firehol-support] SYN ACK issues.

Winston Nolan winston at louiskarol.com
Mon Jul 31 10:25:25 CEST 2006


Hi there List,

First off, thank you for this brilliant application! You really made a 
great effort; bash scripting is powerful, man!
Guys, my firewall is working lovely, although I have one problem.

My mail hits the outside IP of my ADSL router and from there is 
forwarded into my network, and I keep on getting this:

Jul 31 10:20:23 localhost kernel: 'PASS-unknown:'IN=eth0 OUT=eth0 SRC=10.1.30.251 DST=12.205.143.123 LEN=48 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=25 DPT=1107 WINDOW=5840 RES=0x00 ACK SYN URGP=0
Jul 31 10:20:28 localhost kernel: 'PASS-unknown:'IN=eth0 OUT=eth1 SRC=10.1.30.251 DST=196.36.166.122 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=25 DPT=47062 WINDOW=5792 RES=0x00 ACK SYN URGP=0
Jul 31 10:22:27 localhost kernel: 'PASS-unknown:'IN=eth0 OUT=eth0 SRC=10.1.30.251 DST=203.196.157.114 LEN=48 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=25 DPT=3565 WINDOW=5840 RES=0x00 ACK SYN URGP=0

10.1.30.251 is the IP of my mail server. How can I get past this?
It seems to me (complete novice) that the SYN comes through but my ACK 
doesn't want to go?

I have the following in my firehol.conf

# Clamp the TCP MSS to the path MTU of the outgoing interface (useful behind PPPoE/ADSL).
tcpmss auto

#forward http traffic to my webserver on the other side of the wireless (eth1)
#nat to-destination 192.168.1.10 proto tcp dport 3128 dst 10.1.30.0/24

# Redirect http traffic to squid
#redirect to 3128 inface eth0 src 10.1.30.0/24 proto tcp dport 80

# Traffic to and from the firewall host itself, per interface.
interface eth0 lan
        server all accept
        client all accept

interface eth1 wireless
        server all accept
        client all accept

# Traffic forwarded through the firewall. Inside a router, "masquerade"
# with no argument masquerades on the router's outface.
router route1 inface eth0 outface eth1 src any dst any
        masquerade
        route all accept
router route2 inface eth1 outface eth0 src any dst any
        masquerade
        route all accept
# Hairpin routers: packets that enter and leave on the same interface.
router route3 inface eth0 outface eth0 src any dst any
        route all accept
router route4 inface eth0 outface eth0 src 10.1.30.0/24 dst any
        route all accept

Thank you very much for the support, and I wish you guys a lovely day!
Winston
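The three log entries above all have the same shape: a SYN+ACK from the mail server's port 25, entering on eth0, logged as unmatched. A SYN+ACK is the second packet of a handshake, so the first thing to check is whether the firewall saw the SYN that provoked it (if it did not, netfilter's connection tracking has no entry for the flow and the reply cannot match any state-based rule), and whether the reply enters and leaves on the same interface, which suggests the request reached the server without crossing the firewall. The script below is an added example, not FireHOL code or anything from the original post: it parses iptables kernel log lines in the format shown (quoted prefix, `KEY=value` fields, bare TCP flag words), then reports SYN+ACK packets whose reverse-tuple SYN never appeared earlier in the log, together with a hairpin marker. The first three sample lines are the ones quoted above; the last two are constructed (with hypothetical `IN-lan:`/`OUT-lan:` prefixes and the documentation address 192.0.2.10) to show a reply whose SYN was seen and is therefore not flagged. The check is only meaningful on a log that records both directions of the flows in question, for example a rule set that also logs accepted packets or a capture converted to this format; a log that contains only unmatched packets will flag every reply.

```python
"""Triage iptables/FireHOL kernel log lines: find TCP SYN+ACK packets whose
matching SYN was never logged, and note whether they hairpin on one interface.

Added example for the mailing-list post above; not part of FireHOL.
"""
import re
from collections import namedtuple

# Lines 1-3 are the entries quoted in the post.  Lines 4-5 are constructed:
# a SYN seen by the firewall and the SYN+ACK that answers it (not flagged).
SAMPLE_LOG = """\
Jul 31 10:20:23 localhost kernel: 'PASS-unknown:'IN=eth0 OUT=eth0 SRC=10.1.30.251 DST=12.205.143.123 LEN=48 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=25 DPT=1107 WINDOW=5840 RES=0x00 ACK SYN URGP=0
Jul 31 10:20:28 localhost kernel: 'PASS-unknown:'IN=eth0 OUT=eth1 SRC=10.1.30.251 DST=196.36.166.122 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=25 DPT=47062 WINDOW=5792 RES=0x00 ACK SYN URGP=0
Jul 31 10:22:27 localhost kernel: 'PASS-unknown:'IN=eth0 OUT=eth0 SRC=10.1.30.251 DST=203.196.157.114 LEN=48 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=25 DPT=3565 WINDOW=5840 RES=0x00 ACK SYN URGP=0
Jul 31 10:23:00 localhost kernel: 'IN-lan:'IN=eth1 OUT=eth0 SRC=192.0.2.10 DST=10.1.30.251 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=40000 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Jul 31 10:23:00 localhost kernel: 'OUT-lan:'IN=eth0 OUT=eth1 SRC=10.1.30.251 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=25 DPT=40000 WINDOW=5792 RES=0x00 ACK SYN URGP=0
"""

# Bare words iptables emits for TCP flags.  "DF" is the IP don't-fragment bit,
# not a TCP flag, so it is deliberately absent from this set.
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG", "ECE", "CWR"}

# Everything after "kernel:": an optional quoted log prefix, then IN=... fields.
LINE_RE = re.compile(r"kernel:\s*(?:'(?P<prefix>[^']*)')?\s*(?P<rest>IN=.*)$")

Packet = namedtuple("Packet", "prefix fields flags")


def parse_line(line):
    """Return a Packet for one iptables log line, or None if it is not one."""
    m = LINE_RE.search(line)
    if not m:
        return None
    fields, flags = {}, set()
    for tok in m.group("rest").split():
        key, eq, val = tok.partition("=")
        if eq:                      # KEY=value (value may be empty, e.g. OUT=)
            fields[key] = val
        elif tok in TCP_FLAGS:      # bare TCP flag word
            flags.add(tok)
        # other bare tokens (DF, MF, CE ...) are ignored here
    return Packet(m.group("prefix") or "", fields, frozenset(flags))


def find_orphan_replies(log_text):
    """Return SYN+ACK packets whose reverse-tuple SYN did not appear earlier.

    Connection tracking needs to see the SYN to create a flow entry; a reply
    without one matches no ESTABLISHED/RELATED rule and falls through to the
    unmatched log.  'hairpin' is True when IN and OUT are the same interface.
    """
    seen_syn = set()
    orphans = []
    for line in log_text.splitlines():
        pkt = parse_line(line)
        if pkt is None or pkt.fields.get("PROTO") != "TCP":
            continue
        f = pkt.fields
        flow = (f["SRC"], f["SPT"], f["DST"], f["DPT"])
        if pkt.flags == {"SYN"}:
            seen_syn.add(flow)
            continue
        if pkt.flags == {"SYN", "ACK"}:
            reverse = (f["DST"], f["DPT"], f["SRC"], f["SPT"])
            if reverse not in seen_syn:
                inface, outface = f.get("IN", ""), f.get("OUT", "")
                orphans.append({
                    "prefix": pkt.prefix,
                    "src": f["SRC"], "sport": int(f["SPT"]),
                    "dst": f["DST"], "dport": int(f["DPT"]),
                    "in": inface, "out": outface,
                    "hairpin": bool(inface) and inface == outface,
                })
    return orphans


if __name__ == "__main__":
    for o in find_orphan_replies(SAMPLE_LOG):
        note = " (hairpin: request probably bypassed the firewall)" if o["hairpin"] else ""
        print(f"{o['prefix']} SYN+ACK {o['src']}:{o['sport']} -> {o['dst']}:{o['dport']} "
              f"in={o['in']} out={o['out']} without a logged SYN{note}")
```

Run it against `/var/log/messages` (or `journalctl -k`) instead of `SAMPLE_LOG` to see which replies have no tracked SYN; on the quoted lines it reports all three, two of them hairpinned on eth0.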
