[Firehol-support] Why are packets wrongly being dropped?

Jimisola Laursen lists at jimisola.com
Sat Jun 3 19:51:20 BST 2006


Hi!

All of a sudden I have major problems with my firewall. I can no longer send
mail. Trying to telnet to my ISP's SMTP server (not on my network) from my client
machine fails due to a timeout. If I do the same from my server/firewall it works
without any problems.
I have the same problem with IMAP using SSL (143). I haven't been able to figure
out whether the problem is due to:

1. the ISP
2. my firewall
3. my Windows client

I don't see any log messages in my logs for the above.


But, more importantly, I also just realized that my firewall drops outgoing
bittorrent traffic that it shouldn't drop.
The router in question uses reverse masquerade and has some DNAT port forwards.

What is causing the problems?

Regards,
Jimisola

firewall log entries (for what I assume is bittorrent traffic):

Jun  3 17:40:59 fermat kernel: PASS-unknown:IN=eth3 OUT=eth0 SRC=10.0.1.10 DST=69.35.192.165 LEN=44 TOS=0x00 PREC=0x00 TTL=127 ID=41268 DF PROTO=TCP SPT=46890 DPT=5115 WINDOW=65535 RES=0x00 ACK SYN URGP=0
Jun  3 17:41:03 fermat kernel: PASS-unknown:IN=eth3 OUT=eth0 SRC=10.0.1.10 DST=125.212.125.200 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=41697 DF PROTO=TCP SPT=4549 DPT=31749 WINDOW=65535 RES=0x00 SYN URGP=0
Jun  3 17:41:05 fermat kernel: PASS-unknown:IN=eth3 OUT=eth0 SRC=10.0.1.10 DST=69.35.192.165 LEN=44 TOS=0x00 PREC=0x00 TTL=127 ID=41735 DF PROTO=TCP SPT=46890 DPT=5115 WINDOW=65535 RES=0x00 ACK SYN URGP=0
Jun  3 17:43:26 fermat kernel: PASS-unknown:IN=eth3 OUT=eth0 SRC=10.0.1.10 DST=89.132.12.106 LEN=70 TOS=0x00 PREC=0x00 TTL=127 ID=44603 PROTO=UDP SPT=46890 DPT=18718 LEN=50
Jun  3 17:43:28 fermat kernel: PASS-unknown:IN=eth3 OUT=eth0 SRC=10.0.1.10 DST=74.134.139.152 LEN=70 TOS=0x00 PREC=0x00 TTL=127 ID=44648 PROTO=UDP SPT=46890 DPT=5006 LEN=50
Jun  3 17:43:28 fermat kernel: PASS-unknown:IN=eth3 OUT=eth0 SRC=10.0.1.10 DST=124.100.242.234 LEN=65 TOS=0x00 PREC=0x00 TTL=127 ID=44657 PROTO=UDP SPT=46890 DPT=6881 LEN=45


This is my firewall configuration:

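version 5

# Internet-facing interface
INET_IF="eth0"

# The network of our client lan (1000mbit)
LAN_IPS="10.0.1.0/24"
LAN_IF="eth3"

# NOTE(review): VPN_IF and VPN_IPS are referenced by the "lan" interface
# below but are not assigned anywhere in this listing; confirm they are set
# before this file is read (an unset variable expands to nothing there).

# add blacklist support
# TODO

# Avoid logging to console
FIREHOL_LOG_LEVEL="4"

# Set logging a little more restrictive than defaults
FIREHOL_LOG_FREQUENCY="30/minute"
FIREHOL_LOG_BURST="2"

# CUSTOM SERVICES
# Each custom service is declared by a server_<name>_ports /
# client_<name>_ports pair; "default" selects FireHOL's default client-port
# range.
#my dc++
server_my_dcpp_ports="tcp/1414 udp/1414"
client_my_dcpp_ports="default"

#webmin
server_webmin_ports="tcp/10000"
client_webmin_ports="default"

#bittorrent
server_bt_knuth_ports="tcp/46890 udp/46890"
client_bt_knuth_ports="default"

#igmp
server_igmp_ports="igmp/any"
client_igmp_ports="any"

# PORT FORWARDING
# All forwards below accept any routable Internet source (src not
# UNROUTABLE_IPS) and hand the connection to 10.0.1.10; the inet2lan router
# further down must also accept the service for the forwarded packets to pass.
# Keep each dnat statement on a single line: the config is read as shell, so a
# wrapped "dport ..." continuation would be run as a separate, unknown command.
# dc++ on tcp/1414 udp/1414 (ISP blocks/limits default ports)
dnat to 10.0.1.10:1414 inface "${INET_IF}" src not "${UNROUTABLE_IPS}" proto tcp dport 1414
dnat to 10.0.1.10:1414 inface "${INET_IF}" src not "${UNROUTABLE_IPS}" proto udp dport 1414

# rdp on tcp/3389 udp/3389
# NOTE(review): this exposes Remote Desktop on 10.0.1.10 to every routable
# source address; if only a few hosts need it, narrow "src" to those. Also,
# no server_rdp_ports/client_rdp_ports pair is declared in this listing, so
# the server "rdp" rule in the router relies on FireHOL already knowing that
# service - confirm.
dnat to 10.0.1.10:3389 inface "${INET_IF}" src not "${UNROUTABLE_IPS}" proto tcp dport 3389
dnat to 10.0.1.10:3389 inface "${INET_IF}" src not "${UNROUTABLE_IPS}" proto udp dport 3389

# bittorrent on tcp/46890 or udp/46890 to Windows machine
dnat to 10.0.1.10:46890 inface "${INET_IF}" src not "${UNROUTABLE_IPS}" proto tcp dport 46890
dnat to 10.0.1.10:46890 inface "${INET_IF}" src not "${UNROUTABLE_IPS}" proto udp dport 46890

# INTERNET
# Traffic to/from the firewall host itself on the Internet interface.
interface "${INET_IF}" internet src not "${UNROUTABLE_IPS}"
 policy drop
 protection strong 10/sec 10

 server "ident" reject with tcp-reset

 # Limit logging by dropping (without log) noisy unsolicited traffic:
 #  - external dhcp requests/broadcasts
 #  - external cups/ipp traffic
 #  - external netbios traffic
 server "dhcp cups netbios_dgm netbios_ns netbios_ssn microsoft_ds" drop

 # disabled http server "http" accept
 server " ssh  ping" accept

 client all accept

# LAN/VPN to SERVER
# Traffic to/from the firewall host itself on the LAN and VPN interfaces.
interface "${LAN_IF} ${VPN_IF}" lan src "${LAN_IPS} ${VPN_IPS}"
 policy reject

 server "cups dns dhcp http icmp samba ssh vnc xdmcp" accept

 client "ssh icmp samba" accept

# Internet to LAN
# Router between the Internet and the LAN: "server" rules apply to traffic
# entering on INET_IF towards LAN_IPS; "client all accept" is what lets the
# LAN open connections towards the Internet.
router inet2lan inface "${INET_IF}" outface "${LAN_IF}" src not "${UNROUTABLE_IPS}" dst "${LAN_IPS}"
 masquerade reverse

 server "ident" reject with tcp-reset

 # Forwarded services, accepted only for the DNAT target host
 group with dst "10.0.1.10"
  server "my_dcpp" accept
  server "bt_knuth" accept
  server "rdp" accept
 group end

 client all accept

 # NOTE(review): the PASS-unknown lines in the report are LAN->Internet
 # packets (IN=eth3 OUT=eth0) that FireHOL logged as unmatched: SYN/ACK and
 # UDP packets from the forwarded port 46890, plus one plain SYN from an
 # ephemeral port, which I would expect "client all accept" to cover. Check
 # which chain emits that log (iptables -L -v -n) and the connection-tracking
 # state of those flows before loosening any rule; the SMTP/IMAP timeouts seen
 # from the client cross the same forwarding path and may share the cause.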




