[Firehol-support] Disable ip_conntrack table

Sim simvirus at gmail.com
Mon Dec 17 09:15:24 GMT 2007

> a. policy accept
> router wan2lan inface eth0 outface eth1
>         policy accept
> there is no need to define the opposite router.

Hi Costa,
This is the output with "policy accept" for "router":

FireHOL: Saving your old firewall to a temporary file:     [  OK  ]
FireHOL: Processing file /etc/firehol/firehol.conf:
ERROR #: 1
WHAT   : Creating chain 'out_wan2lan' under 'FORWARD' in table 'filter'
WHY    : Primary command is 'router' but 'interface' is required.
COMMAND: policy accept
SOURCE : line 90 of /etc/firehol/firehol.conf

NOTICE: No changes made to your firewall.

> b. Use "anystateless" instead of "all"
> router wan2lan inface eth0 outface eth1
>         server anystateless route1 accept
>         client anystateless route2 accept

No error but without good results:

# cat /proc/net/ip_conntrack  | wc -l

> c. Just append this iptables command to your firehol.conf:
> iptables -t filter -A FORWARD -j ACCEPT

Another result with no error, but with the connection tracker at work:

# cat /proc/net/ip_conntrack  | wc -l
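An added check, written for this thread and not part of FireHOL or either poster's configuration: a small lint that flags a `policy` line placed inside a `router` block, which is exactly what FireHOL rejects in attempt (a) with "Primary command is 'router' but 'interface' is required". The two sample configs are constructed from the snippets above; only the `interface`/`router`/`policy` keywords and the error text come from the thread.

```sh
# Constructed sample: attempt (a) from the thread, plus an interface block so
# that a legitimate 'policy' under 'interface' is exercised as well.
BAD_CONF='interface eth0 wan
        policy drop
        server ssh accept
router wan2lan inface eth0 outface eth1
        policy accept
        server anystateless route1 accept
        client anystateless route2 accept'

# The same config with the offending line removed (attempt (b) in the thread).
FIXED_CONF='interface eth0 wan
        policy drop
router wan2lan inface eth0 outface eth1
        server anystateless route1 accept
        client anystateless route2 accept'

# Prints one line per 'policy' found under a 'router' block, nothing when the
# config is clean. Runs in a subshell so that 'set -f' (no globbing while the
# config lines are word-split) does not leak into the caller.
lint_policy_under_router() (
    set -f
    conf=$1 lineno=0 primary=""
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        set -- $line                          # $1 is the line's first keyword
        if [ $# -eq 0 ]; then continue; fi    # blank line
        case "$1" in
            '#'*) continue ;;                 # comment
            interface|router) primary=$1 ;;   # a new primary command begins
            policy)
                if [ "$primary" = router ]; then
                    printf 'line %d: policy under router\n' "$lineno"
                fi ;;
        esac
    done <<EOF
$conf
EOF
    return 0
)

lint_policy_under_router "$BAD_CONF"      # prints: line 5: policy under router
lint_policy_under_router "$FIXED_CONF"    # prints nothing
```

The reported line number is the position inside the config text, so it lines up with the "SOURCE : line N of /etc/firehol/firehol.conf" that FireHOL itself prints when the real file is passed in with `lint_policy_under_router "$(cat /etc/firehol/firehol.conf)"`.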
