[Firehol-support] Disable ip_conntrack table
Sim
simvirus at gmail.com
Mon Dec 17 09:15:24 GMT 2007
>
> a. policy accept
>
> router wan2lan inface eth0 outface eth1
> policy accept
>
> there is no need to define the opposite router.
>
Hi Costa,
This is the output with "policy accept" for "router":
FireHOL: Saving your old firewall to a temporary file: [ OK ]
FireHOL: Processing file /etc/firehol/firehol.conf:
--------------------------------------------------------------------------------
ERROR #: 1
WHAT : Creating chain 'out_wan2lan' under 'FORWARD' in table 'filter'
WHY : Primary command is 'router' but 'interface' is required.
COMMAND: policy accept
SOURCE : line 90 of /etc/firehol/firehol.conf
NOTICE: No changes made to your firewall.
[FAILED]
> b. Use "anystateless" instead of "all"
>
> router wan2lan inface eth0 outface eth1
> server anystateless route1 accept
> client anystateless route2 accept
>
No error, but without good results:
# cat /proc/net/ip_conntrack | wc -l
20312
> c. Just append this iptables command to your firehol.conf:
>
> iptables -t filter -A FORWARD -j ACCEPT
>
Another result with no error, but with the connection tracker at work:
# cat /proc/net/ip_conntrack | wc -l
21734
Thanks
Sim
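A configuration that keeps forwarded traffic out of ip_conntrack, as an added example that is not from this thread or from FireHOL's own documentation: an ACCEPT in the filter table (suggestion c) runs after conntrack has already created the entry, so the only way to avoid the entry is to mark the packet in the raw table before tracking happens. The example assumes a kernel and iptables with the raw table and the NOTRACK target (newer iptables spells the same thing `-j CT --notrack`), uses eth0/eth1 as in the thread, and picks "route1"/"route2" as arbitrary names for the anystateless rules.

```bash
# firehol.conf fragment (added example, not the thread author's config)
version 5

# The raw table is traversed before connection tracking. Packets hit by
# NOTRACK get no ip_conntrack entry at all. FireHOL passes "iptables"
# lines through unchanged, so these are applied with the rest of the config.
# Assumption: iptable_raw and xt_NOTRACK (or xt_CT) are available.
iptables -t raw -A PREROUTING -i eth0 -j NOTRACK
iptables -t raw -A PREROUTING -i eth1 -j NOTRACK

# Untracked packets never match ESTABLISHED/RELATED, so the router must
# accept them statelessly in both directions; "policy accept" is not
# allowed in a router section, which is the ERROR #1 seen above.
router wan2lan inface eth0 outface eth1
    server anystateless route1 accept
    client anystateless route2 accept
```

After `firehol start`, `cat /proc/net/ip_conntrack | wc -l` should stay roughly flat under forwarding load, and `iptables -t raw -L PREROUTING -v -n` shows the packet counters climbing on the two NOTRACK rules. One caveat: in PREROUTING the routing decision has not been made yet, so these rules also untrack packets addressed to the firewall itself on eth0/eth1, and any stateful `interface` section for the host will stop seeing ESTABLISHED replies on those interfaces; narrow the NOTRACK rules with a `! -d <firewall address>` match if the box also terminates connections.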