[Firehol-support] Disable ip_conntrack table

Sim simvirus at gmail.com
Mon Dec 17 09:15:24 GMT 2007


>
> a. policy accept
>
> router wan2lan inface eth0 outface eth1
>         policy accept
>
> there is no need to define the opposite router.
>

Hi Costa,
this is the output with "policy accept" for "router"


FireHOL: Saving your old firewall to a temporary file:     [  OK  ]
FireHOL: Processing file /etc/firehol/firehol.conf:
--------------------------------------------------------------------------------
ERROR #: 1
WHAT   : Creating chain 'out_wan2lan' under 'FORWARD' in table 'filter'
WHY    : Primary command is 'router' but 'interface' is required.
COMMAND: policy accept
SOURCE : line 90 of /etc/firehol/firehol.conf


NOTICE: No changes made to your firewall.
                                                           [FAILED]



> b. Use "anystateless" instead of "all"
>
> router wan2lan inface eth0 outface eth1
>         server anystateless route1 accept
>         client anystateless route2 accept
>

No error but without good results:

# cat /proc/net/ip_conntrack  | wc -l
20312



> c. Just append this iptables command to your firehol.conf:
>
> iptables -t filter -A FORWARD -j ACCEPT
>

Another result with no error, but with connection tracker  at work

# cat /proc/net/ip_conntrack  | wc -l
21734

Thanks
Sim




More information about the Firehol-support mailing list