[Firehol-support] Help Needed - Debugging Implicitly Dropped Forwarded Packets

Federico Sevilla III jijo at fs3.ph
Tue Dec 29 05:01:17 GMT 2009


I hope someone can help me debug a situation regarding some implicitly
dropped forwarded packets. Here is one sample log message:

        Dec 29 12:44:52 firewall 'PASS-unknown:' IN=eth0 OUT=eth2 MAC=00:15:17:bf:70:64:00:11:d8:b1:c2:ba:08:00  SRC= DST= LEN=52 TOS=10 PREC=0x00 TTL=63 ID=16479 DF PROTO=TCP SPT=48985 DPT=80 SEQ=2105617222 ACK=3098975575 WINDOW=46 ACK URGP=0 

At the outset, this looks really simple. For what should be a very
"open" setup, just add:

        router foo inface eth0 outface eth2
                server all accept

But the above message about this implicitly dropped forwarded packet
appeared with exactly that in the Firehol configuration file (properly
restarted after the modification). Also note that when Firehol is
stopped, things work just fine. Unfortunately that is not how we want
the firewall to operate. ;)

Now to describe the network, which may be a bit weird. These are two
separate /24 networks with the firewall in the middle. is
the workstation and is the server. The firewall has IP
addresses and physical interfaces on each subnet. The firewall's address is the default gateway of is a virtual server, using OpenVZ. Its default gateway is the
OpenVZ internal address, using the default venet. The hardware node,
with multiple network cards, sits on both the and networks because of some other servers it hosts which
shouldn't go through the firewall anymore to remove a bottleneck.

Because of the routing tables on the OpenVZ hardware node, traceroutes
from to no longer pass through the firewall. The
traceroutes work when Firehol on the firewall is stopped, but no longer
work when Firehol on the firewall is started.

A trace from to would be:

1. (firewall)
2. (hardware node)

Meanwhile, a trace from to would be:

1. (hardware node)

When Firehol is stopped, both ping and HTTP work fine. With Firehol started:

1. is able to ping
2. is NOT able to ping
3. is able to connect to port 80 (e.g. via
telnet) but no responses are received to any data sent.

Would appreciate advice on what Firehol rules should be able to solve
this particular scenario.

Thank you very much.


Federico Sevilla III
F S 3 Consulting Inc.
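As an added example (not from the post or the FireHOL project), the following Python parses the netfilter LOG line quoted above and classifies the dropped packet. It shows that the logged segment is a forwarded TCP packet carrying only the ACK flag, i.e. a mid-stream packet with no SYN; that is what connection tracking rejects when the firewall has seen only one direction of a flow, which fits the asymmetric return path the traceroutes describe. The SRC/DST values are blank in the archived line and are handled as such; the second sample line and its addresses are constructed for contrast.

```python
"""Parse a netfilter LOG line of the kind FireHOL emits and classify the drop."""

# The log line from the post; SRC=/DST= were already blank in the archive copy.
SAMPLE_DROP = ("Dec 29 12:44:52 firewall 'PASS-unknown:' IN=eth0 OUT=eth2 "
               "MAC=00:15:17:bf:70:64:00:11:d8:b1:c2:ba:08:00  SRC= DST= LEN=52 "
               "TOS=10 PREC=0x00 TTL=63 ID=16479 DF PROTO=TCP SPT=48985 DPT=80 "
               "SEQ=2105617222 ACK=3098975575 WINDOW=46 ACK URGP=0 ")
# Constructed contrast case: a plain SYN (connection opening) on the same path.
SAMPLE_SYN = ("Dec 29 12:44:51 firewall 'PASS-unknown:' IN=eth0 OUT=eth2 "
              "SRC=192.0.2.10 DST=198.51.100.20 LEN=60 TOS=10 PREC=0x00 TTL=63 "
              "ID=16478 DF PROTO=TCP SPT=48985 DPT=80 WINDOW=5840 SYN URGP=0")

TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}

def parse_nf_log(line):
    """Return (fields, flags): key=value tokens and bare TCP flag tokens.
    'ACK=...' is the acknowledgement number; a bare 'ACK' is the flag."""
    fields, flags = {}, set()
    for tok in line.split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            fields[key] = val          # blank values (SRC=, DST=) stay ""
        elif tok in TCP_FLAGS:
            flags.add(tok)
    return fields, flags

def classify(fields, flags):
    """Say what kind of packet fell through to FireHOL's implicit drop."""
    if "IN" not in fields or "OUT" not in fields:
        return "unparsed"
    # Both interfaces named means the packet was being routed (FORWARD chain).
    path = "forward" if fields["IN"] and fields["OUT"] else "local"
    if fields.get("PROTO") != "TCP":
        return f"{path}:{fields.get('PROTO', '?').lower()}"
    if "SYN" in flags and "ACK" not in flags:
        return f"{path}:tcp-syn"          # new connection: a rule/policy question
    if "SYN" not in flags:
        # No SYN and already dropped: conntrack holds no valid state for it,
        # the signature of the firewall seeing only one direction of the flow.
        return f"{path}:tcp-midstream"
    return f"{path}:tcp-synack"

def summarize(line):
    """Verdict plus the fields a firewall admin checks first."""
    fields, flags = parse_nf_log(line)
    return (classify(fields, flags), fields.get("IN", ""), fields.get("OUT", ""),
            fields.get("SPT", ""), fields.get("DPT", ""), sorted(flags))

if __name__ == "__main__":
    for sample in (SAMPLE_DROP, SAMPLE_SYN):
        print(summarize(sample))
```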
