[Firehol-support] Followup: FireHOL, OpenVPN bridge and routing

Costa Tsaousis costa at tsaousis.gr
Thu Feb 26 00:04:27 CET 2009


Tsolakos Stavros wrote:
> Hi again.
>
> I had messed up some permissions and the user "syslog" could not write
> to syslog. Here are the messages I get when I am trying to connect to
> the DSL router's administrative page (192.168.200.1) from a VPN
> connected client with IP=192.168.200.202. "vitrina" is the name of the
> machine firehol runs on:
>
> Feb 22 22:58:58 vitrina kernel: [ 1244.956942] 'PASS-unknown:'IN=br0 OUT=br0 PHYSIN=tap0 PHYSOUT=eth0 SRC=192.168.200.202 DST=192.168.200.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=50621 DF PROTO=TCP SPT=50266 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
> Feb 22 22:59:01 vitrina kernel: [ 1247.954931] 'PASS-unknown:'IN=br0 OUT=br0 PHYSIN=tap0 PHYSOUT=eth0 SRC=192.168.200.202 DST=192.168.200.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=50622 DF PROTO=TCP SPT=50266 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
> Feb 22 22:59:05 vitrina kernel: [ 1252.505314] 'PASS-unknown:'IN=br0 OUT=br0 PHYSIN=eth0 PHYSOUT=tap0 SRC=192.168.200.1 DST=239.255.255.250 LEN=342 TOS=0x00 PREC=0x00 TTL=4 ID=40149 PROTO=UDP SPT=1900 DPT=1900 LEN=322
> Feb 22 22:59:05 vitrina kernel: [ 1252.505602] 'PASS-unknown:'IN=br0 OUT=br0 PHYSIN=eth0 PHYSOUT=tap0 SRC=192.168.200.1 DST=239.255.255.250 LEN=344 TOS=0x00 PREC=0x00 TTL=4 ID=40150 PROTO=UDP SPT=1900 DPT=1900 LEN=324
> Feb 22 22:59:05 vitrina kernel: [ 1252.505881] 'PASS-unknown:'IN=br0 OUT=br0 PHYSIN=eth0 PHYSOUT=tap0 SRC=192.168.200.1 DST=239.255.255.250 LEN=354 TOS=0x00 PREC=0x00 TTL=4 ID=40151 PROTO=UDP SPT=1900 DPT=1900 LEN=334
> Feb 22 22:59:05 vitrina kernel: [ 1252.506167] 'PASS-unknown:'IN=br0 OUT=br0 PHYSIN=eth0 PHYSOUT=tap0 SRC=192.168.200.1 DST=239.255.255.250 LEN=348 TOS=0x00 PREC=0x00 TTL=4 ID=40152 PROTO=UDP SPT=1900 DPT=1900 LEN=328
> Feb 22 22:59:05 vitrina kernel: [ 1252.506427] 'PASS-unknown:'IN=br0 OUT=br0 PHYSIN=eth0 PHYSOUT=tap0 SRC=192.168.200.1 DST=239.255.255.250 LEN=289 TOS=0x00 PREC=0x00 TTL=4 ID=40153 PROTO=UDP SPT=1900 DPT=1900 LEN=269
> Feb 22 22:59:06 vitrina kernel: [ 1253.514597] 'PASS-unknown:'IN=br0 OUT=br0 PHYSIN=eth0 PHYSOUT=tap0 SRC=192.168.200.1 DST=239.255.255.250 LEN=342 TOS=0x00 PREC=0x00 TTL=4 ID=40161 PROTO=UDP SPT=1900 DPT=1900 LEN=322
> Feb 22 22:59:07 vitrina kernel: [ 1254.523877] 'PASS-unknown:'IN=br0 OUT=br0 PHYSIN=eth0 PHYSOUT=tap0 SRC=192.168.200.1 DST=239.255.255.250 LEN=342 TOS=0x00 PREC=0x00 TTL=4 ID=40173 PROTO=UDP SPT=1900 DPT=1900 LEN=322
>
> I don't understand why they are rejected. Perhaps something that has to
> do with PHYSIN/PHYSOUT?
>
> Thanks again.
>
> Stavros
>
Stavros,

If you check the logs you will see that IN= and OUT= are set to br0.
Packets are coming in from the bridge and are going out back to the
bridge, but you don't have such a router defined in firehol.conf.

For firehol, IN= is inface and OUT= is outface (as far as the requests
are concerned).

Another way is to use physin and physout instead of inface and outface
in firehol.conf.
Firehol's physin matches PHYSIN= and physout matches PHYSOUT=, so that:

router a_name physin eth0 physout tap0
   policy accept

router another_name physin eth0 physout pan0
   server http accept
   client smtp accept

I hope you got the idea.

Costa
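As an added example (not from this thread and not part of FireHOL itself), a small Python script that parses kernel log lines like the ones quoted above, maps IN/OUT/PHYSIN/PHYSOUT to FireHOL's inface/outface/physin/physout keywords, and tallies which flows hit the unknown-traffic rule. The two sample lines are taken from the thread and rejoined onto single lines; the router names it prints are placeholders, not FireHOL's own.

```python
import re
from collections import Counter

# Constructed sample: two of the kernel log lines quoted in the thread,
# each joined back onto one line (the mail client had wrapped them).
SAMPLE_LOG = """\
Feb 22 22:58:58 vitrina kernel: [ 1244.956942] 'PASS-unknown:'IN=br0 OUT=br0 PHYSIN=tap0 PHYSOUT=eth0 SRC=192.168.200.202 DST=192.168.200.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=50621 DF PROTO=TCP SPT=50266 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Feb 22 22:59:05 vitrina kernel: [ 1252.505314] 'PASS-unknown:'IN=br0 OUT=br0 PHYSIN=eth0 PHYSOUT=tap0 SRC=192.168.200.1 DST=239.255.255.250 LEN=342 TOS=0x00 PREC=0x00 TTL=4 ID=40149 PROTO=UDP SPT=1900 DPT=1900 LEN=322
"""

PREFIX_RE = re.compile(r"'([^']*):'")   # FireHOL's quoted log prefix, e.g. 'PASS-unknown:'
FIELD_RE = re.compile(r"(\w+)=(\S+)")   # netfilter KEY=VALUE pairs; bare flags (DF, SYN) are skipped

def parse_line(line):
    """Return the FireHOL prefix plus the KEY=VALUE fields of one netfilter log line, or None."""
    m = PREFIX_RE.search(line)
    if not m:
        return None
    fields = dict(FIELD_RE.findall(line[m.end():]))  # a repeated key (LEN=) keeps its last value
    fields["PREFIX"] = m.group(1)
    return fields

def firehol_match_terms(fields):
    """Map the logged interfaces onto the FireHOL keywords that would match this packet."""
    return {"inface": fields.get("IN"), "outface": fields.get("OUT"),
            "physin": fields.get("PHYSIN"), "physout": fields.get("PHYSOUT")}

def unmatched_flows(log_text):
    """Count (inface, outface, physin, physout, proto, dport) tuples that hit the
    unknown-traffic rule, i.e. flows no interface/router in firehol.conf covers."""
    counts = Counter()
    for line in log_text.splitlines():
        f = parse_line(line)
        if f is None or f["PREFIX"] != "PASS-unknown":
            continue
        t = firehol_match_terms(f)
        counts[(t["inface"], t["outface"], t["physin"], t["physout"],
                f.get("PROTO"), f.get("DPT"))] += 1
    return counts

def suggest_router(key):
    """Render a placeholder router line for one unmatched flow; the bridged form
    (physin/physout) is preferred when the bridge ports are known."""
    inface, outface, physin, physout, _proto, _dport = key
    if physin and physout:
        return f"router br_{physin}_{physout} physin {physin} physout {physout}"
    return f"router {inface}_to_{outface} inface {inface} outface {outface}"

if __name__ == "__main__":
    for key, n in unmatched_flows(SAMPLE_LOG).most_common():
        print(f"{n:4d}  {key[4]}/{key[5]:<5}  {suggest_router(key)}")
```

Run it against `/var/log/kern.log` (or the output of `dmesg`) instead of the sample to see which router definitions your firehol.conf is missing.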
