[Firehol-support] Routing between virtual interfaces

Carlos Rodrigues cefrodrigues at gmail.com
Wed Jan 28 16:53:12 GMT 2009


On Wed, Jan 28, 2009 at 4:07 PM, M. O. <mofog at hotmail.com> wrote:
> Still, how could the routing possibly work though the firewall, and
> therefore the routing, has been shut down?

Routing is completely independent of the firewall.

When "/proc/sys/net/ipv4/ip_forward" is enabled, routing is enabled.
The firewall (iptables) allows you to control what can pass and what
can't, it does not control routing itself.

In fact you can do advanced routing configurations without having any
kind of firewall (just "man ip" and see the "route" section), but I
don't think that applies to your case.

Now, when you enable firehol, it enables the stateful part of iptables
(ip_conntrack). In its most simple aspect, this means when a
connection is established from A to B, this is memorized by the
firewall so that corresponding traffic from B to A can flow. You can
see the list of memorized connections by catting the
"/proc/net/ip_conntrack" file.

If there are no problems when the firewall is down, but when it is up
sometimes it works and sometimes it doesn't, then it really looks like
a connection tracking issue. You can add "log" parameters to some
rules in the firehol configuration and then see what gets blocked. If
there's stuff (that should be allowed) being blocked by the firewall,
the logging information should provide some clues as to why.

Regards,

-- 
Carlos Rodrigues
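As an added example (not part of Carlos's reply or of FireHOL itself), the script below checks the three things the message points at: the ip_forward switch, the memorized connections in /proc/net/ip_conntrack, and the iptables LOG lines that show what the firewall dropped. It then cross-checks the two: a flow the firewall memorized but marked [UNREPLIED], whose reply direction also shows up in the log, is the signature of a connection-tracking problem. The conntrack lines, log lines and addresses are constructed samples so the script runs offline; swap in the real files (noted in the comments) on the gateway.

```shell
#!/bin/sh
# Added example, not from the mailing list. Inputs below are constructed.

# Constructed lines in the classic /proc/net/ip_conntrack format:
# one replied TCP flow, one half-open TCP flow, one unanswered UDP query.
SAMPLE_CONNTRACK='tcp      6 431999 ESTABLISHED src=192.168.1.10 dst=10.0.0.5 sport=45678 dport=22 packets=12 bytes=1800 src=10.0.0.5 dst=192.168.1.10 sport=22 dport=45678 packets=10 bytes=2100 [ASSURED] mark=0 use=1
tcp      6 117 SYN_SENT src=192.168.1.10 dst=10.0.0.5 sport=45680 dport=80 packets=3 bytes=180 [UNREPLIED] src=10.0.0.5 dst=192.168.1.10 sport=80 dport=45680 packets=0 bytes=0 mark=0 use=1
udp      17 29 src=192.168.1.10 dst=10.0.0.53 sport=5353 dport=53 packets=1 bytes=60 [UNREPLIED] src=10.0.0.53 dst=192.168.1.10 sport=53 dport=5353 packets=0 bytes=0 mark=0 use=1'

# Constructed iptables LOG lines as they appear in syslog/dmesg
# (hostname "gw" and the interface names are placeholders).
SAMPLE_LOG='Jan 28 16:40:01 gw kernel: IN=eth1 OUT=eth0 SRC=10.0.0.5 DST=192.168.1.10 LEN=60 PROTO=TCP SPT=80 DPT=45680 SYN ACK
Jan 28 16:40:02 gw kernel: IN=eth1 OUT=eth0 SRC=10.0.0.5 DST=192.168.1.10 LEN=60 PROTO=TCP SPT=80 DPT=45680 SYN ACK
Jan 28 16:40:05 gw kernel: IN=eth0 OUT= SRC=192.168.1.10 DST=192.168.1.1 LEN=44 PROTO=UDP SPT=5353 DPT=53'

# ip_forward_state VALUE: VALUE is the content of /proc/sys/net/ipv4/ip_forward.
# Routing happens only when it is 1, whatever the firewall is doing.
ip_forward_state() {
    case "$1" in
        1) echo "enabled" ;;
        *) echo "disabled" ;;
    esac
}

# unreplied_flows: reads ip_conntrack lines on stdin and prints
# "proto src dst dport" for every flow the firewall memorized in the
# original direction but never saw a reply for. The first src=/dst= pair
# on a line is the original direction, the second pair is the reply.
unreplied_flows() {
    awk '/\[UNREPLIED\]/ {
        src = ""; dst = ""; dport = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^src=/ && src == "")     src = substr($i, 5)
            if ($i ~ /^dst=/ && dst == "")     dst = substr($i, 5)
            if ($i ~ /^dport=/ && dport == "") dport = substr($i, 7)
        }
        print $1, src, dst, dport
    }'
}

# blocked_summary: reads LOG lines on stdin and prints
# "count SRC DST PROTO DPT", most frequent first.
blocked_summary() {
    awk '{
        src = ""; dst = ""; proto = ""; dpt = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/)   src = substr($i, 5)
            if ($i ~ /^DST=/)   dst = substr($i, 5)
            if ($i ~ /^PROTO=/) proto = substr($i, 7)
            if ($i ~ /^DPT=/)   dpt = substr($i, 5)
        }
        if (src != "") count[src " " dst " " proto " " dpt]++
    }
    END { for (k in count) print count[k], k }' | sort -rn
}

# blocked_replies CONNTRACK_TEXT LOG_TEXT: for each unreplied flow, look for
# a logged packet travelling in the reply direction (from the flow's dst
# back to its src, with the flow's dport as source port). A hit means the
# firewall saw the reply and logged it instead of matching it to the entry.
blocked_replies() {
    printf '%s\n' "$1" | unreplied_flows | while read -r proto src dst dport; do
        if printf '%s\n' "$2" | grep -F "SRC=$dst DST=$src " | grep -qF "SPT=$dport "; then
            echo "$proto $src->$dst:$dport reply from $dst was logged by the firewall"
        fi
    done
}

# On a real gateway replace the sample text with the live files, e.g.
#   ip_forward_state "$(cat /proc/sys/net/ipv4/ip_forward)"
#   unreplied_flows < /proc/net/ip_conntrack
#   blocked_summary < /var/log/messages
ip_forward_state 1
printf '%s\n' "$SAMPLE_CONNTRACK" | unreplied_flows
printf '%s\n' "$SAMPLE_LOG" | blocked_summary
blocked_replies "$SAMPLE_CONNTRACK" "$SAMPLE_LOG"
```

On the constructed input the script reports the half-open TCP flow to port 80 as unreplied and shows that the SYN/ACK coming back from 10.0.0.5 was logged twice, which is exactly the symptom Carlos describes: routing is fine, the outbound packet left, and the firewall refused the reply. The UDP query to port 53 is unreplied but has no matching log line, so the cause there is not the firewall.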
