[Firehol-support] Routing between virtual interfaces
cefrodrigues at gmail.com
Wed Jan 28 16:53:12 GMT 2009
On Wed, Jan 28, 2009 at 4:07 PM, M. O. <mofog at hotmail.com> wrote:
> Still, how could the routing possibly work though the firewall, and
> therefore the routing, has been shut down?
Routing is completely independent of the firewall.
When "/proc/sys/net/ipv4/ip_forward" is enabled, routing is enabled.
The firewall (iptables) allows you to control what can pass and what
can't; it does not control routing itself.
In fact you can do advanced routing configurations without having any
kind of firewall (just "man ip" and see the "route" section), but I
don't think that applies to your case.
Now, when you enable firehol, it enables the stateful part of iptables
(ip_conntrack). In its most simple aspect, this means when a
connection is established from A to B, this is memorized by the
firewall so that corresponding traffic from B to A can flow. You can
see the list of memorized connections by catting the
If there are no problems when the firewall is down, but when it is up
sometimes it works and sometimes it doesn't, then it really looks like
a connection tracking issue. You can add "log" parameters to some
rules in the firehol configuration and then see what gets blocked. If
there's stuff (that should be allowed) being blocked by the firewall,
the logging information should provide some clues as to why.
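An added example, not from this thread or from FireHOL itself: a POSIX shell script that checks the ip_forward switch the reply refers to and tallies iptables LOG lines (what a rule's "log" parameter emits) by interface pair, protocol and destination port, so blocked forwards between two virtual interfaces stand out. The log lines, the "fh-drop" prefix and the veth0/veth1 names are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original thread): triage iptables LOG output
# produced by FireHOL rules carrying "log" parameters, and check whether the
# kernel is routing at all.  The log lines below are constructed samples in
# the kernel LOG format; "fh-drop" and the veth names are hypothetical.

# Returns 0 when the kernel forwards IPv4 packets; this is what decides
# whether routing happens, independently of any firewall rules.
forwarding_enabled() {
    [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = "1" ]
}

# Read iptables LOG lines on stdin and print a count per distinct
# (in iface -> out iface, proto, dst port) tuple, most frequent first.
# An empty OUT= means the packet was for the firewall host itself,
# not a forwarded packet.
summarize_blocked() {
    awk '
    /IN=/ {
        in_if = ""; out_if = ""; proto = ""; dpt = ""
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "IN")    in_if = (kv[2] == "" ? "-" : kv[2])
            if (kv[1] == "OUT")   out_if = (kv[2] == "" ? "-" : kv[2])
            if (kv[1] == "PROTO") proto = kv[2]
            if (kv[1] == "DPT")   dpt = kv[2]
        }
        count[in_if " -> " out_if " " proto " dpt=" dpt]++
    }
    END { for (k in count) printf "%6d %s\n", count[k], k }
    ' | sort -rn
}

# Constructed sample: two forward-direction drops, one dropped reply
# (veth1 -> veth0, the pattern a conntrack problem produces), one local.
SAMPLE_LOG='Jan 28 16:50:01 fw kernel: fh-drop IN=veth0 OUT=veth1 SRC=10.0.0.5 DST=10.0.1.9 PROTO=TCP SPT=40000 DPT=80
Jan 28 16:50:02 fw kernel: fh-drop IN=veth0 OUT=veth1 SRC=10.0.0.5 DST=10.0.1.9 PROTO=TCP SPT=40001 DPT=80
Jan 28 16:50:03 fw kernel: fh-drop IN=veth1 OUT=veth0 SRC=10.0.1.9 DST=10.0.0.5 PROTO=TCP SPT=80 DPT=40000
Jan 28 16:50:04 fw kernel: fh-drop IN=veth0 OUT= SRC=10.0.0.5 DST=10.0.0.1 PROTO=UDP SPT=5353 DPT=5353'

if forwarding_enabled; then echo "ip_forward=1: routing is on"; else echo "ip_forward is 0 or unreadable"; fi
printf '%s\n' "$SAMPLE_LOG" | summarize_blocked
```

A dropped line whose IN/OUT pair and ports are the mirror image of an allowed connection (here veth1 -> veth0 with dpt=40000) is the reply traffic the post says conntrack should have let through, which is where to start looking.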