[Firehol-support] Need help setting up a service definition for znc

Tsaousis, Costa costa at tsaousis.gr
Wed Jan 28 01:05:57 CET 2015


Simon,

Every time you restart firehol, znc (or the irc server) finds a short
time frame where all connections are allowed. Once it establishes a
connection, firehol allows it to remain after the firewall is
completely activated. This is by design (and there are a couple of
options to further control it - the key of which is fast activation,
which instantly activates the new firewall).

This means that if you restart znc without restarting firehol, you
should have at least one packet dropped: the initial client connection
of the znc client to the irc server.

If you don't have such a packet in your logs, then it might be
something else. To find it, I would tcpdump the traffic while
restarting firehol to find out what znc and the irc server are doing
and compare it with a tcpdump while the firehol is running.

For example, if I recall correctly, many irc servers depend on identd.
The irc server may be doing an ident back to you. By default firehol
drops this packet (with logging), but the irc server may have to
time out before deciding if it will allow or deny access. Probably if
you change the interface policy to reject, the irc server will get the
rejection and proceed.

Also, the irc server may have been configured to ping you back. It is
unusual, but it might be the case if this is the only packet you see
dropped. Try allowing ping too.

A tcpdump will most probably tell you what is happening since you will
be able to compare the traffic with and without the firewall active.

Costa
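
As an added illustration (not part of Costa's reply or the FireHOL project), the following script emits a firehol.conf fragment that puts the advice above into one place: a custom znc service (server side tcp/31337 as in Simon's setup, client side "default"), an interface policy of reject instead of drop, an explicit reject for ident lookups and accepted ping. The interface name eth0 and the output path are assumptions.

```shell
#!/bin/bash
# Added example: prints a FireHOL configuration fragment for a host running
# znc. "eth0" and the target path are assumptions, not from the thread.
znc_firehol_conf() {
    cat <<'EOF'
version 6

# Custom service "znc": it listens on tcp/31337 (Simon's setup). As a client
# it connects to the usual IRC ports, so "default" covers the client side.
server_znc_ports="tcp/31337"
client_znc_ports="default"

interface eth0 internet
    # reject rather than drop: a remote IRC server probing us (ident, ping)
    # gets an immediate answer instead of having to wait for a timeout.
    policy reject
    protection strong

    # the znc listener, plus ping in case the IRC server pings us back
    server znc accept
    server ping accept
    # answer ident lookups with a rejection rather than silence
    server ident reject

    # znc (and irssi) as IRC clients going out
    client all accept
EOF
}

# write_conf PATH: write the fragment to PATH and print its line count
write_conf() {
    znc_firehol_conf > "$1"
    wc -l < "$1"
}
```

Review the generated fragment before installing it as /etc/firehol/firehol.conf; the diagnostic step from the reply (tcpdump with and without the firewall active) is still the way to confirm which packet was being dropped.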


On Tue, Jan 27, 2015 at 4:46 PM, Simon Szustkowski <mail at simonszu.de> wrote:
> Hi Costa,
>
> thank you very much for your help.
>
> I have checked the log file, but it seems that the only packets which
> are blocked are some ICMP packets.
> So I investigated further, and made the following discoveries:
>
> Since the znc acts as a server on port 31337 and as a client on the
> "real" IRC ports, the error has to be on the client side. So I enabled
> "client all accept" in the interface definition, and
> client_znc_ports="any" in the service definition (just for testing).
> After executing 'firehol start', znc was able to connect to the IRC
> networks.
> But the funny thing is: after a restart of znc it wasn't able to
> connect anymore. I needed to alter the client port definition in the
> service definition again, this time to "default", and execute 'firehol
> start' again, while znc was running, to get a new connection to the IRC
> networks.
> I reproduced it, and it was every time the same. znc wasn't able to
> connect to the IRC networks directly after start, but only after
> applying firehol while znc was already running.
> I don't know, but shouldn't every client running on the firewalled
> machine be able to connect to the internet, since I allowed every
> client connection in firehol? In this case, znc acts as a normal IRC
> client, connecting to the networks.
>
> Of course, I loaded both modules with proper port definitions.
>
> ...hmm. I have tested IRC client connections from the firewalled
> machine with the help of irssi. Works like a charm. So I don't really
> know why my current firewall configuration works for znc acting as a
> server, but not as a client, but for irssi as a client, and why znc
> needs the workaround of firing 'firehol start' before it can work as a
> client...
>
> So I'm stuck as before. Sorry.
>
> Yours, Simon
