[Firehol-support] Need help setting up a service definition for znc

Tsaousis, Costa costa at tsaousis.gr
Tue Jan 27 10:27:58 GMT 2015

Hi Simon,

1. In general, if firehol is dropping traffic, you should have logs
about this. You could use these logs to identify what needs to be
matched in order to allow the traffic.
2. IRC is a complex protocol; this is why there are kernel modules for
it, to allow matching related sockets.

The kernel module allows setting the ports the IRC servers are listening on:

# modinfo nf_conntrack_irc
alias:          nfct-helper-irc
alias:          ip_conntrack_irc
license:        GPL
description:    IRC (DCC) connection tracking helper
author:         Harald Welte <laforge at netfilter.org>
depends:        nf_conntrack
intree:         Y
vermagic:       3.14.14-gentoo SMP preempt mod_unload modversions
parm:           ports:port numbers of IRC servers (array of ushort)
parm:           max_dcc_channels:max number of expected DCC channels per IRC session (uint)
parm:           dcc_timeout:timeout on for unestablished DCC channels (uint)

You can set options to this module permanently, usually by adding a
new file with an options line to /etc/modprobe.d/.
Check your distribution documentation for this.

You can also do this by hand:

rmmod nf_nat_irc nf_conntrack_irc
modprobe -v nf_conntrack_irc ports=6660,6667,9999
modprobe -v nf_nat_irc

Keep in mind that the above will have to be done at every boot. So it
is preferred to use the /etc/modprobe.d method.

Once you have set up the kernel module properly, you should re-define
the firehol irc service too.
The default is this:


it should become:

server_irc_ports="tcp/6667 tcp/6660 tcp/9999"

Then, just do 'server irc accept' for your server and 'client irc
accept' for your client (since you have a proxy, you most probably
need both server and client statements).

If it still doesn't work, check your logs for dropped packets.


On Tue, Jan 27, 2015 at 10:19 AM, Simon Szustkowski <mail at simonszu.de> wrote:
> Hey guys,
> I could use some help setting up a service definition for znc (an IRC
> bouncer).
> The behaviour of znc is that it spawns a server on port 31337/tcp and
> connects as a client to several IRC networks. The networks I have
> configured in my installation are using the ports 6667/tcp, 6660/tcp
> and 9999/tcp.
> The problem I have is: the server runs fine, but it has some problems
> with connecting to the networks. It is definitely a firehol/general
> firewall problem, because everything works as expected when I disable
> firehol completely.
> My current service definition for znc looks like this:
> server_znc_ports="tcp/31337"
> client_znc_ports="default"
> The funny thing is: when I change something in the client ports config
> and apply the new configuration, znc manages to connect to the networks
> for some time, but will soon disconnect with a "No route to host"
> error.
> I assume there is some kind of port shifting happening, so I tried to
> include the kernel modules which are also part of the IRC service
> definition. The result: znc was no longer reachable at all, even the
> server side was not reachable.
> So I have no idea how to resolve this issue, and therefore I am asking
> here, hoping that one of you has already created a working config,
> or has some other idea of how to check what's going on here.
> Thank you very much.
> Yours, Simon
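
As an added example (not part of the thread above or of the FireHOL project), this shell script keeps the two settings Costa describes in sync: the nf_conntrack_irc helper's port list in /etc/modprobe.d and the server_irc_ports line for firehol.conf. The ports are the three Simon listed; the modprobe.d file name and the sysfs parameter path are assumptions about the local system.

```shell
#!/bin/sh
# Added example: generate the IRC conntrack helper options and the FireHOL
# irc service definition from ONE port list, so the helper tracks DCC on
# exactly the ports FireHOL accepts. A mismatch between the two is one way
# an IRC client gets allowed at first and then dropped.

IRC_PORTS="6667 6660 9999"      # tcp ports the IRC networks listen on (from the thread)

# Every argument must be a TCP port number in 1..65535.
valid_ports() {
    for p in "$@"; do
        case "$p" in ''|*[!0-9]*) return 1 ;; esac
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || return 1
    done
}

# Line for /etc/modprobe.d/*.conf, e.g. "options nf_conntrack_irc ports=6667,6660,9999".
modprobe_options_line() {
    valid_ports "$@" || return 1
    printf 'options nf_conntrack_irc ports=%s\n' "$(IFS=,; printf '%s' "$*")"
}

# Line for firehol.conf, e.g. server_irc_ports="tcp/6667 tcp/6660 tcp/9999".
firehol_irc_ports() {
    valid_ports "$@" || return 1
    out=""
    for p in "$@"; do out="${out:+$out }tcp/$p"; done
    printf 'server_irc_ports="%s"\n' "$out"
}

# Compare the helper's live port list with the desired one. $1 is the sysfs
# parameter file (assumed /sys/module/nf_conntrack_irc/parameters/ports, readable
# as root), the rest are ports. Returns 0 on match, 1 on mismatch, 2 if unreadable
# (module not loaded).
helper_ports_match() {
    f=$1; shift
    [ -r "$f" ] || return 2
    [ "$(cat "$f")" = "$(IFS=,; printf '%s' "$*")" ]
}

# "apply" writes the modprobe.d file, prints the firehol line to paste before
# 'server irc accept', and reloads the helper as in the thread (paths assumed).
if [ "${1:-}" = "apply" ]; then
    set -- $IRC_PORTS
    modprobe_options_line "$@" > /etc/modprobe.d/nf_conntrack_irc.conf || exit 1
    firehol_irc_ports "$@"
    rmmod nf_nat_irc nf_conntrack_irc 2>/dev/null
    modprobe -v nf_conntrack_irc && modprobe -v nf_nat_irc
    helper_ports_match /sys/module/nf_conntrack_irc/parameters/ports "$@" && echo "helper ports OK"
fi
```

Run with `sh irc-ports.sh apply` as root, then re-run firehol so the redefined irc service takes effect.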
