[Firehol-support] Need help setting up a service definition for znc

Tsaousis, Costa costa at tsaousis.gr
Tue Jan 27 10:31:39 GMT 2015


You should add the znc port to the module too:

rmmod nf_nat_irc nf_conntrack_irc
modprobe -v nf_conntrack_irc ports=6660,6667,9999,31337
modprobe -v nf_nat_irc

and in firehol, you are going to need:

server znc accept
client irc accept

Costa


On Tue, Jan 27, 2015 at 12:27 PM, Tsaousis, Costa <costa at tsaousis.gr> wrote:
> Hi Simon,
>
> 1. In general, if firehol is dropping traffic, you should have logs
> about this. You could use these logs to identify what needs to be
> matched in order to allow the traffic.
> 2. IRC is a complex protocol, this is why there are kernel modules for
> it, to allow matching related sockets.
>
> The kernel module allows setting the ports the IRC servers are listening:
>
>  # modinfo nf_conntrack_irc
> filename:
> /lib/modules/3.14.14-gentoo/kernel/net/netfilter/nf_conntrack_irc.ko
> alias:          nfct-helper-irc
> alias:          ip_conntrack_irc
> license:        GPL
> description:    IRC (DCC) connection tracking helper
> author:         Harald Welte <laforge at netfilter.org>
> depends:        nf_conntrack
> intree:         Y
> vermagic:       3.14.14-gentoo SMP preempt mod_unload modversions
> parm:           ports:port numbers of IRC servers (array of ushort)
> parm:           max_dcc_channels:max number of expected DCC channels
> per IRC session (uint)
> parm:           dcc_timeout:timeout on for unestablished DCC channels (uint)
>
> You can set options to this module permanently, usually by adding a
> new file with an options line to /etc/modprobe.d/.
> Check your distribution documentation for this.
>
> You can also do this by hand:
>
> rmmod nf_nat_irc nf_conntrack_irc
> modprobe -v nf_conntrack_irc ports=6660,6667,9999
> modprobe -v nf_nat_irc
>
> Keep in mind that the above will have to be done at every boot. So it
> is preferred to use the /etc/modprobe.d method.
>
> Once you have setup the kernel module properly, you should re-define
> the firehol irc service too.
> The default is this:
>
> server_irc_ports="tcp/6667"
> client_irc_ports="default"
>
> it should become:
>
> server_irc_ports="tcp/6667 tcp/6660 tcp/9999"
> client_irc_ports="default"
>
> Then, just do 'server irc accept' for your server and 'client irc
> accept' for your client (since you have a proxy, you most probably
> need both server and client statements).
>
> If still doesn't work, check your logs for dropped packets.
>
> Costa
>
>
>
> On Tue, Jan 27, 2015 at 10:19 AM, Simon Szustkowski <mail at simonszu.de> wrote:
>> Hey guys,
>>
>> i could need some help setting up a service definition for znc (an IRC
>> bouncer).
>> The behaviour of znc is that it spawns a server on port 31337/tcp and
>> connects as a client to several IRC networks. The networks i have
>> configured in my installation are using the ports 6667/tcp, 6660/tcp
>> and 9999/tcp.
>> The problem i have is: The server runs fine, but it has some problems
>> with connecting to the networks. It is definitely a firehol/general
>> firewall problem, because everything works as expected when i disable
>> firehol completely.
>> My current service definition for znc looks like this:
>>
>> server_znc_ports="tcp/31337"
>> client_znc_ports="default"
>>
>> The funny thing is: When i change something in the client ports config,
>> and apply the new configuration, znc manages to connect to the networks
>> for some time, but will soon disconnect with a "No route to host"
>> error.
>>
>> I assume there is some kind of port shifting happening, so i tried to
>> include the kernel modules which are also part of the IRC service
>> definition. The result: znc was no more reachable at all, even the
>> server side was not reachable.
>>
>> So i have no idea how to resolve this issue, and therefore i am asking
>> here, hoping that someone of you has already created a working config,
>> or has some other idea how to check what's going on here.
>>
>> Thank you very much.
>>
>> Yours, Simon
>> _______________________________________________
>> Firehol-support mailing list
>> Firehol-support at lists.firehol.org
>> http://lists.firehol.org/mailman/listinfo/firehol-support



More information about the Firehol-support mailing list