[Firehol-support] Firehol router command when inface and outface the same

Phil Whineray phil at sanewall.org
Wed Jun 17 18:46:45 BST 2015


The use of inface = outface is just fine.

Your problem is that most rules generated by FireHOL use the stateful
connection tracker. No reply (in this case a ping reply) is permitted
unless the correct traffic was first sent.

You should be able to use the "anystateless" service to do what you want
(just note the extra parameter compared to normal):


On Wed, Jun 17, 2015 at 12:27:23PM -0400, Whit Blauvelt wrote:
> Hi,
> I have a somewhat strange LAN layout, where the main LAN has more than one
> external firewall. In this case an OpenVPN server is on one firewall (not
> firehol), while a different firewall (firehol) is among other things the
> default NAT gateway for several other VLANs on a VMware server sitting on
> the LAN. 
> When traffic comes in via OpenVPN destined for VMs on those VMware VLANs,
> the default route back hits the firehol firewall, which has a route to send
> the traffic onward to the OpenVPN server. In non-firehol iptables setups
> this would work. In this case though, even with
> interface4 eth0 LAN
>         client all accept
>         server all accept
> and 
> router4 lan2vpn inface eth0 outface eth0
>         server all accept
> traffic coming from the VMware VLANs gets blocked by the firehol rules.
> Jun 17 12:24:42 systemname kernel: [29194586.424759] PASS-unknown:IN=eth0
> OUT=eth0 MAC=00:19:b9:f9:9e:de:00:00:5e:00:01:c0:08:00 SRC=
> DST= LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=23980 PROTO=ICMP TYPE=0
> CODE=0 ID=23798 SEQ=18
> Is this something firehol can't handle that I should code for by hand, if I
> want to solve it here?
> Whit
> _______________________________________________
> Firehol-support mailing list
> Firehol-support at lists.firehol.org
> http://lists.firehol.org/mailman/listinfo/firehol-support
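As an added illustration (my own example, not part of Phil's reply or Whit's original config), here is what the router stanza from the question looks like when switched to the "anystateless" service, where the extra parameter is a rule name. The interface name eth0 and the router name lan2vpn are taken from the question; the rule name lan2vpn_any is a constructed placeholder:

```firehol
# eth0 is both inface and outface: traffic that leaves the LAN via this
# firewall but whose other half (the echo request) arrived via the other
# firewall never creates a conntrack entry, so stateful rules drop the reply.
router4 lan2vpn inface eth0 outface eth0
        # "anystateless" bypasses the connection tracker for this router,
        # so ICMP echo replies (TYPE=0) are matched on their own.
        # The extra parameter (lan2vpn_any, a placeholder name) is the
        # name FireHOL requires for the any/anystateless services.
        route anystateless lan2vpn_any accept
```

Because the stateless rule does not check that a request preceded the reply, it accepts every protocol in both directions between the two interfaces. In practice you would narrow it with FireHOL's optional rule parameters (for example src and dst set to the OpenVPN and VMware VLAN networks) so that only the asymmetrically routed traffic loses the stateful check, and keep the ordinary stateful interface and router definitions for everything else.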
