[Firehol-support] 2.02 and src with multiple IPs - syntax change?

Whit Blauvelt whit at transpect.com
Thu Mar 19 21:51:46 CET 2015


Hi Phil,

On further testing it looks like this is specific to something about the
older Ubuntu 10.04 system (with iptables 1.4.4) I was putting it on. On
12.04 there's no such problem. Since 10.04 is going out of support the end
of next month anyway, probably not something worth worrying about. I have
FireHOL on a variety of systems, but this may be the only time I've put it
on 10.04.

Best,

Whit

On Thu, Mar 19, 2015 at 07:04:20PM +0000, Phil Whineray wrote:
> On Thu, Mar 19, 2015 at 12:07:24PM -0400, Whit Blauvelt wrote:
> > Also, the comma separator worked in 2.0.0-rc.2.
> 
> Sorry about this but I don't seem to be able to reproduce it, can
> you give a complete minimal config?
> 
> I tried this:
> 
> interface any any
> 	client all accept
> 	server4 ssh accept src 1.2.3.4,5.6.7.8,192.168.1.0/24
> 
> but it worked just fine:
> 
> $ sudo ./sbin/firehol.in | head
> 
> FireHOL 2.0.2
> (C) Copyright 2003-2014 Costa Tsaousis <costa at tsaousis.gr>
> (C) Copyright 2012-2014 Phil Whineray <phil at firehol.org>
> FireHOL is distributed under the GPL v2+.
> Home Page: http://firehol.org
> 
> -------------------------------------------------------------------------
> Get notified of new FireHOL releases by subscribing to the mailing list:
>     http://lists.firehol.org/mailman/listinfo/firehol-support/
> 
> $ sudo ./sbin/firehol.in x.conf 
> FireHOL: Saving your old firewall to a temporary file: OK
> FireHOL: Processing file x.conf: OK
> FireHOL: Activating new firewall (52 rules): OK
> Keep the firewall? (type 'commit' to accept - 30 seconds timeout) : ^C
> 
> If I make it server instead of server4, I get an error but from
> ip6tables as expected, not from iptables as your error shows:
> 
> 2$ sudo ./sbin/firehol.in x.conf 
> FireHOL: Saving your old firewall to a temporary file: OK
> FireHOL: Processing file x.conf: OK
> FireHOL: Activating new firewall (52 rules):
> 
> --------------------------------------------------------------------------------
> ERROR   : # 1.
> WHAT    : A runtime command failed to execute (returned error 2).
> SOURCE  : line 3 of x.conf
> COMMAND : /sbin/ip6tables -t filter -A in_any_ssh_s4 -p tcp -s
> 1.2.3.4\,5.6.7.8\,192.168.1.0/24 --sport 1024:65535 --dport 22 -m
> conntrack --ctstate NEW\,ESTABLISHED -j ACCEPT 
> OUTPUT  : 
> 
> ip6tables v1.4.14: host/network `1.2.3.4' not found
> Try `ip6tables -h' or 'ip6tables --help' for more information.
> 
> 
> 
> --------------------------------------------------------------------------------
> ERROR   : # 2.
> WHAT    : A runtime command failed to execute (returned error 2).
> SOURCE  : line 3 of x.conf
> COMMAND : /sbin/ip6tables -t filter -A out_any_ssh_s4 -p tcp --sport 22
> -d 1.2.3.4\,5.6.7.8\,192.168.1.0/24 --dport 1024:65535 -m conntrack
> --ctstate ESTABLISHED -j ACCEPT 
> OUTPUT  : 
> 
> ip6tables v1.4.14: host/network `1.2.3.4' not found
> Try `ip6tables -h' or 'ip6tables --help' for more information.
> 
>  FAILED
> 
> 
> FireHOL: Restoring old firewall: OK
> 
> Is there some weird character after your 192.168.1.0/24? There is also
> an extra backslash in the error command that you showed:
> 
> > ERROR   : # 1.
> > WHAT    : A runtime command failed to execute (returned error 2).
> > SOURCE  : line 16 of /etc/firehol/firehol.conf
> > COMMAND : /sbin/iptables -t filter -A in_world_ssh_s2 -p tcp -s 1.2.3.4\,5.6.7.8\,192.168.1.0/24\ --sport 1024:65535 --dport 22 -m conntrack --ctstate NEW\,ESTABLISHED -j ACCEPT
> > OUTPUT  :
> 
> > iptables v1.4.4: host/network `1.2.3.4,5.6.7.8,192.168.1.0/24' not found
> > Try `iptables -h' or 'iptables --help' for more information.
> 
> 
> Cheers
> Phil
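
The two error messages in this thread differ in a telling way: Phil's ip6tables 1.4.14 complains about `1.2.3.4' alone, so it split the comma-separated list and choked on the first (IPv4) entry, while the iptables 1.4.4 error quotes the entire `1.2.3.4,5.6.7.8,192.168.1.0/24' string, so it handed the whole thing to the hostname resolver. The shell snippet below is an added example, not FireHOL code: it decides from the `iptables --version` line whether the local binary expands a comma-separated `-s` list itself and, if not, emits the per-address rules in the form FireHOL printed above. The version cutoff 1.4.11 is an assumption (the thread only shows 1.4.4 failing and 1.4.14 working); the function names are hypothetical, and an unparseable version line falls back to the safe per-address expansion.

```shell
#!/bin/sh
# Added example, not FireHOL's own code. Nothing here touches the kernel;
# the functions only build the iptables command lines seen in the thread.

# ASSUMPTION: iptables started expanding "-s a,b,c" into one rule per
# address in 1.4.11. The thread only demonstrates 1.4.4 (rejects the whole
# string) and 1.4.14 (splits it). Adjust to what your man page says.
IPTABLES_MULTI_ADDR_MIN=1.4.11

# version_ge A B: succeed when dotted version A >= B (first three fields).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= 3; i++) {
            xi = (i <= n) ? x[i] + 0 : 0
            yi = (i <= m) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

# supports_multi_addr VERSION_LINE: VERSION_LINE is the first line of
# "iptables --version" (e.g. "iptables v1.4.4"). Succeeds when that build
# is assumed to split "-s a,b,c" into separate rules; an unrecognised
# line returns 2 so callers treat it as "cannot".
supports_multi_addr() {
    v=$(printf '%s\n' "$1" | sed -n 's/^ip6\{0,1\}tables v\([0-9][0-9.]*\).*/\1/p')
    [ -n "$v" ] || return 2
    version_ge "$v" "$IPTABLES_MULTI_ADDR_MIN"
}

# ssh_accept_rule CHAIN SRC: the command FireHOL built in the thread for
# one -s value (a single address or a comma-separated list).
ssh_accept_rule() {
    printf 'iptables -t filter -A %s -p tcp -s %s --sport 1024:65535 --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT\n' "$1" "$2"
}

# plan_rules VERSION_LINE CHAIN SRCLIST: print one command carrying the
# whole list when this iptables expands it itself, otherwise one command
# per address, which is the expansion a 1.4.4 iptables cannot do.
plan_rules() {
    if supports_multi_addr "$1"; then
        ssh_accept_rule "$2" "$3"
        return 0
    fi
    old_ifs=$IFS; IFS=,
    for addr in $3; do
        ssh_accept_rule "$2" "$addr"
    done
    IFS=$old_ifs
}

# Stand-alone demonstration with the addresses from the thread:
#   plan_rules "$(iptables --version | head -n 1)" in_world_ssh_s2 '1.2.3.4,5.6.7.8,192.168.1.0/24'
```

Running `plan_rules "$(iptables --version | head -n 1)" in_world_ssh_s2 '1.2.3.4,5.6.7.8,192.168.1.0/24'` on a 1.4.4 box prints three separate `-s` rules; on 1.4.14 it prints the single comma-separated rule FireHOL generated. The rules are for the filter table's own chain names as FireHOL created them, so they are only meaningful as a diagnostic of what each iptables version will accept, not as a replacement for letting FireHOL apply the configuration.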
