[Firehol-support] 2.02 and src with multiple IPs - syntax change?

Phil Whineray phil at sanewall.org
Thu Mar 19 19:04:20 GMT 2015 

On Thu, Mar 19, 2015 at 12:07:24PM -0400, Whit Blauvelt wrote:
> Also, the comma separator worked in 2.0.0-rc.2.

Sorry about this but I don's seem to be able to reproduce it, can
you give a complete minimal config?

I tried this:

interface any any
	client all accept
	server4 ssh accept src 1.2.3.4,5.6.7.8,192.168.1.0/24

but it worked just fine:

$ sudo ./sbin/firehol.in | head

FireHOL 2.0.2
(C) Copyright 2003-2014 Costa Tsaousis <costa at tsaousis.gr>
(C) Copyright 2012-2014 Phil Whineray <phil at firehol.org>
FireHOL is distributed under the GPL v2+.
Home Page: http://firehol.org

-------------------------------------------------------------------------
Get notified of new FireHOL releases by subscribing to the mailing list:
    http://lists.firehol.org/mailman/listinfo/firehol-support/

$ sudo ./sbin/firehol.in x.conf 
FireHOL: Saving your old firewall to a temporary file: OK
FireHOL: Processing file x.conf: OK
FireHOL: Activating new firewall (52 rules): OK
Keep the firewall? (type 'commit' to accept - 30 seconds timeout) : ^C

If I make it server instead of server4, I get an error but from
ip6tables as expected, not from iptables as your error shows:

2$ sudo ./sbin/firehol.in x.conf 
FireHOL: Saving your old firewall to a temporary file: OK
FireHOL: Processing file x.conf: OK
FireHOL: Activating new firewall (52 rules):

--------------------------------------------------------------------------------
ERROR   : # 1.
WHAT    : A runtime command failed to execute (returned error 2).
SOURCE  : line 3 of x.conf
COMMAND : /sbin/ip6tables -t filter -A in_any_ssh_s4 -p tcp -s
1.2.3.4\,5.6.7.8\,192.168.1.0/24 --sport 1024:65535 --dport 22 -m
conntrack --ctstate NEW\,ESTABLISHED -j ACCEPT 
OUTPUT  : 

ip6tables v1.4.14: host/network `1.2.3.4' not found
Try `ip6tables -h' or 'ip6tables --help' for more information.



--------------------------------------------------------------------------------
ERROR   : # 2.
WHAT    : A runtime command failed to execute (returned error 2).
SOURCE  : line 3 of x.conf
COMMAND : /sbin/ip6tables -t filter -A out_any_ssh_s4 -p tcp --sport 22
-d 1.2.3.4\,5.6.7.8\,192.168.1.0/24 --dport 1024:65535 -m conntrack
--ctstate ESTABLISHED -j ACCEPT 
OUTPUT  : 

ip6tables v1.4.14: host/network `1.2.3.4' not found
Try `ip6tables -h' or 'ip6tables --help' for more information.

 FAILED


FireHOL: Restoring old firewall: OK

Is there some weird character after your 192.168.1.0/24? There is also
an extra backslash in the error command that you showed:

> ERROR   : # 1.
> WHAT    : A runtime command failed to execute (returned error 2).
> SOURCE  : line 16 of /etc/firehol/firehol.conf
> COMMAND : /sbin/iptables -t filter -A in_world_ssh_s2 -p tcp -s 1.2.3.4\,5.6.7.8\,192.168.1.0/24\ --sport 1024:65535 --dport 22 -m conntrack --ctstate NEW\,ESTABLISHED -j ACCEPT
> OUTPUT  :

> iptables v1.4.4: host/network `1.2.3.4,5.6.7.8,192.168.1.0/24' not found
> Try `iptables -h' or 'iptables --help' for more information.


Cheers
Phil

More information about the Firehol-support mailing list