[Firehol-support] 2.02 and src with multiple IPs - syntax change?

Tsaousis, Costa costa at tsaousis.gr
Thu Mar 19 23:12:00 GMT 2015


Phil, I tried it on a fully updated Gentoo in explain mode:

(check the generated commands and the errors)


box firehol-2.0.2 # ./sbin/firehol.in explain

FireHOL 2.0.2
(C) Copyright 2003-2014 Costa Tsaousis <costa at tsaousis.gr>
(C) Copyright 2012-2014 Phil Whineray <phil at firehol.org>
FireHOL is distributed under the GPL v2+.
Home Page: http://firehol.org

-------------------------------------------------------------------------
Get notified of new FireHOL releases by subscribing to the mailing list:
    http://lists.firehol.org/mailman/listinfo/firehol-support/
-------------------------------------------------------------------------

You can now start typing firehol configuration directives.
Special interactive commands: help, show, quit

# FireHOL [:] > interface4 eth0 internet

# \/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/
# Cmd Line : 1
# Command  : interface4 eth0 internet

# Creating chain 'in_internet' under 'INPUT' in table 'filter'
/sbin/iptables -t filter -N in_internet
/sbin/iptables -t filter -A INPUT -i eth0 -j in_internet

# Creating chain 'out_internet' under 'OUTPUT' in table 'filter'
/sbin/iptables -t filter -N out_internet
/sbin/iptables -t filter -A OUTPUT -o eth0 -j out_internet

# > OK <
# FireHOL [interface:internet] > server ssh accept src 1.2.3.4,5.6.7.8,192.168.1.0/24

# \/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/
# Cmd Line : 2
# Command  : server ssh accept src 1.2.3.4,5.6.7.8,192.168.1.0/24

# Preparing for service 'ssh' of type 'server' under interface 'internet'

# Creating chain 'in_internet_ssh_s1' under 'in_internet' in table 'filter'
/sbin/iptables -t filter -N in_internet_ssh_s1
/sbin/iptables -t filter -A in_internet -j in_internet_ssh_s1

# Creating chain 'out_internet_ssh_s1' under 'out_internet' in table 'filter'
/sbin/iptables -t filter -N out_internet_ssh_s1
/sbin/iptables -t filter -A out_internet -j out_internet_ssh_s1

# Running simple rules for  server 'ssh'

# Rules for ssh server, with server port(s) 'tcp/22' and client port(s) 'default'
/sbin/iptables -t filter -A in_internet_ssh_s1 -p tcp -s 1.2.3.4\,5.6.7.8\,192.168.1.0/24 --sport 1024:65535 --dport 22 -m conntrack --ctstate NEW\,ESTABLISHED -j ACCEPT
/sbin/iptables -t filter -A out_internet_ssh_s1 -p tcp --sport 22 -d 1.2.3.4\,5.6.7.8\,192.168.1.0/24 --dport 1024:65535 -m conntrack --ctstate ESTABLISHED -j ACCEPT

# > OK <



This is now v3:

box # firehol explain

FireHOL $Id: fbd64e9ef9e9a1a383ba09cc3d9a93a408b9abb7 $
(C) Copyright 2003-2015 Costa Tsaousis <costa at tsaousis.gr>
(C) Copyright 2012-2015 Phil Whineray <phil at firehol.org>
FireHOL is distributed under the GPL v2+.
Home Page: http://firehol.org

-------------------------------------------------------------------------
Get notified of new FireHOL releases by subscribing to the mailing list:
    http://lists.firehol.org/mailman/listinfo/firehol-support/
-------------------------------------------------------------------------

You can now start typing firehol configuration directives.
Special interactive commands: help, show, quit

# FireHOL [:] > in4
# \/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/
# Cmd Line : 1 at Interactive User Input
# Command  : interface4 eth0 world

# Creating chain 'in_world' under 'INPUT' in table 'filter'
/sbin/iptables -t filter -N in_world
/sbin/iptables -t filter -A INPUT -i eth0 -j in_world

# Creating chain 'out_world' under 'OUTPUT' in table 'filter'
/sbin/iptables -t filter -N out_world
/sbin/iptables -t filter -A OUTPUT -o eth0 -j out_world

# > OK <
# FireHOL [interface:world] > server ssh accept src 1.2.3.4,5.6.7.8,192.168.1.0/24
# \/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/
# Cmd Line : 2 at Interactive User Input
# Command  : server ssh accept src 1.2.3.4,5.6.7.8,192.168.1.0/24

# Preparing for service 'ssh' of type 'server' under interface 'world'

# Creating chain 'in_world_ssh_s1' under 'in_world' in table 'filter'

# Creating chain 'out_world_ssh_s1' under 'out_world' in table 'filter'

# Simple rules for  server 'ssh'

# Rules for ssh server, with server port(s) 'tcp/ 22' and client port(s) '1024:65535'
/sbin/iptables -t filter -A in_world -p tcp -s 1.2.3.4 --sport 1024:65535 --dport 22 -m conntrack --ctstate NEW\,ESTABLISHED -j ACCEPT
/sbin/iptables -t filter -A in_world -p tcp -s 5.6.7.8 --sport 1024:65535 --dport 22 -m conntrack --ctstate NEW\,ESTABLISHED -j ACCEPT
/sbin/iptables -t filter -A in_world -p tcp -s 192.168.1.0/24 --sport 1024:65535 --dport 22 -m conntrack --ctstate NEW\,ESTABLISHED -j ACCEPT
/sbin/iptables -t filter -A out_world -p tcp --sport 22 -d 1.2.3.4 --dport 1024:65535 -m conntrack --ctstate ESTABLISHED -j ACCEPT
/sbin/iptables -t filter -A out_world -p tcp --sport 22 -d 5.6.7.8 --dport 1024:65535 -m conntrack --ctstate ESTABLISHED -j ACCEPT
/sbin/iptables -t filter -A out_world -p tcp --sport 22 -d 192.168.1.0/24 --dport 1024:65535 -m conntrack --ctstate ESTABLISHED -j ACCEPT

# > OK <


On Thu, Mar 19, 2015 at 10:51 PM, Whit Blauvelt <whit at transpect.com> wrote:
> Hi Phil,
>
> On further testing it looks like this is specific to something about the
> older Ubuntu 10.04 system (with iptables 1.4.4) I was putting it on. On
> 12.04 there's no such problem. Since 10.04 is going out of support the end
> of next month anyway, probably not something worth worrying about. I have
> FireHOL on a variety of systems, but this may be the only time I've put it
> on 10.04.
>
> Best,
>
> Whit
>
> On Thu, Mar 19, 2015 at 07:04:20PM +0000, Phil Whineray wrote:
>> On Thu, Mar 19, 2015 at 12:07:24PM -0400, Whit Blauvelt wrote:
>> > Also, the comma separator worked in 2.0.0-rc.2.
>>
>> Sorry about this, but I don't seem to be able to reproduce it; can
>> you give a complete minimal config?
>>
>> I tried this:
>>
>> interface any any
>>       client all accept
>>       server4 ssh accept src 1.2.3.4,5.6.7.8,192.168.1.0/24
>>
>> but it worked just fine:
>>
>> $ sudo ./sbin/firehol.in | head
>>
>> FireHOL 2.0.2
>> (C) Copyright 2003-2014 Costa Tsaousis <costa at tsaousis.gr>
>> (C) Copyright 2012-2014 Phil Whineray <phil at firehol.org>
>> FireHOL is distributed under the GPL v2+.
>> Home Page: http://firehol.org
>>
>> -------------------------------------------------------------------------
>> Get notified of new FireHOL releases by subscribing to the mailing list:
>>     http://lists.firehol.org/mailman/listinfo/firehol-support/
>>
>> $ sudo ./sbin/firehol.in x.conf
>> FireHOL: Saving your old firewall to a temporary file: OK
>> FireHOL: Processing file x.conf: OK
>> FireHOL: Activating new firewall (52 rules): OK
>> Keep the firewall? (type 'commit' to accept - 30 seconds timeout) : ^C
>>
>> If I make it server instead of server4, I get an error but from
>> ip6tables as expected, not from iptables as your error shows:
>>
>> 2$ sudo ./sbin/firehol.in x.conf
>> FireHOL: Saving your old firewall to a temporary file: OK
>> FireHOL: Processing file x.conf: OK
>> FireHOL: Activating new firewall (52 rules):
>>
>> --------------------------------------------------------------------------------
>> ERROR   : # 1.
>> WHAT    : A runtime command failed to execute (returned error 2).
>> SOURCE  : line 3 of x.conf
>> COMMAND : /sbin/ip6tables -t filter -A in_any_ssh_s4 -p tcp -s 1.2.3.4\,5.6.7.8\,192.168.1.0/24 --sport 1024:65535 --dport 22 -m conntrack --ctstate NEW\,ESTABLISHED -j ACCEPT
>> OUTPUT  :
>>
>> ip6tables v1.4.14: host/network `1.2.3.4' not found
>> Try `ip6tables -h' or 'ip6tables --help' for more information.
>>
>>
>>
>> --------------------------------------------------------------------------------
>> ERROR   : # 2.
>> WHAT    : A runtime command failed to execute (returned error 2).
>> SOURCE  : line 3 of x.conf
>> COMMAND : /sbin/ip6tables -t filter -A out_any_ssh_s4 -p tcp --sport 22 -d 1.2.3.4\,5.6.7.8\,192.168.1.0/24 --dport 1024:65535 -m conntrack --ctstate ESTABLISHED -j ACCEPT
>> OUTPUT  :
>>
>> ip6tables v1.4.14: host/network `1.2.3.4' not found
>> Try `ip6tables -h' or 'ip6tables --help' for more information.
>>
>>  FAILED
>>
>>
>> FireHOL: Restoring old firewall: OK
>>
>> Is there some weird character after your 192.168.1.0/24? There is also
>> an extra backslash in the error command that you showed:
>>
>> > ERROR   : # 1.
>> > WHAT    : A runtime command failed to execute (returned error 2).
>> > SOURCE  : line 16 of /etc/firehol/firehol.conf
>> > COMMAND : /sbin/iptables -t filter -A in_world_ssh_s2 -p tcp -s 1.2.3.4\,5.6.7.8\,192.168.1.0/24\ --sport 1024:65535 --dport 22 -m conntrack --ctstate NEW\,ESTABLISHED -j ACCEPT
>> > OUTPUT  :
>>
>> > iptables v1.4.4: host/network `1.2.3.4,5.6.7.8,192.168.1.0/24' not found
>> > Try `iptables -h' or 'iptables --help' for more information.
>>
>>
>> Cheers
>> Phil
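The two transcripts above show the difference between FireHOL 2.0.2, which hands the whole comma-separated list to iptables in one `-s` argument (which an iptables without multi-address support, such as the 1.4.4 in Whit's report, rejects), and v3, which emits one rule per address. The script below is an added example, not FireHOL's own code, that does the same expansion in POSIX shell and also picks iptables or ip6tables per address, so that an IPv4 entry is never handed to ip6tables the way the `server` vs `server4` error in Phil's reply shows. Assumptions made here and not taken from the thread: the service is fixed to tcp/22 with client ports 1024:65535, the chains are named `in_<iface>` and `out_<iface>` as in the v3 output, and the address-family check is a plain "contains a colon" test that is only meant for literal addresses, not hostnames. Commands are printed unless `RUN=1` is set.

```shell
#!/bin/sh
# Added example (not FireHOL code): expand a comma-separated source list into
# one iptables/ip6tables rule pair per address, as FireHOL v3 does above.
# Dry run by default so nothing here touches a live ruleset; RUN=1 executes.

# emit CMD ARGS...: run the argv as-is (no eval, no re-splitting), or print it.
emit() {
    if [ "${RUN:-0}" = 1 ]; then
        "$@"
    else
        printf '%s\n' "$*"
    fi
}

# tool_for ADDR: /sbin/ip6tables if ADDR contains a colon (assumed IPv6
# literal), otherwise /sbin/iptables. Assumption of this example only.
tool_for() {
    case $1 in
        *:*) echo /sbin/ip6tables ;;
        *)   echo /sbin/iptables ;;
    esac
}

# ssh_rules IFACE SRCLIST: for each address in the comma-separated SRCLIST,
# emit the inbound tcp/22 rule into in_IFACE and the reply rule into out_IFACE,
# mirroring the per-address rules in the v3 transcript.
ssh_rules() {
    iface=$1
    old_ifs=$IFS; IFS=,
    set -- $2                      # split SRCLIST on commas only
    IFS=$old_ifs
    for src in "$@"; do
        [ -n "$src" ] || continue  # tolerate an empty element ("a,,b")
        tool=$(tool_for "$src")
        emit "$tool" -t filter -A "in_$iface" -p tcp -s "$src" \
            --sport 1024:65535 --dport 22 \
            -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
        emit "$tool" -t filter -A "out_$iface" -p tcp --sport 22 -d "$src" \
            --dport 1024:65535 \
            -m conntrack --ctstate ESTABLISHED -j ACCEPT
    done
}

# Stand-alone usage: sh thisfile.sh world 1.2.3.4,5.6.7.8,192.168.1.0/24
if [ $# -ge 2 ]; then
    ssh_rules "$1" "$2"
fi
```

Run in dry-run mode first and compare the printed commands with the v3 explain output; the only difference should be that explain mode shows the comma inside `--ctstate` backslash-escaped. Because `emit` passes the argument vector straight through, a source such as `192.168.1.0/24` is one argv element and is never re-split or interpreted by the shell.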


