[Firehol-support] Could not surf on the firewall box help needed

David Touzeau david at articatech.com
Sat Jan 27 16:30:32 GMT 2018


Hi all,

I'm sure I'm missing something, but I did not understand why.

On the Linux box where FireHOL is installed I cannot reach the Internet.

From a LAN address, there is no issue:

 

****************************************************************************************
root at router:~# curl --verbose http://www.laposte.net
* Rebuilt URL to: http://www.laposte.net/
*   Trying 94.124.132.36...
* TCP_NODELAY set
* connect to 94.124.132.36 port 80 failed: Connection refused
* Failed to connect to www.laposte.net port 80: Connection refused
* Closing connection 0
curl: (7) Failed to connect to www.laposte.net port 80: Connection refused
****************************************************************************************

What am I missing?

Here is my config.

eth0 is LAN
eth1 is WAN


****************************************************************************************
# DHCP: 0 ()
#ipset v.6.30 compatible
version 5
#Trusted Networks
#xt_ndpi not installed
FIREHOL_AUTOSAVE="/home/artica/firewall/firehol-saved-ipv4.txt"
FIREHOL_LOG_PREFIX="FIREHOL:"
FIREHOL_TPROXY_MARK="0xffff"
FIREHOL_TPROXY_IP_ROUTE_TABLE="999"
FIREHOL_TPROXY_ROUTE_DEVICE="eth0"
FIREHOL_DROP_INVALID="0"
FIREHOL_LOG_MODE="LOG"
MDPI="-m  ndpi "
IPSET_CMD="/sbin/ipset"
ipv4 ipset create proxy_white_ssl hash:ip
ipv4 ipset addfile proxy_white_ssl ips proxy_ssl_whitelist
ipv4 ipset create MyIPs hash:ip
ipv4 ipset addfile MyIPs ips MyIPs

# * * * * Transparent Proxy * * * *
transparent_squid 58630 squid inface eth0
transparent_proxy 443 58631 squid inface eth0
# Tproxy: 0

# * * * * ip_forward =  1 * * * *
# * * * * rp_filter  =  1 * * * *
/sbin/sysctl -w net.ipv4.conf.lo.rp_filter=1
/sbin/sysctl -w net.ipv4.conf.eth0.rp_filter=1
/sbin/sysctl -w net.ipv4.conf.eth1.rp_filter=1
/sbin/sysctl -w net.ipv4.conf.default.rp_filter=1 >/dev/null 2>&1
/sbin/sysctl -w net.ipv4.conf.all.rp_filter=1 >/dev/null 2>&1
/sbin/sysctl -w net.ipv4.ip_forward=1 >/dev/null 2>&1

# * * * * NAT Rules * * * *

#lo Name:Interface lo/lo/lo 0.0.0.0 [403]
#             lo: act_as_lan = 0
#             lo: Allow proxy ports for 192.168.1.0/24
# lo: final services = 2
interface4 lo lo
        policy accept
#             lo: 0 clients rule(s) ( accept all services )[681]
        client any accept
        client any accept
        server squidports accept src 192.168.1.0/24
        server ssh accept

#eth0 Name:Interface eth0/eth0/eth0 192.168.1.1 [403]
#             eth0: act_as_lan = 0
#             eth0: Allow proxy ports for 192.168.1.0/24
# eth0: final services = 3
interface4 eth0 eth0
        policy accept
#             eth0: 0 clients rule(s) ( accept all services )[681]
        client any accept
        client any accept
        server squidports accept src 192.168.1.0/24
        server unifi accept
        server ssh accept

#eth1 Name:Interface eth1/eth1/eth1 10.10.1.1 [403]
#             eth1: act_as_lan = 0
#             eth1: Allow proxy ports for 192.168.1.0/24
# eth1: final services = 3

interface4 eth1 eth1
        policy reject
#             eth1: 0 clients rule(s) ( accept all services )[681]
#             eth1: accept local -> necessaries Internet protocols BUILD_INTERFACE_CLIENT/690
        client dns accept
        client https accept
        client http accept
        client ftp accept
        client ntp accept
        client rsync accept
        server squidports accept src 192.168.1.0/24
        server unifi accept
        server ssh accept

# pnic_bridges: eth02eth1; Artica allowed=0;FireHoleLogAllEvents=0
router4 eth02eth1 inface eth0 outface eth1
        masquerade
        server dhcp deny
        route any accept
        client any accept
        server http accept

# * * * * * * ROUTERS FOR ALL INTERFACES * * * * * *

router4 lo2lo inface lo outface lo
        route any accept
        client any accept
        policy accept

# Router For interface eth0 # # # # # # # # # # # # # # # #
router4 eth02eth0 inface eth0 outface eth0
#             DHCP disabled
        route any accept
        client any accept
        policy accept

# Router For interface eth1 # # # # # # # # # # # # # # # #
router4 eth12eth1 inface eth1 outface eth1
#             DHCP disabled
        route any accept
        client any accept
        policy accept
****************************************************************************************
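An added diagnostic example, not part of the original post and not FireHOL's own code: a small Python script that reads a FireHOL configuration, lists for each interface block the policy and the services the firewall host itself may open as a client, and lists the transparent proxy helpers with their redirect port and `inface` scope. The embedded sample is a constructed trim of the configuration posted above; the parser handles only the directive subset that appears there (`interface4`, `router4`, `policy`, `client`, `server`, `transparent_squid`, `transparent_proxy`) and is not a general FireHOL parser. The point of the summary is to separate the two questions a "Connection refused" on the box itself raises: whether the WAN interface's `policy reject` is overriding the `client http accept` rule (the summary shows it is not; `client` rules are evaluated before the policy), and whether the transparent proxy helpers also redirect the host's own port-80 connections to the proxy port. The latter cannot be decided from the config file alone: it is checked on the box with `iptables -t nat -S OUTPUT` (any REDIRECT there applies to locally generated traffic) together with `ss -ltn` to see which address the proxy is listening on.

```python
"""Summarise a FireHOL configuration: per-block policy, host client services
and transparent proxy helpers.  Added example, not FireHOL's own code."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample input: the relevant lines of the posted configuration
# (comments, variables, sysctl and ipset lines trimmed).
SAMPLE_CONFIG = """\
version 5
transparent_squid 58630 squid inface eth0
transparent_proxy 443 58631 squid inface eth0
/sbin/sysctl -w net.ipv4.ip_forward=1 >/dev/null 2>&1
interface4 lo lo
        policy accept
        client any accept
        server ssh accept
interface4 eth0 eth0
        policy accept
        client any accept
        server squidports accept src 192.168.1.0/24
interface4 eth1 eth1
        policy reject
        client dns accept
        client https accept
        client http accept
        server ssh accept
router4 eth02eth1 inface eth0 outface eth1
        masquerade
        route any accept
        server http accept
"""

BLOCK_RE = re.compile(r"^(interface4|router4|interface|router)\s+(\S+)\s*(.*)$")
HELPER_RE = re.compile(r"^(transparent_squid|transparent_proxy)\s+(.*)$")


@dataclass
class Block:
    kind: str                      # "interface4" or "router4"
    name: str
    args: List[str]                # e.g. ["inface", "eth0", "outface", "eth1"]
    policy: Optional[str] = None   # None: no explicit policy line in the block
    clients: List[Tuple[str, str, str]] = field(default_factory=list)  # (service, action, rest)
    servers: List[Tuple[str, str, str]] = field(default_factory=list)


def parse_firehol(text: str):
    """Return (blocks, helpers).  Only the directives this summary needs are
    parsed; variables, sysctl and ipset lines are ignored."""
    blocks, helpers, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = HELPER_RE.match(line)
        if m:
            helpers.append((m.group(1), m.group(2).split()))
            continue
        m = BLOCK_RE.match(line)
        if m:
            current = Block(kind=m.group(1), name=m.group(2), args=m.group(3).split())
            blocks.append(current)
            continue
        if current is None:          # top-level line we do not model
            continue
        words = line.split()
        if words[0] == "policy" and len(words) > 1:
            current.policy = words[1]
        elif words[0] in ("client", "server") and len(words) > 2:
            entry = (words[1], words[2], " ".join(words[3:]))
            (current.clients if words[0] == "client" else current.servers).append(entry)
    return blocks, helpers


def host_outbound(blocks):
    """Per interface block: (policy, services the host may open as a client)."""
    return {b.name: (b.policy, [svc for svc, action, _ in b.clients if action == "accept"])
            for b in blocks if b.kind.startswith("interface")}


def helper_redirects(helpers):
    """Transparent proxy helpers as (helper, redirect port, inface or None).
    transparent_squid takes the redirect port first; transparent_proxy takes
    the service list first and the redirect port second."""
    out = []
    for name, args in helpers:
        port = args[1] if name == "transparent_proxy" else args[0]
        inface = args[args.index("inface") + 1] if "inface" in args else None
        out.append((name, port, inface))
    return out


def report(text: str) -> List[str]:
    """Human-readable summary lines for the configuration text."""
    blocks, helpers = parse_firehol(text)
    lines = []
    for name, (policy, services) in host_outbound(blocks).items():
        lines.append(f"{name}: policy={policy or 'default'} host-client={','.join(services) or '-'}")
    for name, port, inface in helper_redirects(helpers):
        scope = f"inface {inface}" if inface else "all interfaces"
        lines.append(f"{name}: redirect -> port {port} ({scope}); "
                     "verify locally generated traffic with: iptables -t nat -S OUTPUT")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_CONFIG):
        print(line)
```

Run it against the real file with `report(open("/etc/firehol/firehol.conf").read())` (path assumed; use whatever FireHOL loads on the box). The `inface` shown for each helper only tells you which interface's incoming traffic is redirected; whether the box's own outbound connections are redirected as well is read from the live nat OUTPUT chain, not from this summary.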
