Bug 172000 - net-firewall/firehol-1.250 requires specific kernel CONFIG's + wrong bash patch
Summary: net-firewall/firehol-1.250 requires specific kernel CONFIG's + wrong bash patch
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: [OLD] Server
Hardware: All Linux
Importance: High normal
Assignee: Dominik Stadler (RETIRED)
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2007-03-24 03:18 UTC by Jeff Kowalczyk
Modified: 2007-11-05 17:55 UTC
CC List: 5 users

See Also:
Package list:
Runtime testing required: ---


Attachments
Concatenated output that would not fit in comment fields. (erroroutputemergeinfolsmod.txt, 21.44 KB, text/plain) 2007-03-24 03:21 UTC, Jeff Kowalczyk
Anonymized firehol.conf of machine exhibiting bug (firehol.conf, 482 bytes, text/plain) 2007-03-25 20:21 UTC, Jeff Kowalczyk
firehol-nonworking intel server config (kernel-config-x86-2.6.20-gentoo-r4, 40.08 KB, text/plain) 2007-03-29 22:27 UTC, Jeff Kowalczyk
diff to add CONFIGs to get firehol working (netfilterconfigs.diff, 3.30 KB, patch) 2007-04-24 21:03 UTC, Jeff Kowalczyk

Description Jeff Kowalczyk 2007-03-24 03:18:03 UTC
firehol-1.250 does not start with bash-3.2.

Reproducible: Always

Steps to Reproduce:
app-shells/bash-3.2_p15  USE="nls -afs -bashlogger -vanilla" 0 kB 
net-firewall/firehol-1.250  0 kB 
net-firewall/iptables-1.3.7  USE="-extensions -imq -ipv6 -l7filter -static" 0 kB 


Actual Results:  
# /etc/init.d/firehol restart
 * Restarting Firewall ...
 * WARNING:  firehol has not yet been started.
 * Starting FireHOL ...

--------------------------------------------------------------------------------
WARNING : This might or might not affect the operation of your firewall.
WHAT    : A runtime command failed to execute (returned error 1).
SOURCE  : line FIN of /etc/firehol/firehol.conf
COMMAND : /sbin/modprobe ip_conntrack -q 
OUTPUT  : 

--------------------------------------------------------------------------------
ERROR   : # 1.
WHAT    : A runtime command failed to execute (returned error 1).
SOURCE  : line 13 of /etc/firehol/firehol.conf
COMMAND : /sbin/iptables -t filter -A in_world_webmin_s1 -p tcp --sport 1024:65535 --dport 10000 -m state --state NEW,ESTABLISHED -j ACCEPT 
OUTPUT  : 

--------------------------------------------------------------------------------
ERROR   : # 2.
WHAT    : A runtime command failed to execute (returned error 1).
SOURCE  : line 13 of /etc/firehol/firehol.conf
COMMAND : /sbin/iptables -t filter -A out_world_webmin_s1 -p tcp --sport 10000 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT 
OUTPUT  : 

(...)

Expected Results:  
start firehol
Comment 1 Jeff Kowalczyk 2007-03-24 03:19:50 UTC
(new bug report comment-length limits are too restrictive...)
Comment 2 Jeff Kowalczyk 2007-03-24 03:21:04 UTC
Created attachment 114201 [details]
Concatenated output that would not fit in comment fields.
Comment 3 Jeff Kowalczyk 2007-03-24 15:18:39 UTC
I now think this isn't a bash issue, as with previous firehol bugs. Is it possible that the ip_conntrack modules have changed names with recent kernels?

(kernel config when this bug was opened)
# grep CONN /etc/kernels/kernel-config-x86-2.6.20-gentoo-r3old 
# CONFIG_NF_CONNTRACK_ENABLED is not set
# CONFIG_CONNECTOR is not set

(rebuilt kernel with ip_conntrack support)
# grep CONN /etc/kernels/kernel-config-x86-2.6.20-gentoo-r3
CONFIG_NF_CONNTRACK_ENABLED=m
CONFIG_NF_CONNTRACK_SUPPORT=y
# CONFIG_IP_NF_CONNTRACK_SUPPORT is not set
CONFIG_NF_CONNTRACK=m
# CONFIG_NF_CONNTRACK_MARK is not set
# CONFIG_NF_CONNTRACK_SECMARK is not set
# CONFIG_NF_CONNTRACK_EVENTS is not set
# CONFIG_NF_CONNTRACK_AMANDA is not set
# CONFIG_NF_CONNTRACK_FTP is not set
# CONFIG_NF_CONNTRACK_H323 is not set
# CONFIG_NF_CONNTRACK_IRC is not set
# CONFIG_NF_CONNTRACK_NETBIOS_NS is not set
# CONFIG_NF_CONNTRACK_PPTP is not set
# CONFIG_NF_CONNTRACK_SIP is not set
# CONFIG_NF_CONNTRACK_TFTP is not set
# CONFIG_NETFILTER_XT_MATCH_CONNTRACK is not set
CONFIG_NF_CONNTRACK_IPV4=m
CONFIG_NF_CONNTRACK_PROC_COMPAT=y
# CONFIG_NF_CONNTRACK_IPV6 is not set
# CONFIG_CONNECTOR is not set

(running modules)
# lsmod | grep con
nf_conntrack_ipv4      14732  0 
nf_conntrack           34952  1 nf_conntrack_ipv4

did the module used to be called ip_conntrack?
Comment 4 Dominik Stadler (RETIRED) gentoo-dev 2007-03-25 15:38:24 UTC
I think this is similar to bug 167352, it seems some things were moved around and renamed in kernel 2.6.20. Does it work if you recompile your kernel with more of these new options enabled?
Comment 5 Dominik Stadler (RETIRED) gentoo-dev 2007-03-25 15:43:00 UTC
Sorry, I didn't look closely enough at the report; the modprobe ip_conntrack already fails.

Can you post your (anonymized) firehol.conf so I can try whether it works on other machines?
Comment 6 Jeff Kowalczyk 2007-03-25 20:21:04 UTC
Created attachment 114410 [details]
Anonymized firehol.conf of machine exhibiting bug

The firehol.conf has not changed in several years, so I don't think it's a syntax mistake. My other servers, using only slight variations on the attached firehol.conf, all exhibit the bug at this time.
Comment 7 Dominik Stadler (RETIRED) gentoo-dev 2007-03-28 07:48:15 UTC
I don't think your config or firehol are broken here. I rather think the kernel did change in some ways in 2.6.20 which breaks some things in firehol. 

In my current setup, your configuration works fine:

 # firehol /export/home/dstadler/tmp/firehol.conf.bug start
gzcat: /proc/config.gz already has .gz suffix -- unchanged
FireHOL: Saving your old firewall to a temporary file: OK
FireHOL: Processing file /export/home/dstadler/tmp/firehol.conf.bug: OK
FireHOL: Activating new firewall (85 rules): OK

Can you try to set kernel options similar to what I have? I couldn't find out which ones I actually need, but enabling all these did give me a working firehol again:

# grep _NF_ /etc/kernels/kernel-config-x86-2.6.20-gentoo-r2
CONFIG_NF_CONNTRACK_ENABLED=m
CONFIG_NF_CONNTRACK_SUPPORT=y
# CONFIG_IP_NF_CONNTRACK_SUPPORT is not set
CONFIG_NF_CONNTRACK=m
CONFIG_NF_CT_ACCT=y
CONFIG_NF_CONNTRACK_MARK=y
CONFIG_NF_CONNTRACK_EVENTS=y
CONFIG_NF_CT_PROTO_GRE=m
CONFIG_NF_CT_PROTO_SCTP=m
CONFIG_NF_CONNTRACK_AMANDA=m
CONFIG_NF_CONNTRACK_FTP=m
CONFIG_NF_CONNTRACK_H323=m
CONFIG_NF_CONNTRACK_IRC=m
CONFIG_NF_CONNTRACK_NETBIOS_NS=m
CONFIG_NF_CONNTRACK_PPTP=m
CONFIG_NF_CONNTRACK_SIP=m
CONFIG_NF_CONNTRACK_TFTP=m
CONFIG_NF_CONNTRACK_IPV4=m
CONFIG_NF_CONNTRACK_PROC_COMPAT=y
CONFIG_IP_NF_QUEUE=m
CONFIG_IP_NF_IPTABLES=y
CONFIG_IP_NF_MATCH_IPRANGE=m
CONFIG_IP_NF_MATCH_TOS=m
CONFIG_IP_NF_MATCH_RECENT=m
CONFIG_IP_NF_MATCH_ECN=m
CONFIG_IP_NF_MATCH_AH=m
CONFIG_IP_NF_MATCH_TTL=m
CONFIG_IP_NF_MATCH_OWNER=m
CONFIG_IP_NF_MATCH_ADDRTYPE=m
CONFIG_IP_NF_FILTER=y
CONFIG_IP_NF_TARGET_REJECT=m
CONFIG_IP_NF_TARGET_LOG=y
CONFIG_IP_NF_TARGET_ULOG=m
CONFIG_IP_NF_TARGET_TCPMSS=m
CONFIG_NF_NAT=m
CONFIG_NF_NAT_NEEDED=y
CONFIG_IP_NF_TARGET_MASQUERADE=m
CONFIG_IP_NF_TARGET_REDIRECT=m
CONFIG_IP_NF_TARGET_NETMAP=m
CONFIG_IP_NF_TARGET_SAME=m
CONFIG_NF_NAT_SNMP_BASIC=m
CONFIG_NF_NAT_PROTO_GRE=m
CONFIG_NF_NAT_FTP=m
CONFIG_NF_NAT_IRC=m
CONFIG_NF_NAT_TFTP=m
CONFIG_NF_NAT_AMANDA=m
CONFIG_NF_NAT_PPTP=m
CONFIG_NF_NAT_H323=m
CONFIG_NF_NAT_SIP=m
CONFIG_IP_NF_MANGLE=m
CONFIG_IP_NF_TARGET_TOS=m
CONFIG_IP_NF_TARGET_ECN=m
CONFIG_IP_NF_TARGET_TTL=m
CONFIG_IP_NF_TARGET_CLUSTERIP=m
CONFIG_IP_NF_RAW=m
CONFIG_IP_NF_ARPTABLES=m
CONFIG_IP_NF_ARPFILTER=m
CONFIG_IP_NF_ARP_MANGLE=m
Comment 8 Jeff Kowalczyk 2007-03-29 22:22:53 UTC
I'm not able to start firehol with a config that is nearly _NF_-identical to yours. The missing modules must be in another area of your kernel config. Mine will be attached.

# grep -e '_NF_\|NETFILTER_\_IP_' kernel-config-x86-2.6.20-gentoo-r4 
CONFIG_NF_CONNTRACK_ENABLED=m
CONFIG_NF_CONNTRACK_SUPPORT=y
# CONFIG_IP_NF_CONNTRACK_SUPPORT is not set
CONFIG_NF_CONNTRACK=m
CONFIG_NF_CT_ACCT=y
CONFIG_NF_CONNTRACK_MARK=y
CONFIG_NF_CONNTRACK_EVENTS=y
CONFIG_NF_CT_PROTO_GRE=m
CONFIG_NF_CT_PROTO_SCTP=m
CONFIG_NF_CONNTRACK_AMANDA=m
CONFIG_NF_CONNTRACK_FTP=m
CONFIG_NF_CONNTRACK_H323=m
CONFIG_NF_CONNTRACK_IRC=m
CONFIG_NF_CONNTRACK_NETBIOS_NS=m
CONFIG_NF_CONNTRACK_PPTP=m
CONFIG_NF_CONNTRACK_SIP=m
CONFIG_NF_CONNTRACK_TFTP=m
# CONFIG_NF_CT_NETLINK is not set
CONFIG_NF_CONNTRACK_IPV4=m
CONFIG_NF_CONNTRACK_PROC_COMPAT=y
CONFIG_IP_NF_QUEUE=m
CONFIG_IP_NF_IPTABLES=m
CONFIG_IP_NF_MATCH_IPRANGE=m
CONFIG_IP_NF_MATCH_TOS=m
CONFIG_IP_NF_MATCH_RECENT=m
CONFIG_IP_NF_MATCH_ECN=m
CONFIG_IP_NF_MATCH_AH=m
CONFIG_IP_NF_MATCH_TTL=m
CONFIG_IP_NF_MATCH_OWNER=m
CONFIG_IP_NF_MATCH_ADDRTYPE=m
CONFIG_IP_NF_FILTER=m
CONFIG_IP_NF_TARGET_REJECT=m
CONFIG_IP_NF_TARGET_LOG=m
CONFIG_IP_NF_TARGET_ULOG=m
CONFIG_IP_NF_TARGET_TCPMSS=m
CONFIG_NF_NAT=m
CONFIG_NF_NAT_NEEDED=y
CONFIG_IP_NF_TARGET_MASQUERADE=m
CONFIG_IP_NF_TARGET_REDIRECT=m
CONFIG_IP_NF_TARGET_NETMAP=m
CONFIG_IP_NF_TARGET_SAME=m
CONFIG_NF_NAT_SNMP_BASIC=m
CONFIG_NF_NAT_PROTO_GRE=m
CONFIG_NF_NAT_FTP=m
CONFIG_NF_NAT_IRC=m
CONFIG_NF_NAT_TFTP=m
CONFIG_NF_NAT_AMANDA=m
CONFIG_NF_NAT_PPTP=m
CONFIG_NF_NAT_H323=m
CONFIG_NF_NAT_SIP=m
CONFIG_IP_NF_MANGLE=m
CONFIG_IP_NF_TARGET_TOS=m
CONFIG_IP_NF_TARGET_ECN=m
CONFIG_IP_NF_TARGET_TTL=m
CONFIG_IP_NF_TARGET_CLUSTERIP=m
CONFIG_IP_NF_RAW=m
CONFIG_IP_NF_ARPTABLES=m
CONFIG_IP_NF_ARPFILTER=m
CONFIG_IP_NF_ARP_MANGLE=m

# diff -u centric mine
--- sample      2007-03-29 17:51:40.000000000 -0400
+++ actual      2007-03-29 17:51:14.000000000 -0400
@@ -15,10 +15,11 @@
 CONFIG_NF_CONNTRACK_PPTP=m
 CONFIG_NF_CONNTRACK_SIP=m
 CONFIG_NF_CONNTRACK_TFTP=m
+# CONFIG_NF_CT_NETLINK is not set
 CONFIG_NF_CONNTRACK_IPV4=m
 CONFIG_NF_CONNTRACK_PROC_COMPAT=y
 CONFIG_IP_NF_QUEUE=m
-CONFIG_IP_NF_IPTABLES=y
+CONFIG_IP_NF_IPTABLES=m
 CONFIG_IP_NF_MATCH_IPRANGE=m
 CONFIG_IP_NF_MATCH_TOS=m
 CONFIG_IP_NF_MATCH_RECENT=m
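Review bot: the file headers (`--- sample`, `+++ actual`) do not match the command shown above them (`diff -u centric mine`), so state explicitly that the `-` side is the working config from comment 7 and the `+` side is this machine's; with that reading, the hunk differs only in `CONFIG_NF_CT_NETLINK` being unset and `CONFIG_IP_NF_IPTABLES` going from `y` to `m`, a built-in-versus-module difference worth testing on its own before looking elsewhere.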
@@ -27,9 +28,9 @@
 CONFIG_IP_NF_MATCH_TTL=m
 CONFIG_IP_NF_MATCH_OWNER=m
 CONFIG_IP_NF_MATCH_ADDRTYPE=m
-CONFIG_IP_NF_FILTER=y
+CONFIG_IP_NF_FILTER=m
 CONFIG_IP_NF_TARGET_REJECT=m
-CONFIG_IP_NF_TARGET_LOG=y
+CONFIG_IP_NF_TARGET_LOG=m
 CONFIG_IP_NF_TARGET_ULOG=m
 CONFIG_IP_NF_TARGET_TCPMSS=m
 CONFIG_NF_NAT=m
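Review bot: this hunk's only changes are `CONFIG_IP_NF_FILTER` and `CONFIG_IP_NF_TARGET_LOG` going from `y` to `m`, so the two `_NF_` listings are equal apart from built-in-versus-module choices, and the `_NF_` grep used to produce them never shows the `CONFIG_NETFILTER_XT_*` options at all; since every failing command in this report uses `-m state`, the option to compare next is `CONFIG_NETFILTER_XT_MATCH_STATE` (the match that `-m state` needs) rather than more of the `_NF_` subset (comment 12 later reports that enabling the `CONFIG_NETFILTER_XT_MATCH_*` options fixed it).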
Comment 9 Jeff Kowalczyk 2007-03-29 22:27:14 UTC
Created attachment 114893 [details]
firehol-nonworking intel server config

This config does not work with firehol.
Comment 10 Jeff Kowalczyk 2007-03-29 22:28:30 UTC
# lsmod
Module                  Size  Used by
nf_conntrack_ftp        9472  0 
nf_conntrack_irc        7192  0 
xt_tcpudp               3328  0 
nf_conntrack_ipv4      16268  0 
nf_conntrack           54872  3 nf_conntrack_ftp,nf_conntrack_irc,nf_conntrack_ipv4
iptable_filter          3200  0 
ip_tables              11592  1 iptable_filter
x_tables               14340  2 xt_tcpudp,ip_tables
rtc                     8464  0 
nvidiafb               42652  0 
i2c_algo_bit            7432  1 nvidiafb
8139too                24448  0 
mii                     5504  1 8139too
i2c_i801                7564  0 
i2c_core               20624  3 nvidiafb,i2c_algo_bit,i2c_i801
intel_agp              22684  1 
agpgart                29904  1 intel_agp
scsi_wait_scan          1536  0 
sl811_hcd              11008  0 
usbhid                 22240  0 
ohci_hcd               18052  0 
uhci_hcd               21004  0 
usb_storage            34180  0 
scsi_mod               91400  2 scsi_wait_scan,usb_storage
ehci_hcd               26124  0 
usbcore               114840  7 sl811_hcd,usbhid,ohci_hcd,uhci_hcd,usb_storage,ehci_hcd
Comment 11 Jeff Kowalczyk 2007-03-29 22:37:10 UTC
# /etc/init.d/firehol restart
* Restarting Firewall ...
* WARNING:  firehol has not yet been started.
* Starting FireHOL ...

Error # 1, 2, etc...
WHAT    : A runtime command failed to execute (returned error 1).
SOURCE  : line 13 of /etc/firehol/firehol.conf
COMMAND : /sbin/iptables -t filter -A in_world_webmin_s1 -p tcp --sport 1024:65535 --dport 10000 -m state --state NEW,ESTABLISHED -j ACCEPT

COMMAND : /sbin/iptables -t filter -A out_world_webmin_s1 -p tcp --sport 10000 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT

COMMAND : /sbin/iptables -t filter -A in_world_distcc_s2 -p tcp -s 1.2.3.4 --sport 1024:65535 --dport 3632 -m state --state NEW,ESTABLISHED -j ACCEPT

COMMAND : /sbin/iptables -t filter -A in_world_distcc_s2 -p tcp -s 4.3.2.1 --sport 1024:65535 --dport 3632 -m state --state NEW,ESTABLISHED -j ACCEPT

COMMAND : /sbin/iptables -t filter -A out_world_distcc_s2 -p tcp --sport 3632 -d 1.2.3.4 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT

COMMAND : /sbin/iptables -t filter -A out_world_distcc_s2 -p tcp --sport 3632 -d 4.3.2.1 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT

COMMAND : /sbin/iptables -t filter -A in_world_distcc_s2 -p tcp -s 1.2.3.4 --sport 3632 --dport 3632 -m state --state NEW,ESTABLISHED -j ACCEPT

COMMAND : /sbin/iptables -t filter -A in_world_distcc_s2 -p tcp -s 4.3.2.1 --sport 3632 --dport 3632 -m state --state NEW,ESTABLISHED -j ACCEPT

COMMAND : /sbin/iptables -t filter -A out_world_distcc_s2 -p tcp --sport 3632 -d 1.2.3.4 --dport 3632 -m state --state ESTABLISHED -j ACCEPT

COMMAND : /sbin/iptables -t filter -A out_world_distcc_s2 -p tcp --sport 3632 -d 4.3.2.1 --dport 3632 -m state --state ESTABLISHED -j ACCEPT

COMMAND : /sbin/iptables -t filter -A in_world_distcc_s2 -p udp -s 1.2.3.4 --sport 1024:65535 --dport 3632 -m state --state NEW,ESTABLISHED -j ACCEPT

COMMAND : /sbin/iptables -t filter -A in_world_distcc_s2 -p udp -s 4.3.2.1 --sport 1024:65535 --dport 3632 -m state --state NEW,ESTABLISHED -j ACCEPT

COMMAND : /sbin/iptables -t filter -A out_world_distcc_s2 -p udp --sport 3632 -d 1.2.3.4 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT

COMMAND : /sbin/iptables -t filter -A out_world_distcc_s2 -p udp --sport 3632 -d 4.3.2.1 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT

COMMAND : /sbin/iptables -t filter -A in_world_distcc_s2 -p udp -s 1.2.3.4 --sport 3632 --dport 3632 -m state --state NEW,ESTABLISHED -j ACCEPT

COMMAND : /sbin/iptables -t filter -A in_world_distcc_s2 -p udp -s 4.3.2.1 --sport 3632 --dport 3632 -m state --state NEW,ESTABLISHED -j ACCEPT

COMMAND : /sbin/iptables -t filter -A out_world_distcc_s2 -p udp --sport 3632 -d 1.2.3.4 --dport 3632 -m state --state ESTABLISHED -j ACCEPT

COMMAND : /sbin/iptables -t filter -A out_world_distcc_s2 -p udp --sport 3632 -d 4.3.2.1 --dport 3632 -m state --state ESTABLISHED -j ACCEPT

COMMAND : /sbin/iptables -t filter -A in_world_http_s3 -p tcp --sport 1024:65535 --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT

COMMAND : /sbin/iptables -t filter -A out_world_http_s3 -p tcp --sport 80 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT

COMMAND : /sbin/iptables -t filter -A in_world_https_s4 -p tcp --sport 1024:65535 --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT

COMMAND : /sbin/iptables -t filter -A out_world_https_s4 -p tcp --sport 443 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT

COMMAND : /sbin/iptables -t filter -A in_world_pop3_s5 -p tcp --sport 1024:65535 --dport 110 -m state --state NEW,ESTABLISHED -j ACCEPT

COMMAND : /sbin/iptables -t filter -A out_world_pop3_s5 -p tcp --sport 110 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT

COMMAND : /sbin/iptables -t filter -A in_world_pop3s_s6 -p tcp --sport 1024:65535 --dport 995 -m state --state NEW,ESTABLISHED -j ACCEPT

COMMAND : /sbin/iptables -t filter -A out_world_pop3s_s6 -p tcp --sport 995 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT

COMMAND : /sbin/iptables -t filter -A in_world_imap_s7 -p tcp --sport 1024:65535 --dport 143 -m state --state NEW,ESTABLISHED -j ACCEPT

COMMAND : /sbin/iptables -t filter -A out_world_imap_s7 -p tcp --sport 143 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT

COMMAND : /sbin/iptables -t filter -A in_world_imaps_s8 -p tcp --sport 1024:65535 --dport 993 -m state --state NEW,ESTABLISHED -j ACCEPT

COMMAND : /sbin/iptables -t filter -A out_world_imaps_s8 -p tcp --sport 993 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT

COMMAND : /sbin/iptables -t filter -A in_world_ssh_s9 -p tcp --sport 1024:65535 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT

COMMAND : /sbin/iptables -t filter -A out_world_ssh_s9 -p tcp --sport 22 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT

COMMAND : /sbin/iptables -t filter -A out_world_all_c10 -m state --state NEW,ESTABLISHED -j ACCEPT

COMMAND : /sbin/iptables -t filter -A in_world_all_c10 -m state --state ESTABLISHED -j ACCEPT

COMMAND : /sbin/iptables -t filter -A out_world_irc_c11 -p tcp --sport 2048:4999 --dport 6667 -m state --state NEW,ESTABLISHED -j ACCEPT

COMMAND : /sbin/iptables -t filter -A in_world_irc_c11 -p tcp --sport 6667 --dport 2048:4999 -m state --state ESTABLISHED -j ACCEPT

COMMAND : /sbin/iptables -t filter -A out_world_ftp_c12 -p tcp --sport 2048:4999 --dport ftp -m state --state NEW,ESTABLISHED -j ACCEPT

COMMAND : /sbin/iptables -t filter -A in_world_ftp_c12 -p tcp --sport ftp --dport 2048:4999 -m state --state ESTABLISHED -j ACCEPT

COMMAND : /sbin/iptables -t filter -A in_world_ftp_c12 -p tcp --sport ftp-data --dport 2048:4999 -m state --state ESTABLISHED,RELATED -j ACCEPT

COMMAND : /sbin/iptables -t filter -A out_world_ftp_c12 -p tcp --sport 2048:4999 --dport ftp-data -m state --state ESTABLISHED -j ACCEPT

COMMAND : /sbin/iptables -t filter -A out_world_ftp_c12 -p tcp --sport 2048:4999 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT

COMMAND : /sbin/iptables -t filter -A in_world_ftp_c12 -p tcp --sport 1024:65535 --dport 2048:4999 -m state --state ESTABLISHED -j ACCEPT

COMMAND : /sbin/iptables -t filter -A in_world -m state --state RELATED -j ACCEPT

COMMAND : /sbin/iptables -t filter -A out_world -m state --state RELATED -j ACCEPT

COMMAND : /sbin/iptables -t filter -A in_world -m limit --limit 1/second --limit-burst 5 -j LOG --log-level warning --log-prefix=IN-world:

COMMAND : /sbin/iptables -t filter -A out_world -m limit --limit 1/second --limit-burst 5 -j LOG --log-level warning --log-prefix=OUT-world:

COMMAND : /sbin/iptables -t filter -A INPUT -m state --state RELATED -j ACCEPT

COMMAND : /sbin/iptables -t filter -A OUTPUT -m state --state RELATED -j ACCEPT

COMMAND : /sbin/iptables -t filter -A FORWARD -m state --state RELATED -j ACCEPT

COMMAND : /sbin/iptables -t filter -A INPUT -m limit --limit 1/second --limit-burst 5 -j LOG --log-level warning --log-prefix=IN-unknown:

COMMAND : /sbin/iptables -t filter -A OUTPUT -m limit --limit 1/second --limit-burst 5 -j LOG --log-level warning --log-prefix=OUT-unknown:

COMMAND : /sbin/iptables -t filter -A FORWARD -m limit --limit 1/second --limit-burst 5 -j LOG --log-level warning --log-prefix=PASS-unknown:
Comment 12 Jeff Kowalczyk 2007-04-24 21:01:07 UTC
I got firehol working on 2.6.20-r6 by enabling everything under CONFIG_NETFILTER_XT_[TARGET|MATCH]_* and CONFIG_NF_CT_NETLINK.

If a comprehensive list of kernel CONFIGs required or optionally used by firehol can be obtained, the ebuild should check at configure time, as demonstrated in media-tv/ivtv-0.10.1-r1, which inherits from eclass linux-mod. Perhaps firehol should too, since its runtime behaviour is directly tied to the presence of specific modules or compiled-in support.

This bug can be closed pending documentation (I've asked on the firehol list) and/or configure-time CONFIG checks.
Comment 13 Jeff Kowalczyk 2007-04-24 21:03:50 UTC
Created attachment 117180 [details, diff]
diff to add CONFIGs to get firehol working

This shows the specific missing CONFIGs that caused the behavior described in the bug. Diff against (something similar to) attachment: firehol-nonworking intel server config
Comment 14 Mike Nerone 2007-05-01 01:40:21 UTC
Just to help out, yes, this is related to a kernel change (in 2.6.20 I believe). An alternative to the old IP_NF_* conntrack system was implemented, and is now Layer-3 independent. In the kernel config, you can still choose the old method, but the default is to use the new one, which has all the changed names (no "IP_" in them anymore).

You can specify the old way at the following location in the kernel config:

Networking->Networking Options->Network packet filtering framework->Netfilter connection tracking support

If you choose the old one ("Layer 3 Dependent Connection tracking"), my guess is that firehol will work without complaint, but I haven't tested that.

Note: at least for me, though firehol complains with the new names, it does indeed work as long as you have all of the conntrack stuff compiled into the kernel instead of using loadable modules.
Comment 15 Costa Tsaousis 2007-06-08 12:01:56 UTC
Hi,

FireHOL v1.256 works with BASH 3.2 and kernels 2.6.20+.

Regarding kernel configuration, since various services of FireHOL may require different kernel modules, it is advised that the kernel should either have all iptables modules compiled built-in or as modules (modules are preferred). This simple rule will allow FireHOL to run without issues.

Keep in mind that the v1.256 ebuild patches FireHOL, changing a few printf statements to make it BASH 3.2 compatible. This is wrong (it was a wrong approach from the beginning), will break FireHOL in certain cases, and is no longer needed (since FireHOL v1.256 is BASH 3.2 friendly).

Finally, FireHOL v1.256 is stable and all users should be advised to upgrade to this version.

Regards,

Costa Tsaousis

Comment 16 Jakub Moc (RETIRED) gentoo-dev 2007-10-10 16:57:47 UTC
Zero response from maintainer; re-assigning.
Comment 17 Dominik Stadler (RETIRED) gentoo-dev 2007-10-27 21:22:14 UTC
I am still trying to maintain firehol, although I was busy with other things lately. 

Costa, do you have a list of kernel-config options that we could check? I am experimenting with the CONFIG_CHECK functionality in the ebuild, but am not sure which ones we should check.
Comment 18 Costa Tsaousis 2007-10-27 23:31:39 UTC
As I said, all of netfilter should be present.

These are required to at least use the very basics of firehol (2.6.22-gentoo-r8):

NF_CONNTRACK_ENABLED
NF_CONNTRACK_IPV4
NF_CONNTRACK_MARK
IP_NF_IPTABLES
IP_NF_FILTER
IP_NF_TARGET_REJECT
IP_NF_TARGET_LOG
IP_NF_TARGET_ULOG
NF_NAT
IP_NF_TARGET_MASQUERADE
IP_NF_TARGET_REDIRECT
IP_NF_MANGLE

Firehol will complain if a feature used in the config is not present in the kernel.

Users should be advised to have all of netfilter compiled as modules.

Costa
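A small pre-flight check, added here as an example and not code from the bug, from FireHOL or from its ebuild: it reads a kernel config file and reports which of the options listed in this comment are neither built in nor modules, the same check the ebuild's CONFIG_CHECK warning performs. Function names are mine, and the sample config at the end is constructed for the demo (it deliberately lacks three options).

```shell
#!/bin/sh
# Added example (not from the bug, FireHOL or its ebuild): report which of
# the kernel options Costa lists above are absent from a kernel config.

# Options required for the basics of firehol, as listed in comment 18.
FIREHOL_REQUIRED_CONFIGS="NF_CONNTRACK_ENABLED NF_CONNTRACK_IPV4 NF_CONNTRACK_MARK
IP_NF_IPTABLES IP_NF_FILTER IP_NF_TARGET_REJECT IP_NF_TARGET_LOG IP_NF_TARGET_ULOG
NF_NAT IP_NF_TARGET_MASQUERADE IP_NF_TARGET_REDIRECT IP_NF_MANGLE"

# config_state FILE OPTION: prints y (built in), m (module) or n (absent).
# Config lines read CONFIG_FOO=y, CONFIG_FOO=m or "# CONFIG_FOO is not set";
# the trailing "=" keeps CONFIG_NF_NAT from matching CONFIG_NF_NAT_NEEDED.
config_state() {
    value=$(grep "^CONFIG_$2=" "$1" | head -n 1 | cut -d= -f2)
    case "$value" in
        y|m) printf '%s\n' "$value" ;;
        *)   printf 'n\n' ;;
    esac
}

# check_firehol_configs FILE: prints one "missing: CONFIG_..." line per
# absent option and returns non-zero if anything is missing, so it can
# gate an init script or a pkg_setup the way the ebuild warning does.
check_firehol_configs() {
    missing=0
    for opt in $FIREHOL_REQUIRED_CONFIGS; do
        if [ "$(config_state "$1" "$opt")" = n ]; then
            echo "missing: CONFIG_$opt"
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# running_kernel_config: writes the running kernel's config to stdout,
# trying /proc/config.gz first (which the firehol run in comment 7 also
# reads) and then /boot/config-$(uname -r); returns 1 if neither exists.
running_kernel_config() {
    if [ -r /proc/config.gz ]; then
        gzip -dc /proc/config.gz
    elif [ -r "/boot/config-$(uname -r)" ]; then
        cat "/boot/config-$(uname -r)"
    else
        return 1
    fi
}

# write_sample_config FILE: constructed config for offline testing; NF_NAT,
# NF_CONNTRACK_MARK and IP_NF_TARGET_ULOG are deliberately left unset.
write_sample_config() {
    cat > "$1" <<'EOF'
CONFIG_NF_CONNTRACK_ENABLED=m
CONFIG_NF_CONNTRACK=m
# CONFIG_NF_CONNTRACK_MARK is not set
CONFIG_NF_CONNTRACK_IPV4=m
CONFIG_IP_NF_IPTABLES=m
CONFIG_IP_NF_FILTER=m
CONFIG_IP_NF_TARGET_REJECT=m
CONFIG_IP_NF_TARGET_LOG=m
# CONFIG_IP_NF_TARGET_ULOG is not set
# CONFIG_NF_NAT is not set
CONFIG_NF_NAT_NEEDED=y
CONFIG_IP_NF_TARGET_MASQUERADE=m
CONFIG_IP_NF_TARGET_REDIRECT=m
CONFIG_IP_NF_MANGLE=m
EOF
}
```

Against a live machine, run `running_kernel_config > /tmp/kconfig && check_firehol_configs /tmp/kconfig`; a non-zero exit with the printed list tells you which option to enable before firehol's own runtime errors appear.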
Comment 19 Dominik Stadler (RETIRED) gentoo-dev 2007-11-05 14:10:01 UTC
I have now added version 2.256-r1 which adds a check for the minimum required kernel parameters. It currently only prints out a warning; we can make this an error in the future if this works out.

Please report new bugs for other parameters that should be checked as well. 
Comment 20 Dominik Stadler (RETIRED) gentoo-dev 2007-11-05 14:11:24 UTC
Typo, new version is 1.256-r1 ...
Comment 21 Matthias M Weber 2007-11-05 17:55:34 UTC
(In reply to comment #20)
> Typo, new version is 1.256-r1 ...
> 

Installation of firehol-1.256-r1 failed on my system with the following error report:

>>> Install firehol-1.256-r1 into /data/portage/net-firewall/firehol-1.256-r1/image/ category net-firewall
/usr/lib64/portage/bin/newconfd: Need two arguments, old file and new file
 * 
 * ERROR: net-firewall/firehol-1.256-r1 failed.
 * Call stack:
 *                 ebuild.sh, line 1696:  Called dyn_install
 *                 ebuild.sh, line 1133:  Called qa_call 'src_install'
 *                 ebuild.sh, line   44:  Called src_install
 *   firehol-1.256-r1.ebuild, line   64:  Called die
 * The specific snippet of code:
 *      newconfd "${FILESDIR}/firehol.conf.d firehol" || die
 *  The die message:
 *   (no error message)
 *