firehol-1.250 fails to start with kernel 2.6.20 producing a lot of errors like the following (iptables module and firehol.conf settings are the same as for kernel 2.6.19):

--------------------------------------------------------------------------------
ERROR   : # 181.
WHAT    : A runtime command failed to execute (returned error 1).
SOURCE  : line 170 of /etc/firehol/firehol.conf
COMMAND : /sbin/iptables -t filter -A in_interface4_smtp_s7 -p tcp --sport 1024:65535 --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT
OUTPUT  :
--------------------------------------------------------------------------------
ERROR   : # 182.
WHAT    : A runtime command failed to execute (returned error 1).
SOURCE  : line 170 of /etc/firehol/firehol.conf
COMMAND : /sbin/iptables -t filter -A out_interface4_smtp_s7 -p tcp --sport 25 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
OUTPUT  :
--------------------------------------------------------------------------------
ERROR   : # 183.
WHAT    : A runtime command failed to execute (returned error 1).
SOURCE  : line 171 of /etc/firehol/firehol.conf
COMMAND : /sbin/iptables -t filter -A in_interface4_ssh_s8 -p tcp --sport 1024:65535 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
OUTPUT  :
--------------------------------------------------------------------------------
ERROR   : # 184.
WHAT    : A runtime command failed to execute (returned error 1).
SOURCE  : line 171 of /etc/firehol/firehol.conf
COMMAND : /sbin/iptables -t filter -A out_interface4_ssh_s8 -p tcp --sport 22 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
OUTPUT  :

Reproducible: Always
I'm still maintaining firehol.
I fear that this is outside of firehol as it is just a shell script that calls other applications, in this case iptables. Can you please provide your firehol.conf, maybe anonymized to avoid giving away any of your IP details.
Created attachment 110916: firehol.conf as requested

Comment on attachment 110916 (firehol.conf as requested):
As I'm definitely not an expert I used the automatic configuration tool (helpme) to produce a firehol.conf which was sufficient for my purpose. I run iptables-1.3.7.
I have been trying to tackle this issue for a few days now; unfortunately I am not a real expert in iptables (that's the reason why I chose firehol in the first place: to not have to play around with iptables). I see the following:

# firehol stop
gzcat: /proc/config.gz already has .gz suffix -- unchanged
FireHOL: Clearing Firewall: OK
# /sbin/iptables -N out_world
# /sbin/iptables -A OUTPUT -j out_world
# /sbin/iptables -A out_world -m state --state RELATED -j ACCEPT
iptables: No chain/target/match by that name

Can anybody with more iptables knowledge comment on this? Shouldn't this work, as I am creating a CHAIN, linking it to OUTPUT and then adding a rule to the chain? Could it be that we are missing something in the kernel configuration? Wouldn't this indicate a problem with iptables?
(In reply to comment #5) Sorry that I cannot help you as I also don't know anything about iptables; however, is this problem interrelated to bug #166201?
I upgraded to kernel gentoo-sources-2.6.20-r2, now it seems to work better. Can you please retry with this version? And can you also try to make your firehol.conf file smaller? I have trouble testing with your file as I don't use vmware here and I also don't have multiple subnets. Please remove as much as possible where you still get the error so we can narrow this down a bit.
(In reply to comment #7) With gentoo-sources-2.6.20-r2 firehol starts without any problems. I can use my old firehol.conf without modifications. Sorry that I didn't upgrade earlier.
No problem, I was hit by the same problem. Don't know what was fixed in the sources to get rid of this, though. Closing this WORKSFORME now as I didn't need to fix anything in firehol.
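Added example, not code from this bug report or from firehol: a POSIX sh pre-check that pulls the `-m <match>` names out of a FireHOL error report (or any dump of iptables commands) and compares them with the matches the running kernel has registered, which is what "No chain/target/match by that name" in comments #0 and #5 points at. A firewall that only half-loads can leave a host less protected than its administrator believes, so the check is meant to run before `firehol start`. The default path /proc/net/ip_tables_matches and the file arguments are assumptions of this example.

```shell
#!/bin/sh
# Added pre-check (not part of firehol): find out which iptables matches a
# ruleset needs and whether the running kernel has them registered, so a
# ruleset that would only partially load is caught before it is applied.
# "No chain/target/match by that name" is what iptables prints when a
# match such as "state" is not available in the kernel.

# matches_used RULES: print, one per line and de-duplicated, every name
# that follows "-m" in the iptables commands found in RULES (a FireHOL
# error report or an iptables-save dump).
matches_used() {
    grep -o -- '-m [a-z_]*' "$1" | awk '{ print $2 }' | sort -u
}

# check_ruleset REGISTERED RULES: REGISTERED lists the matches the kernel
# knows, one per line, in the format of /proc/net/ip_tables_matches
# (present once ip_tables is loaded). Returns 0 when every match RULES
# uses is registered, 1 otherwise, naming the missing ones on stderr.
check_ruleset() {
    missing=$(matches_used "$2" | while read -r m; do
        grep -qx "$m" "$1" || printf '%s\n' "$m"
    done)
    [ -z "$missing" ] && return 0
    for m in $missing; do
        printf 'match not registered with kernel: %s\n' "$m" >&2
    done
    return 1
}

# main RULES [REGISTERED]: check a ruleset against the live kernel by
# default. The default path is an assumption about where the kernel
# exposes the list; pass a captured copy as the second argument instead.
main() {
    registered=${2:-/proc/net/ip_tables_matches}
    if [ ! -r "$registered" ]; then
        echo "cannot read $registered: is ip_tables loaded?" >&2
        return 2
    fi
    check_ruleset "$registered" "$1" && echo "all matches in $1 are registered"
}

if [ $# -gt 0 ]; then
    main "$@"
fi
```

Run it as `sh check_matches.sh firehol-error-report.txt` on the affected host; a non-zero exit with the missing match named tells you which kernel module (for `state`, the state match module) is absent before the firewall is touched.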