With "group with dst" in the config file, it generates rules such as:

-A in_public -d $ip -j in_group1
-A out_public -s $ip -j out_group2

This makes it check only the source IP for outgoing and the destination for incoming, but using the IP of the requested destination. The result is that no packets may go through for this case.

Reproducible: Always

Steps to Reproduce:
Upstream bug submitted at http://sourceforge.net/tracker/index.php?func=detail&aid=1685505&group_id=58425&atid=487692
Created attachment 114011 [details, diff] check "group with" direction to create correct firewall rules
This is fixed in 1.250-r1 which will be available on the mirrors soon.
Please note that at the upstream bug submission URL in comment #1, the author does not believe this to be a bug.
This patch broke "group with". Example (output captured from "firehol debug", with IPs changed to protect the innocent, or even me):

firehol-1.250, CORRECT:

# === CONFIGURATION STATEMENT =================================================
# CONF:INIT>>> group with dst 1.2.3.4
# INFO>>> Starting new group No 1, under 'main'
# INFO>>> Creating chain 'in_group1' under 'in_main' in table 'filter'
/sbin/iptables -t filter -N in_group1
/sbin/iptables -t filter -A in_main -d 1.2.3.4 -j in_group1
# INFO>>> Creating chain 'out_group1' under 'out_main' in table 'filter'
/sbin/iptables -t filter -N out_group1
/sbin/iptables -t filter -A out_main -s 1.2.3.4 -j out_group1

firehol-1.250-r1, BROKEN:

# === CONFIGURATION STATEMENT =================================================
# CONF:INIT>>> group with dst 1.2.3.4
# INFO>>> Starting new group No 1, under 'main'
# INFO>>> Creating chain 'in_group1' under 'in_main' in table 'filter'
/sbin/iptables -t filter -N in_group1
/sbin/iptables -t filter -A in_main -s 1.2.3.4 -j in_group1
# INFO>>> Creating chain 'out_group1' under 'out_main' in table 'filter'
/sbin/iptables -t filter -N out_group1
/sbin/iptables -t filter -A out_main -d 1.2.3.4 -j out_group1

Consider the input side for the moment: as you can see, when clearly using "group with" to apply only to a *destination* of 1.2.3.4 (this box has multiple IPs and this group is for services I want only accessible on 1.2.3.4), firehol-1.250-r1 generates an input rule with "-s 1.2.3.4", checking only the source address. The mirror mistake is made on the output side. firehol-1.250 did it correctly. This mistake ended up cutting off all access to my server.
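A small check, added here as an example and not part of firehol or of this bug report, that parses "firehol debug" output and flags any jump-to-group rule whose -s/-d flag disagrees with the group's "with src|dst" keyword. It encodes the mapping the 1.250 listing in the previous comment shows as correct (dst: -d on in_ chains, -s on out_ chains; src is the mirror) and runs it over two constructed samples modelled on that comment's listings. The regexes assume the line shapes shown there; the function names expected_flag and check_group_rules are this example's own. Running such a check before "firehol start" would have caught the swapped rules that cut off access.

```python
import re

# Constructed sample "firehol debug" output, modelled on the two listings in
# the comment above (same IP). Not real captured output.
FIREHOL_1_250 = """\
# CONF:INIT>>> group with dst 1.2.3.4
# INFO>>> Starting new group No 1, under 'main'
/sbin/iptables -t filter -N in_group1
/sbin/iptables -t filter -A in_main -d 1.2.3.4 -j in_group1
/sbin/iptables -t filter -N out_group1
/sbin/iptables -t filter -A out_main -s 1.2.3.4 -j out_group1
"""

FIREHOL_1_250_R1 = """\
# CONF:INIT>>> group with dst 1.2.3.4
# INFO>>> Starting new group No 1, under 'main'
/sbin/iptables -t filter -N in_group1
/sbin/iptables -t filter -A in_main -s 1.2.3.4 -j in_group1
/sbin/iptables -t filter -N out_group1
/sbin/iptables -t filter -A out_main -d 1.2.3.4 -j out_group1
"""

# "group with src|dst IP" statement echoed by firehol debug (assumed shape).
GROUP_RE = re.compile(r"^# CONF:INIT>>> group with (src|dst) (\S+)\s*$")
# The rule that jumps from the parent chain into the group chain (assumed shape).
JUMP_RE = re.compile(
    r"^\S*iptables -t filter -A (in|out)_\S+ (-s|-d) (\S+) -j (in|out)_group\d+\s*$"
)


def expected_flag(keyword, chain):
    """Address-match flag a 'group with <keyword>' jump should carry on the
    given chain direction. 'dst' names the packet's destination, so on an
    inbound chain it is -d and on an outbound chain -s; 'src' is the mirror."""
    if keyword == "dst":
        return "-d" if chain == "in" else "-s"
    return "-s" if chain == "in" else "-d"


def check_group_rules(debug_output):
    """Return a list of (chain, expected_flag, actual_flag, rule_line) for every
    jump-to-group rule that disagrees with the most recent 'group with'
    statement. An empty list means the generated rules match the config."""
    problems = []
    current = None  # (keyword, ip) of the last "group with" statement seen
    for line in debug_output.splitlines():
        m = GROUP_RE.match(line)
        if m:
            current = m.groups()
            continue
        m = JUMP_RE.match(line)
        if not m or current is None:
            continue
        chain, flag, ip, jump_dir = m.groups()
        keyword, group_ip = current
        if ip != group_ip:
            continue  # jump for some other address; not this group's statement
        want = expected_flag(keyword, chain)
        # An in_ chain must jump to an in_group, and the flag must match the keyword.
        if flag != want or chain != jump_dir:
            problems.append((chain, want, flag, line))
    return problems


if __name__ == "__main__":
    for label, text in (("1.250", FIREHOL_1_250), ("1.250-r1", FIREHOL_1_250_R1)):
        bad = check_group_rules(text)
        status = "ok" if not bad else "%d rule(s) disagree with the group keyword" % len(bad)
        print("firehol-%s: %s" % (label, status))
        for chain, want, got, rule in bad:
            print("  %s chain: expected %s, got %s: %s" % (chain, want, got, rule))
```

The check only looks at the jump from the parent chain into the group chain, which is the line the two listings differ on; rules inside the group chain itself are left alone because "group with" does not rewrite them.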
BTW, at the upstream bug report (http://sourceforge.net/tracker/index.php?func=detail&aid=1685505&group_id=58425&atid=487692), the author clearly explains why this "bug" is a result of a fundamental misunderstanding by the user, and is not a bug at all.
FYI, see Bug 176862 for the issue with this patch.