Bug 310797 - net-firewall/firehol-1.273-r1 : Missing kernel config checks
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: New packages
Hardware: All Linux
Importance: High major
Assignee: No maintainer - Look at https://wiki.gentoo.org/wiki/Project:Proxy_Maintainers if you want to take care of it
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2010-03-22 21:29 UTC by Phil Koenig
Modified: 2012-04-02 20:29 UTC
CC List: 1 user

See Also:
Package list:
Runtime testing required: ---


Description Phil Koenig 2010-03-22 21:29:23 UTC
Hello!

I've installed firehol and I'm using the standard configuration.
/etc/firehol/firehol.conf:
version 5

# Accept all client traffic on any interface
interface any world
        client all accept

Every time I start firehol I get the following error messages:

ERROR   : # 1.
WHAT    : A runtime command failed to execute (returned error 2).
SOURCE  : line 17 of /etc/firehol/firehol.conf
COMMAND : /sbin/iptables -t filter -A out_world_all_c1 -m state '' --state NEW\,ESTABLISHED -j ACCEPT
OUTPUT  :
--------------------------------------------------------------------------------
ERROR   : # 2.
WHAT    : A runtime command failed to execute (returned error 2).
SOURCE  : line 17 of /etc/firehol/firehol.conf
COMMAND : /sbin/iptables -t filter -A in_world_all_c1 -m state '' --state ESTABLISHED -j ACCEPT
OUTPUT  :
--------------------------------------------------------------------------------
ERROR   : # 3.
WHAT    : A runtime command failed to execute (returned error 2).
SOURCE  : line 17 of /etc/firehol/firehol.conf
COMMAND : /sbin/iptables -t filter -A out_world_irc_c2 -p tcp --sport 32768:61000 --dport 6667 -m state '' --state NEW\,ESTABLISHED -j ACCEPT
OUTPUT  :
--------------------------------------------------------------------------------
ERROR   : # 4.
WHAT    : A runtime command failed to execute (returned error 2).
SOURCE  : line 17 of /etc/firehol/firehol.conf
COMMAND : /sbin/iptables -t filter -A in_world_irc_c2 -p tcp --sport 6667 --dport 32768:61000 -m state '' --state ESTABLISHED -j ACCEPT
OUTPUT  :
(it's a long list... but the messages are still the same)

I think that the problem lies with the bash version (4.x).

emerge --info:

Portage 2.1.8.3 (default/linux/x86/10.0/desktop, gcc-4.4.3, glibc-2.11-r1, 2.6.34-rc2 i686)
=================================================================
System uname: Linux-2.6.34-rc2-i686-Intel-R-_Atom-TM-_CPU_N270_@_1.60GHz-with-gentoo-2.0.1
Timestamp of tree: Mon, 22 Mar 2010 17:45:01 +0000
distcc 3.1 i686-pc-linux-gnu [disabled]
app-shells/bash:     4.1_p2
dev-java/java-config: 2.1.10
dev-lang/python:     2.6.4-r1
dev-util/cmake:      2.8.0-r2
sys-apps/baselayout: 2.0.1
sys-apps/openrc:     0.6.0-r1
sys-apps/sandbox:    2.2
sys-devel/autoconf:  2.13, 2.65
sys-devel/automake:  1.9.6-r3, 1.10.3, 1.11.1
sys-devel/binutils:  2.20.1
sys-devel/gcc:       4.4.3
sys-devel/gcc-config: 1.4.1
sys-devel/libtool:   2.2.6b
virtual/os-headers:  2.6.33
ACCEPT_KEYWORDS="x86 ~x86"
ACCEPT_LICENSE="* -@EULA"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -march=core2 -mtune=generic -mssse3 -mfpmath=sse -fomit-frame-pointer -pipe"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/X11/xkb"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/env.d/java/ /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo"
CXXFLAGS="-O2 -march=core2 -mtune=generic -mssse3 -mfpmath=sse -fomit-frame-pointer -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="assume-digests distlocks fixpackages news parallel-fetch protect-owned sandbox sfperms strict unmerge-logs unmerge-orphans userfetch"
GENTOO_MIRRORS="ftp://gentoo.inode.at/source/ ftp://ftp.uni-erlangen.de/pub/mirrors/gentoo ftp://ftp.tu-clausthal.de/pub/linux/gentoo/ http://ftp6.uni-erlangen.de/pub/mirrors/gentoo "
LDFLAGS="-Wl,-O1"
MAKEOPTS="-j3"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://rsync.europe.gentoo.org/gentoo-portage"
USE="X a52 aac acl acpi alsa arts bash-completion berkdb branding bzip2 cairo cdparanoia cdr cli consolekit cracklib crypt cups cxx dbus dmx dri dts dvd dvdr emboss emerald encode evo faac faad fam fat ffmpeg firefox flac fortran freetype fts3 fuse gdbm gif gnutls gpm gstreamer gtk hal hfs iconv ipv6 java javascript jfs jpeg lame ldap libnotify lock mad mdnsresponder-compat mikmod mmx mng modules mozilla mp3 mp4 mpeg mplayer mudflap ncurses nls nptl nptlonly ntfs ogg oggvorbis opengl openmp pam pcre pdf perl png ppds pppd python qt3support quicktime readline reflection scanner sdl session snmp sockets spell spl sqlite sqlite3 sse sse2 ssl startup-notification subversion svg sysfs tcpd theora tiff truetype unicode unsupported usb video vnc vorbis win32codecs x264 x86 xfs xml xorg xulrunner xv xvid zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1 emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" ELIBC="glibc" INPUT_DEVICES="evdev synaptics mouse keyboard" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" RUBY_TARGETS="ruby18" USERLAND="GNU" VIDEO_CARDS="intel" 
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, FFLAGS, INSTALL_MASK, LANG, LC_ALL, LINGUAS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS

So if anybody got a patch for this, please attach it!

Thank you!

Kind regards,

Phil


Reproducible: Always

Steps to Reproduce:
1. emerge net-firewall/firehol
2. use the standard configuration
3. Open terminal (root) and run "/etc/init.d/firehol start"

Actual Results:  
Lots of error messages.

Expected Results:  
Run correctly.
Comment 1 Tom Knight (RETIRED) gentoo-dev 2010-06-07 08:49:00 UTC
The problem is not with bash, the problem is that you need extra kernel options enabled.

With the default firehol config you need the following built in:
CONFIG_NETFILTER_XT_MATCH_LIMIT
CONFIG_NETFILTER_XT_MATCH_STATE

Also, to prevent the warnings when starting, these two need to be enabled as modules (you will still get the warning if they are built-in):
CONFIG_NF_NAT_FTP
CONFIG_NF_NAT_IRC

These are all found in:
Networking support | Networking options | Network packet filtering framework (Netfilter) | Core Netfilter Configuration

So the bug here is that the check in the ebuild for the kernel options should also include these ones.
Comment 2 Tyler Montbriand 2010-08-13 20:39:28 UTC
Firehol also needs CONFIG_NETFILTER_XT_MATCH_OWNER for some firewalls, specifically when forwarding web requests to squid transparently.
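The kernel-option check that comments 1 and 2 ask the ebuild to perform, written out as an added example that is not part of this bug, of FireHOL, or of the Gentoo ebuild (an ebuild would express the same list through CONFIG_CHECK in linux-info.eclass). It is a POSIX shell script that reads any .config-style file and reports, per option, whether it is built in (=y), a module (=m) or unset, treating the three groups the way the two comments describe them. The function names config_state, check_kernel_config and running_kernel_config, the exact report wording, and the .config fragment it runs on are this example's own constructions; the fragment is made up to exercise the failure cases, not copied from the reporter's kernel.

```shell
#!/bin/sh
# Added example, not FireHOL's or the Gentoo ebuild's own code: check a kernel
# .config for the Netfilter options that comments 1 and 2 say firehol needs,
# distinguishing built-in (=y), module (=m) and unset.

# Per comment 1: needed built in for the default firehol.conf.
REQUIRED_BUILTIN="NETFILTER_XT_MATCH_LIMIT NETFILTER_XT_MATCH_STATE"
# Per comment 1: wanted as modules; built in still works but firehol warns at start.
WANTED_MODULE="NF_NAT_FTP NF_NAT_IRC"
# Per comment 2: only some rule sets need it (transparent forwarding to squid).
OPTIONAL="NETFILTER_XT_MATCH_OWNER"

# config_state FILE OPTION: print y, m or n for CONFIG_<OPTION> in FILE.
# "# CONFIG_FOO is not set" lines and absent options both yield n.
config_state() {
    state=$(sed -n "s/^CONFIG_$2=\([ym]\)\$/\1/p" "$1" | head -n 1)
    printf '%s\n' "${state:-n}"
}

# check_kernel_config FILE: print one report line per option. Returns 1 if any
# REQUIRED_BUILTIN option is unset (the iptables "-m state" rules in the
# report would fail), 0 otherwise; module-vs-built-in mismatches only warn.
check_kernel_config() {
    cfg=$1
    rc=0
    for opt in $REQUIRED_BUILTIN; do
        case $(config_state "$cfg" "$opt") in
            y) echo "ok      CONFIG_$opt built in" ;;
            m) echo "WARNING CONFIG_$opt is a module; comment 1 asks for built in" ;;
            *) echo "ERROR   CONFIG_$opt not set; firehol's state/limit rules cannot load"; rc=1 ;;
        esac
    done
    for opt in $WANTED_MODULE; do
        case $(config_state "$cfg" "$opt") in
            m) echo "ok      CONFIG_$opt module" ;;
            y) echo "WARNING CONFIG_$opt built in; firehol still warns at start" ;;
            *) echo "WARNING CONFIG_$opt not set; NAT helper unavailable" ;;
        esac
    done
    for opt in $OPTIONAL; do
        case $(config_state "$cfg" "$opt") in
            y|m) echo "ok      CONFIG_$opt available" ;;
            *)   echo "note    CONFIG_$opt not set; only needed for owner-match rules" ;;
        esac
    done
    return $rc
}

# running_kernel_config: print the path of a readable config for the running
# kernel, extracting /proc/config.gz to a temporary file when that is all there is.
running_kernel_config() {
    if [ -r /proc/config.gz ]; then
        tmp=$(mktemp) && zcat /proc/config.gz > "$tmp" && printf '%s\n' "$tmp"
    elif [ -r "/boot/config-$(uname -r)" ]; then
        printf '%s\n' "/boot/config-$(uname -r)"
    elif [ -r /usr/src/linux/.config ]; then
        printf '%s\n' /usr/src/linux/.config
    else
        return 1
    fi
}

# Demonstration on a constructed .config fragment (made up for this example):
# the state match is unset, one NAT helper is built in instead of being a module.
sample=$(mktemp)
cat > "$sample" <<'EOF'
CONFIG_NETFILTER=y
CONFIG_NETFILTER_XT_MATCH_LIMIT=y
# CONFIG_NETFILTER_XT_MATCH_STATE is not set
CONFIG_NF_NAT_FTP=y
CONFIG_NF_NAT_IRC=m
# CONFIG_NETFILTER_XT_MATCH_OWNER is not set
EOF
check_kernel_config "$sample" || echo "kernel config check failed (rc=$?)"
rm -f "$sample"
```

To check the kernel you are actually running rather than the constructed fragment, call `check_kernel_config "$(running_kernel_config)"` as root; a non-zero exit means at least one of the options from comment 1 is missing and firehol will fail the way the report shows.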
Comment 3 Pacho Ramos gentoo-dev 2012-04-02 20:29:06 UTC
+*firehol-1.273-r2 (02 Apr 2012)
+
+  02 Apr 2012; Pacho Ramos <pacho@gentoo.org>
+  +files/firehol-1.273-log-output.patch, +firehol-1.273-r2.ebuild:
+  Add missing kernel checks (#310797 by Phil Koenig, Tom Knight, Tyler
+  Montbriand), use static and fixed RESERVED_IPS file (#332135 by Richard Gray),
+  handle errors better (#332507 by Tyler Montbriand).
+