Hello All!,
I'm a new user of firehol and i faced a little problem as i cannot connect to my work vpn server from my home lan!

My configuration is :
raspberry pi configured as router with 3 interfaces. eth0 (my local internal lan) wlan0 (my wireless lan ) and eth1 (my internet gw)

eth0 is connected on a switch and eth1 is connected back to back with my ISP modem. For the routing i use "firehol" and as i try to find the problem i have open everything but i still cannot find any solution.

my firehol conf is :

#====================================================
#MASQUERADE
masquerade "eth1"

# INTERFACE FOR INTERNAL NETWORK

interface "eth0" LAN
server all accept
client all accept

#====================================================

# INTERFACE FOR INTERNET

interface "eth1" INET
server all accept
client all accept

#===================================================

# INTERFACE FOR WIFI

interface "wlan0" WLAN
server all accept
client all accept


#ROUTING RULES
router LAN2INET inface "eth0" outface "eth1"
server all accept
client all accept


router WLAN2INET inface "wlan0" outface "eth1"
server all accept
client all accept

router LAN2WLAN inface "eth0" outface "wlan0"
server all accept
client all accept



The firehol logs look like this:

Feb 28 23:23:49 RouterPi kernel: [89944.202440] 'firehol: PASS-unknown:'IN=wlan0 OUT=eth1 MAC=48:5d:60:1f:93:17:00:24:2b:0f:ce:e8:08:00 SRC=192.168.11.151 DST=83.235.x.x LEN=57 TOS=0x00 PREC=0x00 TTL=127 ID=8993 PROTO=47
Feb 28 23:23:52 RouterPi kernel: [89947.202723] 'firehol: PASS-unknown:'IN=wlan0 OUT=eth1 MAC=48:5d:60:1f:93:17:00:24:2b:0f:ce:e8:08:00 SRC=192.168.11.151 DST=83.235.x.x LEN=57 TOS=0x00 PREC=0x00 TTL=127 ID=8996 PROTO=47
Feb 28 23:23:56 RouterPi kernel: [89951.203041] 'firehol: PASS-unknown:'IN=wlan0 OUT=eth1 MAC=48:5d:60:1f:93:17:00:24:2b:0f:ce:e8:08:00 SRC=192.168.11.151 DST=83.235.x.x LEN=57 TOS=0x00 PREC=0x00 TTL=127 ID=9000 PROTO=47
Feb 28 23:23:56 RouterPi kernel: [89951.325564] 'firehol: PASS-unknown:'IN=wlan0 OUT=eth1 MAC=48:5d:60:1f:93:17:00:24:2b:0f:ce:e8:08:00 SRC=192.168.11.151 DST=83.235.x.x LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=9002 PROTO=47
Feb 28 23:24:00 RouterPi kernel: [89955.200442] 'firehol: PASS-unknown:'IN=wlan0 OUT=eth1 MAC=48:5d:60:1f:93:17:00:24:2b:0f:ce:e8:08:00 SRC=192.168.11.151 DST=83.235.x.x LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=9007 PROTO=47

Please can anyone help with this??
thank you!

Hi

The problem is that to FireHOL, "all" means anything that the connection tracker sees as NEW/ESTABLISHED/RELATED. From your logs your VPN use GRE, protocol 47 which I guess the connection tracker does not handle (it mostly does tcp/udp).

Try setting up a rule with service "any" or "anystateless" for protocol 57, see the online documentation. Unfortunately I cannot post a link as I have only just joined LinuxQuestions.

Hope that helps, if not, can I suggest you may encounter people who know more about this on the FireHOL mailing list... again I cannot link but it should be easy enough to find.

Kind Regards
Phil

Thank you for your help ! But finally i managed to connect to the vpn through firehol. The tricky point was the the firehol does not activate all service ports by "server all accept, or client all accept) thats why i could not connect and firehol blocked me. by default the "pptp service port not include to the sum of services defined by "all" so i have to add the line


ALL_SHOULD_ALSO_RUN="${ALL_SHOULD_ALSO_RUN} pptp"



in the begging of the firehol.conf. thats it!