Package: firehol
Version: 1.256-4
Severity: important

Hello,

Since an upgrade from linux-image-2.6.26-1-686 2.6.26-8 to 2.6.26-9, when Firehol is activated, I cannot connect to an OpenVPN network anymore. Here is what syslog says when I launch OpenVPN with Firehol started:

Oct 19 15:42:30 baudelaire ovpn-myvpn[11762]: Control Channel Authentication: using 'user/my.key' as a OpenVPN static key file
Oct 19 15:42:30 baudelaire ovpn-myvpn[11762]: Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Oct 19 15:42:30 baudelaire ovpn-myvpn[11762]: Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Oct 19 15:42:30 baudelaire ovpn-myvpn[11762]: Control Channel MTU parms [ L:1591 D:168 EF:68 EB:0 ET:0 EL:0 ]
Oct 19 15:42:30 baudelaire ovpn-myvpn[11762]: Data Channel MTU parms [ L:1591 D:1450 EF:59 EB:4 ET:32 EL:0 ]
Oct 19 15:42:30 baudelaire ovpn-myvpn[11762]: Local Options hash (VER=V4): 'b8d42479'
Oct 19 15:42:30 baudelaire ovpn-myvpn[11762]: Expected Remote Options hash (VER=V4): '173d8fc4'
Oct 19 15:42:30 baudelaire ovpn-myvpn[11764]: NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
Oct 19 15:42:30 baudelaire ovpn-myvpn[11764]: Attempting to establish TCP connection with 42.42.42.42:7777 [nonblock]
Oct 19 15:42:33 baudelaire ovpn-myvpn[11764]: TCP: connect to 42.42.42.42:7777 failed, will try again in 5 seconds: Connection refused
Oct 19 15:42:41 baudelaire ovpn-myvpn[11764]: TCP: connect to 42.42.42.42:7777 failed, will try again in 5 seconds: Connection refused
Oct 19 15:42:49 baudelaire ovpn-myvpn[11764]: TCP: connect to 42.42.42.42:7777 failed, will try again in 5 seconds: Connection refused

My firehol.conf is simple and looks like this:

---- begin of firehol.conf ----
version 5
FIREHOL_LOG_MODE=ULOG

interface eth0 interface_eth0
    ## Doesn't work even if these two lines are commented.
    protection strong
    policy reject

    server icmp accept
    client all accept

interface tap0 myvpn
    ## Doesn't work even if these two lines are commented.
    protection strong
    policy reject

    server icmp accept
    client all accept
---- end of firehol.conf ----

Here is the output of iptables -L:

Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
in_interface_eth0  all  --  anywhere             anywhere
in_myvpn   all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere            state RELATED
ULOG       all  --  anywhere             anywhere            limit: avg 1/sec burst 5 ULOG copy_range 0 nlgroup 1 prefix `'IN-unknown:'' queue_threshold 1
DROP       all  --  anywhere             anywhere

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED
ULOG       all  --  anywhere             anywhere            limit: avg 1/sec burst 5 ULOG copy_range 0 nlgroup 1 prefix `'PASS-unknown:'' queue_threshold 1
DROP       all  --  anywhere             anywhere

Chain OUTPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
out_interface_eth0  all  --  anywhere             anywhere
out_myvpn  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere            state RELATED
ULOG       all  --  anywhere             anywhere            limit: avg 1/sec burst 5 ULOG copy_range 0 nlgroup 1 prefix `'OUT-unknown:'' queue_threshold 1
DROP       all  --  anywhere             anywhere

Chain in_myvpn (1 references)
target     prot opt source               destination
in_myvpn_icmp_s1  all  --  anywhere             anywhere
in_myvpn_all_c2  all  --  anywhere             anywhere
in_myvpn_irc_c3  all  --  anywhere             anywhere
in_myvpn_ftp_c4  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere            state RELATED
ULOG       all  --  anywhere             anywhere            limit: avg 1/sec burst 5 ULOG copy_range 0 nlgroup 1 prefix `''IN-myvpn':'' queue_threshold 1
DROP       all  --  anywhere             anywhere

Chain in_myvpn_all_c2 (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state ESTABLISHED

Chain in_myvpn_ftp_c4 (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:ftp dpts:32768:61000 state ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:ftp-data dpts:32768:61000 state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp spts:1024:65535 dpts:32768:61000 state ESTABLISHED

Chain in_myvpn_icmp_s1 (1 references)
target     prot opt source               destination
ACCEPT     icmp --  anywhere             anywhere            state NEW,ESTABLISHED

Chain in_myvpn_irc_c3 (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:ircd dpts:32768:61000 state ESTABLISHED

Chain in_interface_eth0 (1 references)
target     prot opt source               destination
in_interface_eth0_icmp_s1  all  --  anywhere             anywhere
in_interface_eth0_all_c2  all  --  anywhere             anywhere
in_interface_eth0_irc_c3  all  --  anywhere             anywhere
in_interface_eth0_ftp_c4  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere            state RELATED
ULOG       all  --  anywhere             anywhere            limit: avg 1/sec burst 5 ULOG copy_range 0 nlgroup 1 prefix `''IN-interface_eth0':'' queue_threshold 1
DROP       all  --  anywhere             anywhere

Chain in_interface_eth0_all_c2 (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state ESTABLISHED

Chain in_interface_eth0_ftp_c4 (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:ftp dpts:32768:61000 state ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:ftp-data dpts:32768:61000 state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp spts:1024:65535 dpts:32768:61000 state ESTABLISHED

Chain in_interface_eth0_icmp_s1 (1 references)
target     prot opt source               destination
ACCEPT     icmp --  anywhere             anywhere            state NEW,ESTABLISHED

Chain in_interface_eth0_irc_c3 (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:ircd dpts:32768:61000 state ESTABLISHED

Chain out_myvpn (1 references)
target     prot opt source               destination
out_myvpn_icmp_s1  all  --  anywhere             anywhere
out_myvpn_all_c2  all  --  anywhere             anywhere
out_myvpn_irc_c3  all  --  anywhere             anywhere
out_myvpn_ftp_c4  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere            state RELATED
ULOG       all  --  anywhere             anywhere            limit: avg 1/sec burst 5 ULOG copy_range 0 nlgroup 1 prefix `''OUT-myvpn':'' queue_threshold 1
DROP       all  --  anywhere             anywhere

Chain out_myvpn_all_c2 (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state NEW,ESTABLISHED

Chain out_myvpn_ftp_c4 (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere            tcp spts:32768:61000 dpt:ftp state NEW,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp spts:32768:61000 dpt:ftp-data state ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp spts:32768:61000 dpts:1024:65535 state RELATED,ESTABLISHED

Chain out_myvpn_icmp_s1 (1 references)
target     prot opt source               destination
ACCEPT     icmp --  anywhere             anywhere            state ESTABLISHED

Chain out_myvpn_irc_c3 (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere            tcp spts:32768:61000 dpt:ircd state NEW,ESTABLISHED

Chain out_interface_eth0 (1 references)
target     prot opt source               destination
out_interface_eth0_icmp_s1  all  --  anywhere             anywhere
out_interface_eth0_all_c2  all  --  anywhere             anywhere
out_interface_eth0_irc_c3  all  --  anywhere             anywhere
out_interface_eth0_ftp_c4  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere            state RELATED
ULOG       all  --  anywhere             anywhere            limit: avg 1/sec burst 5 ULOG copy_range 0 nlgroup 1 prefix `''OUT-interface_eth0':'' queue_threshold 1
DROP       all  --  anywhere             anywhere

Chain out_interface_eth0_all_c2 (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state NEW,ESTABLISHED

Chain out_interface_eth0_ftp_c4 (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere            tcp spts:32768:61000 dpt:ftp state NEW,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp spts:32768:61000 dpt:ftp-data state ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp spts:32768:61000 dpts:1024:65535 state RELATED,ESTABLISHED

Chain out_interface_eth0_icmp_s1 (1 references)
target     prot opt source               destination
ACCEPT     icmp --  anywhere             anywhere            state ESTABLISHED

Chain out_interface_eth0_irc_c3 (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere            tcp spts:32768:61000 dpt:ircd state NEW,ESTABLISHED

Sorry for my bad English. :-)

-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.26-1-686 (SMP w/1 CPU core)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages firehol depends on:
ii  bash               3.2-4        The GNU Bourne Again SHell
ii  iproute            20080725-2   networking and traffic control too
ii  iptables           1.4.1.1-4    administration tools for packet fi
ii  lsb-base           3.2-20       Linux Standard Base 3.2 init scrip
ii  net-tools          1.60-21      The NET-3 networking toolkit

Versions of packages firehol recommends:
pn  aggregate          <none>       (no description available)
ii  curl               7.18.2-7     Get a file from an HTTP, HTTPS or
ii  module-init-tools  3.4-1        tools for managing Linux kernel mo
ii  wget               1.11.4-2     retrieves files from the web

firehol suggests no packages.

-- no debconf information
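To read a dump like the one in this report, here is an added example (mine, not the reporter's or FireHOL's code): a small Python parser for `iptables -L` output plus a first-match evaluator that walks a chain the way the kernel does (jumps into user chains, skips non-terminating ULOG rules, falls through to the chain policy). One caveat the dump itself shows: without `-v`, `iptables -L` prints no interface column, so the top-level INPUT/OUTPUT rules all read `all -- anywhere anywhere` and their dispatch cannot be resolved from the text; the evaluator therefore starts at the per-interface chains FireHOL created. The embedded sample is a trimmed excerpt of the eth0 chains above (irc sub-chains and the outbound ftp sub-chain left out), and the service names are mapped to the standard /etc/services numbers, which is an assumption about the reporter's box.

```python
import re

# Service names seen in the dump, resolved to the usual /etc/services numbers
# (assumption: the reporter's box uses the standard values).
PORT_NAMES = {"ftp": 21, "ftp-data": 20, "ircd": 6667}
TERMINAL = {"ACCEPT", "DROP", "REJECT"}

# Trimmed excerpt of the report's `iptables -L` output (eth0 chains only).
SAMPLE = """\
Chain in_interface_eth0 (1 references)
target     prot opt source               destination
in_interface_eth0_icmp_s1  all  --  anywhere             anywhere
in_interface_eth0_all_c2  all  --  anywhere             anywhere
in_interface_eth0_ftp_c4  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere            state RELATED
ULOG       all  --  anywhere             anywhere            limit: avg 1/sec burst 5 ULOG copy_range 0 nlgroup 1 prefix `''IN-interface_eth0':'' queue_threshold 1
DROP       all  --  anywhere             anywhere

Chain in_interface_eth0_all_c2 (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state ESTABLISHED

Chain in_interface_eth0_ftp_c4 (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:ftp dpts:32768:61000 state ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:ftp-data dpts:32768:61000 state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp spts:1024:65535 dpts:32768:61000 state ESTABLISHED

Chain in_interface_eth0_icmp_s1 (1 references)
target     prot opt source               destination
ACCEPT     icmp --  anywhere             anywhere            state NEW,ESTABLISHED

Chain out_interface_eth0 (1 references)
target     prot opt source               destination
out_interface_eth0_icmp_s1  all  --  anywhere             anywhere
out_interface_eth0_all_c2  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere            state RELATED
ULOG       all  --  anywhere             anywhere            limit: avg 1/sec burst 5 ULOG copy_range 0 nlgroup 1 prefix `''OUT-interface_eth0':'' queue_threshold 1
DROP       all  --  anywhere             anywhere

Chain out_interface_eth0_all_c2 (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state NEW,ESTABLISHED

Chain out_interface_eth0_icmp_s1 (1 references)
target     prot opt source               destination
ACCEPT     icmp --  anywhere             anywhere            state ESTABLISHED
"""


def _port(tok):
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)


def _port_range(spec):
    # "dpt:ftp" -> (21, 21); "dpts:32768:61000" -> (32768, 61000)
    parts = spec.split(":")[1:]
    lo = _port(parts[0])
    return (lo, _port(parts[1]) if len(parts) > 1 else lo)


def parse_iptables_list(text):
    """Parse `iptables -L` text into {chain: {"policy": str|None, "rules": [...]}}."""
    chains, current = {}, None
    for line in text.splitlines():
        m = re.match(r"Chain (\S+) \((?:policy (\w+)|\d+ references)\)", line)
        if m:  # chain header; user chains have no policy (implicit RETURN)
            current = m.group(1)
            chains[current] = {"policy": m.group(2), "rules": []}
            continue
        tok = line.split()
        if current is None or not tok or tok[0] == "target":
            continue  # column header or blank line
        rule = {"target": tok[0], "prot": tok[1], "states": None, "sport": None, "dport": None}
        for i, t in enumerate(tok):
            if t == "state":
                rule["states"] = set(tok[i + 1].split(","))
            elif t.startswith(("spt:", "spts:")):
                rule["sport"] = _port_range(t)
            elif t.startswith(("dpt:", "dpts:")):
                rule["dport"] = _port_range(t)
        chains[current]["rules"].append(rule)
    return chains


def packet(prot, state, sport=None, dport=None):
    """Describe a flow as conntrack would classify it: protocol, state, ports."""
    return {"prot": prot, "state": state, "sport": sport, "dport": dport}


def _matches(rule, pkt):
    if rule["prot"] != "all" and rule["prot"] != pkt["prot"]:
        return False
    if rule["states"] is not None and pkt["state"] not in rule["states"]:
        return False
    for key in ("sport", "dport"):  # a port constraint never matches an unknown port
        rng = rule[key]
        if rng is not None and (pkt[key] is None or not rng[0] <= pkt[key] <= rng[1]):
            return False
    return True


def verdict(chains, chain, pkt, depth=0):
    """First-match walk: terminal verdict, or the chain policy (None = RETURN) on fall-through."""
    if depth > 16:
        raise RecursionError("chain jump loop")
    for rule in chains[chain]["rules"]:
        if not _matches(rule, pkt):
            continue
        tgt = rule["target"]
        if tgt in TERMINAL:
            return tgt
        if tgt in chains:  # jump into a user chain; None means it returned
            v = verdict(chains, tgt, pkt, depth + 1)
            if v is not None:
                return v
        # ULOG/LOG and unknown targets are non-terminating: keep walking
    return chains[chain]["policy"]


if __name__ == "__main__":
    chains = parse_iptables_list(SAMPLE)
    # the reporter's outbound OpenVPN connect: a NEW tcp flow leaving eth0
    print("out eth0 tcp NEW  ->", verdict(chains, "out_interface_eth0", packet("tcp", "NEW", 40000, 7777)))
    print("in  eth0 tcp NEW  ->", verdict(chains, "in_interface_eth0", packet("tcp", "NEW", 40000, 22)))
```

Run as a script, it reports that in the eth0 chains as dumped a new outbound TCP flow is accepted by `out_interface_eth0_all_c2`, while an unsolicited inbound one falls through the ULOG rule to DROP. Attaching `iptables -L -n -v` output (numeric, with interface and counter columns) to a report like this would let the per-interface dispatch in INPUT and OUTPUT be checked the same way.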