# firehol errors

## subterfuge

I've searched around but can't find a solution to my problem. When I do "firehol start" I get this:

```
FireHOL: Saving your old firewall to a temporary file: OK
FireHOL: Processing file /etc/firehol/firehol.conf: OK
FireHOL: Activating new firewall:
WARNING: This might or might not affect the operation of your firewall.
WHAT: A runtime command failed to execute (returned error 1).
SOURCE: line INIT of /etc/firehol/firehol.conf
COMMAND: /sbin/modprobe ip_tables
OUTPUT: 
FATAL: Error inserting ip_tables (/lib/modules/2.6.0-gentoo/kernel/net/ipv4/netfilter/ip_tables.ko): Device or resource busy
WARNING: This might or might not affect the operation of your firewall
WHAT: A runtime command failed to execute (returned error 1).
SOURCE: line INIT of /etc/firehol/firehol.conf
COMMAND: /sbin/modprobe ip_contrack
OUTPUT:
FATAL: Module ip_conntrack not found
OK
```

I'd really appreciate any suggestions as this seems to be the last step to getting this router/firewall/WAP working.

----------

## scout

This software apparently likes to have the iptables things compiled as modules in the kernel.

----------

## subterfuge

That's the thing, though. Every other thread said make sure so-and-so kernel option is compiled as a module, and I've done that for pretty much every one of them. I looked and I have "ip_conntrack" compiled as a module, so I don't really know what's going on...

----------

## subterfuge

Since I need to get this thing up and running now, can anyone suggest alternative firewall/routing software? I tried shorewall, which didn't work. I'm not running X, and the setup is this:

```
Internet----->eth0----->eth1 to internal network
                      |
                       ----->ath0 to wireless network
```

I'm keeping both of these interfaces separate and want to eventually use IPsec for the wireless network. So, any suggestions that are easy to setup? Ideally, a plain IPtables script would be best, but I haven't found one for three interfaces, and at the moment don't have time to learn IPtables.

----------

## subterfuge

Ok, maybe an IPtables script is the way to go...

Is anyone here running a similar setup and would be willing to share theirs? Can anyone point me to a resource with premade scripts?

----------

## scout

Hey, I just looked at firehol and it's great !! I read the doc entirely and the trick is to put FIREHOL_LOAD_KERNEL_MODULES=0 in the configuration.

Before I used an iptables script, a really good and clean one: the one of gentoo's security doc. But this firehol just makes small configuration files and seems great. It does everything I want and doesn't weigh 2 Mb like shorewall.

Using iptables directly is nice cause you can configure everything clearly, but the scripts are too huge if you want something precise and when you have to modify something you have to scroll pages up and down to modify things everywhere.

----------
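scout's fix above turns off FireHOL's own modprobe step. The following is an added example, not code from the thread's participants or from FireHOL itself: it shows how to confirm, before putting `FIREHOL_LOAD_KERNEL_MODULES=0` in `/etc/firehol/firehol.conf`, that the netfilter support FireHOL needs is already live in the running kernel (compiled in, or loaded earlier). That is the only situation in which silencing the modprobe is a fix rather than a way of hiding a missing module. The two modprobe messages classified here are the ones quoted in the first post: "Device or resource busy" is what modprobe reports when the code is already registered in the kernel, and "Module ... not found" means there is no module file for the running kernel. The function names `classify_modprobe`, `netfilter_live` and `firehol_module_setting`, and the proc-root parameter that lets the check run against a constructed directory, are the example's own.

```shell
#!/bin/sh
# Added example (not FireHOL's code): is FIREHOL_LOAD_KERNEL_MODULES=0 safe here?

# Classify one modprobe error line of the kind FireHOL quotes under OUTPUT:
#   builtin  "Device or resource busy": the functionality is already
#            registered in the running kernel (compiled in, or loaded
#            earlier), so the modprobe was redundant and its failure harmless
#   missing  "Module X not found": no module file for the running kernel,
#            i.e. not built, built for another kernel version, or misnamed
#   none     empty output: modprobe succeeded
classify_modprobe() {
    case "$1" in
        "")                          echo none ;;
        *"Device or resource busy"*) echo builtin ;;
        *"Module "*" not found"*)    echo missing ;;
        *)                           echo other ;;
    esac
}

# Report whether netfilter is live, independently of what modprobe said.
# $1 is the proc root (default /proc); it is a parameter so the check can
# be run against a constructed directory tree.  Returns 0 when both pieces
# FireHOL loads at INIT (ip_tables and connection tracking) are present.
netfilter_live() {
    proc=${1:-/proc}
    rc=0
    # ip_tables creates this file when it registers; FireHOL's generated
    # script reads the same file to enumerate the tables.
    if [ -r "$proc/net/ip_tables_names" ]; then
        echo "ip_tables: present, tables: $(tr '\n' ' ' < "$proc/net/ip_tables_names")"
    else
        echo "ip_tables: absent"
        rc=1
    fi
    # ip_conntrack (2.4/2.6 era) exposes /proc/net/ip_conntrack; modern
    # kernels expose /proc/net/nf_conntrack instead.
    if [ -r "$proc/net/ip_conntrack" ] || [ -r "$proc/net/nf_conntrack" ]; then
        echo "conntrack: present"
    else
        echo "conntrack: absent"
        rc=1
    fi
    return $rc
}

# Print the FireHOL setting to use: disable module loading only when the
# support is already there; otherwise keep the default (1) and fix the
# kernel or its modules first, because =0 adds no netfilter support.
firehol_module_setting() {
    if netfilter_live "${1:-/proc}" >/dev/null; then
        echo "FIREHOL_LOAD_KERNEL_MODULES=0"
    else
        echo "FIREHOL_LOAD_KERNEL_MODULES=1"
    fi
}

# Stand-alone run: classify the two lines from the first post, then look
# at the real kernel of the machine this runs on.
classify_modprobe 'FATAL: Error inserting ip_tables (/lib/modules/2.6.0-gentoo/kernel/net/ipv4/netfilter/ip_tables.ko): Device or resource busy'
classify_modprobe 'FATAL: Module ip_conntrack not found'
netfilter_live || true
firehol_module_setting
```

On the first poster's box the two results are `builtin` for ip_tables and `missing` for ip_conntrack; the proc check is what settles whether conntrack is actually available (as a module loaded some other way, or compiled in) before the modprobe noise is switched off.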

## subterfuge

By "the configuration", do you mean /etc/firehol/firehol.conf?

----------

## scout

yes, but I just saw this only works in the latest version of firehol, so you can just like me put net-firewall/firehol    ~x86 at the end of your /etc/portage/package.mask and emerge -u firehol so that you have version 1.159

----------

## subterfuge

Thanks for the help. I emerged the new version and added the config line and the firewall now activates correctly. I'll report back when the whole thing gets tested and say whether or not it works as planned.

----------

## scout

*scout wrote:*

> you can just like me put net-firewall/firehol    ~x86 at the end of your /etc/portage/package.mask

err ... I meant package.keywords ...

----------

## fideli

hey there,

i'm having a similar error.

/etc/firehol/firehol.conf:

```
version 5

interface eth0 sis900 src "192.168.2.0/24"
        policy reject
        server "icmp samba" accept
        client all accept
```

but when i run it:

```
firehol # firehol start
head: `-1' option is obsolete; use `-n 1' since this will be removed in the future
head: `-1' option is obsolete; use `-n 1' since this will be removed in the future
head: `-1' option is obsolete; use `-n 1' since this will be removed in the future
head: `-1' option is obsolete; use `-n 1' since this will be removed in the future
head: `-1' option is obsolete; use `-n 1' since this will be removed in the future
head: `-1' option is obsolete; use `-n 1' since this will be removed in the future
head: `-1' option is obsolete; use `-n 1' since this will be removed in the future
head: `-1' option is obsolete; use `-n 1' since this will be removed in the future
head: `-1' option is obsolete; use `-n 1' since this will be removed in the future
head: `-1' option is obsolete; use `-n 1' since this will be removed in the future
head: `-1' option is obsolete; use `-n 1' since this will be removed in the future
head: `-1' option is obsolete; use `-n 1' since this will be removed in the future
head: `-1' option is obsolete; use `-n 1' since this will be removed in the future
head: `-1' option is obsolete; use `-n 1' since this will be removed in the future
head: `-1' option is obsolete; use `-n 1' since this will be removed in the future
head: `-1' option is obsolete; use `-n 1' since this will be removed in the future
head: `-1' option is obsolete; use `-n 1' since this will be removed in the future
head: `-1' option is obsolete; use `-n 1' since this will be removed in the future
head: `-1' option is obsolete; use `-n 1' since this will be removed in the future
head: `-1' option is obsolete; use `-n 1' since this will be removed in the future
head: `-1' option is obsolete; use `-n 1' since this will be removed in the future
head: `-1' option is obsolete; use `-n 1' since this will be removed in the future
head: `-1' option is obsolete; use `-n 1' since this will be removed in the future
head: `-1' option is obsolete; use `-n 1' since this will be removed in the future
head: `-1' option is obsolete; use `-n 1' since this will be removed in the future
head: `-1' option is obsolete; use `-n 1' since this will be removed in the future
head: `-1' option is obsolete; use `-n 1' since this will be removed in the future
FireHOL: Saving your old firewall to a temporary file: OK
FireHOL: Processing file /etc/firehol/firehol.conf: OK
FireHOL: Activating new firewall:iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
--------------------------------------------------------------------------------
ERROR   : # 1.
WHAT    : A runtime command failed to execute (returned error 1).
SOURCE  : line 6 of /etc/firehol/firehol.conf
COMMAND : /sbin/iptables -t filter -A in_sis900_icmp_s1 -p icmp -m state --state NEW\,ESTABLISHED -j ACCEPT
OUTPUT  :
iptables: No chain/target/match by that name
--------------------------------------------------------------------------------
ERROR   : # 2.
WHAT    : A runtime command failed to execute (returned error 1).
SOURCE  : line 6 of /etc/firehol/firehol.conf
COMMAND : /sbin/iptables -t filter -A out_sis900_icmp_s1 -p icmp -m state --state ESTABLISHED -j ACCEPT
OUTPUT  :
iptables: No chain/target/match by that name
--------------------------------------------------------------------------------
ERROR   : # 3.
WHAT    : A runtime command failed to execute (returned error 1).
SOURCE  : line 6 of /etc/firehol/firehol.conf
COMMAND : /sbin/iptables -t filter -A in_sis900_samba_s2 -p udp --sport netbios-ns --dport netbios-ns -m state --state NEW\,ESTABLISHED -j ACCEPT
OUTPUT  :
iptables: No chain/target/match by that name
--------------------------------------------------------------------------------
ERROR   : # 4.
WHAT    : A runtime command failed to execute (returned error 1).
SOURCE  : line 6 of /etc/firehol/firehol.conf
COMMAND : /sbin/iptables -t filter -A in_sis900_samba_s2 -p udp --sport 1024:65535 --dport netbios-ns -m state --state NEW\,ESTABLISHED -j ACCEPT
OUTPUT  :
iptables: No chain/target/match by that name
--------------------------------------------------------------------------------
ERROR   : # 5.
WHAT    : A runtime command failed to execute (returned error 1).
SOURCE  : line 6 of /etc/firehol/firehol.conf
COMMAND : /sbin/iptables -t filter -A out_sis900_samba_s2 -p udp --sport netbios-ns --dport netbios-ns -m state --state ESTABLISHED -j ACCEPT
OUTPUT  :
iptables: No chain/target/match by that name
--------------------------------------------------------------------------------
ERROR   : # 6.
WHAT    : A runtime command failed to execute (returned error 1).
SOURCE  : line 6 of /etc/firehol/firehol.conf
COMMAND : /sbin/iptables -t filter -A out_sis900_samba_s2 -p udp --sport netbios-ns --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
OUTPUT  :
iptables: No chain/target/match by that name
--------------------------------------------------------------------------------
ERROR   : # 7.
WHAT    : A runtime command failed to execute (returned error 1).
SOURCE  : line 6 of /etc/firehol/firehol.conf
COMMAND : /sbin/iptables -t filter -A in_sis900_samba_s2 -p udp --sport netbios-dgm --dport netbios-dgm -m state --state NEW\,ESTABLISHED -j ACCEPT
OUTPUT  :
iptables: No chain/target/match by that name
--------------------------------------------------------------------------------
ERROR   : # 8.
WHAT    : A runtime command failed to execute (returned error 1).
SOURCE  : line 6 of /etc/firehol/firehol.conf
COMMAND : /sbin/iptables -t filter -A in_sis900_samba_s2 -p udp --sport 1024:65535 --dport netbios-dgm -m state --state NEW\,ESTABLISHED -j ACCEPT
OUTPUT  :
iptables: No chain/target/match by that name
--------------------------------------------------------------------------------
ERROR   : # 9.
WHAT    : A runtime command failed to execute (returned error 1).
SOURCE  : line 6 of /etc/firehol/firehol.conf
COMMAND : /sbin/iptables -t filter -A out_sis900_samba_s2 -p udp --sport netbios-dgm --dport netbios-dgm -m state --state ESTABLISHED -j ACCEPT
OUTPUT  :
iptables: No chain/target/match by that name
--------------------------------------------------------------------------------
ERROR   : # 10.
WHAT    : A runtime command failed to execute (returned error 1).
SOURCE  : line 6 of /etc/firehol/firehol.conf
COMMAND : /sbin/iptables -t filter -A out_sis900_samba_s2 -p udp --sport netbios-dgm --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
OUTPUT  :
iptables: No chain/target/match by that name
--------------------------------------------------------------------------------
ERROR   : # 11.
WHAT    : A runtime command failed to execute (returned error 1).
SOURCE  : line 6 of /etc/firehol/firehol.conf
COMMAND : /sbin/iptables -t filter -A in_sis900_samba_s2 -p tcp --sport 1024:65535 --dport netbios-ssn -m state --state NEW\,ESTABLISHED -j ACCEPT
OUTPUT  :
iptables: No chain/target/match by that name
--------------------------------------------------------------------------------
ERROR   : # 12.
WHAT    : A runtime command failed to execute (returned error 1).
SOURCE  : line 6 of /etc/firehol/firehol.conf
COMMAND : /sbin/iptables -t filter -A out_sis900_samba_s2 -p tcp --sport netbios-ssn --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
OUTPUT  :
iptables: No chain/target/match by that name
--------------------------------------------------------------------------------
ERROR   : # 13.
WHAT    : A runtime command failed to execute (returned error 1).
SOURCE  : line 8 of /etc/firehol/firehol.conf
COMMAND : /sbin/iptables -t filter -A out_sis900_all_c3 -m state --state NEW\,ESTABLISHED -j ACCEPT
OUTPUT  :
iptables: No chain/target/match by that name
--------------------------------------------------------------------------------
ERROR   : # 14.
WHAT    : A runtime command failed to execute (returned error 1).
SOURCE  : line 8 of /etc/firehol/firehol.conf
COMMAND : /sbin/iptables -t filter -A in_sis900_all_c3 -m state --state ESTABLISHED -j ACCEPT
OUTPUT  :
iptables: No chain/target/match by that name
--------------------------------------------------------------------------------
ERROR   : # 15.
WHAT    : A runtime command failed to execute (returned error 1).
SOURCE  : line 8 of /etc/firehol/firehol.conf
COMMAND : /sbin/iptables -t filter -A out_sis900_irc_c4 -p tcp --sport 32768:61000 --dport ircd -m state --state NEW\,ESTABLISHED -j ACCEPT
OUTPUT  :
iptables: No chain/target/match by that name
--------------------------------------------------------------------------------
ERROR   : # 16.
WHAT    : A runtime command failed to execute (returned error 1).
SOURCE  : line 8 of /etc/firehol/firehol.conf
COMMAND : /sbin/iptables -t filter -A in_sis900_irc_c4 -p tcp --sport ircd --dport 32768:61000 -m state --state ESTABLISHED -j ACCEPT
OUTPUT  :
iptables: No chain/target/match by that name
--------------------------------------------------------------------------------
ERROR   : # 17.
WHAT    : A runtime command failed to execute (returned error 1).
SOURCE  : line 8 of /etc/firehol/firehol.conf
COMMAND : /sbin/iptables -t filter -A out_sis900_ftp_c5 -p tcp --sport 32768:61000 --dport ftp -m state --state NEW\,ESTABLISHED -j ACCEPT
OUTPUT  :
iptables: No chain/target/match by that name
--------------------------------------------------------------------------------
ERROR   : # 18.
WHAT    : A runtime command failed to execute (returned error 1).
SOURCE  : line 8 of /etc/firehol/firehol.conf
COMMAND : /sbin/iptables -t filter -A in_sis900_ftp_c5 -p tcp --sport ftp --dport 32768:61000 -m state --state ESTABLISHED -j ACCEPT
OUTPUT  :
iptables: No chain/target/match by that name
--------------------------------------------------------------------------------
ERROR   : # 19.
WHAT    : A runtime command failed to execute (returned error 1).
SOURCE  : line 8 of /etc/firehol/firehol.conf
COMMAND : /sbin/iptables -t filter -A in_sis900_ftp_c5 -p tcp --sport ftp-data --dport 32768:61000 -m state --state ESTABLISHED\,RELATED -j ACCEPT
OUTPUT  :
iptables: No chain/target/match by that name
--------------------------------------------------------------------------------
ERROR   : # 20.
WHAT    : A runtime command failed to execute (returned error 1).
SOURCE  : line 8 of /etc/firehol/firehol.conf
COMMAND : /sbin/iptables -t filter -A out_sis900_ftp_c5 -p tcp --sport 32768:61000 --dport ftp-data -m state --state ESTABLISHED -j ACCEPT
OUTPUT  :
iptables: No chain/target/match by that name
--------------------------------------------------------------------------------
ERROR   : # 21.
WHAT    : A runtime command failed to execute (returned error 1).
SOURCE  : line 8 of /etc/firehol/firehol.conf
COMMAND : /sbin/iptables -t filter -A out_sis900_ftp_c5 -p tcp --sport 32768:61000 --dport 1024:65535 -m state --state ESTABLISHED\,RELATED -j ACCEPT
OUTPUT  :
iptables: No chain/target/match by that name
--------------------------------------------------------------------------------
ERROR   : # 22.
WHAT    : A runtime command failed to execute (returned error 1).
SOURCE  : line 8 of /etc/firehol/firehol.conf
COMMAND : /sbin/iptables -t filter -A in_sis900_ftp_c5 -p tcp --sport 1024:65535 --dport 32768:61000 -m state --state ESTABLISHED -j ACCEPT
OUTPUT  :
iptables: No chain/target/match by that name
--------------------------------------------------------------------------------
ERROR   : # 23.
WHAT    : A runtime command failed to execute (returned error 1).
SOURCE  : line FIN of /etc/firehol/firehol.conf
COMMAND : /sbin/iptables -t filter -A in_sis900 -m state --state RELATED -j ACCEPT
OUTPUT  :
iptables: No chain/target/match by that name
--------------------------------------------------------------------------------
ERROR   : # 24.
WHAT    : A runtime command failed to execute (returned error 1).
SOURCE  : line FIN of /etc/firehol/firehol.conf
COMMAND : /sbin/iptables -t filter -A out_sis900 -m state --state RELATED -j ACCEPT
OUTPUT  :
iptables: No chain/target/match by that name
--------------------------------------------------------------------------------
ERROR   : # 25.
WHAT    : A runtime command failed to execute (returned error 1).
SOURCE  : line FIN of /etc/firehol/firehol.conf
COMMAND : /sbin/iptables -t filter -A INPUT -m state --state RELATED -j ACCEPT
OUTPUT  :
iptables: No chain/target/match by that name
--------------------------------------------------------------------------------
ERROR   : # 26.
WHAT    : A runtime command failed to execute (returned error 1).
SOURCE  : line FIN of /etc/firehol/firehol.conf
COMMAND : /sbin/iptables -t filter -A OUTPUT -m state --state RELATED -j ACCEPT
OUTPUT  :
iptables: No chain/target/match by that name
--------------------------------------------------------------------------------
ERROR   : # 27.
WHAT    : A runtime command failed to execute (returned error 1).
SOURCE  : line FIN of /etc/firehol/firehol.conf
COMMAND : /sbin/iptables -t filter -A FORWARD -m state --state RELATED -j ACCEPT
OUTPUT  :
iptables: No chain/target/match by that name
 FAILED
FireHOL: Restoring old firewall: OK
firehol #
```

anyone know what the problem is?

----------

## fideli

it's as if it's not creating the tables that it wants to use.  however, it can't even load the default tables built in, such as FORWARD, OUTPUT, etc.  i wonder what it is?  does anyone have a clue?

----------

## fideli

here's the output of firehol debug:

```
FireHOL: Saving your old firewall to a temporary file: OK
FireHOL: Processing file /etc/firehol/firehol.conf: OK
#!/bin/sh
load_kernel_module ip_tables
load_kernel_module ip_conntrack
# Find all tables supported
tables=`/bin/cat /proc/net/ip_tables_names`
for t in ${tables}
do
        # Reset/empty this table.
        /sbin/iptables -t "${t}" -F >/tmp/firehol-tmp-3340/firehol-out.sh.log 2>&1
        r=$?; test ! ${r} -eq 0 && runtime_error error ${r} INIT /sbin/iptables -t "${t}" -F
        /sbin/iptables -t "${t}" -X >/tmp/firehol-tmp-3340/firehol-out.sh.log 2>&1
        r=$?; test ! ${r} -eq 0 && runtime_error error ${r} INIT /sbin/iptables -t "${t}" -X
        /sbin/iptables -t "${t}" -Z >/tmp/firehol-tmp-3340/firehol-out.sh.log 2>&1
        r=$?; test ! ${r} -eq 0 && runtime_error error ${r} INIT /sbin/iptables -t "${t}" -Z
        # Find all default chains in this table.
        chains=`/sbin/iptables -t "${t}" -nL | /bin/grep "^Chain " | /bin/cut -d ' ' -f 2`
        # If this is the 'filter' table, remember the default chains.
        # This will be used at the end to make it DROP all packets.
        test "${t}" = "filter" && firehol_filter_chains="${chains}"
        # Set the policy to ACCEPT on all default chains.
        for c in ${chains}
        do
                /sbin/iptables -t "${t}" -P "${c}" ACCEPT >/tmp/firehol-tmp-3340/firehol-out.sh.log 2>&1
                r=$?; test ! ${r} -eq 0 && runtime_error error ${r} INIT /sbin/iptables -t "${t}" -P "${c}" ACCEPT
        done
done
/sbin/iptables -t filter -P INPUT "${FIREHOL_INPUT_ACTIVATION_POLICY}" >/tmp/firehol-tmp-3340/firehol-out.sh.log 2>&1
r=$?; test ! ${r} -eq 0 && runtime_error error ${r} INIT /sbin/iptables -t filter -P INPUT "${FIREHOL_INPUT_ACTIVATION_POLICY}"
/sbin/iptables -t filter -P INPUT "${FIREHOL_OUTPUT_ACTIVATION_POLICY}" >/tmp/firehol-tmp-3340/firehol-out.sh.log 2>&1
r=$?; test ! ${r} -eq 0 && runtime_error error ${r} INIT /sbin/iptables -t filter -P INPUT "${FIREHOL_OUTPUT_ACTIVATION_POLICY}"
/sbin/iptables -t filter -P FORWARD "${FIREHOL_FORWARD_ACTIVATION_POLICY}" >/tmp/firehol-tmp-3340/firehol-out.sh.log 2>&1
r=$?; test ! ${r} -eq 0 && runtime_error error ${r} INIT /sbin/iptables -t filter -P FORWARD "${FIREHOL_FORWARD_ACTIVATION_POLICY}"
# Accept everything in/out the loopback device.
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A OUTPUT -o lo -j ACCEPT
# Drop all invalid packets.
# Netfilter HOWTO suggests to DROP all INVALID packets.
/sbin/iptables -A INPUT -m state --state INVALID -j DROP
/sbin/iptables -A OUTPUT -m state --state INVALID -j DROP
/sbin/iptables -A FORWARD -m state --state INVALID -j DROP
/sbin/iptables -t filter -N in_sis900   # L:3
/sbin/iptables -t filter -A INPUT -i eth0 -s 192.168.2.0/24 -j in_sis900   # L:3
/sbin/iptables -t filter -N out_sis900   # L:3
/sbin/iptables -t filter -A OUTPUT -o eth0 -d 192.168.2.0/24 -j out_sis900   # L:3
/sbin/iptables -t filter -N in_sis900_icmp_s1   # L:6
/sbin/iptables -t filter -A in_sis900 -j in_sis900_icmp_s1   # L:6
/sbin/iptables -t filter -N out_sis900_icmp_s1   # L:6
/sbin/iptables -t filter -A out_sis900 -j out_sis900_icmp_s1   # L:6
/sbin/iptables -t filter -A in_sis900_icmp_s1 -p icmp -m state --state NEW\,ESTABLISHED -j ACCEPT   # L:6
/sbin/iptables -t filter -A out_sis900_icmp_s1 -p icmp -m state --state ESTABLISHED -j ACCEPT   # L:6
/sbin/iptables -t filter -N in_sis900_samba_s2   # L:6
/sbin/iptables -t filter -A in_sis900 -j in_sis900_samba_s2   # L:6
/sbin/iptables -t filter -N out_sis900_samba_s2   # L:6
/sbin/iptables -t filter -A out_sis900 -j out_sis900_samba_s2   # L:6
/sbin/iptables -t filter -A in_sis900_samba_s2 -p udp --sport netbios-ns --dport netbios-ns -m state --state NEW\,ESTABLISHED -j ACCEPT   # L:6
/sbin/iptables -t filter -A in_sis900_samba_s2 -p udp --sport 1024:65535 --dport netbios-ns -m state --state NEW\,ESTABLISHED -j ACCEPT   # L:6
/sbin/iptables -t filter -A out_sis900_samba_s2 -p udp --sport netbios-ns --dport netbios-ns -m state --state ESTABLISHED -j ACCEPT   # L:6
/sbin/iptables -t filter -A out_sis900_samba_s2 -p udp --sport netbios-ns --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT   # L:6
/sbin/iptables -t filter -A in_sis900_samba_s2 -p udp --sport netbios-dgm --dport netbios-dgm -m state --state NEW\,ESTABLISHED -j ACCEPT   # L:6
/sbin/iptables -t filter -A in_sis900_samba_s2 -p udp --sport 1024:65535 --dport netbios-dgm -m state --state NEW\,ESTABLISHED -j ACCEPT   # L:6
/sbin/iptables -t filter -A out_sis900_samba_s2 -p udp --sport netbios-dgm --dport netbios-dgm -m state --state ESTABLISHED -j ACCEPT   # L:6
/sbin/iptables -t filter -A out_sis900_samba_s2 -p udp --sport netbios-dgm --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT   # L:6
/sbin/iptables -t filter -A in_sis900_samba_s2 -p tcp --sport 1024:65535 --dport netbios-ssn -m state --state NEW\,ESTABLISHED -j ACCEPT   # L:6
/sbin/iptables -t filter -A out_sis900_samba_s2 -p tcp --sport netbios-ssn --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT   # L:6
/sbin/iptables -t filter -N in_sis900_all_c3   # L:8
/sbin/iptables -t filter -A in_sis900 -j in_sis900_all_c3   # L:8
/sbin/iptables -t filter -N out_sis900_all_c3   # L:8
/sbin/iptables -t filter -A out_sis900 -j out_sis900_all_c3   # L:8
/sbin/iptables -t filter -A out_sis900_all_c3 -m state --state NEW\,ESTABLISHED -j ACCEPT   # L:8
/sbin/iptables -t filter -A in_sis900_all_c3 -m state --state ESTABLISHED -j ACCEPT   # L:8
/sbin/iptables -t filter -N in_sis900_irc_c4   # L:8
/sbin/iptables -t filter -A in_sis900 -j in_sis900_irc_c4   # L:8
/sbin/iptables -t filter -N out_sis900_irc_c4   # L:8
/sbin/iptables -t filter -A out_sis900 -j out_sis900_irc_c4   # L:8
/sbin/iptables -t filter -A out_sis900_irc_c4 -p tcp --sport 32768:61000 --dport ircd -m state --state NEW\,ESTABLISHED -j ACCEPT   # L:8
/sbin/iptables -t filter -A in_sis900_irc_c4 -p tcp --sport ircd --dport 32768:61000 -m state --state ESTABLISHED -j ACCEPT   # L:8
/sbin/iptables -t filter -N in_sis900_ftp_c5   # L:8
/sbin/iptables -t filter -A in_sis900 -j in_sis900_ftp_c5   # L:8
/sbin/iptables -t filter -N out_sis900_ftp_c5   # L:8
/sbin/iptables -t filter -A out_sis900 -j out_sis900_ftp_c5   # L:8
/sbin/iptables -t filter -A out_sis900_ftp_c5 -p tcp --sport 32768:61000 --dport ftp -m state --state NEW\,ESTABLISHED -j ACCEPT   # L:8
/sbin/iptables -t filter -A in_sis900_ftp_c5 -p tcp --sport ftp --dport 32768:61000 -m state --state ESTABLISHED -j ACCEPT   # L:8
/sbin/iptables -t filter -A in_sis900_ftp_c5 -p tcp --sport ftp-data --dport 32768:61000 -m state --state ESTABLISHED\,RELATED -j ACCEPT   # L:8
/sbin/iptables -t filter -A out_sis900_ftp_c5 -p tcp --sport 32768:61000 --dport ftp-data -m state --state ESTABLISHED -j ACCEPT   # L:8
/sbin/iptables -t filter -A out_sis900_ftp_c5 -p tcp --sport 32768:61000 --dport 1024:65535 -m state --state ESTABLISHED\,RELATED -j ACCEPT   # L:8
/sbin/iptables -t filter -A in_sis900_ftp_c5 -p tcp --sport 1024:65535 --dport 32768:61000 -m state --state ESTABLISHED -j ACCEPT   # L:8
/sbin/iptables -t filter -A in_sis900 -m state --state RELATED -j ACCEPT   # L:FIN
/sbin/iptables -t filter -A out_sis900 -m state --state RELATED -j ACCEPT   # L:FIN
/sbin/iptables -t filter -A in_sis900 -p tcp -m limit --limit 1/second --limit-burst 5 -j LOG --log-level warning --log-prefix=IN-sis900:   # L:FIN
/sbin/iptables -t filter -A in_sis900 -p tcp -j REJECT --reject-with tcp-reset   # L:FIN
/sbin/iptables -t filter -A in_sis900 -m limit --limit 1/second --limit-burst 5 -j LOG --log-level warning --log-prefix=IN-sis900:   # L:FIN
/sbin/iptables -t filter -A in_sis900 -j REJECT   # L:FIN
/sbin/iptables -t filter -A out_sis900 -p tcp -m limit --limit 1/second --limit-burst 5 -j LOG --log-level warning --log-prefix=OUT-sis900:   # L:FIN
/sbin/iptables -t filter -A out_sis900 -p tcp -j REJECT --reject-with tcp-reset   # L:FIN
/sbin/iptables -t filter -A out_sis900 -m limit --limit 1/second --limit-burst 5 -j LOG --log-level warning --log-prefix=OUT-sis900:   # L:FIN
/sbin/iptables -t filter -A out_sis900 -j REJECT   # L:FIN
/sbin/iptables -t filter -A INPUT -m state --state RELATED -j ACCEPT   # L:FIN
/sbin/iptables -t filter -A OUTPUT -m state --state RELATED -j ACCEPT   # L:FIN
/sbin/iptables -t filter -A FORWARD -m state --state RELATED -j ACCEPT   # L:FIN
/sbin/iptables -t filter -A INPUT -m limit --limit 1/second --limit-burst 5 -j LOG --log-level warning --log-prefix=IN-unknown:   # L:FIN
/sbin/iptables -t filter -A INPUT -j DROP   # L:FIN
/sbin/iptables -t filter -A OUTPUT -m limit --limit 1/second --limit-burst 5 -j LOG --log-level warning --log-prefix=OUT-unknown:   # L:FIN
/sbin/iptables -t filter -A OUTPUT -j DROP   # L:FIN
/sbin/iptables -t filter -A FORWARD -m limit --limit 1/second --limit-burst 5 -j LOG --log-level warning --log-prefix=PASS-unknown:   # L:FIN
/sbin/iptables -t filter -A FORWARD -j DROP   # L:FIN
# Make it drop everything on table 'filter'.
for c in ${firehol_filter_chains}
do
        /sbin/iptables -t filter -P "${c}" DROP >/tmp/firehol-tmp-3340/firehol-out.sh.log 2>&1
        r=$?; test ! ${r} -eq 0 && runtime_error error ${r} INIT /sbin/iptables -t filter -P "${c}" DROP
done
load_kernel_module ip_conntrack_irc   # L:FIN
load_kernel_module ip_conntrack_ftp   # L:FIN
FireHOL: Restoring old firewall: OK
```

it also has all those "head" lines in the beginning like the above code boxes, but i feel it would be redundant to insert them again.  i wonder if that's the problem.  i'm not quite up to speed on iptables so i'm going through the debug output slowly, but if anyone has any time and tips, it would greatly help me.  thanx!

----------
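Both of fideli's reports above show one pattern: none of the `-N` (create chain) lines from the generated script appears in the error list, while every rule that carries `-m state` fails with "No chain/target/match by that name". That is the message iptables prints for a missing match or target extension as well as for a missing chain, so the chains exist and the `state` match is what the kernel cannot provide. The following is an added example, not code from the thread or from FireHOL: it reads a FireHOL error report, extracts the failing COMMAND lines and prints the extensions shared by all of them, so the suspect stands out without reading 27 errors by hand. The sample log embedded in it is a constructed abridgement of the post; the function names, the extension-to-module table (ipt_state over ip_conntrack, ipt_limit, ipt_LOG, ipt_REJECT on kernels of that era, xt_* names on modern ones) and the optional `/proc/modules` lookup are the example's own.

```shell
#!/bin/sh
# Added example (not FireHOL's code): what do all the failing rules have in common?

# Constructed sample: three of the 27 errors from the post, in FireHOL's format.
SAMPLE_LOG='FireHOL: Activating new firewall:
--------------------------------------------------------------------------------
ERROR   : # 1.
WHAT    : A runtime command failed to execute (returned error 1).
SOURCE  : line 6 of /etc/firehol/firehol.conf
COMMAND : /sbin/iptables -t filter -A in_sis900_icmp_s1 -p icmp -m state --state NEW\,ESTABLISHED -j ACCEPT
OUTPUT  :
iptables: No chain/target/match by that name
--------------------------------------------------------------------------------
ERROR   : # 15.
WHAT    : A runtime command failed to execute (returned error 1).
SOURCE  : line 8 of /etc/firehol/firehol.conf
COMMAND : /sbin/iptables -t filter -A out_sis900_irc_c4 -p tcp --sport 32768:61000 --dport ircd -m state --state NEW\,ESTABLISHED -j ACCEPT
OUTPUT  :
iptables: No chain/target/match by that name
--------------------------------------------------------------------------------
ERROR   : # 27.
WHAT    : A runtime command failed to execute (returned error 1).
SOURCE  : line FIN of /etc/firehol/firehol.conf
COMMAND : /sbin/iptables -t filter -A FORWARD -m state --state RELATED -j ACCEPT
OUTPUT  :
iptables: No chain/target/match by that name
'

# Print the extensions one iptables command line uses: "m:<match>" for
# every -m and "j:<target>" for every -j, one per line.
rule_extensions() {
    set -f              # no globbing while the rule is word-split
    set -- $*
    while [ $# -gt 0 ]; do
        case "$1" in
            -m) [ $# -gt 1 ] && printf 'm:%s\n' "$2" ;;
            -j) [ $# -gt 1 ] && printf 'j:%s\n' "$2" ;;
        esac
        shift
    done
    set +f
}

# Read a FireHOL error report on stdin; print, sorted, the extensions that
# occur in *every* failing COMMAND line.  Returns 1 if no COMMAND was seen.
common_failing_extensions() {
    n=0
    seen=""
    while IFS= read -r line; do
        case "$line" in
            "COMMAND :"*)
                n=$((n + 1))
                # dedupe within one rule so a repeated -m counts once
                seen="$seen$(rule_extensions "${line#COMMAND :}" | sort -u)
"
                ;;
        esac
    done
    [ "$n" -gt 0 ] || return 1
    # an extension is common when it was seen exactly once per failing rule
    printf '%s' "$seen" | sort | uniq -c | awk -v n="$n" '$1 == n { print $2 }'
}

# Module that provides an extension on the 2.4/2.6 kernels of the thread's
# era (modern kernels use xt_* names: xt_state, xt_limit, xt_LOG).
extension_module() {
    case "$1" in
        m:state)  echo "ipt_state (needs ip_conntrack)" ;;
        m:limit)  echo "ipt_limit" ;;
        j:LOG)    echo "ipt_LOG" ;;
        j:REJECT) echo "ipt_REJECT" ;;
        *)        echo "unknown" ;;
    esac
}

# Reduce the common extensions to the ones that need a loadable module.
# ACCEPT, DROP and RETURN are built into ip_tables and can never be missing.
missing_suspects() {
    common_failing_extensions | while IFS= read -r ext; do
        case "$ext" in
            j:ACCEPT|j:DROP|j:RETURN) ;;
            *) printf '%s -> %s\n' "$ext" "$(extension_module "$ext")" ;;
        esac
    done
}

# On a real Linux host, say whether a module is currently loaded.  Code
# compiled into the kernel never shows up here, so "not loaded" is a hint,
# not proof of absence.
module_loaded() {
    [ -r /proc/modules ] && grep -q "^$1 " /proc/modules
}

# Run the analysis over the constructed sample.
diagnose_sample() {
    printf '%s' "$SAMPLE_LOG" | missing_suspects
}

diagnose_sample
# prints: m:state -> ipt_state (needs ip_conntrack)
```

Run against the full report instead of the sample with `firehol start 2>&1 | missing_suspects`; the `-m limit` / `-j LOG` / `-j REJECT` rules at the end of fideli's generated script are not in the error list, which is consistent with only the `state` match being unavailable.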

## ktsaou

Hi,

Please install the latest firehol ebuild and then download http://firehol.sf.net/firehol.tar.gz

Get firehol.sh from it and put it in /usr/sbin/firehol (i.e. overwrite the one installed by the ebuild - I don't recall if it is installed in /usr/bin or /usr/sbin - check it first).

The one above is the latest CVS, it is stable though.

For some reason the gentoo folks do not update the ebuild frequently.

Costa

PS: I am the author of FireHOL.

----------

## fideli

ok, i did that.  i also made my firehol.conf a bit simpler, about as simple as it's gonna get for it to be worth it, i suppose:

/etc/firehol/firehol.conf

```
version 5

interface eth0 sis900
   policy reject
   client all accept
```

`# firehol start`

```
FireHOL: Saving your old firewall to a temporary file: OK
FireHOL: Processing file /etc/firehol/firehol.conf: OK
FireHOL: Activating new firewall (45 rules):
--------------------------------------------------------------------------------
ERROR   : # 1.
WHAT    : A runtime command failed to execute (returned error 1).
SOURCE  : line 5 of /etc/firehol/firehol.conf
COMMAND : /sbin/iptables -t filter -A out_sis900_all_c1 -m state --state NEW\,ESTABLISHED -j ACCEPT
OUTPUT  :
iptables: No chain/target/match by that name
--------------------------------------------------------------------------------
ERROR   : # 2.
WHAT    : A runtime command failed to execute (returned error 1).
SOURCE  : line 5 of /etc/firehol/firehol.conf
COMMAND : /sbin/iptables -t filter -A in_sis900_all_c1 -m state --state ESTABLISHED -j ACCEPT
OUTPUT  :
iptables: No chain/target/match by that name
--------------------------------------------------------------------------------
ERROR   : # 3.
WHAT    : A runtime command failed to execute (returned error 1).
SOURCE  : line 5 of /etc/firehol/firehol.conf
COMMAND : /sbin/iptables -t filter -A out_sis900_irc_c2 -p tcp --sport 32768:61000 --dport ircd -m state --state NEW\,ESTABLISHED -j ACCEPT
OUTPUT  :
iptables: No chain/target/match by that name
--------------------------------------------------------------------------------
ERROR   : # 4.
WHAT    : A runtime command failed to execute (returned error 1).
SOURCE  : line 5 of /etc/firehol/firehol.conf
COMMAND : /sbin/iptables -t filter -A in_sis900_irc_c2 -p tcp --sport ircd --dport 32768:61000 -m state --state ESTABLISHED -j ACCEPT
OUTPUT  :
iptables: No chain/target/match by that name
--------------------------------------------------------------------------------
ERROR   : # 5.
WHAT    : A runtime command failed to execute (returned error 1).
SOURCE  : line 5 of /etc/firehol/firehol.conf
COMMAND : /sbin/iptables -t filter -A out_sis900_ftp_c3 -p tcp --sport 32768:61000 --dport ftp -m state --state NEW\,ESTABLISHED -j ACCEPT
OUTPUT  :
iptables: No chain/target/match by that name
--------------------------------------------------------------------------------
ERROR   : # 6.
WHAT    : A runtime command failed to execute (returned error 1).
SOURCE  : line 5 of /etc/firehol/firehol.conf
COMMAND : /sbin/iptables -t filter -A in_sis900_ftp_c3 -p tcp --sport ftp --dport 32768:61000 -m state --state ESTABLISHED -j ACCEPT
OUTPUT  :
iptables: No chain/target/match by that name
--------------------------------------------------------------------------------
ERROR   : # 7.
WHAT    : A runtime command failed to execute (returned error 1).
SOURCE  : line 5 of /etc/firehol/firehol.conf
COMMAND : /sbin/iptables -t filter -A in_sis900_ftp_c3 -p tcp --sport ftp-data --dport 32768:61000 -m state --state ESTABLISHED\,RELATED -j ACCEPT
OUTPUT  :
iptables: No chain/target/match by that name
--------------------------------------------------------------------------------
ERROR   : # 8.
WHAT    : A runtime command failed to execute (returned error 1).
SOURCE  : line 5 of /etc/firehol/firehol.conf
COMMAND : /sbin/iptables -t filter -A out_sis900_ftp_c3 -p tcp --sport 32768:61000 --dport ftp-data -m state --state ESTABLISHED -j ACCEPT
OUTPUT  :
iptables: No chain/target/match by that name
--------------------------------------------------------------------------------
ERROR   : # 9.
WHAT    : A runtime command failed to execute (returned error 1).
SOURCE  : line 5 of /etc/firehol/firehol.conf
COMMAND : /sbin/iptables -t filter -A out_sis900_ftp_c3 -p tcp --sport 32768:61000 --dport 1024:65535 -m state --state ESTABLISHED\,RELATED -j ACCEPT
OUTPUT  :
iptables: No chain/target/match by that name
--------------------------------------------------------------------------------
ERROR   : # 10.
WHAT    : A runtime command failed to execute (returned error 1).
SOURCE  : line 5 of /etc/firehol/firehol.conf
COMMAND : /sbin/iptables -t filter -A in_sis900_ftp_c3 -p tcp --sport 1024:65535 --dport 32768:61000 -m state --state ESTABLISHED -j ACCEPT
OUTPUT  :
iptables: No chain/target/match by that name
--------------------------------------------------------------------------------
ERROR   : # 11.
WHAT    : A runtime command failed to execute (returned error 1).
SOURCE  : line FIN of /etc/firehol/firehol.conf
COMMAND : /sbin/iptables -t filter -A in_sis900 -m state --state RELATED -j ACCEPT
OUTPUT  :
iptables: No chain/target/match by that name
--------------------------------------------------------------------------------
ERROR   : # 12.
WHAT    : A runtime command failed to execute (returned error 1).
SOURCE  : line FIN of /etc/firehol/firehol.conf
COMMAND : /sbin/iptables -t filter -A out_sis900 -m state --state RELATED -j ACCEPT
OUTPUT  :
iptables: No chain/target/match by that name
--------------------------------------------------------------------------------
ERROR   : # 13.
WHAT    : A runtime command failed to execute (returned error 1).
SOURCE  : line FIN of /etc/firehol/firehol.conf
COMMAND : /sbin/iptables -t filter -A INPUT -m state --state RELATED -j ACCEPT
OUTPUT  :
iptables: No chain/target/match by that name
--------------------------------------------------------------------------------
ERROR   : # 14.
WHAT    : A runtime command failed to execute (returned error 1).
SOURCE  : line FIN of /etc/firehol/firehol.conf
COMMAND : /sbin/iptables -t filter -A OUTPUT -m state --state RELATED -j ACCEPT
OUTPUT  :
iptables: No chain/target/match by that name
--------------------------------------------------------------------------------
ERROR   : # 15.
WHAT    : A runtime command failed to execute (returned error 1).
SOURCE  : line FIN of /etc/firehol/firehol.conf
COMMAND : /sbin/iptables -t filter -A FORWARD -m state --state RELATED -j ACCEPT

OUTPUT  :

iptables: No chain/target/match by that name

 FAILED

FireHOL: Restoring old firewall: OK

```

# firehol debug

```

FireHOL: Saving your old firewall to a temporary file: OK

FireHOL: Processing file /etc/firehol/firehol.conf: OK

#!/bin/sh

load_kernel_module ip_tables

load_kernel_module ip_conntrack

# Find all tables supported

tables=`/bin/cat /proc/net/ip_tables_names`

for t in ${tables}

do

        # Reset/empty this table.

        /sbin/iptables -t "${t}" -F >/tmp/firehol-tmp-17777/firehol-out.sh.log 2>&1

        r=$?; test ! ${r} -eq 0 && runtime_error error ${r} INIT /sbin/iptables -t "${t}" -F

        /sbin/iptables -t "${t}" -X >/tmp/firehol-tmp-17777/firehol-out.sh.log 2>&1

        r=$?; test ! ${r} -eq 0 && runtime_error error ${r} INIT /sbin/iptables -t "${t}" -X

        /sbin/iptables -t "${t}" -Z >/tmp/firehol-tmp-17777/firehol-out.sh.log 2>&1

        r=$?; test ! ${r} -eq 0 && runtime_error error ${r} INIT /sbin/iptables -t "${t}" -Z

        # Find all default chains in this table.

        chains=`/sbin/iptables -t "${t}" -nL | /bin/grep "^Chain " | /bin/cut -d ' ' -f 2`

        # If this is the 'filter' table, remember the default chains.

        # This will be used at the end to make it DROP all packets.

        test "${t}" = "filter" && firehol_filter_chains="${chains}"

        # Set the policy to ACCEPT on all default chains.

        for c in ${chains}

        do

                /sbin/iptables -t "${t}" -P "${c}" ACCEPT >/tmp/firehol-tmp-17777/firehol-out.sh.log 2>&1

                r=$?; test ! ${r} -eq 0 && runtime_error error ${r} INIT /sbin/iptables -t "${t}" -P "${c}" ACCEPT

        done

done

/sbin/iptables -t filter -P INPUT "${FIREHOL_INPUT_ACTIVATION_POLICY}" >/tmp/firehol-tmp-17777/firehol-out.sh.log 2>&1

r=$?; test ! ${r} -eq 0 && runtime_error error ${r} INIT /sbin/iptables -t filter -P INPUT "${FIREHOL_INPUT_ACTIVATION_POLICY}"

/sbin/iptables -t filter -P INPUT "${FIREHOL_OUTPUT_ACTIVATION_POLICY}" >/tmp/firehol-tmp-17777/firehol-out.sh.log 2>&1

r=$?; test ! ${r} -eq 0 && runtime_error error ${r} INIT /sbin/iptables -t filter -P INPUT "${FIREHOL_OUTPUT_ACTIVATION_POLICY}"

/sbin/iptables -t filter -P FORWARD "${FIREHOL_FORWARD_ACTIVATION_POLICY}" >/tmp/firehol-tmp-17777/firehol-out.sh.log 2>&1

r=$?; test ! ${r} -eq 0 && runtime_error error ${r} INIT /sbin/iptables -t filter -P FORWARD "${FIREHOL_FORWARD_ACTIVATION_POLICY}"

# Accept everything in/out the loopback device.

/sbin/iptables -A INPUT -i lo -j ACCEPT

/sbin/iptables -A OUTPUT -o lo -j ACCEPT

# Drop all invalid packets.

# Netfilter HOWTO suggests to DROP all INVALID packets.

if [ "${FIREHOL_DROP_INVALID}" = "1" ]

then

        /sbin/iptables -A INPUT -m state --state INVALID -j DROP

        /sbin/iptables -A OUTPUT -m state --state INVALID -j DROP

        /sbin/iptables -A FORWARD -m state --state INVALID -j DROP

fi

# === CONFIGURATION STATEMENT =================================================

# CONF:INIT>>>  version 5

# === CONFIGURATION STATEMENT =================================================

# CONF:  3>>>   interface eth0 sis900

# INFO>>> Creating chain 'in_sis900' under 'INPUT' in table 'filter'

/sbin/iptables -t filter -N in_sis900

/sbin/iptables -t filter -A INPUT -i eth0 -j in_sis900

# INFO>>> Creating chain 'out_sis900' under 'OUTPUT' in table 'filter'

/sbin/iptables -t filter -N out_sis900

/sbin/iptables -t filter -A OUTPUT -o eth0 -j out_sis900

# === CONFIGURATION STATEMENT =================================================

# CONF:  4>>>           policy reject

# INFO>>> Setting interface 'eth0' (sis900) policy to reject

# === CONFIGURATION STATEMENT =================================================

# CONF:  5>>>           client all accept

# INFO>>> Preparing for service 'all' of type 'client' under interface 'sis900'

# INFO>>> Creating chain 'in_sis900_all_c1' under 'in_sis900' in table 'filter'

/sbin/iptables -t filter -N in_sis900_all_c1

/sbin/iptables -t filter -A in_sis900 -j in_sis900_all_c1

# INFO>>> Creating chain 'out_sis900_all_c1' under 'out_sis900' in table 'filter'

/sbin/iptables -t filter -N out_sis900_all_c1

/sbin/iptables -t filter -A out_sis900 -j out_sis900_all_c1

# INFO>>> Running complex rules function rules_all() for client 'all'

/sbin/iptables -t filter -A out_sis900_all_c1 -m state --state NEW\,ESTABLISHED -j ACCEPT

/sbin/iptables -t filter -A in_sis900_all_c1 -m state --state ESTABLISHED -j ACCEPT

# === CONFIGURATION STATEMENT =================================================

# CONF:  5>>>           client irc accept

# INFO>>> Preparing for service 'irc' of type 'client' under interface 'sis900'

# INFO>>> Creating chain 'in_sis900_irc_c2' under 'in_sis900' in table 'filter'

/sbin/iptables -t filter -N in_sis900_irc_c2

/sbin/iptables -t filter -A in_sis900 -j in_sis900_irc_c2

# INFO>>> Creating chain 'out_sis900_irc_c2' under 'out_sis900' in table 'filter'

/sbin/iptables -t filter -N out_sis900_irc_c2

/sbin/iptables -t filter -A out_sis900 -j out_sis900_irc_c2

# INFO>>> Running simple rules for  client 'irc'

/sbin/iptables -t filter -A out_sis900_irc_c2 -p tcp --sport 32768:61000 --dport ircd -m state --state NEW\,ESTABLISHED -j ACCEPT

/sbin/iptables -t filter -A in_sis900_irc_c2 -p tcp --sport ircd --dport 32768:61000 -m state --state ESTABLISHED -j ACCEPT

# === CONFIGURATION STATEMENT =================================================

# CONF:  5>>>           client ftp accept

# INFO>>> Preparing for service 'ftp' of type 'client' under interface 'sis900'

# INFO>>> Creating chain 'in_sis900_ftp_c3' under 'in_sis900' in table 'filter'

/sbin/iptables -t filter -N in_sis900_ftp_c3

/sbin/iptables -t filter -A in_sis900 -j in_sis900_ftp_c3

# INFO>>> Creating chain 'out_sis900_ftp_c3' under 'out_sis900' in table 'filter'

/sbin/iptables -t filter -N out_sis900_ftp_c3

/sbin/iptables -t filter -A out_sis900 -j out_sis900_ftp_c3

# INFO>>> Running complex rules function rules_ftp() for client 'ftp'

# INFO>>> Setting up rules for initial FTP connection client

/sbin/iptables -t filter -A out_sis900_ftp_c3 -p tcp --sport 32768:61000 --dport ftp -m state --state NEW\,ESTABLISHED -j ACCEPT

/sbin/iptables -t filter -A in_sis900_ftp_c3 -p tcp --sport ftp --dport 32768:61000 -m state --state ESTABLISHED -j ACCEPT

# INFO>>> Setting up rules for Active FTP client

/sbin/iptables -t filter -A in_sis900_ftp_c3 -p tcp --sport ftp-data --dport 32768:61000 -m state --state ESTABLISHED\,RELATED -j ACCEPT

/sbin/iptables -t filter -A out_sis900_ftp_c3 -p tcp --sport 32768:61000 --dport ftp-data -m state --state ESTABLISHED -j ACCEPT

# INFO>>> Setting up rules for Passive FTP client

/sbin/iptables -t filter -A out_sis900_ftp_c3 -p tcp --sport 32768:61000 --dport 1024:65535 -m state --state ESTABLISHED\,RELATED -j ACCEPT

/sbin/iptables -t filter -A in_sis900_ftp_c3 -p tcp --sport 1024:65535 --dport 32768:61000 -m state --state ESTABLISHED -j ACCEPT

# INFO>>> Finilizing interface 'sis900'

/sbin/iptables -t filter -A in_sis900 -m state --state RELATED -j ACCEPT

/sbin/iptables -t filter -A out_sis900 -m state --state RELATED -j ACCEPT

/sbin/iptables -t filter -A in_sis900 -p tcp -m limit --limit 1/second --limit-burst 5 -j LOG --log-level warning --log-prefix=IN-sis900:

/sbin/iptables -t filter -A in_sis900 -p tcp -j REJECT --reject-with tcp-reset

/sbin/iptables -t filter -A in_sis900 -m limit --limit 1/second --limit-burst 5 -j LOG --log-level warning --log-prefix=IN-sis900:

/sbin/iptables -t filter -A in_sis900 -j REJECT

/sbin/iptables -t filter -A out_sis900 -p tcp -m limit --limit 1/second --limit-burst 5 -j LOG --log-level warning --log-prefix=OUT-sis900:

/sbin/iptables -t filter -A out_sis900 -p tcp -j REJECT --reject-with tcp-reset

/sbin/iptables -t filter -A out_sis900 -m limit --limit 1/second --limit-burst 5 -j LOG --log-level warning --log-prefix=OUT-sis900:

/sbin/iptables -t filter -A out_sis900 -j REJECT

# INFO>>> Finilizing firewall policies

/sbin/iptables -t filter -A INPUT -m state --state RELATED -j ACCEPT

/sbin/iptables -t filter -A OUTPUT -m state --state RELATED -j ACCEPT

/sbin/iptables -t filter -A FORWARD -m state --state RELATED -j ACCEPT

/sbin/iptables -t filter -A INPUT -m limit --limit 1/second --limit-burst 5 -j LOG --log-level warning --log-prefix=IN-unknown:

/sbin/iptables -t filter -A INPUT -j DROP

/sbin/iptables -t filter -A OUTPUT -m limit --limit 1/second --limit-burst 5 -j LOG --log-level warning --log-prefix=OUT-unknown:

/sbin/iptables -t filter -A OUTPUT -j DROP

/sbin/iptables -t filter -A FORWARD -m limit --limit 1/second --limit-burst 5 -j LOG --log-level warning --log-prefix=PASS-unknown:

/sbin/iptables -t filter -A FORWARD -j DROP

# Make it drop everything on table 'filter'.

for c in ${firehol_filter_chains}

do

        /sbin/iptables -t filter -P "${c}" DROP >/tmp/firehol-tmp-17777/firehol-out.sh.log 2>&1

        r=$?; test ! ${r} -eq 0 && runtime_error error ${r} INIT /sbin/iptables -t filter -P "${c}" DROP

done

load_kernel_module ip_conntrack_irc

load_kernel_module ip_conntrack_ftp

FireHOL: Restoring old firewall: OK

```

So what have I done wrong, and what do you suggest I do?
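Every failing COMMAND in the report above is a rule that uses `-m state`, while the chain-creation (`-N`) and loopback rules in the debug script are not reported as failing; that pattern is the useful signal, because "No chain/target/match by that name" is the same message iptables prints for a missing user-defined chain, a missing match extension, or a missing target extension. The script below is an added diagnostic, not part of this thread and not FireHOL's own code: it parses a report in the layout shown above, groups the failing rules by the match (`-m`) and target (`-j`) extensions they need, and flags failures that hit a builtin chain such as INPUT (where a missing user chain cannot be the cause). The sample input is constructed: errors 5, 11 and 13 are copied from the report above, error 16 is made up to exercise a `limit`/`LOG` rule, and the module names in `MODULE_HINT` are assumptions for 2.6-era kernels like the one in this thread.

```python
import re

# Message iptables prints when a rule names a chain, match or target that the
# running kernel / iptables pairing does not provide.
MISSING_MSG = "No chain/target/match by that name"

BUILTIN_CHAINS = {"INPUT", "OUTPUT", "FORWARD", "PREROUTING", "POSTROUTING"}
CORE_TARGETS = {"ACCEPT", "DROP", "RETURN", "QUEUE"}  # built into ip_tables, no module needed

# Module behind each extension on 2.6-era kernels (assumption; newer kernels use xt_*).
MODULE_HINT = {
    "match:state": "ipt_state (needs ip_conntrack)",
    "match:limit": "ipt_limit",
    "target:LOG": "ipt_LOG",
    "target:REJECT": "ipt_REJECT",
}

# Constructed sample in the layout of a FireHOL error report: errors 5, 11 and 13
# are copied from the thread; error 16 is made up to exercise a limit/LOG rule.
SAMPLE_REPORT = r"""
ERROR   : # 5.
WHAT    : A runtime command failed to execute (returned error 1).
SOURCE  : line 5 of /etc/firehol/firehol.conf
COMMAND : /sbin/iptables -t filter -A out_sis900_ftp_c3 -p tcp --sport 32768:61000 --dport ftp -m state --state NEW\,ESTABLISHED -j ACCEPT
OUTPUT  :
iptables: No chain/target/match by that name
--------------------------------------------------------------------------------
ERROR   : # 11.
WHAT    : A runtime command failed to execute (returned error 1).
SOURCE  : line FIN of /etc/firehol/firehol.conf
COMMAND : /sbin/iptables -t filter -A in_sis900 -m state --state RELATED -j ACCEPT
OUTPUT  :
iptables: No chain/target/match by that name
--------------------------------------------------------------------------------
ERROR   : # 13.
WHAT    : A runtime command failed to execute (returned error 1).
SOURCE  : line FIN of /etc/firehol/firehol.conf
COMMAND : /sbin/iptables -t filter -A INPUT -m state --state RELATED -j ACCEPT
OUTPUT  :
iptables: No chain/target/match by that name
--------------------------------------------------------------------------------
ERROR   : # 16.
WHAT    : A runtime command failed to execute (returned error 1).
SOURCE  : line 7 of /etc/firehol/firehol.conf
COMMAND : /sbin/iptables -t filter -A in_sis900 -p tcp -m limit --limit 1/second -j LOG --log-prefix=IN-sis900:
OUTPUT  :
iptables: No chain/target/match by that name
"""

ERROR_RE = re.compile(r"^ERROR\s*:\s*#\s*(\d+)\.", re.M)
SEPARATOR_RE = re.compile(r"^-{10,}\s*$", re.M)


def parse_report(text):
    """Split a FireHOL error report into records: number, source, command, output."""
    records = []
    for block in SEPARATOR_RE.split(text):
        m = ERROR_RE.search(block)
        if not m:
            continue
        rec = {"number": int(m.group(1)), "source": None, "command": None, "output": []}
        in_output = False
        for line in block.strip().splitlines():
            if in_output:
                rec["output"].append(line.strip())
            elif line.startswith("SOURCE"):
                rec["source"] = line.split(":", 1)[1].strip()
            elif line.startswith("COMMAND"):
                rec["command"] = line.split(":", 1)[1].strip()
            elif line.startswith("OUTPUT"):
                in_output = True  # everything after OUTPUT is what iptables printed
        rec["output"] = "\n".join(l for l in rec["output"] if l)
        records.append(rec)
    return records


def chain_of(command):
    """Chain an iptables -A/-I/-D command operates on, or None."""
    argv = command.split()
    for flag in ("-A", "-I", "-D"):
        if flag in argv:
            return argv[argv.index(flag) + 1]
    return None


def iptables_extensions(command):
    """Return ([match names], [target names]) the command needs as extensions.
    Core targets and user chains (lowercase names) are not modules, so they are skipped."""
    argv = command.split()
    matches, targets = [], []
    for i, tok in enumerate(argv[:-1]):
        nxt = argv[i + 1]
        if tok == "-m":
            matches.append(nxt)
        elif tok == "-j" and nxt.isupper() and nxt not in CORE_TARGETS:
            targets.append(nxt)
    return matches, targets


def diagnose(text):
    """Group 'No chain/target/match' failures by the extension each rule needs and
    note failures on builtin chains, where a missing user chain is ruled out."""
    failed = [r for r in parse_report(text) if MISSING_MSG in r["output"]]
    by_extension, on_builtin = {}, []
    for r in failed:
        matches, targets = iptables_extensions(r["command"])
        for name in [f"match:{m}" for m in matches] + [f"target:{t}" for t in targets]:
            by_extension.setdefault(name, []).append(r["number"])
        if chain_of(r["command"]) in BUILTIN_CHAINS:
            on_builtin.append(r["number"])
    return {
        "failed": [r["number"] for r in failed],
        "by_extension": by_extension,
        "on_builtin_chains": on_builtin,
        "modules_to_check": sorted(MODULE_HINT[n] for n in by_extension if n in MODULE_HINT),
    }


if __name__ == "__main__":
    result = diagnose(SAMPLE_REPORT)
    print("failed rules:", result["failed"])
    for ext, nums in sorted(result["by_extension"].items()):
        print(f"  {ext:<14} needed by errors {nums}")
    print("failures on builtin chains:", result["on_builtin_chains"])
    print("modules to check:", ", ".join(result["modules_to_check"]))
```

Run against a real report (paste the `firehol start` output into `SAMPLE_REPORT` or read it from a file), the extension that turns up in every failing rule is the one to check first; a failure on INPUT, OUTPUT or FORWARD confirms the problem is the extension rather than a chain that was never created. The `state` match in particular depends on connection tracking, which is why a failed `modprobe ip_conntrack` at INIT shows up later as dozens of failing `-m state` rules.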

----------

## ktsaou

Hi,

please make sure you have compiled iptables against your current kernel. iptables depends on the internal kernel structures for its operations. If the iptables ebuild you have installed has been compiled with a different kernel version, such errors may occur.

Therefore I suggest re-emerging iptables.

Also make sure that your kernel has all the iptables features compiled either built-in or as modules.

Costa

----------

