Bug#502733: firehol: Doesn't allow connection with OpenVPN since upgrade of linux-image-2.6.26-1-686
Package: firehol
Version: 1.256-4
Severity: important
Hello,
Since an upgrade from linux-image-2.6.26-1-686 2.6.26-8 to 2.6.26-9, when Firehol is activated, I cannot connect to an OpenVPN network anymore. Here is what syslog says when I launch OpenVPN with Firehol started:
Oct 19 15:42:30 baudelaire ovpn-myvpn[11762]: Control Channel Authentication: using 'user/my.key' as a OpenVPN static key file
Oct 19 15:42:30 baudelaire ovpn-myvpn[11762]: Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Oct 19 15:42:30 baudelaire ovpn-myvpn[11762]: Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Oct 19 15:42:30 baudelaire ovpn-myvpn[11762]: Control Channel MTU parms [ L:1591 D:168 EF:68 EB:0 ET:0 EL:0 ]
Oct 19 15:42:30 baudelaire ovpn-myvpn[11762]: Data Channel MTU parms [ L:1591 D:1450 EF:59 EB:4 ET:32 EL:0 ]
Oct 19 15:42:30 baudelaire ovpn-myvpn[11762]: Local Options hash (VER=V4): 'b8d42479'
Oct 19 15:42:30 baudelaire ovpn-myvpn[11762]: Expected Remote Options hash (VER=V4): '173d8fc4'
Oct 19 15:42:30 baudelaire ovpn-myvpn[11764]: NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
Oct 19 15:42:30 baudelaire ovpn-myvpn[11764]: Attempting to establish TCP connection with 42.42.42.42:7777 [nonblock]
Oct 19 15:42:33 baudelaire ovpn-myvpn[11764]: TCP: connect to 42.42.42.42:7777 failed, will try again in 5 seconds: Connection refused
Oct 19 15:42:41 baudelaire ovpn-myvpn[11764]: TCP: connect to 42.42.42.42:7777 failed, will try again in 5 seconds: Connection refused
Oct 19 15:42:49 baudelaire ovpn-myvpn[11764]: TCP: connect to 42.42.42.42:7777 failed, will try again in 5 seconds: Connection refused
My firehol.conf is simple and looks like this:
---- begin of firehol.conf ----
version 5
FIREHOL_LOG_MODE=ULOG
interface eth0 interface_eth0
## Doesn't work even if these two lines are commented.
protection strong
policy reject
server icmp accept
client all accept
interface tap0 myvpn
## Doesn't work even if these two lines are commented.
protection strong
policy reject
server icmp accept
client all accept
---- end of firehol.conf ----
Here is the output of iptables -L:
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
in_interface_eth0 all -- anywhere anywhere
in_myvpn all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED
ULOG all -- anywhere anywhere limit: avg 1/sec burst 5 ULOG copy_range 0 nlgroup 1 prefix `'IN-unknown:'' queue_threshold 1
DROP all -- anywhere anywhere
Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED
ULOG all -- anywhere anywhere limit: avg 1/sec burst 5 ULOG copy_range 0 nlgroup 1 prefix `'PASS-unknown:'' queue_threshold 1
DROP all -- anywhere anywhere
Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
out_interface_eth0 all -- anywhere anywhere
out_myvpn all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED
ULOG all -- anywhere anywhere limit: avg 1/sec burst 5 ULOG copy_range 0 nlgroup 1 prefix `'OUT-unknown:'' queue_threshold 1
DROP all -- anywhere anywhere
Chain in_myvpn (1 references)
target prot opt source destination
in_myvpn_icmp_s1 all -- anywhere anywhere
in_myvpn_all_c2 all -- anywhere anywhere
in_myvpn_irc_c3 all -- anywhere anywhere
in_myvpn_ftp_c4 all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED
ULOG all -- anywhere anywhere limit: avg 1/sec burst 5 ULOG copy_range 0 nlgroup 1 prefix `''IN-myvpn':'' queue_threshold 1
DROP all -- anywhere anywhere
Chain in_myvpn_all_c2 (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state ESTABLISHED
Chain in_myvpn_ftp_c4 (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp spt:ftp dpts:32768:61000 state ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp spt:ftp-data dpts:32768:61000 state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp spts:1024:65535 dpts:32768:61000 state ESTABLISHED
Chain in_myvpn_icmp_s1 (1 references)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere state NEW,ESTABLISHED
Chain in_myvpn_irc_c3 (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp spt:ircd dpts:32768:61000 state ESTABLISHED
Chain in_interface_eth0 (1 references)
target prot opt source destination
in_interface_eth0_icmp_s1 all -- anywhere anywhere
in_interface_eth0_all_c2 all -- anywhere anywhere
in_interface_eth0_irc_c3 all -- anywhere anywhere
in_interface_eth0_ftp_c4 all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED
ULOG all -- anywhere anywhere limit: avg 1/sec burst 5 ULOG copy_range 0 nlgroup 1 prefix `''IN-interface_eth0':'' queue_threshold 1
DROP all -- anywhere anywhere
Chain in_interface_eth0_all_c2 (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state ESTABLISHED
Chain in_interface_eth0_ftp_c4 (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp spt:ftp dpts:32768:61000 state ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp spt:ftp-data dpts:32768:61000 state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp spts:1024:65535 dpts:32768:61000 state ESTABLISHED
Chain in_interface_eth0_icmp_s1 (1 references)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere state NEW,ESTABLISHED
Chain in_interface_eth0_irc_c3 (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp spt:ircd dpts:32768:61000 state ESTABLISHED
Chain out_myvpn (1 references)
target prot opt source destination
out_myvpn_icmp_s1 all -- anywhere anywhere
out_myvpn_all_c2 all -- anywhere anywhere
out_myvpn_irc_c3 all -- anywhere anywhere
out_myvpn_ftp_c4 all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED
ULOG all -- anywhere anywhere limit: avg 1/sec burst 5 ULOG copy_range 0 nlgroup 1 prefix `''OUT-myvpn':'' queue_threshold 1
DROP all -- anywhere anywhere
Chain out_myvpn_all_c2 (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state NEW,ESTABLISHED
Chain out_myvpn_ftp_c4 (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp spts:32768:61000 dpt:ftp state NEW,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp spts:32768:61000 dpt:ftp-data state ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp spts:32768:61000 dpts:1024:65535 state RELATED,ESTABLISHED
Chain out_myvpn_icmp_s1 (1 references)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere state ESTABLISHED
Chain out_myvpn_irc_c3 (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp spts:32768:61000 dpt:ircd state NEW,ESTABLISHED
Chain out_interface_eth0 (1 references)
target prot opt source destination
out_interface_eth0_icmp_s1 all -- anywhere anywhere
out_interface_eth0_all_c2 all -- anywhere anywhere
out_interface_eth0_irc_c3 all -- anywhere anywhere
out_interface_eth0_ftp_c4 all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED
ULOG all -- anywhere anywhere limit: avg 1/sec burst 5 ULOG copy_range 0 nlgroup 1 prefix `''OUT-interface_eth0':'' queue_threshold 1
DROP all -- anywhere anywhere
Chain out_interface_eth0_all_c2 (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state NEW,ESTABLISHED
Chain out_interface_eth0_ftp_c4 (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp spts:32768:61000 dpt:ftp state NEW,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp spts:32768:61000 dpt:ftp-data state ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp spts:32768:61000 dpts:1024:65535 state RELATED,ESTABLISHED
Chain out_interface_eth0_icmp_s1 (1 references)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere state ESTABLISHED
Chain out_interface_eth0_irc_c3 (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp spts:32768:61000 dpt:ircd state NEW,ESTABLISHED
Sorry for my bad English. :-)
-- System Information:
Debian Release: lenny/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.26-1-686 (SMP w/1 CPU core)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages firehol depends on:
ii bash 3.2-4 The GNU Bourne Again SHell
ii iproute 20080725-2 networking and traffic control too
ii iptables 1.4.1.1-4 administration tools for packet fi
ii lsb-base 3.2-20 Linux Standard Base 3.2 init scrip
ii net-tools 1.60-21 The NET-3 networking toolkit
Versions of packages firehol recommends:
pn aggregate <none> (no description available)
ii curl 7.18.2-7 Get a file from an HTTP, HTTPS or
ii module-init-tools 3.4-1 tools for managing Linux kernel mo
ii wget 1.11.4-2 retrieves files from the web
firehol suggests no packages.
-- no debconf information
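The following is an added example, not code from the report or from the firehol project. It parses a chain listing in the format pasted above (`iptables -L` without `-v`, so the interface matches that select the `in_*`/`out_*` chains and the packet counters are not visible) and walks a packet through the chains rule by rule, the way the kernel does: a jump into a sub-chain that matches nothing falls back to the next rule of the parent, `ULOG` logs and continues, and the per-interface chain ends in `RELATED` accept, `ULOG`, `DROP`. The listing is a constructed subset of the one in the report (only the eth0 chains, with the irc/ftp sub-chains of the output side left out), the packets are made up, the port names are resolved with the usual /etc/services numbers, and the `limit:` on the `ULOG` rule is assumed not to be exceeded. Running it shows that the rules as listed accept the outgoing OpenVPN SYN in `out_interface_eth0_all_c2` and the returning `ESTABLISHED` packet in `in_interface_eth0_all_c2`, while an unsolicited inbound SYN is logged with prefix `IN-interface_eth0` and dropped. That is the check to do first when a flow fails behind a firehol ruleset: if the listed rules pass the packet, the cause lies in what `-L` alone does not show (interface selection, conntrack state, counters), and `iptables -L -v -n` plus the ULOG lines are the next place to look.

```python
"""Walk a packet through a pasted `iptables -L` listing of firehol chains (added example)."""
import re
from dataclasses import dataclass
from typing import Optional

PORT_NAMES = {"ftp": 21, "ftp-data": 20, "ircd": 6667}   # names as iptables -L prints them
TERMINAL = {"ACCEPT", "DROP", "REJECT"}

# Constructed subset of the report's listing: the eth0 interface chains (no -v,
# so the -i/-o interface matches that select these chains are not visible).
SAMPLE_LISTING = """\
Chain in_interface_eth0 (1 references)
target prot opt source destination
in_interface_eth0_icmp_s1 all -- anywhere anywhere
in_interface_eth0_all_c2 all -- anywhere anywhere
in_interface_eth0_irc_c3 all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED
ULOG all -- anywhere anywhere limit: avg 1/sec burst 5 ULOG copy_range 0 nlgroup 1 prefix `''IN-interface_eth0':'' queue_threshold 1
DROP all -- anywhere anywhere
Chain in_interface_eth0_all_c2 (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state ESTABLISHED
Chain in_interface_eth0_icmp_s1 (1 references)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere state NEW,ESTABLISHED
Chain in_interface_eth0_irc_c3 (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp spt:ircd dpts:32768:61000 state ESTABLISHED
Chain out_interface_eth0 (1 references)
target prot opt source destination
out_interface_eth0_all_c2 all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED
ULOG all -- anywhere anywhere limit: avg 1/sec burst 5 ULOG copy_range 0 nlgroup 1 prefix `''OUT-interface_eth0':'' queue_threshold 1
DROP all -- anywhere anywhere
Chain out_interface_eth0_all_c2 (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state NEW,ESTABLISHED
"""

@dataclass
class Packet:
    proto: str                      # "tcp", "udp" or "icmp"
    state: str                      # conntrack state: NEW, ESTABLISHED or RELATED
    sport: Optional[int] = None
    dport: Optional[int] = None

@dataclass
class Rule:
    target: str
    prot: str
    states: Optional[set]           # None means "any state"
    sport: Optional[tuple]          # (low, high) port range or None
    dport: Optional[tuple]
    log_prefix: Optional[str]

    def matches(self, pkt: Packet) -> bool:
        if self.prot not in ("all", pkt.proto):
            return False
        if self.states is not None and pkt.state not in self.states:
            return False
        for rng, port in ((self.sport, pkt.sport), (self.dport, pkt.dport)):
            if rng and (port is None or not rng[0] <= port <= rng[1]):
                return False
        return True                 # the `limit:` on ULOG rules is assumed not exceeded

def _port_range(text: str, key: str) -> Optional[tuple]:
    """Parse `dpt:ftp` / `dpts:32768:61000` (or spt/spts) into a (low, high) range."""
    m = re.search(rf"\b{key}s:(\d+):(\d+)", text)
    if m:
        return int(m.group(1)), int(m.group(2))
    m = re.search(rf"\b{key}:(\S+)", text)
    if not m:
        return None
    port = PORT_NAMES.get(m.group(1)) or int(m.group(1))
    return port, port

def parse_listing(text: str) -> dict:
    """Return {chain_name: [Rule, ...]} from `iptables -L` text."""
    chains, current = {}, None
    for line in text.splitlines():
        tok = line.split()
        if not tok or tok[0] == "target":      # blank line or column header
            continue
        if tok[0] == "Chain":
            current = tok[1]
            chains[current] = []
            continue
        extra = " ".join(tok[5:])               # match text after source/destination
        st = re.search(r"\bstate (\S+)", extra)
        pre = re.search(r"prefix\s+[`']*([^`':]+)", extra)
        chains[current].append(Rule(
            target=tok[0], prot=tok[1],
            states=set(st.group(1).split(",")) if st else None,
            sport=_port_range(extra, "spt"), dport=_port_range(extra, "dpt"),
            log_prefix=pre.group(1) if pre else None))
    return chains

def decide(chains: dict, chain: str, pkt: Packet, trace=None):
    """Walk `chain` rule by rule as the kernel would; return (verdict or None, trace)."""
    trace = [] if trace is None else trace
    for rule in chains[chain]:
        if not rule.matches(pkt):
            continue
        if rule.target in TERMINAL:
            trace.append(f"{chain}: {rule.target}")
            return rule.target, trace
        if rule.target == "ULOG":               # non-terminating: log and keep going
            trace.append(f"{chain}: ULOG prefix {rule.log_prefix}")
            continue
        if rule.target in chains:               # jump; a sub-chain may fall through
            trace.append(f"{chain} -> {rule.target}")
            verdict, _ = decide(chains, rule.target, pkt, trace)
            if verdict:
                return verdict, trace
    return None, trace                          # end of chain: caller continues / chain policy
```

A `None` verdict from the top-level chain means the packet reached the chain's own policy (`DROP` for `INPUT`, `FORWARD` and `OUTPUT` in the report), which firehol's per-interface chains never let happen because each ends in an explicit `DROP`; the trace tells you which sub-chain was entered and where the packet was logged, so it can be matched against the ULOG prefix seen in the system log.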