Karl E. Jorgensen wrote:
> Strange: With this rule as the *first* rule in the OUTPUT chain,
> *everything* outgoing should be accepted, regardless of source,
> destination or protocol!?
>
>> out_lan 0 -- 192.168.30.103 0.0.0.0/0
>> out_public_lan_124 0 -- 192.168.100.2 0.0.0.0/0
>> out_public_lan_125 0 -- 192.168.100.5 0.0.0.0/0
>> ACCEPT 0 -- 0.0.0.0/0 0.0.0.0/0 state RELATED
>> ULOG 0 -- 0.0.0.0/0 0.0.0.0/0 limit: avg
>> 1/sec burst 5 ULOG copy_range 0 nlgroup 1 prefix `'OUT-unknown:''
>> queue_threshold 1
>
> And yet your log entry appears to be the result of this rule...
>
>> DROP 0 -- 0.0.0.0/0 0.0.0.0/0
>
> Are you 100% sure that these were the rules in effect at the time of the
> log entry? It's not making sense ...

Yes... 100% sure... I was doing many tests, and the result was that I had to disable firehol (and iptables as well). I could try to set up a different ruleset manually with iptables to see if the problem is a kind of strange combination of rules, but I'd like to use firehol because I never had a problem with it and I'm satisfied. I checked all the kernel config (it's 2.6.21.1, compiled by myself) and all modules from netfilter are compiled.

Uhm... I just checked another server with more or less the same configuration... just that this server has two physical interfaces and I don't use in the firehol conf the rule "interface ethX:X name dst xxx.xxx.xxx.xxx". I changed the firehol conf on the problematic server (deleted the dst xxx....) and now it works. The conf before I read about it because of different configuration for each virtual and physical interface... now I check how the conf is and if everything is OK.

Thanks all.
Pier