QA/FAQ
 
Q: Exact email quote: "Your firewall doesn't work, howcome?"
A: First of all: this type of message doesn't really help me much in solving your problem!
I'm always willing to help but some people still want me to guess whatever problem they have. Second note is RTFM (Read-The-F*cking-Manual = the README-file and this page!) before contacting me, most problems are caused by people who think that a piece of software should just work without reading the documentation. Also check the question below!

Q: I can't get it to work.
A: Always first check whether there's an updated version of my firewall. If you experience strange iptables/kernel errors, check whether there is an updated version of iptables or the kernel for your distribution: a lot of problems are caused by an out-of-date iptables/kernel which conflicts with my script. If you still cannot find the problem and you tried really, really hard, then you should post your question on my firewall mailing list, where either I or others may be able to help you. At least provide the following info:
- Linux distribution
- Kernel version
- iptables version
- firewall version
- (relevant) firewall logs
- attach your (firewall) configuration file
Furthermore provide as much (relevant) and detailed information as possible (e.g. dumps of 'ifconfig', 'iproute' and/or the output of the 'start'-command).

Q: I emailed you but I don't get any answer! Are you too lame to answer me back?
A: Like other people who make free software, I don't make any money with it (but feel free to do so and I will give it to charity), so in the first place I don't owe you anything. But as I am simply too busy to manage a free helpdesk I had to make some rules:
- First of all, plain (helpdesk) questions should always be posted to the mailing list. As I stated earlier I am simply too busy to help everybody out. People that do NOT honour this will NOT get any answer nor reply.
- Stuff like security issues/bugs may be emailed to me directly, everything else should be posted on the mailing list (first). "How do I ...." questions (helpdesk questions) should always go to the mailing list.
- Note that often I don't have the time (the delay could be as long as 2 weeks) to answer back.
- Also note that some emails don't require an answer, though the information is USED (I think it's always better to use the time to actually implement the feature and/or fix the bug than answer somebody back that I will implement it).
- Stupid questions of people who are too lazy to read or of people who don't deserve to own a Linux machine (meaning they own one but don't know sh*t about it) also don't get any response. Some people still think a "one-line"-email to me can resolve their problem -> IT CAN'T!

Q: I can't get it to work, there seems to be a problem with the module dependencies. What can I try to fix this?
A: Try to run "depmod -a" to update the module dependencies list of the OS. Note that most distributions already perform this action at boot time.

Q: How does your version numbering work?
A: The main version number consists of 3 digits. The first one tells you the major version number (1). The second one tells you the minor version and whether it's a development branch or not: odd numbers are development, even numbers are mainline. The third one tells you the subminor version. The last one also tells you whether it's a stable version or not: an even number means a stable version, an odd number an unstable one. Unstable is always followed by "RC" or "BETA" and an additional number. This tells you how "stable" an unstable version is; RC should normally be quite stable, as it's a "Release-Candidate". Stable versions are sometimes also followed by a single character (a-z), which is used for minor changes (but still means it's stable).

Q: How can I forward port 21 and 25 to 192.168.0.5 and forward port 5000-5010 to 192.168.0.6?
A: Use NAT_TCP_FORWARD and/or NAT_UDP_FORWARD variable(s) in this way:
NAT_TCP_FORWARD="21,25>192.168.0.5 5000:5010>192.168.0.6"
NAT_UDP_FORWARD="21,25>192.168.0.5 5000:5010>192.168.0.6"

Q: How can I make eDonkey/eMule work so that I don't get low ID (firewalled)?
A: You need to forward TCP/UDP port 4662 and UDP port 4672 to your internal host (e.g. 192.168.0.5):
NAT_TCP_FORWARD="4662>192.168.0.5"
NAT_UDP_FORWARD="4662,4672>192.168.0.5"

Q: How can I enter multiple ports in any of the variables?
A: You can enter multiple ports separated by spaces, except for the xxx_FORWARD variables. Normally the comment in the config file shows a good example of how to use the variables.

Q: How can I restrict the access to certain forwarded ports? I only want to allow IPs 1.2.3.4 and 5.6.7.8 for the forwarded HTTP (port 80) service.
A: Enter the allowed source IP address(es) in front of a forward specification. Example:
NAT_TCP_FORWARD="1.2.3.4,5.6.7.8:80>192.168.0.5"
NAT_UDP_FORWARD="1.2.3.4,5.6.7.8:80>192.168.0.5"

Q: How can I enter port ranges in the variables?
A: Port ranges should be written with the ':' separator, e.g. "5000:5010" would include ports 5000 through 5010.

Q: Why don't you block any trojans by default?
A: Because the list of existing trojans is simply too large (and growing). The default policy of the firewall blocks any trojans by default, except for full access subnets! The fwfilter script DOES know all common trojans however.

Q: Where does the name XMAS-scan come from?
A: The name XMAS came from the first time someone caught such a packet. All the tcp flags were up like a fully lighted xmas tree. It also probably happened around xmas, I presume. But that is networking legend! (Arch@os)

Q: How can I use the script with chkconfig (Redhat)?
A: Just copy or (soft) link the script to "/etc/init.d" (that's it).

Q: How can I add custom iptables rules?
A: Just put your custom iptables rules in "/etc/iptables-custom-rules" (default location). CAUTION!: All custom rules are loaded at the beginning of the script, so you could break some of the security of my script if you don't know exactly what you're doing.

Q: What's the proper way to use the blocked hosts file?
A: Just put the hostname or IP of the host(s) you want to block in "/etc/iptables-blocked-hosts" (default location). You can use comments (starting with the #-character) but it can only be used when the whole line is a comment!

Q: When I turn on host resolving, I get an error saying that 'dig' can not be found.
A: You must install the bind-utilities (package), which contains the 'dig' utility.

Q: I want to forward (DNAT) from port 81 on the firewall machine to port 80 on a local host (192.168.0.3). How can I do this?
A: You can do this in almost the same way as a normal forward; the only thing you need to add is the target port to the destination host in the TCP_FORWARD / UDP_FORWARD variables. In this case it would become "81>192.168.0.3:80"
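The forward syntax used in the answers above (comma lists, lo:hi ranges, an optional source list in front, and an optional target port after the host) amounts to one DNAT rule per port and source. The following is an added example, not code from the firewall script; it expands a NAT_TCP_FORWARD / NAT_UDP_FORWARD value into iptables commands and prints them instead of running them. EXT_IF=eth0 and the nat PREROUTING rule layout are assumptions for illustration, not the script's own output.

```shell
#!/bin/sh
# Added example, not code from the firewall script: expands a NAT_TCP_FORWARD /
# NAT_UDP_FORWARD value into the iptables DNAT rules it describes and prints
# them instead of running them. Rule layout (nat PREROUTING, matching on
# EXT_IF) is an illustration, not the script's own output.
EXT_IF=eth0   # assumed external interface name

# forward_rules PROTO "ENTRY ENTRY ..."
# Each space-separated entry is  [SRCIPS:]PORTS>HOST[:DPORT]
#   SRCIPS  optional comma list of allowed source addresses (1.2.3.4,5.6.7.8)
#   PORTS   comma list of ports; a range is written lo:hi (5000:5010)
#   DPORT   optional different port on the target host (81>192.168.0.3:80)
forward_rules() {
    proto=$1
    for entry in $2; do
        case $entry in
            *'>'*) ;;
            *) echo "forward_rules: entry '$entry' has no '>'" >&2; return 1 ;;
        esac
        lhs=${entry%%>*}                 # optional source list and the ports
        rhs=${entry#*>}                  # target host and optional port
        dest=${rhs%%:*}
        case $rhs in *:*) dest="$dest:${rhs#*:}" ;; esac
        srcs=any
        # A first field containing a dot is a source address list; a plain
        # "5000:5010" has no dot and is therefore a port range, not a source.
        case ${lhs%%:*} in
            *.*) srcs=${lhs%%:*}; lhs=${lhs#*:} ;;
        esac
        for src in $(printf '%s' "$srcs" | tr ',' ' '); do
            match=""
            [ "$src" = any ] || match="-s $src "
            for port in $(printf '%s' "$lhs" | tr ',' ' '); do
                # DNAT only rewrites the destination; the FORWARD chain must
                # still accept the rewritten packet (not shown here).
                printf 'iptables -t nat -A PREROUTING -i %s %s-p %s --dport %s -j DNAT --to-destination %s\n' \
                    "$EXT_IF" "$match" "$proto" "$port" "$dest"
            done
        done
    done
}

# The examples from the questions above:
forward_rules tcp "21,25>192.168.0.5 5000:5010>192.168.0.6"
forward_rules udp "4662,4672>192.168.0.5"
forward_rules tcp "1.2.3.4,5.6.7.8:80>192.168.0.5"
forward_rules tcp "81>192.168.0.3:80"
```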

Q: The script shows an error saying something like "info is ambiguous, ...". What's the cause and how can I fix this?
A: The cause is a bug in older versions of iptables (<1.2.3) which don't understand strings passed to the iptables option "--loglevel". The best thing you can do is upgrade to a newer (or the latest) version of iptables. If you really can't, you can also fix it by using the number associated with the required loglevel. For the default value, "info", the variable "LOGLEVEL" should equal "6" in the configuration file (LOGLEVEL=6).

Q: How can I use an internal (masqueraded) machine as a VPN server?
A: First you need NAT (masquerading) enabled. Second you need to configure the following variables:
- IP_FORWARD="47>YOUR_LOCAL_HOST"
-> example IP_FORWARD="47>192.168.0.2"
- TCP_FORWARD="500,1723,3389>YOUR_LOCAL_HOST"
-> example TCP_FORWARD="500,1723,3389>192.168.0.2"
- UDP_FORWARD="500,1723,3389>YOUR_LOCAL_HOST"
-> example UDP_FORWARD="500,1723,3389>192.168.0.2"

Q: Does your firewall work with IPSEC VPN (KAME/Racoon)?
A: Yep :-) There is a plugin available to get it to work.

Q: Does your firewall work with CIPE?
A: Yes. Here's how you should do it, it's actually quite easy with my script.
You need to configure the following variables:
- OPEN_UDP="1119" # 1119 = CIPE tunnel
- TRUSTED_IF="cpcb0" # This allows the actual VPN traffic to your gateway/network.
- RP_FILTER=0 # If we don't do this the private external addresses won't be routed into our net

Q: I'm seeing INVALID packets being dropped (with a nested ICMP packet) with error "INCOMPLETE". What causes this?
A: Well, there's not much I could find about this issue but it seems to be caused by congested routers which cannot handle the traffic but it could also be caused by eDonkey servers which are abused (for DoS attacks). For now there's not much I can do about it as I'm still not certain about its causes. If someone can provide me with more information please contact me.

Q: How can I enable the use of protocols like UPnP for my internal network?
A: You should install "LINUX UPNP INTERNET GATEWAY DEVICE" which is available from http://linux-igd.sourceforge.net/. To enable support for it in my firewall you should make FORWARD_LOOSE=1. This will allow any FORWARD (not INPUT) packet from the outside world into the local network. Note that it's less secure when you use this feature.

Q: I did an nmap (port scan) from my internal network against my public IP and everything is open!!! I thought your firewall was very secure by default! Shouldn't it block all ports then?
A: This is caused by the fact that many people still don't understand that for security reasons some actions are only performed on the network interfaces for which it should actually apply. Portforwarding & default portblocking is only performed on the EXTERNAL interface. In other words: performing tests on your public IP from your internal network will NEVER,EVER work -> you should always use another public machine!

Q: I configured your script with a port forward of port 80 to an internal machine running a webserver. It works when I connect from another public machine but it doesn't work when I try to connect from an internal host. How can I make this work?
A: The problem is caused by the fact that port forwards in principle only work for the external internet interface (EXT_IF). The reason why this can't work is simple: to connect to a public IP you need ANOTHER public IP, and an internal (NAT) host lacks this. You can fix this by using my DNAT-plugin for my firewall, which reroutes traffic from the internal hosts that is addressed to the external IP of your gateway machine to its internal IP.

Q: Could you tell me how I can use PoPToP VPN with your firewall?
A: Here's how you should do it.
You need to configure the following variables:
- OPEN_IP="47" # 47=GRE protocol
- OPEN_TCP="1723" # 1723=pptp

Q: Is there a way to define 2 or more ethernet adapters for internal networks?
A: Yes you can! You can actually specify as many internal nets as you want. There are two ways to accomplish this:
1) Only specify multiple local interfaces in INT_IF (space separated) and specify one(!) big local subnet in INTERNAL_NET. In this way you only need to make sure that each subnet "fits" in the large one. For example:
- INT_IF="eth0 eth1 eth2"
- INTERNAL_NET="192.168.0.0/16"
or
2) Specify multiple local interfaces in INT_IF (space separated) and specify an equal amount of subnets in INTERNAL_NET. This means that each entry of INTERNAL_NET & INT_IF forms a combined interface/subnet pair!
For example:
- INT_IF="eth0 eth1 eth2"
- INTERNAL_NET="192.168.0.0/24 192.168.1.0/24 192.168.2.0/24"
Note that my script figures out itself which method you (want to) use!

Q: Is there a way to define 2 or more ethernet adapters for external networks?
A: Yes, simply add ALL interfaces to your EXT_IF.

Q: How can I make IRC work?
A: First enable the variable USE_IRC(=1). Second make sure IDENT is enabled on your server by opening TCP port 113 (OPEN_TCP="113"); if you don't do this any new connections to an IRC server will be extremely slow! Note that it seems that the current IRC kernel modules don't support DCC filesend (or does somebody know a work-around?). To be able to also do filesends you should (probably) set up TCP port forwards to your internal client (NAT_TCP_FORWARD) instead(!) of using kernel module IRC support (USE_IRC=0).

Q: I don't want our students on our internal NATed network to use IRC. How can I block this?
A: Configure these variables:
- $BLOCK_TCP_FORWARD="6666:6669"
- $BLOCK_UDP_FORWARD="6666:6669"

Q: It seems that your firewall blocks traffic on ANY network interface. How can I fix this?
A: In some rare cases people have additional network interfaces, next to the default internal and external interface. Because of the way iptables works, it's easier to first block all traffic (deny) and then start allowing things for the internal and external interfaces (this is also a lot more secure). This issue can be solved by adding the network interface to "TRUSTED_IF". CAUTION!: This will allow ANY traffic to and from that specific interface without any checking whatsoever.

Q: What is a DMZ?
A: "DMZ" is an abbreviation for "de-militarized zone". In the context of firewalls, this refers to a part of the network that is neither part of the internal network nor directly part of the Internet. Typically, this is the area between your Internet access router and your bastion host, though it can be between any two policy-enforcing components of your architecture (Info obtained from Cisco).

Q: How can I implement a DMZ with your firewall?
A: To accomplish this you should add an additional ethernet adapter to the computer (gateway) running my firewall and add this interface to the DMZ_IF variable. You can also create multiple DMZ interfaces (although I doubt the benefit of having more than one) by adding multiple interfaces to DMZ_IF (space separated).

Q: I use ppp (Point-To-Point) for my internet connection. Why should I use 'ppp+' instead of 'ppp0' for my EXT_IF?
A: The use of the '+' functions as a wildcard and has 2 advantages:
1) It automatically matches ANY ppp network interface.
2) The firewall can be started without the restriction that the network interface (ppp0) should already exist.

Q: I see packets with IP protocol 2 (PROTO=2) being dropped what's causing this?
A: I couldn't find much about IP protocol 2 (=IGMP), but it seems to be caused when your route daemon (routed) is NOT running (properly) or is misconfigured (which is required for PPPoA).

Q: What does IPSEC mean?
A: IPSEC means Internet Protocol SECurity. It uses strong cryptography to provide both authentication and encryption services. Authentication ensures that packets are from the right sender and have not been altered in transit. Encryption prevents unauthorised reading of packet contents.

Q: I want to masquerade (NAT) from 10.0.0.0/24 *and* 192.168.0.0/24, which are both connected to network interface eth1. I've set INT_IF="eth1" and INTERNAL_NET="10.0.0.0/24 192.168.0.0/24". Now it works for 10.0.0.0/24 but it does not for 192.168.0.0/24. How come?
A: A single (physical) network interface was never meant to route absolutely different IP subnets. However, you can make it work like this (although it's dirty):
INT_IF="eth1 eth1"
INTERNAL_NET="10.0.0.0/24 192.168.0.0/24"
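The two INT_IF / INTERNAL_NET methods from the "2 or more ethernet adapters" answer and the "eth1 eth1" trick above are the same rule: one subnet applies to every interface, an equal number of subnets pairs up one to one. The following is an added example, not code from the firewall script, that applies that rule and prints the resulting interface/subnet pairs; how the real script reacts to a mismatched count is not something it claims.

```shell
#!/bin/sh
# Added example, not code from the firewall script: works out which of the two
# INT_IF / INTERNAL_NET methods a configuration uses and prints the resulting
# "interface subnet" pairs. One subnet is applied to every interface; an equal
# number of subnets pairs them one to one (which is what the "eth1 eth1" trick
# relies on). Any other combination is rejected here; that is this example's
# own choice, not documented behaviour of the script.
lan_pairs() {
    int_if=$1
    internal_net=$2
    n_if=$(set -- $int_if; echo $#)          # number of interfaces
    n_net=$(set -- $internal_net; echo $#)   # number of subnets
    if [ "$n_net" -ne 1 ] && [ "$n_net" -ne "$n_if" ]; then
        echo "lan_pairs: $n_if interface(s) but $n_net subnet(s)" >&2
        return 1
    fi
    i=0
    for iface in $int_if; do
        i=$((i + 1))
        if [ "$n_net" -eq 1 ]; then
            net=$internal_net                                  # method 1: one big subnet for all
        else
            net=$(set -- $internal_net; shift $((i - 1)); echo "$1")   # method 2: i-th subnet
        fi
        echo "$iface $net"
    done
}

# Method 1, method 2, and the same-interface trick from the question above:
lan_pairs "eth0 eth1 eth2" "192.168.0.0/16"
lan_pairs "eth0 eth1 eth2" "192.168.0.0/24 192.168.1.0/24 192.168.2.0/24"
lan_pairs "eth1 eth1" "10.0.0.0/24 192.168.0.0/24"
```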

Q: How can I use IP address masks in the configuration file and/or the block hosts file?
A: You should use the /x notation, which is a bitmask. Example: to select all addresses 192.168.x.x, write 192.168.0.0/16. The /16 masks (selects) the 16 most significant bits of the address (from left to right, the first two octets), meaning these should match and all others are "don't cares".

Q: How can I use IP address ranges in the configuration file and/or the block hosts file?
A: Version 1.8 does NOT support IP ranges (except for the blocked hosts file), and never will. However, starting with version 1.9, you can use class C IPv4 ranges like e.g. 192.168.1.10-20, which would include all IPs between 192.168.1.10 and 192.168.1.20.
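The blocked hosts file format described above (one host per line, "#" only as a whole-line comment, /x masks, and the 1.9 range syntax a.b.c.lo-hi) is small enough to parse in a few lines. The following is an added example, not code from the firewall script: it reads such a file from stdin and prints one address, subnet or hostname per line with ranges expanded. Hostnames are passed through unresolved, and a line with an inline "#" is reported and skipped because the format does not allow it; that handling is this example's choice, not the script's documented behaviour.

```shell
#!/bin/sh
# Added example, not code from the firewall script: parses the blocked hosts
# file format (whole-line "#" comments, IPs, a.b.c.d/x masks, hostnames and,
# from version 1.9 on, class C ranges written a.b.c.lo-hi) from stdin and
# prints one entry per line, ranges expanded. Hostnames are passed through;
# the script itself resolves them with dig.
expand_blocked_hosts() {
    # plain read (default IFS) trims surrounding whitespace; the || clause
    # keeps a last line that lacks a trailing newline
    while read -r line || [ -n "$line" ]; do
        case $line in
            ''|'#'*) continue ;;                        # blank or whole-line comment
            *'#'*) echo "skipping inline comment: $line" >&2; continue ;;
        esac
        case $line in
            [0-9]*.[0-9]*.[0-9]*.[0-9]*-[0-9]*)         # a.b.c.lo-hi (version 1.9)
                prefix=${line%.*}                       # a.b.c
                span=${line##*.}                        # lo-hi
                lo=${span%-*}; hi=${span#*-}
                if [ "$lo" -gt "$hi" ] || [ "$hi" -gt 255 ]; then
                    echo "bad range: $line" >&2; continue
                fi
                n=$lo
                while [ "$n" -le "$hi" ]; do
                    echo "$prefix.$n"
                    n=$((n + 1))
                done ;;
            *) echo "$line" ;;                          # IP, a.b.c.d/x or hostname
        esac
    done
}

# Constructed sample file contents (not a real blocked hosts file):
expand_blocked_hosts <<'EOF'
# whole-line comments are fine
10.20.30.40
192.168.0.0/16
192.168.1.10-12
bad.example.invalid
5.6.7.8    # inline comments are not supported by the format
EOF
```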

Q: How can I block KaZaa (and/or MSN, ICQ etc.) for my internal clients?
A: You can't completely, as far as I know. KaZaa binds to almost any unprivileged port if necessary. The only thing that helps a little is blocking remote port 1214 (KaZaa) with $LAN_INET_DENY_TCP. But the only thing that really helps is using a proxy.

Q: (How) can I use a proxy with your firewall then?
A: Yes, you can. You should use the $PROXY_PORT variable for this. You should set this variable to the value of the port your proxy is listening on. Note that the proxy should run on the gateway itself!

Q: Since I configured your firewall to use debug level for logging, my console gets filled with firewall messages. (How) can I fix this?
A: This problem is distribution-dependent. It's caused by the fact that some systems have their syslogd configured to also log debug messages to the console. To disable any non-crucial logging to the console, you should execute "dmesg -n 1" on the console. You can (of course) also modify your /etc/syslog.conf to fix this.

Q: When I run your script I get (a lot of) "iptables: No chain/target/match by that name" error-messages. How can I solve this?
A: This problem is probably caused by a non-modular kernel which lacks some of the iptables targets the script uses. You should either find a modular kernel (normally the one that comes with your distribution) or compile (or find) a kernel with the proper targets built in.

Q: What's the difference between REJECT and DENY?
A: When DENYING packets, you are dropping incoming packets without the sender knowing they get discarded (stealth). But when REJECTING you are letting the other side know that you don't ACCEPT the packet sent.

Q: When I perform a UDP port scan everything seems open. Is your firewall not working properly?
A: It's working fine. The problem is that, because of the way UDP works, port scanners (nmap) assume that a port is open when they don't get any rejection (aka ICMP reject) from the target host.