firehol help !!!!!!!!!!!

[CC_linux]

i recently done some systems updates, now i get this errors when i try to start firhol.
anyhelp would be of help

/usr/sbin/firehol: line 2354: printf: write error: Success
then i get theses erros
ERROR : # 1.
WHAT : A runtime command failed to execute (returned error 2).
SOURCE : line 19 of /etc/firehol/firehol.conf
COMMAND : /sbin/iptables -t filter -A in_net_http_s1 -p tcp --sport 1024:65535 --dport 80 -m state
OUTPUT :




--------------------------------------------------------------------------------
ERROR : # 2.
WHAT : A runtime command failed to execute (returned error 2).
SOURCE : line 19 of /etc/firehol/firehol.conf
COMMAND : /sbin/iptables -t filter -A out_net_http_s1 -p tcp --sport 80 --dport 1024:65535 -m state
OUTPUT :




--------------------------------------------------------------------------------
ERROR : # 3.
WHAT : A runtime command failed to execute (returned error 2).
SOURCE : line 20 of /etc/firehol/firehol.conf
COMMAND : /sbin/iptables -t filter -A in_net_smtp_s2 -p tcp --sport 1024:65535 --dport 25 -m state
OUTPUT :




--------------------------------------------------------------------------------
ERROR : # 4.
WHAT : A runtime command failed to execute (returned error 2).
SOURCE : line 20 of /etc/firehol/firehol.conf
COMMAND : /sbin/iptables -t filter -A out_net_smtp_s2 -p tcp --sport 25 --dport 1024:65535 -m state
OUTPUT :




--------------------------------------------------------------------------------
ERROR : # 5.
WHAT : A runtime command failed to execute (returned error 2).
SOURCE : line 20 of /etc/firehol/firehol.conf
COMMAND : /sbin/iptables -t filter -A in_net_pop3s_s3 -p tcp --sport 1024:65535 --dport 995 -m state
OUTPUT :




--------------------------------------------------------------------------------
ERROR : # 6.
WHAT : A runtime command failed to execute (returned error 2).
SOURCE : line 20 of /etc/firehol/firehol.conf
COMMAND : /sbin/iptables -t filter -A out_net_pop3s_s3 -p tcp --sport 995 --dport 1024:65535 -m state
OUTPUT :




--------------------------------------------------------------------------------
ERROR : # 7.
WHAT : A runtime command failed to execute (returned error 2).
SOURCE : line 23 of /etc/firehol/firehol.conf
COMMAND : /sbin/iptables -t filter -A in_net_teamspeak_s4 -p udp --sport 1024:65535 --dport 8767 -m state
OUTPUT :




--------------------------------------------------------------------------------
ERROR : # 8.
WHAT : A runtime command failed to execute (returned error 2).
SOURCE : line 23 of /etc/firehol/firehol.conf
COMMAND : /sbin/iptables -t filter -A out_net_teamspeak_s4 -p udp --sport 8767 --dport 1024:65535 -m state
OUTPUT :




--------------------------------------------------------------------------------
ERROR : # 9.
WHAT : A runtime command failed to execute (returned error 2).
SOURCE : line 23 of /etc/firehol/firehol.conf
COMMAND : /sbin/iptables -t filter -A in_net_teamspeak_s4 -p udp --sport 8767 --dport 8767 -m state
OUTPUT :




--------------------------------------------------------------------------------
ERROR : # 10.
WHAT : A runtime command failed to execute (returned error 2).
SOURCE : line 23 of /etc/firehol/firehol.conf
COMMAND : /sbin/iptables -t filter -A out_net_teamspeak_s4 -p udp --sport 8767 --dport 8767 -m state
OUTPUT :




--------------------------------------------------------------------------------
ERROR : # 11.
WHAT : A runtime command failed to execute (returned error 2).
SOURCE : line 31 of /etc/firehol/firehol.conf
COMMAND : /sbin/iptables -t filter -A in_group1_ssh_s5 -p tcp --sport 1024:65535 --dport 22 -m state
OUTPUT :




--------------------------------------------------------------------------------
ERROR : # 12.
WHAT : A runtime command failed to execute (returned error 2).
SOURCE : line 31 of /etc/firehol/firehol.conf
COMMAND : /sbin/iptables -t filter -A out_group1_ssh_s5 -p tcp --sport 22 --dport 1024:65535 -m state
OUTPUT :




--------------------------------------------------------------------------------
ERROR : # 13.
WHAT : A runtime command failed to execute (returned error 2).
SOURCE : line 35 of /etc/firehol/firehol.conf
COMMAND : /sbin/iptables -t filter -A in_group2_ftp_s6 -p tcp --sport 1024:65535 --dport ftp -m state
OUTPUT :




--------------------------------------------------------------------------------
ERROR : # 14.
WHAT : A runtime command failed to execute (returned error 2).
SOURCE : line 35 of /etc/firehol/firehol.conf
COMMAND : /sbin/iptables -t filter -A out_group2_ftp_s6 -p tcp --sport ftp --dport 1024:65535 -m state
OUTPUT :




--------------------------------------------------------------------------------
ERROR : # 15.
WHAT : A runtime command failed to execute (returned error 2).
SOURCE : line 35 of /etc/firehol/firehol.conf
COMMAND : /sbin/iptables -t filter -A out_group2_ftp_s6 -p tcp --sport ftp-data --dport 1024:65535 -m state
OUTPUT :




--------------------------------------------------------------------------------
ERROR : # 16.
WHAT : A runtime command failed to execute (returned error 2).
SOURCE : line 35 of /etc/firehol/firehol.conf
COMMAND : /sbin/iptables -t filter -A in_group2_ftp_s6 -p tcp --sport 1024:65535 --dport ftp-data -m state
OUTPUT :




--------------------------------------------------------------------------------
ERROR : # 17.
WHAT : A runtime command failed to execute (returned error 2).
SOURCE : line 35 of /etc/firehol/firehol.conf
COMMAND : /sbin/iptables -t filter -A in_group2_ftp_s6 -p tcp --sport 1024:65535 --dport 32768:61000 -m state
OUTPUT :




--------------------------------------------------------------------------------
ERROR : # 18.
WHAT : A runtime command failed to execute (returned error 2).
SOURCE : line 35 of /etc/firehol/firehol.conf
COMMAND : /sbin/iptables -t filter -A out_group2_ftp_s6 -p tcp --sport 32768:61000 --dport 1024:65535 -m state
OUTPUT :




--------------------------------------------------------------------------------
ERROR : # 19.
WHAT : A runtime command failed to execute (returned error 2).
SOURCE : line 39 of /etc/firehol/firehol.conf
COMMAND : /sbin/iptables -t filter -A in_group3_samba_s7 -p udp --sport 137 --dport 137 -m state
OUTPUT :




--------------------------------------------------------------------------------
ERROR : # 20.
WHAT : A runtime command failed to execute (returned error 2).
SOURCE : line 39 of /etc/firehol/firehol.conf
COMMAND : /sbin/iptables -t filter -A in_group3_samba_s7 -p udp --sport 1024:65535 --dport 137 -m state
OUTPUT :




--------------------------------------------------------------------------------
ERROR : # 21.
WHAT : A runtime command failed to execute (returned error 2).
SOURCE : line 39 of /etc/firehol/firehol.conf
COMMAND : /sbin/iptables -t filter -A out_group3_samba_s7 -p udp --sport 137 --dport 137 -m state
OUTPUT :




--------------------------------------------------------------------------------
ERROR : # 22.
WHAT : A runtime command failed to execute (returned error 2).
SOURCE : line 39 of /etc/firehol/firehol.conf
COMMAND : /sbin/iptables -t filter -A out_group3_samba_s7 -p udp --sport 137 --dport 1024:65535 -m state
OUTPUT :




--------------------------------------------------------------------------------
ERROR : # 23.
WHAT : A runtime command failed to execute (returned error 2).
SOURCE : line 39 of /etc/firehol/firehol.conf
COMMAND : /sbin/iptables -t filter -A in_group3_samba_s7 -p udp --sport 138 --dport 138 -m state
OUTPUT :




--------------------------------------------------------------------------------
ERROR : # 24.
WHAT : A runtime command failed to execute (returned error 2).
SOURCE : line 39 of /etc/firehol/firehol.conf
COMMAND : /sbin/iptables -t filter -A in_group3_samba_s7 -p udp --sport 1024:65535 --dport 138 -m state
OUTPUT :




--------------------------------------------------------------------------------
ERROR : # 25.
WHAT : A runtime command failed to execute (returned error 2).
SOURCE : line 39 of /etc/firehol/firehol.conf
COMMAND : /sbin/iptables -t filter -A out_group3_samba_s7 -p udp --sport 138 --dport 138 -m state
OUTPUT :




--------------------------------------------------------------------------------
ERROR : # 26.
WHAT : A runtime command failed to execute (returned error 2).
SOURCE : line 39 of /etc/firehol/firehol.conf
COMMAND : /sbin/iptables -t filter -A out_group3_samba_s7 -p udp --sport 138 --dport 1024:65535 -m state
OUTPUT :




--------------------------------------------------------------------------------
ERROR : # 27.
WHAT : A runtime command failed to execute (returned error 2).
SOURCE : line 39 of /etc/firehol/firehol.conf
COMMAND : /sbin/iptables -t filter -A in_group3_samba_s7 -p tcp --sport 1024:65535 --dport 139 -m state
OUTPUT :




--------------------------------------------------------------------------------
ERROR : # 28.
WHAT : A runtime command failed to execute (returned error 2).
SOURCE : line 39 of /etc/firehol/firehol.conf
COMMAND : /sbin/iptables -t filter -A out_group3_samba_s7 -p tcp --sport 139 --dport 1024:65535 -m state
OUTPUT :




--------------------------------------------------------------------------------
ERROR : # 29.
WHAT : A runtime command failed to execute (returned error 2).
SOURCE : line 39 of /etc/firehol/firehol.conf
COMMAND : /sbin/iptables -t filter -A in_group3_samba_s7 -p tcp --sport 1024:65535 --dport 445 -m state
OUTPUT :




--------------------------------------------------------------------------------
ERROR : # 30.
WHAT : A runtime command failed to execute (returned error 2).
SOURCE : line 39 of /etc/firehol/firehol.conf
COMMAND : /sbin/iptables -t filter -A out_group3_samba_s7 -p tcp --sport 445 --dport 1024:65535 -m state
OUTPUT :




--------------------------------------------------------------------------------
ERROR : # 31.
WHAT : A runtime command failed to execute (returned error 2).
SOURCE : line FIN of /etc/firehol/firehol.conf
COMMAND : /sbin/iptables -t filter -A in_net -m state
OUTPUT :




--------------------------------------------------------------------------------
ERROR : # 32.
WHAT : A runtime command failed to execute (returned error 2).
SOURCE : line FIN of /etc/firehol/firehol.conf
COMMAND : /sbin/iptables -t filter -A out_net -m state
OUTPUT :




--------------------------------------------------------------------------------
ERROR : # 33.
WHAT : A runtime command failed to execute (returned error 2).
SOURCE : line FIN of /etc/firehol/firehol.conf
COMMAND : /sbin/iptables -t filter -A INPUT -m state
OUTPUT :




--------------------------------------------------------------------------------
ERROR : # 34.
WHAT : A runtime command failed to execute (returned error 2).
SOURCE : line FIN of /etc/firehol/firehol.conf
COMMAND : /sbin/iptables -t filter -A OUTPUT -m state
OUTPUT :




--------------------------------------------------------------------------------
ERROR : # 35.
WHAT : A runtime command failed to execute (returned error 2).
SOURCE : line FIN of /etc/firehol/firehol.conf
COMMAND : /sbin/iptables -t filter -A FORWARD -m state
OUTPUT :

i tryed to run the following comand, /sbin/iptables -t filter -A in_net_http_s1 -p tcp --sport 1024:65535 --dport 80 -m state

heres the results
iptables v1.3.4: You must specify `--state'

[MEW]

I don't know what firehol error 2 is, but can you run "iptables" manually? If that works, can you run one of the failed commands manually?

[erikm]

Identical error here. Any success in the matter?

[Merlin8000]

Exact same problem here - iptables itself works when I try to run any of the commands here it complains about a state not being specified.

[Merlin8000]

Exact same problem here - iptables itself works when I try to run any of the commands here it complains about a state not being specified.

Decided to post info.

This started on reboot.
My system had been up 113 days prior to reboot, reboot was due to power outage.
I also tried hardened-sources 2.6.14-r6 and got the same results
The last kernel I was running that this worked under was hardened-sources 2.6.14-r3.

I will try rebooting with that kernel to see if the kernel is the culprit.

Code: Select all

Portage 2.0.54 (default-linux/x86/2006.0, gcc-3.4.5, glibc-2.3.5-r0, 2.6.14-hardened-r7 i686)
=================================================================
System uname: 2.6.14-hardened-r7 i686 Celeron (Coppermine)
Gentoo Base System version 1.6.14
ccache version 2.3 [enabled]
dev-lang/python:     2.3.5-r2, 2.4.2
sys-apps/sandbox:    1.2.12
sys-devel/autoconf:  2.13, 2.59-r7
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r1
sys-devel/binutils:  2.16.1
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.11-r2
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -march=i686 -fomit-frame-pointer -pipe"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3/share/config /usr/share/config /var/qmail/control /var/service"
CONFIG_PROTECT_MASK="/etc/eselect/compiler /etc/gconf /etc/terminfo /etc/env.d"
CXXFLAGS="-O2 -march=i686 -fomit-frame-pointer -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig ccache distlocks maketest sandbox sfperms strict test userpriv"
GENTOO_MIRRORS="http://mirror.datapipe.net/gentoo ftp://ftp.gtlib.cc.gatech.edu/pub/gentoo ftp://ftp.ussg.iu.edu/pub/linux/gentoo ftp://chod.cwru.edu/gentoo"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="x86 16bit a52 acl aim apache2 apm avi bash-completion berkdb bitmap-fonts bootsplash bzip2 calendar cgi chroot cli crypt curl dba dri eds emboss encode exif expat extensions fam fastcgi ffmpeg flac foomaticdb fortran gd gdbm gg gif gmp gpm gstreamer hardened hardenedphp icq idn imagemagick imap imlib ipv6 irc isdnlog jabber javascript jpeg kde lcms ldap libclamav libg++ libwww lj mad mcal mhash mikmod ming mmx mng motif mp3 mpeg msn mysql ncurses network nls nptl offensive ogg oscar pam pcre pdflib perl php png pppd python quicktime readline reflection rrdtool rss samba sensord session sftplogging slang spell spl ssl symlink tcpd test threads tiff tools truetype truetype-fonts type1-fonts udev usb vhosts virus-scan vorbis winbind wmf xml xml2 xmlrpc xorg xsl xvid yahoo zip zlib userland_GNU kernel_linux elibc_glibc"
Unset:  ASFLAGS, CTARGET, INSTALL_MASK, LANG, LC_ALL, LDFLAGS, LINGUAS

[Merlin8000]

no joy

I feel naked

Exact same problem here - iptables itself works when I try to run any of the commands here it complains about a state not being specified.

Decided to post info.

This started on reboot.
My system had been up 113 days prior to reboot, reboot was due to power outage.
I also tried hardened-sources 2.6.14-r6 and got the same results
The last kernel I was running that this worked under was hardened-sources 2.6.14-r3.

I will try rebooting with that kernel to see if the kernel is the culprit.

Code: Select all

Portage 2.0.54 (default-linux/x86/2006.0, gcc-3.4.5, glibc-2.3.5-r0, 2.6.14-hardened-r7 i686)
=================================================================
System uname: 2.6.14-hardened-r7 i686 Celeron (Coppermine)
Gentoo Base System version 1.6.14
ccache version 2.3 [enabled]
dev-lang/python:     2.3.5-r2, 2.4.2
sys-apps/sandbox:    1.2.12
sys-devel/autoconf:  2.13, 2.59-r7
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r1
sys-devel/binutils:  2.16.1
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.11-r2
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -march=i686 -fomit-frame-pointer -pipe"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3/share/config /usr/share/config /var/qmail/control /var/service"
CONFIG_PROTECT_MASK="/etc/eselect/compiler /etc/gconf /etc/terminfo /etc/env.d"
CXXFLAGS="-O2 -march=i686 -fomit-frame-pointer -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig ccache distlocks maketest sandbox sfperms strict test userpriv"
GENTOO_MIRRORS="http://mirror.datapipe.net/gentoo ftp://ftp.gtlib.cc.gatech.edu/pub/gentoo ftp://ftp.ussg.iu.edu/pub/linux/gentoo ftp://chod.cwru.edu/gentoo"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="x86 16bit a52 acl aim apache2 apm avi bash-completion berkdb bitmap-fonts bootsplash bzip2 calendar cgi chroot cli crypt curl dba dri eds emboss encode exif expat extensions fam fastcgi ffmpeg flac foomaticdb fortran gd gdbm gg gif gmp gpm gstreamer hardened hardenedphp icq idn imagemagick imap imlib ipv6 irc isdnlog jabber javascript jpeg kde lcms ldap libclamav libg++ libwww lj mad mcal mhash mikmod ming mmx mng motif mp3 mpeg msn mysql ncurses network nls nptl offensive ogg oscar pam pcre pdflib perl php png pppd python quicktime readline reflection rrdtool rss samba sensord session sftplogging slang spell spl ssl symlink tcpd test threads tiff tools truetype truetype-fonts type1-fonts udev usb vhosts virus-scan vorbis winbind wmf xml xml2 xmlrpc xorg xsl xvid yahoo zip zlib userland_GNU kernel_linux elibc_glibc"
Unset:  ASFLAGS, CTARGET, INSTALL_MASK, LANG, LC_ALL, LDFLAGS, LINGUAS

[Merlin8000]

I'm giving up on this for now, for the other two with this problem, I'll keep looking at it but in the meantime look at this bash-based firewall tool

http://rocky.eld.leidenuniv.nl/

It's not as elegant for configuration as firehol but it's pretty nice and he's got a couple of scripts for Gentoo in the tarball

Here's what I did to get that running

decompressed the tarball
copied Gentoo/firewall.conf to /etc/conf.d/firewall
copied Gentoo/rc.firewall to /etc/init.d/firewall
copied arno-iptables-firewall.conf to /etc
copied arno-iptables-firewall to /usr/local/sbin

changed EXT_IF in /etc/arno-iptables-firewall.conf
changed OPEN_TCP to the list of open ports on my server

[DNAspark99]

a bit odd - the errors appear to be a result of an incomplete argument for the 'state' module of iptables, usually '--state' follows with an argument about what _type_ of state the rule should apply to...

Code: Select all

-m state --state NEW,ESTABLISHED

so, I'd disregard the firehol errors. They're a byproduct of an alternate issue. For some reason, firehol is not able to construct a proper/complete iptables command out of the config file commands.

It looks to me like the catalyst for all these errors is:

/usr/sbin/firehol: line 2354: printf: write error: Success

I have no idea what would cause that error.. glibc update perhaps? Did you try rebuilding firehol? Might set things back in order, might not,....worth a try, firehol is fantastic!

[erikm]

a bit odd - the errors appear to be a result of an incomplete argument for the 'state' module of iptables, usually '--state' follows with an argument about what _type_ of state the rule should apply to...

Code: Select all

-m state --state NEW,ESTABLISHED

so, I'd disregard the firehol errors. They're a byproduct of an alternate issue. For some reason, firehol is not able to construct a proper/complete iptables command out of the config file commands.

It looks to me like the catalyst for all these errors is:

/usr/sbin/firehol: line 2354: printf: write error: Success

I have no idea what would cause that error.. glibc update perhaps? Did you try rebuilding firehol? Might set things back in order, might not,....worth a try, firehol is fantastic!

I've noted the same thing (--state WHATEVER not included) here. Even went through the trouble of reading through /usr/sbin/firehol to see if the command is truncated somewhere. Total needle in a haystack, though. Rebuilding firehol does not do it.

Methinks it's time for a bug report...

EDIT: Btw, are we all running hardened? I am, and it seems Merlin8000 is too...?

[erikm]

Ok, problem solved. It is bash that is the culprit: Downgrading from 3.1_p16 to 3.0-r12 solves the firehol mess. Wonder whether to file as a bash or firehol bug, though...?

[centic]

Ok, problem solved. It is bash that is the culprit: Downgrading from 3.1_p16 to 3.0-r12 solves the firehol mess. Wonder whether to file as a bash or firehol bug, though...?

The problem is reported as http://bugs.gentoo.org/show_bug.cgi?id=139526 in Gentoo, please try upgrading to p17 of bash to see if that fixes the problem. I have p17 installed and don't see this problem right now.

Dominik aka Centic.