How to Allow LAN access

Asked by Scott on 2008-12-22

I just realized that WebContentControl was blocking my access to my home network shared drives. When it is disabled I have access and when enabled I don't. I thought I had screwed something else up and totally reinstalled Ubuntu 8.10.

How do I allow access to any shared drive within my home LAN?

Thanks

Question information

Language: English
Status: Answered
For: WebContentControl
Assignee: No assignee
Last query: 2009-01-04
Last reply: 2009-04-23
KIAaze (zohn-joidberg) said : #1

This may be caused by the firewall.
Try disabling FireHol only by clicking on the FireHol on/off button to see if it works.

Yes, I did discover Firehol blocked it. When Firehol is disabled it worked. Is it possible to configure Firehol to allow it and still be active?

KIAaze (zohn-joidberg) said : #3

Yes, but I can't tell you exactly how.

Normally, your firehol.conf should contain something like this:
====================
version 5
# firehol.conf is sourced by bash, so this must stay on one line
iptables -t filter -I OUTPUT -d 127.0.0.1 -p tcp --dport 3128 -m owner ! --uid-owner dansguardian -j DROP
transparent_squid 8080 "proxy root"

# Accept all client traffic on any interface
interface any world
policy drop
protection strong
client all accept
server cups accept
====================

Try removing the line "policy drop".
If that doesn't work, try removing the line "protection strong".

The file to edit is /etc/firehol/firehol.conf
You should be able to access it in the advanced settings tab by
clicking on "open main configuration files".

Make sure you save it and restart firehol for each test.

P.S: Merry Christmas! :)


Hi, my firehol.conf looked exactly as you wrote. So I added a # in front of policy drop, restarted, nothing. Did the same to protection strong, restarted, nothing, so I deleted both lines, one at a time and restarted in between, no change.

It is certainly Firehol since when it is off I get access.

I tried reading the help files but they are complicated. Will try to reread but any help is appreciated. I do know my networked drive IP address if I can simply "allow" that IP address somehow instead of disabling other settings like policy drop or protection strong.

Thanks and Merry Christmas to you too!

trueegor (nathansander) said : #5

I am having a similar problem. I cannot access the Internet when firehol is activated. When it is deactivated, the Internet works but blocking does not work.

I tried your suggestions with firehol.conf with no effect.

Any other suggestions?

Nathan

KIAaze (zohn-joidberg) said : #6

Temporary solution:
Lock the firefox proxy settings and stop firehol from running at startup (Advanced settings tab).

Note: I'll make a quick temporary release right now to make sure those functions are available. ;)

How do you connect to the internet?
Are all the pages blocked or do you get a normal connection error message?

Can you post the output of /var/log/dansguardian/access.log ?

Have you tried removing all lines in firehol.conf except the following:
==========
version 5
# firehol.conf is sourced by bash, so this must stay on one line
iptables -t filter -I OUTPUT -d 127.0.0.1 -p tcp --dport 3128 -m owner ! --uid-owner dansguardian -j DROP
transparent_squid 8080 "proxy root"
==========

If you have some experience, you can try debugging firehol/iptables by adding lines like this in firehol.conf:
==========
iptables -I INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7

iptables -t nat -A OUTPUT -p tcp -m owner ! --uid-owner proxy --dport 80 -j LOG --log-prefix "[PORT 80]" --log-uid --log-tcp-sequence --log-tcp-options --log-ip-options

iptables -t nat -A OUTPUT -p tcp -m owner ! --uid-owner proxy --dport 80 -j DROP
==========

The "-j LOG ..." part logs all matching packets in the "kernel ring buffer".
You can then view them by running "dmesg".
You can use --log-prefix "foobar" in the iptables line to filter the dmesg output with grep:
dmesg | grep foobar

Here is some more info about iptables usage and debugging:
https://help.ubuntu.com/community/IptablesHowTo
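A small helper for reading what the LOG rule above writes to dmesg, as an added example for this thread (not part of WebContentControl or FireHOL): it groups the denied packets by protocol, destination port and source so a blocked service such as Samba (TCP 445, UDP 137) stands out. The dmesg excerpt is constructed, and the `--log-prefix` value is taken from the rule above.

```python
"""Summarise the kernel LOG lines that the iptables '-j LOG' debugging rule
above writes to dmesg (added example for this thread; not part of
WebContentControl or FireHOL)."""
import re
from collections import Counter

# Constructed dmesg excerpt: what the rule with --log-prefix "iptables denied: "
# would print for a Windows share (TCP 445) and NetBIOS name lookups (UDP 137).
SAMPLE_DMESG = """\
[ 1201.532] iptables denied: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.1.20 DST=192.168.1.5 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=1 DF PROTO=TCP SPT=49152 DPT=445 WINDOW=8192 RES=0x00 SYN URGP=0
[ 1201.540] iptables denied: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.1.20 DST=192.168.1.5 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=2 DF PROTO=TCP SPT=49153 DPT=445 WINDOW=8192 RES=0x00 SYN URGP=0
[ 1202.001] iptables denied: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:66:77:88:99:aa:bb:08:00 SRC=192.168.1.20 DST=192.168.1.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=3 PROTO=UDP SPT=137 DPT=137 LEN=58
[ 1203.100] eth0: link up
"""

FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")


def parse_log_lines(text, prefix="iptables denied: "):
    """Yield one dict of KEY=VALUE fields per line carrying the prefix."""
    for line in text.splitlines():
        if prefix not in line:
            continue
        # Bare flags such as DF or SYN have no '=' and are skipped.
        yield dict(FIELD_RE.findall(line.split(prefix, 1)[1]))


def summarize(text, prefix="iptables denied: "):
    """Count dropped packets per (PROTO, DPT, SRC) so the service being
    blocked (here Samba on 445/137) stands out."""
    counts = Counter()
    for fields in parse_log_lines(text, prefix):
        counts[(fields.get("PROTO"), fields.get("DPT"), fields.get("SRC"))] += 1
    return counts


if __name__ == "__main__":
    for (proto, dport, src), n in summarize(SAMPLE_DMESG).most_common():
        print(f"{n:4d}  {proto} dport {dport} from {src}")
```

To run it over a real machine, replace SAMPLE_DMESG with the output of `dmesg` (for example `sys.stdin.read()` fed by `dmesg | python3 script.py`).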

KIAaze (zohn-joidberg) said : #7

New release made as promised. (but still no firehol GUI config)

Hi zoidberg,

I can access the Internet without any odd effects, only the pages I want to block are blocked. I only have problems accessing my WAN shared Windows drives.

I tried removing all lines in firehol.conf except those you suggested above without any change.

I read your other debugging suggestions but I do not understand enough to try any of them, I'm pretty new to Ubuntu.

I did set Firehol to default off when booted for now, so I will hope to find another solution until then so I can re-enable it.

Thanks

KIAaze (zohn-joidberg) said : #9

Concerning your WAN shared windows drives, the problem may be related to ufw being installed by default since Hardy.
Please refer to what I posted here: https://bugs.launchpad.net/webcontentcontrol/+bug/318301

I don't access my PC remotely, nor do I have shared drives over a LAN, so those problems are kind of hard for me to debug. :(

KIAaze (zohn-joidberg) said : #10

Adding this at the end of firehol.conf might also help with network service problems:
============
servers="samba imap pop3 lpd portmap vncwebserver vnc "

for i in $servers; do
    server $i accept
done
============

Thanks to Ricardo Guimarães for this.

I'll try adding this to webcontentcontrol as soon as I can.

I have tried this command :

============
servers="samba imap pop3 lpd portmap vncwebserver vnc "

for i in $servers; do
    server $i accept
done
============

I can't access the shared printer... how do I fix it??

thanks...

KIAaze (zohn-joidberg) said : #12

Could you give me some details about your shared printer setup?
Especially which protocol is used?

Here is a list of the protocols supported by FireHol: http://firehol.sourceforge.net/services.html

To add a protocol, just add a line like this to firehol.conf:
server PROTOCOL accept

A simple thing to try first would be:
server all accept

Of course this would completely open the firewall, so it's not the best solution IMO.

Don't forget to restart FireHol after each change to firehol.conf!

KIAaze (zohn-joidberg) said : #13

If you know which interface is used to access the LAN and which one to access the internet, you can do even better.
If eth0 is used for the LAN for example, you can use:
==========
interface eth0 home
  server dns accept
  server ftp accept
  server samba accept
  server squid accept
  server dhcp accept
  server http accept
  server ssh accept
  server icmp accept
==========

or more general:
==========
interface eth0 home
  server all accept
==========

cf: http://firehol.sourceforge.net/tutorial.html for more info.

KIAaze (zohn-joidberg) said : #14

You can also just try replacing "policy drop" by "policy accept", i.e. make firehol.conf look like this:
====================
version 5
# firehol.conf is sourced by bash, so this must stay on one line
iptables -t filter -I OUTPUT -d 127.0.0.1 -p tcp --dport 3128 -m owner ! --uid-owner dansguardian -j DROP
transparent_squid 8080 "proxy root"

# Accept all client traffic on any interface
interface any world
policy accept
protection strong
client all accept
server cups accept
====================

I can't test any of this unfortunately, but if you get it working, please let me know how. :)
The firehol documentation should help you: http://firehol.sourceforge.net/

Done.

I have replaced "policy drop" with "policy accept".

I just want to block web contents, not samba or printer share..

Thanks

Hi Zoidberg,

In my bannedsitelist, I tried to use the time limiting syntax: #time: 8 30 16 30 01234.
It means 8.30 am to 4.30 pm, Monday to Friday.

What if I want to open the access from 1pm to 2pm, with access blocked again before 1pm (8.30am - 1.00pm) and after 2pm (2pm - 4.30pm)?

I have tried:
 #time: 8 30 13 00 01234
 #time: 14 00 16 30 01234
but it's not working...

thanks.

Fixed.

I have changed the exceptionsitelist..

thanks..

KIAaze (zohn-joidberg) said : #18

And how did you fix it?
I usually use this method for time control:
https://answers.launchpad.net/webcontentcontrol/+question/64206

But using the one implemented in DG is a good solution too of course. :)

These are the commands in bannedsitelist:
=============
#time: 8 30 16 30 01234
badboys.com
=============

and I put this command in exceptionsitelist:
=============
#time: 12 0 13 0 01234
badboys.com
=============

I cannot open badboys.com during office hours but I can open it at lunch time..

thanks
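How the two lists above interact, as an added example written for this thread rather than DansGuardian's own code. It assumes that a "#time:" line governs the entries after it until the next one, that exceptionsitelist wins over bannedsitelist, that a bare domain also covers its subdomains, that the end minute is inclusive, and it takes the day digit exactly as written in the list (the poster reads 01234 as Monday to Friday).

```python
"""Model of how DansGuardian's '#time:' directive gates bannedsitelist and
exceptionsitelist entries (added example written for this thread; not
DansGuardian's own code)."""
import re

# Constructed copies of the two lists from the post above.
BANNEDSITELIST = "#time: 8 30 16 30 01234\nbadboys.com\n"
EXCEPTIONSITELIST = "#time: 12 0 13 0 01234\nbadboys.com\n"

TIME_RE = re.compile(r"^#time:\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)$")

def parse_list(text):
    """Return [(site, window)]; window is (start_min, end_min, days) or None.
    A '#time:' line applies to every entry after it until the next '#time:'
    line (assumed); other '#' lines are comments."""
    window, entries = None, []
    for raw in text.splitlines():
        line = raw.strip()
        m = TIME_RE.match(line)
        if m:
            sh, sm, eh, em, days = m.groups()
            window = (int(sh) * 60 + int(sm), int(eh) * 60 + int(em), days)
        elif line and not line.startswith("#"):
            entries.append((line, window))
    return entries

def list_matches(entries, host, minute_of_day, day_digit):
    """True if an entry covers host (bare domain also covers subdomains,
    assumed) and its window, if any, is active (end minute inclusive, assumed)."""
    for site, window in entries:
        if host != site and not host.endswith("." + site):
            continue
        if window is None:
            return True
        start, end, days = window
        if start <= minute_of_day <= end and day_digit in days:
            return True
    return False

def is_blocked(host, hhmm, day_digit, banned=BANNEDSITELIST, exceptions=EXCEPTIONSITELIST):
    """Exception entries override banned ones, so a site listed in both is
    reachable only while its exception window is active."""
    hours, minutes = hhmm.split(":")
    now = int(hours) * 60 + int(minutes)
    if list_matches(parse_list(exceptions), host, now, day_digit):
        return False
    return list_matches(parse_list(banned), host, now, day_digit)

if __name__ == "__main__":
    for t in ("09:15", "12:30", "18:00"):  # day digit "1": a weekday in the poster's reading
        print(t, "blocked" if is_blocked("badboys.com", t, "1") else "allowed")
```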
