Frequently Asked Questions

Q. I can't make any connections (eg, to browse a website) after activating my rules.

A. Remember that the default policy for ALL chains in the 'filter' table is DROP. This includes the 'OUTPUT' chain, so you need to explicitly allow (or write appropriate rules for) outbound traffic. For most hosts it is acceptable to accept all outbound traffic:

define rules OUTPUT
accept all
end define

Q. I get errors complaining about being unable to load match 'conntrack'?

A. Some kernels (still) do not have support for the newer "conntrack" iptables module. If this is your kernel, you can configure husk to use the older "state" module instead by adding old_state_track = 1 to your husk.conf file. This issue is known to affect CentOS 5, but only with IPv6.


Q. I get errors complaining about being unable to load match 'comment'?

A. Some early IPv6 kernels did not have support for the "comment" iptables module. Husk includes a comment with all rules to help identify the source of a particular rule. This issue is known to affect CentOS 5. To disable comments on IPv6 rules, set no_ipv6_comments = 1 in your husk.conf file.
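The two questions above both come down to whether the host's iptables/ip6tables can load a given match extension. The following is an added example (not part of husk) that probes this with `--help` only, so no rule is touched, and prints the husk.conf lines the answers above recommend for whatever is missing. It assumes the binary exits non-zero with the "Couldn't load match" error when an extension is unavailable.

```shell
#!/bin/sh
# Added example, not part of husk: probe which iptables match extensions
# this host can load and print the husk.conf settings recommended in the
# FAQ for the ones that are missing. Only '--help' is invoked, so the
# running firewall is never modified. Assumption: the binary exits
# non-zero ("Couldn't load match") when the match extension is missing.

# match_supported BINARY MATCH: succeed if BINARY can load match MATCH.
match_supported() {
    "$1" -m "$2" --help >/dev/null 2>&1
}

# suggest_settings BINARY: print the husk.conf line(s) needed for BINARY,
# one per line; prints nothing when every match loads.
suggest_settings() {
    _bin="$1"
    if ! match_supported "$_bin" conntrack; then
        echo "old_state_track = 1"
    fi
    # The comment-match workaround is IPv6-only, so only ask ip6tables.
    case "${_bin##*/}" in
        ip6tables*)
            if ! match_supported "$_bin" comment; then
                echo "no_ipv6_comments = 1"
            fi ;;
    esac
}

# Usage: check both address families and show what to add to husk.conf.
for bin in iptables ip6tables; do
    if command -v "$bin" >/dev/null 2>&1; then
        suggest_settings "$bin"
    else
        echo "# $bin not installed; skipped" >&2
    fi
done
```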


Q. I get errors starting with _SYNTAX' is not defined at...

A. This means your husk.conf file is still completely commented out. At a minimum, uncomment one or both of do_ipv4 or do_ipv6.


Q. My hooks don't run

A. Make sure you have set them to be executable.


Q. What does option X do?

A. I've spent a lot of time writing documentation; please refer to the man pages:

man husk
man husk.conf
man fire

If you can't find the answer to your question there, please do contact me and I'll be happy to help, plus update the documentation :)