Hi all,
I want to add a port range for Jitsi Jigasi: 20000..20050.
If I try to add the new network service in Cockpit:
At the command line:
# config set fw_jitsi-jigasi service status enabled UDPPort 20000..20050 access green,red
#
# signal-event firewall-adjust
#
# config show fw_jitsi-jigasi
fw_jitsi-jigasi=service
UDPPort=20000..20050
access=green,red
status=enabled
#
# cat /etc/shorewall/rules | egrep 20000
ACCEPT loc $FW udp 20000..20050
ACCEPT net $FW udp 20000..20050
#
In Cockpit, I see the result:
If I edit:
Is that a bug in Cockpit ?
Michel-André
dnutan
(Marc)
May 17, 2021, 6:56pm
Have you tried with a different syntax, like ":" as separator?
Hi Marc,
man shorewall-rules
defines ip-range with -, so i tried 20000-20050 for ports and 20000:20050 with no success.
Then I tried with fw_jitsi-toto and 20000:20050, as fw_jitsi-jigasi was already there from the command line:
echo '{"action":"service-create","serviceName":"fw_jitsi-toto","access":["green","red"],"tcpPorts":[],"udpPorts":["20000:20050"]}' | /usr/bin/setsid /usr/bin/sudo /usr/libexec/nethserver/api/system-services/create | jq
Michel-André
P.S. Strangely enough, fw_jitsi-toto appears in Cockpit.
P.P.S. More strange, I cannot delete it.
echo '{"action":"service-delete","serviceName":"fw_jitsi-toto"}' | /usr/bin/setsid /usr/bin/sudo /usr/libexec/nethserver/api/system-services/delete | jq
Hi all,
# config show jw_jitsi-toto
#
Recreate it with CLI,
# config set fw_jitsi-toto service status enabled UDPPort 20000..20050 access green,red
#
Now it shows
# config show fw_jitsi-toto
fw_jitsi-toto=service
UDPPort=20000..20050
access=green,red
status=enabled
#
I do not signal with: # signal-event firewall-adjust
I delete it in Cockpit
echo '{"action":"service-delete","serviceName":"fw_jitsi-toto"}' | /usr/bin/setsid /usr/bin/sudo /usr/libexec/nethserver/api/system-services/delete | jq
At the CLI
# config show fw_jitsi-toto
#
Refresh the Cockpit page and fw_jitsi-toto is not there anymore.
I recreate it at the CLI, signal-event, it shows in Cockpit, delete it in Cockpit and it disappears in Cockpit and at the CLI.
Note: When it shows in Cockpit, I cannot edit it or add a port in TCP… Invalid list of port under UDP.
Michel-André
dnutan
(Marc)
May 17, 2021, 7:58pm
When using the command line some (or most) validation checks are not present.
I think the syntax used on the CLI was wrong and that caused the other errors on the Cockpit UI (until the wrong service syntax is deleted), but I could be wrong:
ERROR: Invalid/Unknown udp port/service (20000…20050) /etc/shorewall/rules (line 138)
I’ve tried the same command (but without having any real service linked to the ports).
Hi Marc,
Thank you for the follow up.
What happens if at the command line you try:
# config set fw_jitsi-jigasi service status enabled UDPPort 20000..20050 access green,red
#
# signal-event firewall-adjust
#
# config show fw_jitsi-jigasi
fw_jitsi-jigasi=service
UDPPort=20000..20050
access=green,red
status=enabled
#
You should see it in Cockpit; you won’t be able to edit it, but it will be possible to delete it.
The question is:
Is the port range opened ?
Michel-André
stephdl
(Stéphane de Labrusse)
May 17, 2021, 8:27pm
stephdl
(Stéphane de Labrusse)
May 17, 2021, 8:32pm
Check the info button (i) you can just use a list of ports comma separated
Salut Stéphane,
Thank you for joining in.
It is not for port forwarding but port opening, so you can access them from the Internet.
For my part, since I am running Jitsi Meet on a LOCAL VM, maybe I will also have to forward those ports, but I am not sure if I have to.
For a case where Jitsi Meet is running on a NS server directly attached to the Internet, for sure those ports have to be opened and not necessarily forwarded ?
Info button: Will I have to include 50 ports separated by comma ?
A good admin is a lazy admin, there should be another way…
Michel-André
stephdl
(Stéphane de Labrusse)
May 17, 2021, 8:44pm
You are right, you can use : associated with a ,
Hi Marc,
Great find.
in 7.7.1908/testing:
Test case
Check the bug is not reproducible
gsanchietti closed this on 18 Feb 2020
# rpm -qa | grep nethserver-cockpit
nethserver-cockpit-lib-1.9.5-1.ns7.noarch
nethserver-cockpit-1.9.5-1.ns7.noarch
#
@gsanchietti I am sorry, but the bug is reproducible
Michel-André
dnutan
(Marc)
May 17, 2021, 8:58pm
Service is created on cockpit.
Error on logs (/var/log/messages and /var/log/shorewall-init.log):
ERROR: Invalid/Unknown udp port/service (20000…20050) /etc/shorewall/rules (line 138)
Port range not opened.
Service editable from cockpit (if changing the port range format)
Hi Marc,
What format are you using ?
Michel-André
dnutan
(Marc)
May 17, 2021, 9:02pm
Initially the wrong one (seeing it from the cockpit side of things) as asked ..
For a correct range :
But with the first test I did I didn’t try to edit or delete the fw_jitsi-jigasi service, but trying to create any other service resulted in a cockpit (jq) error.
stephdl
(Stéphane de Labrusse)
May 17, 2021, 9:07pm
2000:2500,234,567,678,1000:1500
After that show us the relevant line in /etc/shorewall/rules
Salut Stéphane,
It took some time to execute but finally it finished.
# cat /etc/shorewall/rules | grep stephdl
# Service: fw_stephdl Access: green,red
?COMMENT fw_stephdl
?COMMENT fw_stephdl
?COMMENT fw_stephdl
?COMMENT fw_stephdl
?COMMENT fw_stephdl
#
# config show fw_stephdl
fw_stephdl=service
UDPPorts=2000:2500,234,567,678,1000:1500
access=green,red
status=enabled
#
Test case
Check the bug is not reproducible
@gsanchietti Thousand excuses, you are right, the bug is not reproducible.
I am extremely sorry for wasting your precious time.
Problem resolved, my mistake.
Michel-André
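As an added illustration (not code from the thread or from NethServer), the following Python snippet applies the validation that the thread notes the CLI skips: it accepts the comma-separated `port` / `low:high` list that the Cockpit form takes, rejects the e-smith-style `20000..20050` that produced the shorewall "Invalid/Unknown udp port/service" error, and renders the ACCEPT lines in the shape seen in /etc/shorewall/rules above. The green-to-loc and red-to-net zone mapping is inferred from the rules output in this thread and is an assumption.

```python
import re

# Grammar accepted by the Cockpit firewall service form (per the thread):
# comma-separated single ports or low:high ranges, e.g. "2000:2500,234,1000:1500".
# The "20000..20050" form is rejected by shorewall, so it is rejected here too.
_PORT = re.compile(r"^\d{1,5}$")
_RANGE = re.compile(r"^(\d{1,5}):(\d{1,5})$")

# Zone names assumed from the ACCEPT lines shown in the thread (green->loc, red->net).
_ZONES = {"green": "loc", "red": "net"}


def parse_port_list(spec):
    """Validate a port list and return it as a list of (low, high) tuples.

    Raises ValueError on any item that shorewall would not accept, so a caller
    can refuse the config before /etc/shorewall/rules is ever rewritten.
    """
    if not spec:
        raise ValueError("empty port list")
    result = []
    for item in spec.split(","):
        m = _RANGE.match(item)
        if m:
            low, high = int(m.group(1)), int(m.group(2))
        elif _PORT.match(item):
            low = high = int(item)
        else:
            # Catches "20000..20050", "20000-20050", blanks, etc.
            raise ValueError("invalid port or range: %r (use low:high)" % item)
        if not (1 <= low <= high <= 65535):
            raise ValueError("port range out of order or out of bounds: %r" % item)
        result.append((low, high))
    return result


def shorewall_rules(name, proto, spec, access):
    """Render the comment and ACCEPT lines for a fw_* service, in the layout the
    thread shows, after validating the port list. Unknown zones raise KeyError."""
    parse_port_list(spec)  # fail closed before emitting any rule
    lines = ["# Service: %s Access: %s" % (name, access)]
    for zone in access.split(","):
        lines.append("ACCEPT %s $FW %s %s" % (_ZONES[zone], proto, spec))
    return lines


if __name__ == "__main__":
    print("\n".join(shorewall_rules("fw_stephdl", "udp", "2000:2500,234", "green,red")))
```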
stephdl
(Stéphane de Labrusse)
May 17, 2021, 9:29pm
We miss a lot of things, please show us the complete lines in shorewall
Use a gist file if needed