Firewall does not start

Shorewall does not start on one of our nethservers.

Check firewall rules shows:

Checking using Shorewall 5.1.10.2…
Processing /etc/shorewall/params …
Processing /etc/shorewall/shorewall.conf…
Checking /etc/shorewall/zones…
Checking /etc/shorewall/interfaces…
Determining Hosts in Zones…
Locating Action Files…
Checking /etc/shorewall/policy…
Running /etc/shorewall/initdone…
Adding Anti-smurf Rules
Adding rules for DHCP
Checking TCP Flags filtering…
Checking Kernel Route Filtering…
Checking Martian Logging…
Checking /etc/shorewall/snat…
Checking MAC Filtration – Phase 1…
Checking /etc/shorewall/maclist…
Checking /etc/shorewall/blrules…
Checking /usr/share/shorewall/action.BLACKLIST for chain BLACKLIST…
Checking /etc/shorewall/rules…
ERROR: Missing destination zone /etc/shorewall/rules (line 88)

What can I do to fix this?

check in the terminal the output of systemctl restart shorewall;systemctl status shorewall

you can check file : /etc/shorewall/rules

and rebuild it by

signal-event firewall-adjust

2 Likes

systemctl restart shorewall;systemctl status shorewall
Job for shorewall.service failed because the control process exited with error code. See “systemctl status shorewall.service” and “journalctl -xe” for details.
● shorewall.service - Shorewall IPv4 firewall
Loaded: loaded (/usr/lib/systemd/system/shorewall.service; enabled; vendor preset: disabled)
Drop-In: /etc/systemd/system/shorewall.service.d
└─blacklist.conf
/usr/lib/systemd/system/shorewall.service.d
└─nethserver-firewall-base.conf
Active: failed (Result: exit-code) since Mi 2021-04-07 09:39:37 CEST; 4ms ago
Process: 21724 ExecStop=/usr/sbin/shorewall $OPTIONS stop (code=exited, status=0/SUCCESS)
Process: 22814 ExecStart=/usr/sbin/shorewall $OPTIONS start $STARTOPTIONS (code=exited, status=255)
Process: 22602 ExecStartPre=/usr/share/nethserver-blacklist/load-ipsets (code=exited, status=0/SUCCESS)
Main PID: 22814 (code=exited, status=255)

Compiling MAC Filtration – Phase 1…
Compiling /etc/shorewall/maclist…
Compiling /etc/shorewall/blrules…
Compiling /usr/share/shorewall/action.BLACKLIST for chain BLACKLIST…
Compiling /etc/shorewall/rules…
ERROR: Missing destination zone /etc/shorewall/rules (line 88)
shorewall.service: main process exited, code=exited, status=255/n/a
Failed to start Shorewall IPv4 firewall.
Unit shorewall.service entered failed state.
shorewall.service failed.

Checking the rules file around line 88 shows:
#
# 60rules
#
?COMMENT RULE#2
{source:net:ip.prox.mox.host, dest:-, time:-, action:ACCEPT:none}

?COMMENT

I don’t remember where this rule came from. I commented it out, and then the shorewall service does start again. Where would this rule normally be shown?

Should i try to restore the firewall configuration from a backup? Would the rules file be enough in order to compare it with the actual one? I mistrust the firewall config now. And I wonder how to realize a sane config again. :confused:

Edit to ask: How would I find /etc/shorewall/rules? Searching for rules filename in restore tab of data-backup does not show anything. Where are the remaining files and folders from /etc? I only see the cron.d subfolder.

Or is /etc/* part of the config backups? And if so - are these accessible/browsable somehow? I don’t want to just do a config restore…

If all else fails, I also have daily zfs snapshots.

And another question - as this rule file should not be changed manually - how can I eliminate this wrong rule/lines? After signal-event firewall-adjust they are back. I don’t find anything under firewall/rules or firewall/local rules.

Was a network card removed from the installation?

No, nothing was changed in fact. I was asked to test a package because of the dkim error, I had reported. But even there - I had made a Snapshot as it is a VM in ProxMox, and restored it after the test, so nothing should have changed.

At the moment I am restoring the system disk from a snapshot taken about a week ago. I then will mount it temporary as additional disk, thusI’d need to know which are the files, I should compare.

Hm, apparently this lines were around already 1st april (date of the snapshot), as diff shows:
diff -c /mnt/temp/etc/shorewall/rules /etc/shorewall/rules
*** /mnt/temp/etc/shorewall/rules 2021-03-30 16:39:02.854672474 +0200
— /etc/shorewall/rules 2021-04-07 18:18:42.485595261 +0200


*** 84,93 ****

60rules

! ?COMMENT RULE#2
! {source:net:a.b.c.d, dest:-, time:-, action:ACCEPT:none}

! ?COMMENT

— 84,93 ----

60rules

! ##?COMMENT RULE#2
! ##{source:net:a.b.c.d, dest:-, time:-, action:ACCEPT:none}

! ##?COMMENT

where a.b.c.d is the ip of the ProxMox Server

check if you have some rule created on the firewall (cockpit or old server-manager).

The invalid rule has no destination zone (dest:-)

Or you can check from command line:

db fwrules show 2
1 Like

db fwrules show 2
2=rule
Action=accept
Description=
Dst=host;mail.domain.tld
Log=none
Position=2
Service=any
Src=host;prox-hostname.domain.tld
Time=
status=enabled

I’ll boot the restored disk and post the output from there. Hm, initial booting from the backuped disk -> shorewall starting, but issuing a signal-event firewall-adjust now it shows the same problem of shorewall not starting. And also the same rule as above…

In firewall/rules and firewall/local rules I dont see any entry in cockpit. I’ll boot the prod disk again and look if I can see something with old servermanager. Or do you already see whats wrong with the above console output?

Maybe a missing firewall object (host) you created earlier?

1 Like

Interestingly I can see a rule but only in old servermanager.

Especially as I don’t ever use the old servermanager to configure the system.

The host object proxhostname.domain.tld exists under cockpit/firewall/objects/hosts. But not the rule neither in rules nor in local rules

Related to the limitation of cockpit regarding ANY usage? I think it was addressed later.

1 Like

Disabling this rule in old servermanager and issuing signal-event firewall-adjust lets shorewall successfully start.

I am not sure why I had made this rule. I recall having had problems with mail notifications from this prox hosting the mailserver (but not from other ProxHosts that successfully delivered notification mails). I will investigate mail notification from ProxMox host to local mailserver vm another day. So I guess the problem is solved. Thanks for your help.

Finally - I’d like to ask some questions raised in this thread for the purpose of learning.

  • How comes this rule is only visible in old servermanager.
  • Is it possible to extract single files from the config backups?
  • Where (backup) are system settings such as /etc located? Apparently /etc is not part of data-backup. Is it in the config backup? And is this browsable so that single files could be opened?
  • How can a folder from data-backup be restored despite the message of Max. results 500? I think I read once in a post that it is somehow possible in advanced mode.

few chances by hazard, probably a human cause

I think yes, it is a tar.gz of the /var/lib/nethserver/db/ and the list of installed rpm

check /etc/backup-data.d/ for the list of inclusion/exclusion or the cockpit configuration of backup

no idea

1 Like

Don’t know. The limit is hard-coded. The message suggest to refine the search (Advanced mode supports regular expressions):


1 Like

Found this reply. I knew, i had shortly somewhere read about it. :slight_smile:

1 Like