systemctl restart shorewall;systemctl status shorewall
Job for shorewall.service failed because the control process exited with error code. See “systemctl status shorewall.service” and “journalctl -xe” for details.
● shorewall.service - Shorewall IPv4 firewall
Loaded: loaded (/usr/lib/systemd/system/shorewall.service; enabled; vendor preset: disabled)
Drop-In: /etc/systemd/system/shorewall.service.d
└─blacklist.conf
/usr/lib/systemd/system/shorewall.service.d
└─nethserver-firewall-base.conf
Active: failed (Result: exit-code) since Mi 2021-04-07 09:39:37 CEST; 4ms ago
Process: 21724 ExecStop=/usr/sbin/shorewall $OPTIONS stop (code=exited, status=0/SUCCESS)
Process: 22814 ExecStart=/usr/sbin/shorewall $OPTIONS start $STARTOPTIONS (code=exited, status=255)
Process: 22602 ExecStartPre=/usr/share/nethserver-blacklist/load-ipsets (code=exited, status=0/SUCCESS)
Main PID: 22814 (code=exited, status=255)
Compiling MAC Filtration – Phase 1…
Compiling /etc/shorewall/maclist…
Compiling /etc/shorewall/blrules…
Compiling /usr/share/shorewall/action.BLACKLIST for chain BLACKLIST…
Compiling /etc/shorewall/rules…
ERROR: Missing destination zone /etc/shorewall/rules (line 88)
shorewall.service: main process exited, code=exited, status=255/n/a
Failed to start Shorewall IPv4 firewall.
Unit shorewall.service entered failed state.
shorewall.service failed.
Checking the rules file around line 88 shows:
#
# 60rules
#
?COMMENT RULE#2
{source:net:ip.prox.mox.host, dest:-, time:-, action:ACCEPT:none}
?COMMENT
I don’t remember where this rule came from. I commented it out, and then the shorewall service does start again. Where would this rule normally be shown?
Should I try to restore the firewall configuration from a backup? Would the rules file be enough in order to compare it with the actual one? I mistrust the firewall config now. And I wonder how to get back to a sane config again.
Edit to ask: How would I find /etc/shorewall/rules? Searching for the rules filename in the restore tab of data-backup does not show anything. Where are the remaining files and folders from /etc? I only see the cron.d subfolder.
And another question - as this rules file should not be changed manually - how can I eliminate these wrong rule lines? After signal-event firewall-adjust they are back. I don’t find anything under firewall/rules or firewall/local rules.
No, nothing was changed in fact. I was asked to test a package because of the DKIM error I had reported. But even there - I had made a snapshot as it is a VM in ProxMox, and restored it after the test, so nothing should have changed.
At the moment I am restoring the system disk from a snapshot taken about a week ago. I will then mount it temporarily as an additional disk, thus I’d need to know which files I should compare.
Hm, apparently these lines were already around on 1st April (date of the snapshot), as diff shows:
diff -c /mnt/temp/etc/shorewall/rules /etc/shorewall/rules
*** /mnt/temp/etc/shorewall/rules 2021-03-30 16:39:02.854672474 +0200
--- /etc/shorewall/rules 2021-04-07 18:18:42.485595261 +0200
db fwrules show 2
2=rule
    Action=accept
    Description=
    Dst=host;mail.domain.tld
    Log=none
    Position=2
    Service=any
    Src=host;prox-hostname.domain.tld
    Time=
    status=enabled
I’ll boot the restored disk and post the output from there. Hm, initially booting from the backed-up disk -> shorewall starts, but after issuing a signal-event firewall-adjust it now shows the same problem of shorewall not starting. And also the same rule as above…
In firewall/rules and firewall/local rules I don’t see any entry in cockpit. I’ll boot the prod disk again and look if I can see something with the old servermanager. Or do you already see what’s wrong with the above console output?
Disabling this rule in the old servermanager and issuing signal-event firewall-adjust lets shorewall start successfully.
I am not sure why I had made this rule. I recall having had problems with mail notifications from this ProxMox host hosting the mailserver (but not from other ProxMox hosts that successfully delivered notification mails). I will investigate mail notification from the ProxMox host to the local mailserver VM another day. So I guess the problem is solved. Thanks for your help.
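A check for the situation in this thread, added here as an example and not part of the original posts or of NethServer's own tooling: the generated rule had dest:- while the fwrules entry says Dst=host;mail.domain.tld, so the destination object did not resolve into an address when the template ran. The script below assumes (this is not confirmed anywhere in the thread) that this happens when a rule references a host object that no longer exists, and that rules live in the fwrules database (db fwrules show) while host objects live in the hosts database (db hosts show). It parses esmith-style db dumps, reports Src/Dst values of the form host;NAME with no matching host record, and separately scans a /etc/shorewall/rules fragment for generated rule lines whose source or dest is '-'. The two dumps and the rules fragment embedded below are constructed from the thread's output; the IP address and the first rule are invented for illustration.

```python
"""Find NethServer firewall rules whose host references do not resolve.

Added example, not NethServer's own code. Assumptions (not confirmed on
the page): rules are in the 'fwrules' db, host objects in the 'hosts' db,
and an unresolvable host reference is what yields 'dest:-' in the
generated /etc/shorewall/rules.
"""
import re
import subprocess

# Constructed sample of `db fwrules show` (properties indented as esmith
# prints them). Rule 1 is invented; rule 2 is the one from the thread.
SAMPLE_FWRULES = """\
1=rule
    Action=accept
    Dst=any
    Src=zone;green
    status=enabled
2=rule
    Action=accept
    Description=
    Dst=host;mail.domain.tld
    Log=none
    Position=2
    Service=any
    Src=host;prox-hostname.domain.tld
    Time=
    status=enabled
"""

# Constructed sample of `db hosts show`: only the Proxmox host object
# exists; the mail host referenced by rule 2 is missing. IP is invented.
SAMPLE_HOSTS = """\
prox-hostname.domain.tld=remote
    Description=Proxmox host
    IpAddress=192.0.2.10
"""

# Constructed /etc/shorewall/rules fragment, as shown in the thread.
SAMPLE_SHOREWALL_RULES = """\
#
# 60rules
#
?COMMENT RULE#2
{source:net:ip.prox.mox.host, dest:-, time:-, action:ACCEPT:none}
?COMMENT
"""


def parse_db(text):
    """Parse `db NAME show` output into {key: {'type': ..., prop: value}}.

    A non-indented line 'key=type' starts a record; indented 'prop=value'
    lines belong to the current record.
    """
    records, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        key, _, value = line.strip().partition("=")
        if line[0].isspace() and current is not None:
            records[current][key] = value
        else:
            current = key
            records[current] = {"type": value}
    return records


def endpoint_ok(endpoint, hosts):
    """True unless the value is 'host;NAME' and NAME has no hosts record.

    Other endpoint kinds (any, zone;..., role;...) are not checked here.
    """
    kind, _, name = endpoint.partition(";")
    return kind != "host" or name in hosts


def find_dangling(fwrules_text, hosts_text):
    """Return [(rule_key, field, value)] for unresolvable Src/Dst refs."""
    rules, hosts = parse_db(fwrules_text), parse_db(hosts_text)
    problems = []
    for key, rule in rules.items():
        if rule.get("type") != "rule":
            continue
        for field in ("Src", "Dst"):
            value = rule.get(field, "")
            if not endpoint_ok(value, hosts):
                problems.append((key, field, value))
    return problems


RULE_RE = re.compile(r"\{([^}]*)\}")


def find_empty_endpoints(shorewall_rules_text):
    """Return [(line_no, field)] for generated rules with source/dest '-'."""
    hits = []
    for lineno, line in enumerate(shorewall_rules_text.splitlines(), 1):
        m = RULE_RE.search(line)
        if not m:
            continue
        fields = dict(item.strip().split(":", 1)
                      for item in m.group(1).split(",") if ":" in item)
        hits.extend((lineno, f) for f in ("source", "dest")
                    if fields.get(f) == "-")
    return hits


if __name__ == "__main__":
    # On a NethServer host, read the live databases; elsewhere use samples.
    try:
        fw = subprocess.run(["db", "fwrules", "show"], check=True,
                            capture_output=True, text=True).stdout
        ho = subprocess.run(["db", "hosts", "show"], check=True,
                            capture_output=True, text=True).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        fw, ho = SAMPLE_FWRULES, SAMPLE_HOSTS
    for key, field, value in find_dangling(fw, ho):
        print(f"rule {key}: {field}={value} does not resolve")
    for lineno, field in find_empty_endpoints(SAMPLE_SHOREWALL_RULES):
        print(f"/etc/shorewall/rules line {lineno}: {field} is '-'")
```

Run on a NethServer box it reads the two databases with db, so a rule flagged here can then be fixed with db fwrules delete KEY (or by disabling it, as done above) followed by signal-event firewall-adjust; anywhere else it falls back to the constructed samples and reports rule 2 and line 5.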
Finally - I’d like to ask some questions raised in this thread for the purpose of learning.
How come this rule is only visible in the old servermanager?
Is it possible to extract single files from the config backups?
Where (backup) are system settings such as /etc located? Apparently /etc is not part of data-backup. Is it in the config backup? And is this browsable so that single files could be opened?
How can a folder from data-backup be restored despite the "Max. results 500" message? I think I read once in a post that it is somehow possible in advanced mode.