Firewall does not start

shorewall
firewall
v7

(Sergey) #1

NethServer Version: NethServer release 7.5.1804 (final)
Module: Nethserver-firewall-basic
Hello. I have a new installation of NethServer over CentOS 7.
I installed only the basic firewall and have this trouble:
Check firewall rules
The firewall is NOT running
After clicking on Check:
Check firewall rules
Checking using Shorewall 5.1.10.2…
Processing /etc/shorewall/params …
Processing /etc/shorewall/shorewall.conf…
Checking /etc/shorewall/zones…
Checking /etc/shorewall/interfaces…
Checking /etc/shorewall/hosts…
Determining Hosts in Zones…
Locating Action Files…
Checking /etc/shorewall/policy…
Running /etc/shorewall/initdone…
Adding Anti-smurf Rules
Adding rules for DHCP
Checking TCP Flags filtering…
Checking Kernel Route Filtering…
Checking Martian Logging…
Checking MAC Filtration – Phase 1…
Checking /etc/shorewall/rules…
Checking /etc/shorewall/conntrack…
Checking MAC Filtration – Phase 2…
Applying Policies…
Checking /etc/shorewall/stoppedrules…
Shorewall configuration verified

If I try to change any firewall rule, I get this:
Task completed with errors
Configuring shorewall #29 (exit status 1)
Shorewall adjust failed


(Sergey) #2

In SSH:
shorewall start
Compiling using Shorewall 5.1.10.2…
Processing /etc/shorewall/params …
Processing /etc/shorewall/shorewall.conf…
Compiling /etc/shorewall/zones…
Compiling /etc/shorewall/interfaces…
Compiling /etc/shorewall/hosts…
Determining Hosts in Zones…
Locating Action Files…
Compiling /etc/shorewall/policy…
Running /etc/shorewall/initdone…
Adding Anti-smurf Rules
Adding rules for DHCP
Compiling TCP Flags filtering…
Compiling Kernel Route Filtering…
Compiling Martian Logging…
Compiling MAC Filtration – Phase 1…
Compiling /etc/shorewall/rules…
Compiling /etc/shorewall/conntrack…
Compiling MAC Filtration – Phase 2…
Applying Policies…
Generating Rule Matrix…
Optimizing Ruleset…
Creating iptables-restore input…
Compiling /etc/shorewall/stoppedrules…
Shorewall configuration compiled to /var/lib/shorewall/.start
Starting Shorewall…
Initializing…
Processing /etc/shorewall/init …
Processing /etc/shorewall/tcclear …
Setting up Route Filtering…
Setting up Martian Logging…
Setting up Proxy ARP…
Setting up Traffic Control…
Processing /etc/shorewall/tcstart …
FireQOS 3.1.5
© 2013-2014 Costa Tsaousis, GPL

Clearing all QoS on all interfaces…

         sit0: cleared traffic control
      ip6tnl0: cleared traffic control
         ifb0: cleared traffic control
        teql0: cleared traffic control
       dummy0: cleared traffic control
        bond0: cleared traffic control
         ifb1: cleared traffic control
      gretap0: cleared traffic control
        tunl0: cleared traffic control
         eth0: cleared traffic control
         gre0: cleared traffic control
  • removed all IFB devices
  • cleared FireQOS status
    FireQOS 3.1.5
    © 2013-2014 Costa Tsaousis, GPL

Traffic is classified:

  - on 0 interfaces
  - to 0 classes
  - by 0 FireQOS matches

0 TC commands executed

All Done! Enjoy…
bye…
Preparing iptables-restore input…
Running /sbin/iptables-restore --wait 60…
iptables-restore: line 29 failed
ERROR: iptables-restore Failed. Input is in /var/lib/shorewall/.iptables-restore-input
Processing /etc/shorewall/stop …
Processing /etc/shorewall/tcclear …
Preparing iptables-restore input…
Running /sbin/iptables-restore --wait 60…
IPv4 Forwarding Enabled
Processing /etc/shorewall/stopped …
/usr/share/shorewall/lib.common: line 93: 19151 Terminated $SHOREWALL_SHELL $script $options $@

What is wrong? I would like to start Shorewall but I cannot.
systemctl status shorewall -l
● shorewall.service - Shorewall IPv4 firewall
Loaded: loaded (/usr/lib/systemd/system/shorewall.service; enabled; vendor preset: disabled)
Drop-In: /usr/lib/systemd/system/shorewall.service.d
└─nethserver-firewall-base.conf
Active: failed (Result: exit-code) since Mon 2018-06-25 10:51:21 MSK; 1min 55s ago
Main PID: 18714 (code=exited, status=143)

Jun 25 10:51:21 srv.postos.org shorewall[18714]: Processing /etc/shorewall/tcclear …
Jun 25 10:51:21 srv.postos.org shorewall[18714]: Preparing iptables-restore input…
Jun 25 10:51:21 srv.postos.org shorewall[18714]: Running /sbin/iptables-restore --wait 60…
Jun 25 10:51:21 srv.postos.org shorewall[18714]: IPv4 Forwarding Enabled
Jun 25 10:51:21 srv.postos.org shorewall[18714]: Processing /etc/shorewall/stopped …
Jun 25 10:51:21 srv.postos.org shorewall[18714]: /usr/share/shorewall/lib.common: line 93: 18767 Terminated $SHOREWALL_SHELL $script $options $@
Jun 25 10:51:21 srv.postos.org systemd[1]: shorewall.service: main process exited, code=exited, status=143/n/a
Jun 25 10:51:21 srv.postos.org systemd[1]: Failed to start Shorewall IPv4 firewall.
Jun 25 10:51:21 srv.postos.org systemd[1]: Unit shorewall.service entered failed state.
Jun 25 10:51:21 srv.postos.org systemd[1]: shorewall.service failed.


(Markus Neuberger) #3

Hi @Sergey,

I could not reproduce the problem. Do you have some active firewall rules? If yes, could you post a screenshot?

You may check /var/lib/shorewall/.iptables-restore-input for hints.

Maybe debug restart shows more info:

shorewall debug restart

http://shorewall.org/troubleshoot.htm


(Sergey) #4


Here is a screenshot of my firewall rules.

Here is the iptables-restore-input file:
[root@srv ~]# nano /var/lib/shorewall/.iptables-restore-input

Generated by Shorewall 5.1.10.2 - Mon Jun 25 13:40:49 MSK 2018

*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -p 17 --dport 10080 -j CT --helper amanda
-A PREROUTING -p 6 --dport 21 -j CT --helper ftp
-A PREROUTING -p 17 --dport 1719 -j CT --helper RAS
-A PREROUTING -p 6 --dport 1720 -j CT --helper Q.931
-A PREROUTING -p 6 --dport 6667 -j CT --helper irc
-A PREROUTING -p 17 --dport 137 -j CT --helper netbios-ns
-A PREROUTING -p 6 --dport 1723 -j CT --helper pptp
-A PREROUTING -p 6 --dport 6566 -j CT --helper sane
-A PREROUTING -p 17 --dport 5060 -j CT --helper sip
-A PREROUTING -p 17 --dport 161 -j CT --helper snmp
-A PREROUTING -p 17 --dport 69 -j CT --helper tftp
-A OUTPUT -p 17 --dport 10080 -j CT --helper amanda
-A OUTPUT -p 6 --dport 21 -j CT --helper ftp
-A OUTPUT -p 17 --dport 1719 -j CT --helper RAS
-A OUTPUT -p 6 --dport 1720 -j CT --helper Q.931
-A OUTPUT -p 6 --dport 6667 -j CT --helper irc
-A OUTPUT -p 17 --dport 137 -j CT --helper netbios-ns
-A OUTPUT -p 6 --dport 1723 -j CT --helper pptp
-A OUTPUT -p 6 --dport 6566 -j CT --helper sane
-A OUTPUT -p 17 --dport 5060 -j CT --helper sip
-A OUTPUT -p 17 --dport 161 -j CT --helper snmp
-A OUTPUT -p 17 --dport 69 -j CT --helper tftp
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -j MARK --set-mark 0/0xf0000
COMMIT
*filter
:INPUT DROP [0:0]
[ Read 148 lines ]

shorewall debug restart
Compiling using Shorewall 5.1.10.2…
Processing /etc/shorewall/params …
Processing /etc/shorewall/shorewall.conf…
Compiling /etc/shorewall/zones…
Compiling /etc/shorewall/interfaces…
Compiling /etc/shorewall/hosts…
Determining Hosts in Zones…
Locating Action Files…
Compiling /etc/shorewall/policy…
Running /etc/shorewall/initdone…
Adding Anti-smurf Rules
Adding rules for DHCP
Compiling TCP Flags filtering…
Compiling Kernel Route Filtering…
Compiling Martian Logging…
Compiling MAC Filtration – Phase 1…
Compiling /etc/shorewall/rules…
Compiling /etc/shorewall/conntrack…
Compiling MAC Filtration – Phase 2…
Applying Policies…
Generating Rule Matrix…
Optimizing Ruleset…
Creating iptables-restore input…
Compiling /etc/shorewall/stoppedrules…
Shorewall configuration compiled to /var/lib/shorewall/.restart
Shorewall is not running
Starting Shorewall…
Initializing…
Processing /etc/shorewall/init …
Processing /etc/shorewall/tcclear …
Setting up Route Filtering…
Setting up Martian Logging…
Setting up Proxy ARP…
Setting up Traffic Control…
Processing /etc/shorewall/tcstart …
FireQOS 3.1.5
© 2013-2014 Costa Tsaousis, GPL

Clearing all QoS on all interfaces…

         sit0: cleared traffic control
      ip6tnl0: cleared traffic control
         ifb0: cleared traffic control
        teql0: cleared traffic control
       dummy0: cleared traffic control
        bond0: cleared traffic control
         ifb1: cleared traffic control
      gretap0: cleared traffic control
        tunl0: cleared traffic control
         eth0: cleared traffic control
         gre0: cleared traffic control
  • removed all IFB devices
  • cleared FireQOS status
    FireQOS 3.1.5
    © 2013-2014 Costa Tsaousis, GPL

Traffic is classified:

  - on 0 interfaces
  - to 0 classes
  - by 0 FireQOS matches

0 TC commands executed

All Done! Enjoy…
bye…
Preparing iptables-restore input…
Running debug_restore_input…
iptables: No chain/target/match by that name.
ERROR: Command “/sbin/iptables --wait -t raw -A PREROUTING -p 17 --dport 10080 -j CT --helper amanda” Failed
Processing /etc/shorewall/stop …
Processing /etc/shorewall/tcclear …
Preparing iptables-restore input…
Running debug_restore_input…
IPv4 Forwarding Enabled
Processing /etc/shorewall/stopped …
/usr/share/shorewall/lib.common: line 93: 17385 Terminated $SHOREWALL_SHELL $script $options $@


(Markus Neuberger) #5

Is your system updated?

yum -y update

Does the problem persist after reboot? Maybe you are running an older kernel…


(Sergey) #6

Yes, everything is updated.


(Markus Neuberger) #7

Did you reboot? You may try another kernel. Do you have DHCP on green interface?


(Sergey) #8

Yes, I rebooted, not just once but several times.
I have the 4.9 kernel; do you think the problem is here?
I am not using DHCP.


(Markus Neuberger) #9

Maybe. Please try the 3.10.0-862.3.3.el7.x86_64 kernel.


(Sergey) #10

OK, I will try to reinstall the system.


(Sergey) #11

Kernel 3.10, and it is working. Thank you.


(Filippo Carletti) #12

Probably yes, the problems come from the kernel.
To optimize for speed, NethServer uses hard-coded Shorewall capabilities linked to the kernel.
If you change to a kernel with different capabilities you should "tell" Shorewall with:

shorewall show -f capabilities > /etc/shorewall/capabilities

Different capabilities also imply that some features may not work.
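The debug restart in post #4 fails on the first `-j CT --helper` rule, and post #12 attributes this to a capabilities cache that no longer matches the running kernel. As an added example that is not from this thread or from NethServer, the script below compares a cached capabilities file with a freshly detected one (the `NAME=Yes` / `NAME=` format written by `shorewall show -f capabilities`, here as constructed sample files) and lists the capabilities the cache claims but the kernel lacks.

```shell
#!/bin/sh
# Added example (not from the thread or NethServer): list capabilities that a
# cached Shorewall capabilities file claims but a freshly detected one lacks.
# Format as in `shorewall show -f capabilities`: NAME=Yes / NAME= / # comments.

# Capabilities set to Yes in $1 (cached) but not Yes in $2 (detected), one per line.
stale_capabilities() {
    grep -v '^#' "$1" | grep '=Yes$' | cut -d= -f1 | sort |
    while read -r name; do
        grep -q "^${name}=Yes$" "$2" || echo "$name"
    done
}

# Constructed samples modelled on the thread: cache generated under the stock
# 3.10 kernel, detection run under a 4.9 kernel where iptables cannot load the
# CT target, so every "-j CT --helper" rule fails at iptables-restore time.
write_samples() {
    cat > "$1/cached" <<'EOF'
# constructed: cached capabilities, 3.10 kernel
NAT_ENABLED=Yes
CONNTRACK_MATCH=Yes
CT_TARGET=Yes
HELPER_MATCH=Yes
AMANDA_HELPER=Yes
FTP_HELPER=Yes
CAPVERSION=50110
KERNELVERSION=31000
EOF
    cat > "$1/detected" <<'EOF'
# constructed: detected capabilities, 4.9 kernel
NAT_ENABLED=Yes
CONNTRACK_MATCH=Yes
CT_TARGET=
HELPER_MATCH=Yes
AMANDA_HELPER=
FTP_HELPER=
CAPVERSION=50110
KERNELVERSION=40900
EOF
}

# Demo: non-empty output means regenerate the cache with
# "shorewall show -f capabilities > /etc/shorewall/capabilities".
demo() {
    tmp=$(mktemp -d)
    write_samples "$tmp"
    stale_capabilities "$tmp/cached" "$tmp/detected"
    rm -rf "$tmp"
}
```

On a real host, replace the constructed files with /etc/shorewall/capabilities and the output of `shorewall show -f capabilities`; any name printed corresponds to rules that iptables-restore will reject on the current kernel.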