Help needed to reset shorewall

I transferred my nethserver vm to another ProxMox Host, and now I am facing the following problem. To be able to get access to the web interface, I have to issue shorewall clear.

Contrary to the initial host, I now only have one interface on my nethserver (green). So after restoring the backup on the new host, I changed both nics to the only available network vmbr0. Only after issuing shorewall clear was I able to connect to the web interface of nethserver.

As there is only one network I then deleted the red network. As soon as I have done so, I cannot start shorewall anymore, so I need some help please.

To successfully restart shorewall I added a second nic to the nethserver vm, and assigned it to the red network. That way shorewall does start again. But again, I was only able to connect after issuing shorewall clear.

I also tried to completely uninstall firewall/shorewall and reinstall, but still the same, so I don't know how to proceed. I surely could reinstall but I don't want to lose the active directory server, as I did quite some configuration and don't want to re-do it, so I'd like to keep active directory.

Maybe just remove the firewall?

There’s still a firewall inside nethserver, so no worries…
But maybe the firewall module requires 2 interfaces…

Andy

I don't think so, as I think I already had a trial setup with only one interface and had firewall installed anyway. I uninstalled firewall and now I regularly get error messages like:

echo '{"action":"remove","packages":["nethserver-firewall-base","nethserver-blacklist","nethserver-evebox","nethserver-firewall-base-ui","nethserver-ipsec-tunnels","nethserver-lightsquid","nethserver-openvpn","nethserver-squid","nethserver-squidclamav","nethserver-squidguard","nethserver-suricata","nethserver-vpn-ui"]}' | /usr/bin/setsid /usr/bin/sudo /usr/libexec/nethserver/api/system-packages/update | jq

So something has seriously gone wrong. :frowning:

For example, I then uninstalled fail2ban in the web interface. While it is uninstalled, at the end I again get an error message:

echo '{"action":"remove","packages":["nethserver-fail2ban"]}' | /usr/bin/setsid /usr/bin/sudo /usr/libexec/nethserver/api/system-packages/update | jq

(system-packages/update removal failed)

Is there a way to not only uninstall a package, but also remove all of its configurations? I already have tried to delete /etc/shorewall after uninstallation but that was obviously not enough…

Uninstalling nethserver-antivirus: system-packages/update removal failed (but it is removed):

echo '{"action":"remove","packages":["nethserver-antivirus"]}' | /usr/bin/setsid /usr/bin/sudo /usr/libexec/nethserver/api/system-packages/update | jq …

Can this all have something to do with the fact that with the 2 nic setup nethserver routed everything from green through the red network to the outside world, while now with only one nic the routing is to the ip of my router, which logically had to be configured as def. gateway on the green nic?

Having read that the ip settings are stored in a database, I wonder what the correct steps would be to get rid of the second nic without messing up my whole setup. Obviously it does not work within cockpit…

Maybe I should try the old servermanager to see if it works better there, or if anyone could give me the correct instructions on how to do it in the console.

Last but not least - if nothing of the above could be a solution. Would it be possible to preserve the nsdc container and transfer it to a new install so I can reuse configured domain?

I don't think you can just copy the nsdc container over to reuse it.

Can you restore the previous condition (With 2 NICs)?
Restore / Snapshot / Whatever…

Andy

Sure, that's what I am doing all the time trying to find a solution. I also can restore the second nic to get shorewall working again. But then I cannot reach external resources, as the red network is a dead end.

And with two nics, in order to be able to log in with shorewall started, I have to issue shorewall clear.

No, but then you could with either Interface change the Network config to use only one green network with gateway…

:slight_smile:

I was not successful with that either. I will change the title, as apparently the problem is resetting the shorewall settings. In the Nethserver Documentation I found a procedure "Reset network configuration" and followed it. The server worked fine as long as no package is installed that has a shorewall dependency. As soon as I installed Web Proxy & Filter the message appeared again that the shorewall service cannot be started. Furthermore, from that moment on, as soon as I install a package I get an error (system-packages/update) failed. As said, the application is installed successfully but the install finishes with the above error message. So I don't think it's a networking problem, but a problem with shorewall, and I'll need some help from @support to reset it completely.

shorewall debug restart tells me:

ERROR: No hosts on br0 have the maclist option specified /etc/shorewall/maclist (line 22)

In maclist file, I just have the three entries that I have added as ip address reservations in dhcp section:

ACCEPT br0 macaddress1 ipaddress1
ACCEPT br0 macaddress2 ipaddress2
ACCEPT br0 macaddress3 ipaddress3

As I had already tried to reinstall shorewall after having deleted everything in /etc/shorewall what other folders might be related? I will try to find them all like /var/lib/shorewall maybe others and delete them all before re-installing shorewall, maybe that would fix it?

Tried it, deleted every folder or file with shorewall in the name, but still the same. Is there something else I could try? Are there maybe some db entries somewhere to clean?

Or is there a way to reinstall every package that is already installed to check if that could fix this prob?
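The "No hosts on br0 have the maclist option specified" error quoted above is Shorewall's consistency check: every interface named in /etc/shorewall/maclist must also carry the maclist option in /etc/shorewall/interfaces (or /etc/shorewall/hosts), otherwise the compiler refuses to start. The following script is an added example, not something from the thread or from NethServer itself; it reproduces that check offline on two constructed config snippets (a maclist file and a FORMAT 2 interfaces file, both assumed) and reports which interfaces in maclist lack the option, so a defender can spot the mismatch before restarting the firewall.

```shell
#!/bin/sh
# Constructed sample of /etc/shorewall/maclist (DISPOSITION INTERFACE MAC ADDRESSES).
# The MAC and IP values are made-up placeholders.
MACLIST_SAMPLE='#DISPOSITION INTERFACE MAC ADDRESSES
ACCEPT br0 00:11:22:33:44:55 192.168.1.10
ACCEPT br0 00:11:22:33:44:66 192.168.1.11
ACCEPT br1 00:11:22:33:44:77 10.0.0.5'

# Constructed sample of /etc/shorewall/interfaces (FORMAT 2: ZONE INTERFACE OPTIONS).
# br0 is deliberately missing the "maclist" option, br1 has it.
INTERFACES_SAMPLE='?FORMAT 2
#ZONE INTERFACE OPTIONS
loc br0 dhcp,routeback
net br1 dhcp,maclist'

# Exit 0 if interface $2 carries the "maclist" option anywhere in columns 3..NF
# of the interfaces file content $1 (covers FORMAT 1, where column 3 is BROADCAST,
# and FORMAT 2, where column 3 is OPTIONS). Comments, ?directives and blank lines are skipped.
has_maclist_option() {
    printf '%s\n' "$1" | awk -v ifc="$2" '
        !/^[[:space:]]*(#|\?|$)/ && $2 == ifc {
            for (c = 3; c <= NF; c++) {
                n = split($c, o, ",")
                for (i = 1; i <= n; i++) if (o[i] == "maclist") found = 1
            }
        }
        END { exit found ? 0 : 1 }'
}

# Print, one per line, every interface referenced in maclist content $1 that has
# no "maclist" option in interfaces content $2. Empty output means the two files agree.
maclist_missing() {
    printf '%s\n' "$1" | awk '!/^[[:space:]]*(#|\?|$)/ { print $2 }' | sort -u |
    while read -r ifc; do
        has_maclist_option "$2" "$ifc" || printf '%s\n' "$ifc"
    done
}

# Stand-alone run against the constructed samples; on a real host you would feed
# "$(cat /etc/shorewall/maclist)" and "$(cat /etc/shorewall/interfaces)" instead.
maclist_missing "$MACLIST_SAMPLE" "$INTERFACES_SAMPLE"
```

On NethServer both files are generated from templates, so the mismatch is fixed in the configuration that produces them (the DHCP reservations and the interface definition), not by hand-editing /etc/shorewall; a hand edit is overwritten on the next template expansion, which is consistent with the poster's observation that deleting /etc/shorewall and reinstalling changed nothing.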

By default NethServer allows connection to Cockpit (9090) and NethGUI (980) on all interfaces, even RED, with no Shorewall/firewall rule written into the interface.
You can limit the connection to a subnet or a small set of ip addresses if you want, but it's manual and done in the web interface, without even installing the firewall module.
Therefore, if you can reach/route NethServer and NethServer can route you back, you can access.

Did you change the settings in the Cockpit or NethGUI interface for access to it?
Did you create any firewall rule?
Did you manually set up any shorewall rule outside the firewall interface?

If the answer to all these questions is no, maybe there are some issues in bridging or routing the connection from NethServer to the computer you are using.
And maybe these issues are in the Green configuration (gateway missing? wrong subnet?) or in the ProxMox "relation" between your network and the one you're trying to access.

No, I did not create any firewall or shorewall rules. I double-checked the network configuration and it is correct, just a fixed ip, netmask, gateway. I also can reach the internet, install packages, ping google, and connect through the web interface as long as:
a) with red interface active - login and issue shorewall clear
b) without red interface it works just fine apart from the fact that shorewall is not able to start

I also come from reinstalling a new nethserver and there it works fine with only one green network. Configured a fixed ip and added our physical router as gateway. The eth0 green network card has a br0 bridge interface as logical interface. I have to keep that, even if it's not necessary, as with eth0 without br0 the nsdc domain controller container would not start. I reproduced the same network settings on a new install and it works like a charm. Installed Web Proxy & Filter, thus shorewall was pulled in and is started.

My nethserver with my configured active directory domain was installed on another node and was configured with two nics, one for the green and one for the red network, and it was working fine on the first proxmox node. But now that I made a backup and restored it on a second node, the problems arose. On this second node there is no second network, so apparently reconfiguring shorewall to a network scenario with only one network, thus deleting the red network and interface, makes it somehow impossible for shorewall to start.

All that would not be a real problem if there were a possibility to preserve the nsdc container with the domain. I have been fighting with this the whole day. If it were possible to migrate the container with the configured domain to a new neth installation I would prefer that, as a new neth installation is done quickly, whereas reconfiguring the whole domain would take much more time, which I would like to avoid…

As said, if I add a second nic to this vm and then configure it as a red interface, shorewall starts up but blocks access to the web interface until I issue shorewall clear. But then nethserver tries to route the traffic to the internet from green to the red network, which is a dead end. Maybe there could be a workaround, such as adding a routing entry so that nethserver knows to route unknown destinations to the default gateway of the green network (which is our physical router) instead of routing it to red, but I don't know how to set up such a rule, and besides it would be an ugly workaround for a nethserver ready for going productive… :pensive:

I will setup a new active directory domain on a clean nethserver installation, as that way I have a clean solution :slight_smile:

After facing the same problems on a new install, I think that the problem is related to having a nethserver with only one nic.

I did some thinking, as the problem seems to originate from the fact that I only had one green interface. So I segmented the /24 lan and assigned a small /29 lan to the red interface, where the router ip is part of this network, and a /25 lan that was assigned to the green network, where the nethserver's ip will be the gateway. That worked.

You can surely have nethserver with only one NIC. Please, feed that with a full IPv4 configuration :wink:

Well, I tried that. I mean ip address, subnet mask and gateway is not something very complicated to feed. But as soon as I added something that was dependent on shorewall, for ex. squid or firewall to be able to activate mac filtering for the clients, the above problems arose and the shorewall service was not able to start anymore, and I was not able to fix that with only one nic. That's when I thought about the above solution, which worked for me.

Firewall and Squid are intended only for at least two NICs. If you are in a virtual environment, consider adding a dummy Green; maybe some Howto is published here, if I recall correctly.
At least one Green is mandatory.

Thanks for confirming that the source of my problem was a missing nic. Well, I read about the dummy nic too, but I think my solution is more elegant, at least it works for me. :slight_smile: