Services cannot be started when MAC validation is enabled

Hi,

for some reason I cannot (re)start some services, e.g. shorewall does not start after a reboot. lsm is affected, too.

system-services/update fails, result of

echo '{"action":"start","name":"shorewall"}' | /usr/bin/setsid /usr/bin/sudo /usr/libexec/nethserver/api/system-services/update | jq

is

"id": "1614616081",
"type": "EventFailed",
"message": "Action failed"

any hints?

THX
Thorsten

NethServer Version: 7.9.2009
Module: firewall, lsm

Please check /var/log/messages to get more error details about the failed action.

Mar 1 20:22:01 ebb-s01 systemd: Starting Shorewall IPv4 firewall…
Mar 1 20:22:01 ebb-s01 shorewall: Compiling using Shorewall 5.1.10.2…
Mar 1 20:22:02 ebb-s01 shorewall: Processing /etc/shorewall/params …
Mar 1 20:22:02 ebb-s01 shorewall: Processing /etc/shorewall/shorewall.conf…
Mar 1 20:22:02 ebb-s01 shorewall: Loading Modules…
Mar 1 20:22:02 ebb-s01 shorewall: Compiling /etc/shorewall/zones…
Mar 1 20:22:02 ebb-s01 shorewall: Compiling /etc/shorewall/interfaces…
Mar 1 20:22:02 ebb-s01 shorewall: Compiling /etc/shorewall/hosts…
Mar 1 20:22:02 ebb-s01 shorewall: Determining Hosts in Zones…
Mar 1 20:22:02 ebb-s01 shorewall: Locating Action Files…
Mar 1 20:22:02 ebb-s01 shorewall: Compiling /etc/shorewall/policy…
Mar 1 20:22:02 ebb-s01 shorewall: Running /etc/shorewall/initdone…
Mar 1 20:22:02 ebb-s01 shorewall: Adding Anti-smurf Rules
Mar 1 20:22:02 ebb-s01 shorewall: Adding rules for DHCP
Mar 1 20:22:02 ebb-s01 shorewall: Compiling TCP Flags filtering…
Mar 1 20:22:02 ebb-s01 shorewall: Compiling Kernel Route Filtering…
Mar 1 20:22:02 ebb-s01 shorewall: Compiling Martian Logging…
Mar 1 20:22:02 ebb-s01 shorewall: Compiling MAC Filtration – Phase 1…
Mar 1 20:22:02 ebb-s01 shorewall: Compiling /etc/shorewall/maclist…
Mar 1 20:22:02 ebb-s01 shorewall: ERROR: No hosts on br0 have the maclist option specified /etc/shorewall/maclist (line 22)
Mar 1 20:22:02 ebb-s01 root: ERROR:Shorewall start failed
Mar 1 20:22:02 ebb-s01 systemd: shorewall.service: main process exited, code=exited, status=25/n/a
Mar 1 20:22:02 ebb-s01 systemd: Failed to start Shorewall IPv4 firewall.
Mar 1 20:22:02 ebb-s01 systemd: Unit shorewall.service entered failed state.
Mar 1 20:22:02 ebb-s01 systemd: shorewall.service failed.

Please try to expand the /etc/shorewall/maclist template with

expand-template /etc/shorewall/maclist

to see if there are errors.

It seems you have MAC validation active; you may try to disable it for testing.

OK, MAC validation deactivated, but cannot be turned on

signal-event firewall-adjust

runs on command line without error message

OK and in services panel, can you restart it now without error? Is there an error in the messages logfile?

Seems to run; however, another service is down now

Can you start loolwsd now?

If not, let’s check logfiles again.

No, service panel restart gives another error message:


echo '{"action":"restart","name":"shorewall"}' | /usr/bin/setsid /usr/bin/sudo /usr/libexec/nethserver/api/system-services/update | jq
{
"id": "1614630296",
"type": "EventFailed",
"message": "Action failed"
}

Mar 1 21:28:46 ebb-s01 systemd: Starting Shorewall IPv4 firewall…
Mar 1 21:28:46 ebb-s01 shorewall: Compiling using Shorewall 5.1.10.2…
Mar 1 21:28:46 ebb-s01 shorewall: Processing /etc/shorewall/params …
Mar 1 21:28:46 ebb-s01 shorewall: Processing /etc/shorewall/shorewall.conf…
Mar 1 21:28:46 ebb-s01 shorewall: Loading Modules…
Mar 1 21:28:46 ebb-s01 shorewall: Compiling /etc/shorewall/zones…
Mar 1 21:28:46 ebb-s01 shorewall: Compiling /etc/shorewall/interfaces…
Mar 1 21:28:46 ebb-s01 shorewall: Compiling /etc/shorewall/hosts…
Mar 1 21:28:46 ebb-s01 shorewall: Determining Hosts in Zones…
Mar 1 21:28:46 ebb-s01 shorewall: WARNING: *** blue is an EMPTY ZONE *** /etc/shorewall/hosts (EOF)
Mar 1 21:28:46 ebb-s01 shorewall: Locating Action Files…
Mar 1 21:28:46 ebb-s01 shorewall: Compiling /etc/shorewall/policy…
Mar 1 21:28:46 ebb-s01 shorewall: Running /etc/shorewall/initdone…
Mar 1 21:28:46 ebb-s01 shorewall: Adding Anti-smurf Rules
Mar 1 21:28:46 ebb-s01 shorewall: Adding rules for DHCP
Mar 1 21:28:46 ebb-s01 shorewall: Compiling TCP Flags filtering…
Mar 1 21:28:46 ebb-s01 shorewall: Compiling Kernel Route Filtering…
Mar 1 21:28:46 ebb-s01 shorewall: Compiling Martian Logging…
Mar 1 21:28:46 ebb-s01 shorewall: Compiling MAC Filtration – Phase 1…
Mar 1 21:28:46 ebb-s01 shorewall: Compiling /etc/shorewall/maclist…
Mar 1 21:28:46 ebb-s01 shorewall: ERROR: No hosts on br0 have the maclist option specified /etc/shorewall/maclist (line 22)
Mar 1 21:28:46 ebb-s01 root: ERROR:Shorewall start failed
Mar 1 21:28:46 ebb-s01 systemd: shorewall.service: main process exited, code=exited, status=25/n/a
Mar 1 21:28:46 ebb-s01 systemd: Failed to start Shorewall IPv4 firewall.
Mar 1 21:28:46 ebb-s01 systemd: Unit shorewall.service entered failed state.
Mar 1 21:28:46 ebb-s01 systemd: shorewall.service failed.

Please post the content of /etc/shorewall/maclist to check it for errors.

Restart is possible, but it seems to be unconfigured … what is that service for? Nextcloud Collabora?

Yes, it’s nethserver-collabora usable from nethserver-nextcloud.

EDIT:

There’s still a shorewall error.
Please also check if expand-template /etc/shorewall/hosts is working or just post it…

OK, here is the maclist:
The duplicate entries @120, 121 and 122 are by intention. These are the WLAN and Ethernet interfaces of HP laptops. The WLAN interface is disabled by the BIOS if the laptop is plugged in. Consequently the laptop has just one IP regardless of how it connects to my network. I know this is not "clean", but this has been running on NS for about 3 years …

Oh, and I checked for duplicate MAC addresses using LibreOffice Calc - no MAC is duplicated
|ACCEPT|br0|00:1D:AA:F7:1E:20|172.17.0.1|
|ACCEPT|br0|08:11:96:A0:FC:84|172.17.0.120|
|ACCEPT|br0|EC:9A:74:F5:AA:D6|172.17.0.120|
|ACCEPT|br0|60:67:20:00:58:4E|172.17.0.121|
|ACCEPT|br0|A0:B3:CC:C5:65:41|172.17.0.121|
|ACCEPT|br0|20:10:7A:1A:8E:7C|172.17.0.122|
|ACCEPT|br0|E4:11:5B:45:DA:7B|172.17.0.122|
|ACCEPT|br0|A0:CE:C8:33:50:9D|172.17.0.123|
|ACCEPT|br0|32:46:F0:61:64:E7|172.17.0.13|
|ACCEPT|br0|02:F7:6A:18:01:75|172.17.0.14|
|ACCEPT|br0|A6:65:45:CB:88:D1|172.17.0.15|
|ACCEPT|br0|82:DF:A1:2C:F9:79|172.17.0.150|
|ACCEPT|br0|70:70:0D:20:16:4A|172.17.0.151|
|ACCEPT|br0|18:70:3B:AF:F0:65|172.17.0.152|
|ACCEPT|br0|B8:F6:B1:EB:17:1B|172.17.0.153|
|ACCEPT|br0|70:48:0F:CD:B1:77|172.17.0.154|
|ACCEPT|br0|C0:B6:58:40:37:4E|172.17.0.155|
|ACCEPT|br0|10:4E:89:BC:E7:49|172.17.0.157|
|ACCEPT|br0|92:CC:17:9D:11:69|172.17.0.17|
|ACCEPT|br0|00:11:32:A6:F3:4F|172.17.0.18|
|ACCEPT|br0|46:F4:19:C1:7A:1F|172.17.0.180|
|ACCEPT|br0|92:D9:05:CA:34:32|172.17.0.181|
|ACCEPT|br0|00:11:32:A6:F3:50|172.17.0.19|
|ACCEPT|br0|00:50:7F:F0:F0:96|172.17.0.2|
|ACCEPT|br0|6A:E9:74:9E:F7:EF|172.17.0.225|
|ACCEPT|br0|08:EC:A9:52:FC:98|172.17.0.241|
|ACCEPT|br0|34:12:F9:EF:5C:2D|172.17.0.242|
|ACCEPT|br0|3C:6A:9D:01:07:F1|172.17.0.28|
|ACCEPT|br0|7C:DD:90:FD:0D:F8|172.17.0.29|
|ACCEPT|br0|30:D3:2D:3A:0E:2A|172.17.0.3|
|ACCEPT|br0|00:25:36:96:DD:AC|172.17.0.30|
|ACCEPT|br0|14:8F:21:C3:19:6F|172.17.0.31|
|ACCEPT|br0|AC:CF:23:F1:F3:B2|172.17.0.32|
|ACCEPT|br0|00:80:E1:C9:9A:9B|172.17.0.33|
|ACCEPT|br0|F4:06:8D:CB:01:F0|172.17.0.4|
|ACCEPT|br0|00:0E:58:BC:3C:B2|172.17.0.50|
|ACCEPT|br0|B8:E9:37:88:87:32|172.17.0.51|
|ACCEPT|br0|00:0E:58:9C:E9:AE|172.17.0.52|
|ACCEPT|br0|CC:98:8B:89:20:4C|172.17.0.53|
|ACCEPT|br0|20:C6:EB:3F:6B:E1|172.17.0.54|
|ACCEPT|br0|48:A6:B8:EC:44:6A|172.17.0.55|
|ACCEPT|br0|BC:60:A7:3B:BA:FA|172.17.0.56|
|ACCEPT|br0|60:12:8B:AA:4B:75|172.17.0.57|
|ACCEPT|br0|04:03:D6:53:B7:8E|172.17.0.58|
|ACCEPT|br0|54:84:7B:00:29:76|172.17.0.59|
|ACCEPT|br0|5C:AA:FD:5F:DD:72|172.17.0.60|
|ACCEPT|br0|BC:30:7D:2F:0D:69|172.17.0.61|
|ACCEPT|br0|00:1D:AA:9F:E9:00|172.17.0.7|
|ACCEPT|br0|00:1D:AA:9F:4E:54|172.17.0.8|
|ACCEPT|br0|00:1D:AA:9F:60:7C|172.17.0.9|

expand-template /etc/shorewall/hosts
gives no error

Force GREEN + RED mode with only one interface
loc br0:127.0.0.1/32
loc br0:172.17.0.0/24

50objects
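A consistency check for the two files discussed in this thread, added here as an example and not part of the thread or of NethServer's own tooling: it parses a maclist in Shorewall's DISPOSITION INTERFACE MAC ADDRESSES column layout and a hosts file in ZONE HOSTS OPTIONS layout (constructed samples embedded, shaped like the excerpts above), reports any maclist interface with no hosts entry carrying the maclist option (the condition behind the "No hosts on br0 have the maclist option" error), and flags MACs listed more than once while allowing one IP to be shared by two MACs, as the poster intends. It assumes the option is looked for in the hosts file only; the interfaces file is not considered.

```python
import re
from collections import Counter

# Constructed sample input shaped like the /etc/shorewall/maclist and
# /etc/shorewall/hosts excerpts in the thread (one IP for two MACs is fine).
MACLIST = """\
ACCEPT br0 00:1D:AA:F7:1E:20 172.17.0.1
ACCEPT br0 08:11:96:A0:FC:84 172.17.0.120
ACCEPT br0 EC:9A:74:F5:AA:D6 172.17.0.120
ACCEPT br0 08:11:96:a0:fc:84 172.17.0.121
"""
HOSTS_WITHOUT_OPTION = "loc br0:127.0.0.1/32\nloc br0:172.17.0.0/24\n"
HOSTS_WITH_OPTION = "loc br0:172.17.0.0/24 maclist\n"

MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")

def _entries(text):
    """Yield (line_no, fields) for non-blank, non-comment lines."""
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if line and not line.startswith("#"):
            yield n, line.split()

def parse_maclist(text):
    """Return [(line_no, interface, MAC)]; reject malformed MAC fields."""
    out = []
    for n, f in _entries(text):
        if len(f) < 3 or not MAC_RE.match(f[2]):
            raise ValueError("maclist line %d is malformed: %s" % (n, " ".join(f)))
        out.append((n, f[1], f[2].upper()))
    return out

def maclist_interfaces(hosts_text):
    """Interfaces whose hosts entry carries the 'maclist' option."""
    return {f[1].split(":", 1)[0] for _, f in _entries(hosts_text)
            if len(f) >= 3 and "maclist" in f[2].split(",")}

def check(maclist_text, hosts_text):
    """Return findings; an empty list means maclist and hosts agree."""
    entries = parse_maclist(maclist_text)
    enabled = maclist_interfaces(hosts_text)
    findings = ["no hosts entry on %s has the maclist option" % i
                for i in sorted({e[1] for e in entries}) if i not in enabled]
    for mac, count in sorted(Counter(e[2] for e in entries).items()):
        if count > 1:
            findings.append("MAC %s listed %d times" % (mac, count))
    return findings

if __name__ == "__main__":
    for finding in check(MACLIST, HOSTS_WITHOUT_OPTION) or ["OK"]:
        print(finding)
```

On a real system, read the two files from /etc/shorewall and pass their contents to check() in place of the constructed samples.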

Does shorewall start if MAC validation is disabled? In this case the /etc/shorewall/maclist should be empty.

All dead here - NS DNS down … don't know what happened - used 8.8.8.8 as DNS manually on the client side to have internet access at all

No, validation was re-enabled; I do not know how, at least it was not by intention. Now I am sure that it is disabled and the maclist is empty

Is it working now, are all services started?

Shorewall seems to run and can be restarted; loolwsd is still down

Some other services are down, but they are obviously not important

OK, let’s check loolwsd log:

cat /var/log/messages | grep lool