Services can not be started when MAC validation is enabled

Please post the content of /etc/shorewall/maclist to check it for errors.

restart is possible, but it seems to be unconfigured … what is that service for? Nextcloud Collabora?

Yes, it’s nethserver-collabora usable from nethserver-nextcloud.

EDIT:

There’s still a shorewall error.
Please also check if expand-template /etc/shorewall/hosts is working or just post it…

Ok, here is the maclist:
The duplicate entries @120, 121 and 122 are by intention. These are the WLAN and Ethernet interfaces of HP laptops. The WLAN interface is disabled by the BIOS if the laptop is plugged in. Consequently the laptop has just one IP regardless of how it connects to my network. I know this is not “clean” but this has been running on NS for about 3 years …

Oh, and I checked for duplicate MAC addresses using LibreOffice Calc - no MAC is duplicated.

|DISPOSITION|INTERFACE|MAC|ADDRESSES|
|---|---|---|---|
|ACCEPT|br0|00:1D:AA:F7:1E:20|172.17.0.1|
|ACCEPT|br0|08:11:96:A0:FC:84|172.17.0.120|
|ACCEPT|br0|EC:9A:74:F5:AA:D6|172.17.0.120|
|ACCEPT|br0|60:67:20:00:58:4E|172.17.0.121|
|ACCEPT|br0|A0:B3:CC:C5:65:41|172.17.0.121|
|ACCEPT|br0|20:10:7A:1A:8E:7C|172.17.0.122|
|ACCEPT|br0|E4:11:5B:45:DA:7B|172.17.0.122|
|ACCEPT|br0|A0:CE:C8:33:50:9D|172.17.0.123|
|ACCEPT|br0|32:46:F0:61:64:E7|172.17.0.13|
|ACCEPT|br0|02:F7:6A:18:01:75|172.17.0.14|
|ACCEPT|br0|A6:65:45:CB:88:D1|172.17.0.15|
|ACCEPT|br0|82:DF:A1:2C:F9:79|172.17.0.150|
|ACCEPT|br0|70:70:0D:20:16:4A|172.17.0.151|
|ACCEPT|br0|18:70:3B:AF:F0:65|172.17.0.152|
|ACCEPT|br0|B8:F6:B1:EB:17:1B|172.17.0.153|
|ACCEPT|br0|70:48:0F:CD:B1:77|172.17.0.154|
|ACCEPT|br0|C0:B6:58:40:37:4E|172.17.0.155|
|ACCEPT|br0|10:4E:89:BC:E7:49|172.17.0.157|
|ACCEPT|br0|92:CC:17:9D:11:69|172.17.0.17|
|ACCEPT|br0|00:11:32:A6:F3:4F|172.17.0.18|
|ACCEPT|br0|46:F4:19:C1:7A:1F|172.17.0.180|
|ACCEPT|br0|92:D9:05:CA:34:32|172.17.0.181|
|ACCEPT|br0|00:11:32:A6:F3:50|172.17.0.19|
|ACCEPT|br0|00:50:7F:F0:F0:96|172.17.0.2|
|ACCEPT|br0|6A:E9:74:9E:F7:EF|172.17.0.225|
|ACCEPT|br0|08:EC:A9:52:FC:98|172.17.0.241|
|ACCEPT|br0|34:12:F9:EF:5C:2D|172.17.0.242|
|ACCEPT|br0|3C:6A:9D:01:07:F1|172.17.0.28|
|ACCEPT|br0|7C:DD:90:FD:0D:F8|172.17.0.29|
|ACCEPT|br0|30:D3:2D:3A:0E:2A|172.17.0.3|
|ACCEPT|br0|00:25:36:96:DD:AC|172.17.0.30|
|ACCEPT|br0|14:8F:21:C3:19:6F|172.17.0.31|
|ACCEPT|br0|AC:CF:23:F1:F3:B2|172.17.0.32|
|ACCEPT|br0|00:80:E1:C9:9A:9B|172.17.0.33|
|ACCEPT|br0|F4:06:8D:CB:01:F0|172.17.0.4|
|ACCEPT|br0|00:0E:58:BC:3C:B2|172.17.0.50|
|ACCEPT|br0|B8:E9:37:88:87:32|172.17.0.51|
|ACCEPT|br0|00:0E:58:9C:E9:AE|172.17.0.52|
|ACCEPT|br0|CC:98:8B:89:20:4C|172.17.0.53|
|ACCEPT|br0|20:C6:EB:3F:6B:E1|172.17.0.54|
|ACCEPT|br0|48:A6:B8:EC:44:6A|172.17.0.55|
|ACCEPT|br0|BC:60:A7:3B:BA:FA|172.17.0.56|
|ACCEPT|br0|60:12:8B:AA:4B:75|172.17.0.57|
|ACCEPT|br0|04:03:D6:53:B7:8E|172.17.0.58|
|ACCEPT|br0|54:84:7B:00:29:76|172.17.0.59|
|ACCEPT|br0|5C:AA:FD:5F:DD:72|172.17.0.60|
|ACCEPT|br0|BC:30:7D:2F:0D:69|172.17.0.61|
|ACCEPT|br0|00:1D:AA:9F:E9:00|172.17.0.7|
|ACCEPT|br0|00:1D:AA:9F:4E:54|172.17.0.8|
|ACCEPT|br0|00:1D:AA:9F:60:7C|172.17.0.9|

expand-template /etc/shorewall/hosts
gives no error

Force GREEN + RED mode with only one interface
loc br0:127.0.0.1/32
loc br0:172.17.0.0/24

50objects

Does shorewall start if MAC validation is disabled? In this case the /etc/shorewall/maclist should be empty.

All dead here - NS DNS down … don't know what happened - used 8.8.8.8 as DNS manually on the client side to have internet access at all

No, validation was re-enabled, I do not know how. At least it was not by intention. Now I am sure that it is disabled and the maclist is empty.

Is it working now, are all services started?

shorewall seems to run and can be restarted, loolwsd is still down

Some other services are down, but are obviously not important.

OK, let’s check loolwsd log:

cat /var/log/messages | grep lool

Whatever I do:

DHCP - Change a host description / MAC address / IP
DNS - Add a DNS record
Firewall - Change any setting
Web Proxy / VHost - Change something there

I get an error on the firewall.
Here is a typical error message:

Or in the old server manager:
Aufgabe mit Fehler abgeschlossen

Configuring shorewall #43 (Exit Status 1)
    Compiling using Shorewall 5.1.10.2...
    Processing /etc/shorewall/params ...
    Processing /etc/shorewall/shorewall.conf...
    Loading Modules...
    Compiling /etc/shorewall/zones...
    Compiling /etc/shorewall/interfaces...
    Compiling /etc/shorewall/hosts...
    Determining Hosts in Zones...
       WARNING: *** blue is an EMPTY ZONE *** /etc/shorewall/hosts (EOF)
    Locating Action Files...
    Compiling /etc/shorewall/policy...
    Running /etc/shorewall/initdone...
    Adding Anti-smurf Rules
    Adding rules for DHCP
    Compiling TCP Flags filtering...
    Compiling Kernel Route Filtering...
    Compiling Martian Logging...
    Compiling MAC Filtration -- Phase 1...
    Compiling /etc/shorewall/maclist...
       ERROR: No hosts on br0 have the maclist option specified /etc/shorewall/maclist (line 22)

I copy the command and paste it to putty terminal:
echo '{"action":"update-reservation","name":"Ebb-H01","MacAddress":"00:09:52:01:cf:88","IpAddress":"172.17.0.20","Description":"Auerswald TK Anlage"}' | /usr/bin/setsid /usr/bin/sudo /usr/libexec/nethserver/api/system-dhcp/update | jq

Mar 8 17:56:02 ebb-s01 /sbin/e-smith/db[4402]: /var/lib/nethserver/db/hosts: OLD Ebb-H01=local|Description|Auerswald TK Anlage|IpAddress|172.17.0.20|MacAddress|00:09:52:01:cf:88
Mar 8 17:56:02 ebb-s01 /sbin/e-smith/db[4402]: /var/lib/nethserver/db/hosts: NEW Ebb-H01=local
Mar 8 17:56:02 ebb-s01 /sbin/e-smith/db[4402]: /var/lib/nethserver/db/hosts: OLD Ebb-H01=local
Mar 8 17:56:02 ebb-s01 /sbin/e-smith/db[4402]: /var/lib/nethserver/db/hosts: NEW Ebb-H01=local|Description|Auerswald TK Anlage
Mar 8 17:56:02 ebb-s01 /sbin/e-smith/db[4402]: /var/lib/nethserver/db/hosts: OLD Ebb-H01=local|Description|Auerswald TK Anlage
Mar 8 17:56:02 ebb-s01 /sbin/e-smith/db[4402]: /var/lib/nethserver/db/hosts: NEW Ebb-H01=local|Description|Auerswald TK Anlage|IpAddress|172.17.0.20
Mar 8 17:56:02 ebb-s01 /sbin/e-smith/db[4402]: /var/lib/nethserver/db/hosts: OLD Ebb-H01=local|Description|Auerswald TK Anlage|IpAddress|172.17.0.20
Mar 8 17:56:02 ebb-s01 /sbin/e-smith/db[4402]: /var/lib/nethserver/db/hosts: NEW Ebb-H01=local|Description|Auerswald TK Anlage|IpAddress|172.17.0.20|MacAddress|00:09:52:01:cf:88
Mar 8 17:56:02 ebb-s01 esmith::event[4403]: Event: host-modify
Mar 8 17:56:02 ebb-s01 esmith::event[4403]: expanding /etc/hosts
Mar 8 17:56:02 ebb-s01 esmith::event[4403]: expanding /etc/dnsmasq-dhcp-hosts
Mar 8 17:56:02 ebb-s01 esmith::event[4403]: expanding /etc/dnsmasq.conf
Mar 8 17:56:02 ebb-s01 esmith::event[4403]: expanding /etc/cockpit-user/cockpit/cockpit.conf
Mar 8 17:56:02 ebb-s01 esmith::event[4403]: expanding /etc/httpd/conf.d/default-virtualhost.inc
Mar 8 17:56:02 ebb-s01 esmith::event[4403]: Action: /etc/e-smith/events/actions/generic_template_expand SUCCESS [0.236361]
Mar 8 17:56:02 ebb-s01 systemd: Reloading.
Mar 8 17:56:02 ebb-s01 systemd: [/usr/lib/systemd/system/netdata.service:72] Unknown lvalue 'ProtectControlGroups' in section 'Service'
Mar 8 17:56:02 ebb-s01 esmith::event[4403]: [INFO] service dnsmasq restart
Mar 8 17:56:02 ebb-s01 systemd: Stopping DNS caching server...
Mar 8 17:56:02 ebb-s01 dnsmasq[2602]: exiting on receipt of SIGTERM
Mar 8 17:56:02 ebb-s01 systemd: Stopped DNS caching server...
Mar 8 17:56:02 ebb-s01 systemd: Starting DNS caching server...
Mar 8 17:56:02 ebb-s01 systemd: Started DNS caching server...
Mar 8 17:56:02 ebb-s01 esmith::event[4403]: Action: /etc/e-smith/events/actions/adjust-services SUCCESS [0.37141]
Mar 8 17:56:02 ebb-s01 dnsmasq[4440]: started, version 2.76 cachesize 4000
Mar 8 17:56:02 ebb-s01 dnsmasq[4440]: compile time options: IPv6 GNU-getopt DBus no-i18n IDN DHCP DHCPv6 no-Lua TFTP no-conntrack ipset auth nettlehash no-DNSSEC loop-detect inotify
Mar 8 17:56:02 ebb-s01 dnsmasq-dhcp[4440]: DHCP, IP range 172.17.0.200 -- 172.17.0.240, lease time 1d
Mar 8 17:56:02 ebb-s01 dnsmasq-tftp[4440]: TFTP root is /var/lib/tftpboot
Mar 8 17:56:02 ebb-s01 dnsmasq[4440]: using nameserver 172.17.0.13#53 for domain ad.myserver.tld
Mar 8 17:56:02 ebb-s01 dnsmasq[4440]: using nameserver 8.8.4.4#53
Mar 8 17:56:02 ebb-s01 dnsmasq[4440]: using nameserver 146.228.101.20#53
Mar 8 17:56:02 ebb-s01 dnsmasq[4440]: read /etc/hosts - 68 addresses
Mar 8 17:56:02 ebb-s01 dnsmasq-dhcp[4440]: read /etc/dnsmasq-dhcp-hosts
Mar 8 17:56:02 ebb-s01 esmith::event[4442]: Event: nethserver-firewall-base-save host-modify
Mar 8 17:56:02 ebb-s01 esmith::event[4442]: Action: /etc/e-smith/events/nethserver-firewall-base-save/S02providers-cleanup SUCCESS [0.08466]
Mar 8 17:56:03 ebb-s01 esmith::event[4442]: expanding /etc/firehol/fireqos.conf
Mar 8 17:56:03 ebb-s01 esmith::event[4442]: expanding /etc/lsm/lsm.conf
Mar 8 17:56:03 ebb-s01 esmith::event[4442]: expanding /etc/shorewall/actions
Mar 8 17:56:03 ebb-s01 esmith::event[4442]: expanding /etc/shorewall/blrules
Mar 8 17:56:03 ebb-s01 esmith::event[4442]: expanding /etc/shorewall/conntrack
Mar 8 17:56:03 ebb-s01 esmith::event[4442]: expanding /etc/shorewall/findgw
Mar 8 17:56:03 ebb-s01 esmith::event[4442]: expanding /etc/shorewall/helpers
Mar 8 17:56:03 ebb-s01 esmith::event[4442]: expanding /etc/shorewall/hosts
Mar 8 17:56:03 ebb-s01 esmith::event[4442]: expanding /etc/shorewall/initdone
Mar 8 17:56:03 ebb-s01 esmith::event[4442]: expanding /etc/shorewall/interfaces
Mar 8 17:56:03 ebb-s01 esmith::event[4442]: expanding /etc/shorewall/maclist
Mar 8 17:56:03 ebb-s01 esmith::event[4442]: expanding /etc/shorewall/mangle
Mar 8 17:56:03 ebb-s01 esmith::event[4442]: expanding /etc/shorewall/masq
Mar 8 17:56:03 ebb-s01 esmith::event[4442]: expanding /etc/shorewall/modules
Mar 8 17:56:03 ebb-s01 esmith::event[4442]: expanding /etc/shorewall/nat
Mar 8 17:56:03 ebb-s01 esmith::event[4442]: expanding /etc/shorewall/policy
Mar 8 17:56:03 ebb-s01 esmith::event[4442]: expanding /etc/shorewall/providers
Mar 8 17:56:03 ebb-s01 esmith::event[4442]: expanding /etc/shorewall/rtrules
Mar 8 17:56:03 ebb-s01 esmith::event[4442]: expanding /etc/shorewall/rules
Mar 8 17:56:03 ebb-s01 esmith::event[4442]: expanding /etc/shorewall/shorewall.conf
Mar 8 17:56:03 ebb-s01 esmith::event[4442]: expanding /etc/shorewall/snat
Mar 8 17:56:03 ebb-s01 esmith::event[4442]: expanding /etc/shorewall/stopped
Mar 8 17:56:03 ebb-s01 esmith::event[4442]: expanding /etc/shorewall/stoppedrules
Mar 8 17:56:03 ebb-s01 esmith::event[4442]: expanding /etc/shorewall/tcinterfaces
Mar 8 17:56:03 ebb-s01 esmith::event[4442]: expanding /etc/shorewall/tcpri
Mar 8 17:56:03 ebb-s01 esmith::event[4442]: expanding /etc/shorewall/tunnels
Mar 8 17:56:03 ebb-s01 esmith::event[4442]: expanding /etc/shorewall/zones
Mar 8 17:56:03 ebb-s01 esmith::event[4442]: expanding /etc/fail2ban/jail.local
Mar 8 17:56:03 ebb-s01 esmith::event[4442]: expanding /var/www/html/wpad.dat
Mar 8 17:56:03 ebb-s01 esmith::event[4442]: Action: /etc/e-smith/events/actions/generic_template_expand SUCCESS [0.66772]
Mar 8 17:56:03 ebb-s01 systemd: Reloading.
Mar 8 17:56:03 ebb-s01 systemd: [/usr/lib/systemd/system/netdata.service:72] Unknown lvalue 'ProtectControlGroups' in section 'Service'
Mar 8 17:56:04 ebb-s01 root: ERROR:Shorewall restart failed
Mar 8 17:56:04 ebb-s01 esmith::event[4442]: [ERROR] Shorewall restart: Compiling using Shorewall 5.1.10.2...
Mar 8 17:56:04 ebb-s01 esmith::event[4442]: Processing /etc/shorewall/params ...
Mar 8 17:56:04 ebb-s01 esmith::event[4442]: Processing /etc/shorewall/shorewall.conf...
Mar 8 17:56:04 ebb-s01 esmith::event[4442]: Loading Modules...
Mar 8 17:56:04 ebb-s01 esmith::event[4442]: Compiling /etc/shorewall/zones...
Mar 8 17:56:04 ebb-s01 esmith::event[4442]: Compiling /etc/shorewall/interfaces...
Mar 8 17:56:04 ebb-s01 esmith::event[4442]: Compiling /etc/shorewall/hosts...
Mar 8 17:56:04 ebb-s01 esmith::event[4442]: Determining Hosts in Zones...
Mar 8 17:56:04 ebb-s01 esmith::event[4442]: Locating Action Files...
Mar 8 17:56:04 ebb-s01 esmith::event[4442]: Compiling /etc/shorewall/policy...
Mar 8 17:56:04 ebb-s01 esmith::event[4442]: Running /etc/shorewall/initdone...
Mar 8 17:56:04 ebb-s01 esmith::event[4442]: Adding Anti-smurf Rules
Mar 8 17:56:04 ebb-s01 esmith::event[4442]: Adding rules for DHCP
Mar 8 17:56:04 ebb-s01 esmith::event[4442]: Compiling TCP Flags filtering...
Mar 8 17:56:04 ebb-s01 esmith::event[4442]: Compiling Kernel Route Filtering...
Mar 8 17:56:04 ebb-s01 esmith::event[4442]: Compiling Martian Logging...
Mar 8 17:56:04 ebb-s01 esmith::event[4442]: Compiling MAC Filtration -- Phase 1...
Mar 8 17:56:04 ebb-s01 esmith::event[4442]: Compiling /etc/shorewall/maclist...
Mar 8 17:56:04 ebb-s01 esmith::event[4442]: ERROR: No hosts on br0 have the maclist option specified /etc/shorewall/maclist (line 22)
Mar 8 17:56:04 ebb-s01 esmith::event[4442]: Action: /etc/e-smith/events/nethserver-firewall-base-save/S89nethserver-shorewall-restart FAILED: 1 [0.679502]
Mar 8 17:56:04 ebb-s01 systemd: Reloading.
Mar 8 17:56:04 ebb-s01 systemd: [/usr/lib/systemd/system/netdata.service:72] Unknown lvalue 'ProtectControlGroups' in section 'Service'
Mar 8 17:56:04 ebb-s01 esmith::event[4442]: [INFO] service fail2ban restart
Mar 8 17:56:04 ebb-s01 systemd: Stopping Fail2Ban Service...
Mar 8 17:56:05 ebb-s01 fail2ban-client: Shutdown successful
Mar 8 17:56:05 ebb-s01 systemd: Stopped Fail2Ban Service.
Mar 8 17:56:05 ebb-s01 systemd: Starting Fail2Ban Service...
Mar 8 17:56:05 ebb-s01 systemd: Started Fail2Ban Service.
Mar 8 17:56:05 ebb-s01 systemd: Reloading.
Mar 8 17:56:05 ebb-s01 systemd: [/usr/lib/systemd/system/netdata.service:72] Unknown lvalue 'ProtectControlGroups' in section 'Service'
Mar 8 17:56:05 ebb-s01 esmith::event[4442]: [INFO] service lsm is disabled: skipped
Mar 8 17:56:05 ebb-s01 esmith::event[4442]: Action: /etc/e-smith/events/actions/adjust-services SUCCESS [1.369072]
Mar 8 17:56:05 ebb-s01 esmith::event[4442]: Event: nethserver-firewall-base-save FAILED
Mar 8 17:56:05 ebb-s01 esmith::event[4403]: Action: /etc/e-smith/events/host-modify/S95firewall-adjust FAILED: 1 [2.87939]
Mar 8 17:56:05 ebb-s01 esmith::event[4403]: Event: host-modify FAILED
Mar 8 17:56:06 ebb-s01 fail2ban-server: Server ready

Seems the same error Dominik dealt with:

I found this note explaining what can cause the error:

ERROR: No hosts on <interface> have the maclist option specified
The named <interface> appears in a record in /etc/shorewall/maclist yet that interface’s record in /etc/shorewall/interfaces does not specify the maclist option and no record in /etc/shorewall/hosts that names that interface includes the maclist option.
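A small consistency check for those three files, as an added example (not NethServer's or Shorewall's own code): it reports an interface named in maclist that carries the maclist option in neither interfaces nor hosts (the cause of this error), MACs listed twice, and IPs shared by several MACs like the laptop entries posted above. The three sample files are constructed, and the check assumes the usual whitespace-separated layout and hosts entries of the form interface:network.

```shell
#!/bin/sh
# Consistency check for a Shorewall maclist (added example, not NethServer's code).
# The three files below are constructed samples; on a server they are /etc/shorewall/{maclist,interfaces,hosts}.
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT

cat > "$WORK/maclist" <<'EOF'
#DISPOSITION INTERFACE MAC               ADDRESSES
ACCEPT       br0       00:1D:AA:F7:1E:20 172.17.0.1
ACCEPT       br0       08:11:96:A0:FC:84 172.17.0.120
ACCEPT       br0       EC:9A:74:F5:AA:D6 172.17.0.120
ACCEPT       br0       00:1d:aa:f7:1e:20 172.17.0.2
EOF
cat > "$WORK/interfaces" <<'EOF'
?FORMAT 2
#ZONE INTERFACE OPTIONS
loc   br0       dhcp,routeback
EOF
cat > "$WORK/hosts" <<'EOF'
#ZONE HOST(S)            OPTIONS
loc   br0:172.17.0.0/24
EOF

# awk guard: skip blank lines, comments and ?directives
SKIP='NF && $1 !~ /^[#?]/'

# Interfaces named in column 2 of maclist
maclist_ifaces() { awk "$SKIP"' {print $2}' "$1/maclist" | sort -u; }

# True when the interface carries the maclist option in interfaces (any column from 3 on,
# so FORMAT 1 and FORMAT 2 both work) or in a hosts entry of the form iface:network
iface_has_maclist() {
  awk -v i="$2" "$SKIP"' && $2==i {for(n=3;n<=NF;n++) if(","$n"," ~ /,maclist,/) f=1} END{exit !f}' "$1/interfaces" ||
  awk -v i="$2" "$SKIP"' && index($2,i":")==1 {for(n=3;n<=NF;n++) if(","$n"," ~ /,maclist,/) f=1} END{exit !f}' "$1/hosts"
}

# Interfaces that would trigger "No hosts on <iface> have the maclist option specified"
maclist_unchecked_ifaces() {
  for ifc in $(maclist_ifaces "$1"); do iface_has_maclist "$1" "$ifc" || echo "$ifc"; done
}
# MACs listed more than once (compared case-insensitively)
maclist_dup_macs() { awk "$SKIP"' {print toupper($3)}' "$1/maclist" | sort | uniq -d; }
# IPs mapped to several MACs: allowed, just worth seeing (the WLAN/Ethernet laptop case)
maclist_shared_ips() { awk "$SKIP"' && NF>=4 {print $4}' "$1/maclist" | sort | uniq -d; }

maclist_report() {
  rc=0
  for i in $(maclist_unchecked_ifaces "$1"); do echo "ERROR: $i is in maclist but has no maclist option in interfaces or hosts"; rc=1; done
  for m in $(maclist_dup_macs "$1"); do echo "ERROR: MAC $m appears more than once"; rc=1; done
  for a in $(maclist_shared_ips "$1"); do echo "NOTE: $a is mapped to more than one MAC"; done
  return $rc
}

maclist_report "$WORK" || echo "maclist check failed"
```

On a NethServer the fix for the ERROR line is the one the note describes: the hosts (or interfaces) entry for br0 has to carry the maclist option, which the check confirms once that option is present.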


Value comes from upstream netdata package. It is a safety measure regarding access to cgroups. Probably just a warning and not a show stopper. Regardless, temporarily commenting that line in the service file and restarting the service will give you a conclusive answer.


Hi Mark,

Thank you in advance, I will give it a try. But, sorry, what line do you mean to comment out in which file?

TIA
Thorsten

I guess this is not a problem (not a show stopper), but if you want to make sure…
I think these could be the steps but haven’t checked them:

ls /etc/systemd/system/netdata.service*
# probably empty result

systemctl edit --full netdata.service
# comment out line 72, the one saying ProtectControlGroups...
# save and close the file

systemctl daemon-reload

To revert the changes:

ls /etc/systemd/system/netdata.service*
rm /etc/systemd/system/netdata.service
systemctl daemon-reload

Main problem could be the one related to the maclist (see previous description).

Sorry, no impact observed - errors are still the same - however there was a cleanup file in /etc/systemd/system/netdata.service.d which I left unchanged.
Also I edited netdata.service directly instead of using systemctl edit, including a subsequent restart of the service.

Does the server have two network interfaces (act as gateway) ?

“yes and no”:

  • I never had a red interface on the server, but firewall was working
  • I added a red interface for trial purposes but it did not work either
  • firewall functionality is not only required for green / blue / orange / red interfaces, but also for MAC validation (which is / was on the green interface): it does e.g. check the existence of an IP if you try to assign it to a MAC address.

TIA
Thorsten


@mrmarkuz

This is getting even more weird - now it looks like the DHCP does not work correctly:

Today I got a new monitor with a USB-C docking station. I removed the old USB-C dock from the network and attached my laptop to the monitor. Then I moved the Ethernet cable from the old dock to the new dock. Consequently my laptop gets a new IP, this time leased instead of assigned by MAC. Now I wanted to change the MAC for the IP assignment from the old dock to the new dock. It does not work. My laptop does not change the IP and on NethServer there are now two MAC addresses for one IP - I can not delete the old one. It starts to re-appear again and again.

But the dock is removed!!!
TIA
Thorsten

You may remove the host on command line:

Show hosts:

db hosts show

Delete:

db hosts delete <HOSTNAME>

Apply config:

signal-event nethserver-dnsmasq-save

Maybe you need to change/remove leases, they are saved in /var/lib/dnsmasq/dnsmasq.leases. To edit the leases, stop the dnsmasq service, edit the file and start the service again.
