Shorewall - Error (6010) in the line 20

v7

(Rodrigo Vieira Da Costa) #1

Hi!

On my servers, shorewall presents the error:

When line 20 is removed and the shorewall service is restarted, the service runs.

What is it?
Thanks!!


(James Nesbitt) #2

What is on line 20 in the /etc/shorewall/stoppedrules file?


(Rodrigo Vieira Da Costa) #3


(James Nesbitt) #4

Having the number 6010 there on its own does not look correct.

If you removed that line 20, I assume the shorewall reload works fine?


(Rodrigo Vieira Da Costa) #5

yes! works fine! but only in the server where the web proxy is configured… in other services, like a VM-only server, the service runs perfectly


(James Nesbitt) #6

Not sure what is putting that value in there to be honest, haven’t seen that occur before.


(Rodrigo Vieira Da Costa) #7

Okay, I just saw it happen recently in 03 servers that I installed … I’m also seeing the relationship with shorewall … I do not have anything configured as a 6010 port, I’m still researching a solution. Thank you!


(Marc) #8

Does this command return anything:

netstat -tunap |grep 6010

Do you use X11 forwarding with ssh?


(Rodrigo Vieira Da Costa) #9

Yes, X11 is activated


(Marc) #10

What’s the outcome of:

ss -nlp4t | grep sshd

(Rodrigo Vieira Da Costa) #11


(Marc) #12

cc/ @davidep @giacomo
The bug is in this script:


(Rodrigo Vieira Da Costa) #13

wow!!! great, man!!

How do we fix the bug and send the patch to the developers of nethserver?


(Marc) #14

Mmm… Good question. :sweat_smile: I don’t know the answer so I ask the same.

Do you want X11 forwarding available when the firewall is stopped/restarting?

stoppedrules — The Shorewall file that governs what traffic flows through the firewall while it is in the ‘stopped’ state.

What’s the outcome of:

echo `ss -nlp4t | grep sshd  | awk '{print \$4}' | cut -d':' -f 2`

P.S. Sorry, I don’t have x11 forwarding set up for testing


(Rodrigo Vieira Da Costa) #15


(Marc) #16

I don’t know much Perl, but it seems an easy fix is possible.
Maybe set ssh_port to an array and wrap the if statement within a (foreach) loop.
Do you have some experience with it?


(Rodrigo Vieira Da Costa) #17

I’ll go try to modify the script…


(Filippo Carletti) #18

Great finding, a really nasty bug.
I’d change the code like:

ss -nlp4t | grep sshd | grep -v 127\.0\.0\.1 | awk '{print $4}' | cut -d':' -f 2

to filter out sshd listening on localhost from X forwarding.
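
The failure and the fix from posts #14 and #18, reproduced offline as an added example that is not part of the original thread or NethServer's own script. The `ss` output is constructed sample data, and `is_single_port` is a hypothetical extra check that rejects a multi-line value before it reaches a rules file.

```bash
#!/bin/sh
# Constructed sample of `ss -nlp4t` output on a host where an ssh session
# with X11 forwarding is open: sshd listens on 22 and on 127.0.0.1:6010.
sample_ss() {
cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*  users:(("sshd",pid=1201,fd=3))
LISTEN 0      128    127.0.0.1:6010     0.0.0.0:*  users:(("sshd",pid=2344,fd=9))
LISTEN 0      100    127.0.0.1:25       0.0.0.0:*  users:(("master",pid=1500,fd=13))
EOF
}

# Pipeline quoted in post #14: every sshd listener is returned, one per line.
ports_original() {
    grep sshd | awk '{print $4}' | cut -d':' -f 2
}

# Pipeline suggested in post #18: loopback listeners are dropped first.
ports_filtered() {
    grep sshd | grep -v '127\.0\.0\.1' | awk '{print $4}' | cut -d':' -f 2
}

# Hypothetical guard (assumption, not from the thread): accept the value only
# if it is one numeric token in 1-65535. An embedded newline fails the test.
is_single_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

orig=$(sample_ss | ports_original)
fixed=$(sample_ss | ports_filtered)

printf 'original pipeline:\n%s\n' "$orig"
printf 'filtered pipeline:\n%s\n' "$fixed"

# The original value spans two lines, so the second port would land on a line
# of its own in the generated file, which matches the stray 6010 on line 20.
is_single_port "$orig"  || echo "original value rejected: not a single port"
is_single_port "$fixed" && echo "filtered value accepted: $fixed"
```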


(Filippo Carletti) #19

I did a test, replicated the problem and verified the fix.
Expect an update next week. Meanwhile you can keep your file modified as I suggested.


(Rodrigo Vieira Da Costa) #20

thanks, Filippo!! Great Help, Man!!!
Nethserver is a wonderful Linux Solution! Powerful!!!