any thoughts please folks?
Hardware: QEMU Standard PC (i440FX + PIIX, 1996)
CPU: Common KVM processor x 4
Kernel Release: 3.10.0-1160.90.1.el7.x86_64
Operating System: NethServer release 7.9.2009 (final)
What’s on line 53 of /etc/shorewall/mangle ?
Any recent firewall rule or custom template?
Apologies, here is /etc/shorewall/mangle
no changes of any type made to firewall in last 6 months
db fwrules show 18
Does the host object exist (with an IP address)?
db hosts show cwoffsite.ddns.net
[root@cwprod10v01 ~]# db hosts show cwoffsite.ddns.net
cwoffsite.ddns.net=host
Description=dynamic dns used for offsite edinburgh
IpAddress=;;
be=reached
connection=timed
out;=no
servers=could
[root@cwprod10v01 ~]#
If the firewall rule is still of use I believe that should have an IP address, and it is the cause of the problem with shorewall.
If no fixed IP is available and you are using some script to get and fill the IP address from a Dynamic DNS service, check that both the script and dyndns are working.
Someone else here pointed to the risk of DNS poisoning
Fail2ban : white list a FQDN and/or a CDIR
Firewall PortForwarding Question
Additional note: the db hosts entry is a bit mangled with invalid syntax and extra properties that should not be there.
Hi dnutan
I have no current requirement for communications with this address and am also not reliant on dynamic DNS, so I will look at removing references to this address etc.
Any idea how I get rid of references to cwoffsite.ddns.net? I can't find any obvious config from the GUI.
Maybe it was an item on old UI…
You can delete the host object and the firewall rule with:
db hosts delete cwoffsite.ddns.net
db fwrules delete 18
signal-event firewall-adjust
You can search for other leftovers with grep (but take care before deleting anything…, change the search term as you consider more appropriate):
grep -ri cwoffsite /etc/e-smith/db/
Also take a look at custom templates:
grep -ri cwoffsite /etc/e-smith/templates-custom/
…and cronjobs.
thank you dnutan - that last guidance did the trick - appreciated!
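A check for the condition diagnosed in this thread (a host object whose IpAddress is not a usable address), as an added example that is not part of the original posts. It reads text in the `db hosts show` layout quoted above; the function names, the sample records other than cwoffsite.ddns.net, and the assumption that `db hosts show` without a key lists every record in that layout are mine.

```shell
#!/bin/sh
# Added example: flag host objects whose IpAddress is missing or is not a
# literal IPv4 address. Input layout assumed: a "name=host" line followed by
# "Prop=value" lines, as in the "db hosts show" output quoted in the thread.
check_host_ips() {
    awk '
    function valid_ipv4(s,   n, p, i) {
        n = split(s, p, ".")
        if (n != 4) return 0
        for (i = 1; i <= 4; i++)
            if (p[i] !~ /^[0-9]+$/ || length(p[i]) > 3 || p[i] + 0 > 255) return 0
        return 1
    }
    function report() {
        if (name == "") return
        if (!seen) print name ": IpAddress missing"
        else if (!valid_ipv4(ip)) print name ": IpAddress invalid (\"" ip "\")"
    }
    { sub(/^[ \t]+/, ""); sub(/\r$/, "") }   # tolerate indented property lines
    /^[^=]+=host$/ {                         # header of a new host record
        report()
        name = $0; sub(/=host$/, "", name)
        seen = 0; ip = ""
        next
    }
    /^IpAddress=/ { seen = 1; ip = substr($0, length("IpAddress=") + 1) }
    END { report() }
    '
}

# Constructed sample: the first record is the one shown in the thread,
# the other two are made-up entries for comparison.
sample_records() {
    cat <<'EOF'
cwoffsite.ddns.net=host
    Description=dynamic dns used for offsite edinburgh
    IpAddress=;;
    be=reached
    connection=timed
    out;=no
    servers=could
printer.example.lan=host
    Description=constructed entry
    IpAddress=192.0.2.10
nas.example.lan=host
    Description=constructed entry without address
EOF
}

sample_records | check_host_ips
```

On the server itself the input would come from `db hosts show | check_host_ips`; any name it prints is worth checking against the firewall rules before the next `signal-event firewall-adjust`.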