denn0n (Tux's lil' helper)
Joined: 24 May 2020, Posts: 87
Posted: Tue Nov 30, 2021 7:13 pm
Post subject: firewalld fails to add new rules
Hi, I'm trying to set up firewalld correctly; now when I try to assign an interface to a zone I get
Code:
firewall-cmd --zone=public --add-interface=wlp1s0
Error: COMMAND_FAILED: 'python-nftables' failed:
JSON blob:
{"nftables": [{"metainfo": {"json_schema_version": 1}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_IN_public", "index": 6, "expr": [{"match": {"left": {"meta": {"key": "l4proto"}}, "op": "==", "right": {"set": ["icmp", "icmpv6"]}}}, {"accept": null}]}}}, {"insert": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_INPUT_ZONES", "expr": [{"match": {"left": {"meta": {"key": "iifname"}}, "op": "==", "right": "wlp1s0"}}, {"goto": {"target": "filter_IN_public"}}]}}}, {"insert": {"rule": {"family": "inet", "table": "firewalld", "chain": "nat_POSTROUTING_ZONES", "expr": [{"match": {"left": {"meta": {"key": "oifname"}}, "op": "==", "right": "wlp1s0"}}, {"goto": {"target": "nat_POST_public"}}]}}}, {"insert": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FORWARD_ZONES", "expr": [{"match": {"left": {"meta": {"key": "iifname"}}, "op": "==", "right": "wlp1s0"}}, {"goto": {"target": "filter_FWD_public"}}]}}}, {"insert": {"rule": {"family": "inet", "table": "firewalld", "chain": "nat_PREROUTING_ZONES", "expr": [{"match": {"left": {"meta": {"key": "iifname"}}, "op": "==", "right": "wlp1s0"}}, {"goto": {"target": "nat_PRE_public"}}]}}}, {"insert": {"rule": {"family": "inet", "table": "firewalld", "chain": "mangle_PREROUTING_ZONES", "expr": [{"match": {"left": {"meta": {"key": "iifname"}}, "op": "==", "right": "wlp1s0"}}, {"goto": {"target": "mangle_PRE_public"}}]}}}]}
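The JSON blob in that error is the batch firewalld hands to libnftables (the nftables JSON API), and it is easier to audit once each operation is rendered in nft-like syntax. The following is an added example, not code from the post or from firewalld: it pulls the blob out of the error text and summarises every rule operation (command, family/table/chain, optional index, and the match/verdict expression). The sample error text is constructed from the first post, abbreviated to three of its six operations; the helper names are the example's own.

```python
import json

# Constructed sample: the error output from the first post, abbreviated to three
# of its six operations. The structure is exactly what firewalld prints.
SAMPLE_ERROR = r'''Error: COMMAND_FAILED: 'python-nftables' failed:
JSON blob:
{"nftables": [{"metainfo": {"json_schema_version": 1}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_IN_public", "index": 6, "expr": [{"match": {"left": {"meta": {"key": "l4proto"}}, "op": "==", "right": {"set": ["icmp", "icmpv6"]}}}, {"accept": null}]}}}, {"insert": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_INPUT_ZONES", "expr": [{"match": {"left": {"meta": {"key": "iifname"}}, "op": "==", "right": "wlp1s0"}}, {"goto": {"target": "filter_IN_public"}}]}}}, {"insert": {"rule": {"family": "inet", "table": "firewalld", "chain": "nat_POSTROUTING_ZONES", "expr": [{"match": {"left": {"meta": {"key": "oifname"}}, "op": "==", "right": "wlp1s0"}}, {"goto": {"target": "nat_POST_public"}}]}}}]}
'''

VERDICTS = ("accept", "drop", "reject", "return")


def extract_blob(error_text):
    """Return the JSON document that follows the 'JSON blob:' marker in firewalld's error text."""
    lines = error_text.splitlines()
    for i, line in enumerate(lines):
        if line.strip() == "JSON blob:" and i + 1 < len(lines):
            return lines[i + 1].strip()
    raise ValueError("no 'JSON blob:' marker found in error text")


def render_operand(operand):
    """Render one side of a match expression in nft-like syntax."""
    if isinstance(operand, dict):
        if "meta" in operand:                       # e.g. {"meta": {"key": "iifname"}}
            return operand["meta"]["key"]
        if "payload" in operand:                    # e.g. {"payload": {"protocol": "tcp", "field": "dport"}}
            p = operand["payload"]
            return f"{p.get('protocol', '?')} {p.get('field', '?')}"
        if "set" in operand:                        # anonymous set literal
            return "{ " + ", ".join(str(v) for v in operand["set"]) + " }"
        if "prefix" in operand:                     # address prefix
            return f"{operand['prefix']['addr']}/{operand['prefix']['len']}"
        return json.dumps(operand, sort_keys=True)  # anything else: keep it visible, unchanged
    return str(operand)


def render_expr(expr):
    """Render a rule's expression list as one line of nft-like text."""
    parts = []
    for item in expr:
        if "match" in item:
            m = item["match"]
            parts.append(f"{render_operand(m['left'])} {m['op']} {render_operand(m['right'])}")
        elif "goto" in item:
            parts.append(f"goto {item['goto']['target']}")
        elif "jump" in item:
            parts.append(f"jump {item['jump']['target']}")
        elif any(v in item for v in VERDICTS):
            parts.append(next(v for v in VERDICTS if v in item))
        else:
            parts.append(json.dumps(item, sort_keys=True))
    return " ".join(parts)


def summarize_blob(blob_text):
    """Return one human-readable line per rule operation in the nftables JSON batch."""
    doc = json.loads(blob_text)
    lines = []
    for cmd in doc["nftables"]:
        if "metainfo" in cmd:                        # schema header, not an operation
            continue
        (op, payload), = cmd.items()                 # each command is a single-key object
        if "rule" not in payload:                    # table/chain/set ops: show them raw
            lines.append(f"{op} {json.dumps(payload, sort_keys=True)}")
            continue
        rule = payload["rule"]
        where = f"{rule['family']} {rule['table']} {rule['chain']}"
        if "index" in rule:
            where += f" index {rule['index']}"
        lines.append(f"{op} rule {where}: {render_expr(rule.get('expr', []))}")
    return lines


if __name__ == "__main__":
    for line in summarize_blob(extract_blob(SAMPLE_ERROR)):
        print(line)
```

Reading the rendered lines makes the failing batch legible at a glance: an `add` at `index 6` in `filter_IN_public` plus a series of `insert`s that route `wlp1s0` traffic to the `public` zone chains. Because the whole batch is applied atomically, a single unsupported expression (for example a kernel lacking the nf_tables feature a rule needs) fails the entire batch, which is why the error reports all six operations rather than one.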
alamahant (Advocate)
Joined: 23 Mar 2019, Posts: 3879
Posted: Tue Nov 30, 2021 7:31 pm
Is firewalld built with USE="nftables iptables"?
If yes then switch the backend like this:
In /etc/firewalld/firewalld.conf set FirewallBackend to iptables.
And check if it works.
Then preferably rebuild it with only USE="iptables", although it is considered obsolete.
Last edited by alamahant on Tue Nov 30, 2021 7:54 pm; edited 1 time in total
denn0n (Tux's lil' helper)
Joined: 24 May 2020, Posts: 87
Posted: Tue Nov 30, 2021 7:51 pm
Post subject: Thank you, yes you were right alamahant
alamahant wrote:
> Is firewalld built with USE="nftables iptables"?
> If yes then switch the backend like this:
> In /etc/firewalld/firewalld.conf set FirewallBackend to iptables.
> And check if it works.
> Then preferably rebuild it with only USE="iptables"
I did rebuild with USE="iptables" and I think that's fixed, but now it shows this:
Code:
firewall-cmd --zone=public --add-interface=wlp1s0
Error: COMMAND_FAILED: '/sbin/ip6tables-restore -w -n' failed: ip6tables-restore v1.8.7 (legacy): ip6tables-restore: unable to initialize table 'raw'
Error occurred at line: 5
Try `ip6tables-restore -h' or 'ip6tables-restore --help' for more information.
I'm reading about
alamahant (Advocate)
Joined: 23 Mar 2019, Posts: 3879
Posted: Tue Nov 30, 2021 7:56 pm
What is the output of
denn0n (Tux's lil' helper)
Joined: 24 May 2020, Posts: 87
Posted: Tue Nov 30, 2021 8:02 pm
alamahant wrote:
> What is the output of
Code:
iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED,DNAT
ACCEPT all -- anywhere anywhere
INPUT_direct all -- anywhere anywhere
INPUT_ZONES all -- anywhere anywhere
DROP all -- anywhere anywhere ctstate INVALID
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED,DNAT
ACCEPT all -- anywhere anywhere
FORWARD_direct all -- anywhere anywhere
FORWARD_ZONES all -- anywhere anywhere
DROP all -- anywhere anywhere ctstate INVALID
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
OUTPUT_direct all -- anywhere anywhere
OUTPUT_POLICIES_pre all -- anywhere anywhere
OUTPUT_POLICIES_post all -- anywhere anywhere

Chain FORWARD_POLICIES_post (2 references)
target prot opt source destination

Chain FORWARD_POLICIES_pre (2 references)
target prot opt source destination

Chain FORWARD_ZONES (1 references)
target prot opt source destination
FWD_public all -- anywhere anywhere [goto]
FWD_public all -- anywhere anywhere [goto]
FWD_public all -- anywhere anywhere [goto]
FWD_public all -- anywhere anywhere [goto]
FWD_trusted all -- anywhere anywhere [goto]
FWD_public all -- anywhere anywhere [goto]

Chain FORWARD_direct (1 references)
target prot opt source destination

Chain FWD_public (5 references)
target prot opt source destination
FORWARD_POLICIES_pre all -- anywhere anywhere
FWD_public_pre all -- anywhere anywhere
FWD_public_log all -- anywhere anywhere
FWD_public_deny all -- anywhere anywhere
FWD_public_allow all -- anywhere anywhere
FWD_public_post all -- anywhere anywhere
FORWARD_POLICIES_post all -- anywhere anywhere
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable

Chain FWD_public_allow (1 references)
target prot opt source destination

Chain FWD_public_deny (1 references)
target prot opt source destination

Chain FWD_public_log (1 references)
target prot opt source destination

Chain FWD_public_post (1 references)
target prot opt source destination

Chain FWD_public_pre (1 references)
target prot opt source destination

Chain FWD_trusted (1 references)
target prot opt source destination
FORWARD_POLICIES_pre all -- anywhere anywhere
FWD_trusted_pre all -- anywhere anywhere
FWD_trusted_log all -- anywhere anywhere
FWD_trusted_deny all -- anywhere anywhere
FWD_trusted_allow all -- anywhere anywhere
FWD_trusted_post all -- anywhere anywhere
FORWARD_POLICIES_post all -- anywhere anywhere
ACCEPT all -- anywhere anywhere

Chain FWD_trusted_allow (1 references)
target prot opt source destination

Chain FWD_trusted_deny (1 references)
target prot opt source destination

Chain FWD_trusted_log (1 references)
target prot opt source destination

Chain FWD_trusted_post (1 references)
target prot opt source destination

Chain FWD_trusted_pre (1 references)
target prot opt source destination

Chain INPUT_POLICIES_post (2 references)
target prot opt source destination

Chain INPUT_POLICIES_pre (2 references)
target prot opt source destination
IN_allow-host-ipv6 all -- anywhere anywhere

Chain INPUT_ZONES (1 references)
target prot opt source destination
IN_public all -- anywhere anywhere [goto]
IN_public all -- anywhere anywhere [goto]
IN_public all -- anywhere anywhere [goto]
IN_public all -- anywhere anywhere [goto]
IN_trusted all -- anywhere anywhere [goto]
IN_public all -- anywhere anywhere [goto]

Chain INPUT_direct (1 references)
target prot opt source destination

Chain IN_allow-host-ipv6 (1 references)
target prot opt source destination
IN_allow-host-ipv6_pre all -- anywhere anywhere
IN_allow-host-ipv6_log all -- anywhere anywhere
IN_allow-host-ipv6_deny all -- anywhere anywhere
IN_allow-host-ipv6_allow all -- anywhere anywhere
IN_allow-host-ipv6_post all -- anywhere anywhere

Chain IN_allow-host-ipv6_allow (1 references)
target prot opt source destination

Chain IN_allow-host-ipv6_deny (1 references)
target prot opt source destination

Chain IN_allow-host-ipv6_log (1 references)
target prot opt source destination

Chain IN_allow-host-ipv6_post (1 references)
target prot opt source destination

Chain IN_allow-host-ipv6_pre (1 references)
target prot opt source destination

Chain IN_public (5 references)
target prot opt source destination
INPUT_POLICIES_pre all -- anywhere anywhere
IN_public_pre all -- anywhere anywhere
IN_public_log all -- anywhere anywhere
IN_public_deny all -- anywhere anywhere
IN_public_allow all -- anywhere anywhere
IN_public_post all -- anywhere anywhere
INPUT_POLICIES_post all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable

Chain IN_public_allow (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh ctstate NEW,UNTRACKED
ACCEPT tcp -- anywhere anywhere tcp dpt:distcc ctstate NEW,UNTRACKED

Chain IN_public_deny (1 references)
target prot opt source destination

Chain IN_public_log (1 references)
target prot opt source destination

Chain IN_public_post (1 references)
target prot opt source destination

Chain IN_public_pre (1 references)
target prot opt source destination

Chain IN_trusted (1 references)
target prot opt source destination
INPUT_POLICIES_pre all -- anywhere anywhere
IN_trusted_pre all -- anywhere anywhere
IN_trusted_log all -- anywhere anywhere
IN_trusted_deny all -- anywhere anywhere
IN_trusted_allow all -- anywhere anywhere
IN_trusted_post all -- anywhere anywhere
INPUT_POLICIES_post all -- anywhere anywhere
ACCEPT all -- anywhere anywhere

Chain IN_trusted_allow (1 references)
target prot opt source destination

Chain IN_trusted_deny (1 references)
target prot opt source destination

Chain IN_trusted_log (1 references)
target prot opt source destination

Chain IN_trusted_post (1 references)
target prot opt source destination

Chain IN_trusted_pre (1 references)
target prot opt source destination

Chain OUTPUT_POLICIES_post (1 references)
target prot opt source destination

Chain OUTPUT_POLICIES_pre (1 references)
target prot opt source destination

Chain OUTPUT_direct (1 references)
target prot opt source destination
denn0n (Tux's lil' helper)
Joined: 24 May 2020, Posts: 87
Posted: Tue Nov 30, 2021 8:04 pm
alamahant wrote:
> What is the output of
I remember disabling IPv6 at some point while installing iptables.
denn0n (Tux's lil' helper)
Joined: 24 May 2020, Posts: 87
Posted: Tue Nov 30, 2021 8:08 pm
denn0n wrote:
> alamahant wrote:
> > What is the output of
> I remember disabling IPv6 at some point while installing iptables.
Oh no, I remember now: I did block the INPUT and FORWARD chains for IPv6 in iptables (set them to DROP). I did not mess with any configuration.
alamahant (Advocate)
Joined: 23 Mar 2019, Posts: 3879
Posted: Tue Nov 30, 2021 8:24 pm
Yes, I also installed firewalld right now on my OpenRC system.
Although I have a full iptables kernel .config, the damned thing would not start.
I think it is very temperamental.
Anyway, I found this kernel config
https://zigford.org/firewalld-kernel-requirements.html
to use with the nftables backend.
But maybe it's not a kernel thing at all.
denn0n (Tux's lil' helper)
Joined: 24 May 2020, Posts: 87
Posted: Tue Nov 30, 2021 8:41 pm
alamahant wrote:
> Yes, I also installed firewalld right now on my OpenRC system.
> Although I have a full iptables kernel .config, the damned thing would not start.
> I think it is very temperamental.
> Anyway, I found this kernel config
> https://zigford.org/firewalld-kernel-requirements.html
> to use with the nftables backend.
> But maybe it's not a kernel thing at all.
Yes, I also think it's very temperamental. I have spent some weeks trying to do this because I need to share the internet from my laptop. I will try something more before changing to nftables; I have never used it.
denn0n (Tux's lil' helper)
Joined: 24 May 2020, Posts: 87
Posted: Tue Nov 30, 2021 11:05 pm
alamahant wrote:
> Yes, I also installed firewalld right now on my OpenRC system.
> Although I have a full iptables kernel .config, the damned thing would not start.
> I think it is very temperamental.
> Anyway, I found this kernel config
> https://zigford.org/firewalld-kernel-requirements.html
> to use with the nftables backend.
> But maybe it's not a kernel thing at all.
Thank you! I couldn't; I will read about nftables.
pietinger (Moderator)
Joined: 17 Oct 2006, Posts: 4133, Location: Bavaria
Posted: Wed Dec 01, 2021 12:22 am
The only correct installation of a firewall is:
1. You put in ALL modules belonging to netfilter as <M> in your kernel (+ compile and install your kernel as always). Forget all information about needed kernel modules, because the needed modules depend on your FW configuration!
2. If you want to set up a firewall for a network (more than one ethernet port) don't forget to enable all needed ROUTING modules (e.g. "advanced router"); this is not needed for a personal FW.
3. You configure your firewall BEST with native "iptables" or "nftables" - don't use any "simple" solution from ufw or others. If you don't understand what you are doing then learn: networking (tcp, udp, icmp, ports, layers, IPv4, IPv6, DNAT, SNAT, ...) and at least do a "man iptables" or "man nftables".
4. If your FW is running you can do a "lsmod" and find out which kernel modules are really needed (the next time you configure your kernel you can unset all not needed modules).
As far as I can see your configuration is a mess ... don't use it until you understand what a firewall is able to do and NOT to do
(there is a German guide from me with iptables; and a translated English version in this forum).
denn0n (Tux's lil' helper)
Joined: 24 May 2020, Posts: 87
Posted: Fri Dec 03, 2021 6:33 pm
pietinger wrote:
> The only correct installation of a firewall is:
> 1. You put in ALL modules belonging to netfilter as <M> in your kernel (+ compile and install your kernel as always). Forget all information about needed kernel modules, because the needed modules depend on your FW configuration!
> 2. If you want to set up a firewall for a network (more than one ethernet port) don't forget to enable all needed ROUTING modules (e.g. "advanced router"); this is not needed for a personal FW.
> 3. You configure your firewall BEST with native "iptables" or "nftables" - don't use any "simple" solution from ufw or others. If you don't understand what you are doing then learn: networking (tcp, udp, icmp, ports, layers, IPv4, IPv6, DNAT, SNAT, ...) and at least do a "man iptables" or "man nftables".
> 4. If your FW is running you can do a "lsmod" and find out which kernel modules are really needed (the next time you configure your kernel you can unset all not needed modules).
> As far as I can see your configuration is a mess ... don't use it until you understand what a firewall is able to do and NOT to do
> (there is a German guide from me with iptables; and a translated English version in this forum).
Thank you for the reference!
I have been doing iptables for some time, but there is always something more to learn. I was thinking of installing firewalld since it's very useful to just set masquerade on a zone to share internet. At the moment it's working with iptables, but it wasn't, and I had to review and install some things like ipsec; setting up the network is one of the most intricate things to do, as I see it. If you could share the link to the guide it would be very appreciated.
alamahant (Advocate)
Joined: 23 Mar 2019, Posts: 3879
Posted: Fri Dec 03, 2021 6:59 pm
Ok, I made some progress.
It doesn't matter if you build firewalld with USE="-nftables"; you need both, i.e. the "nftables iptables" USE flags, for it to start.
I did that, and after setting the backend to iptables in firewalld.conf it starts!
Same when I set it to nftables.
Running firewall commands: no problem.
If you need to debug it, use something like
Code:
firewalld --nofork --debug=4 #### or 10
in one terminal, after having first stopped it, and then open another terminal and run your firewall-cmd commands.
Please see
https://firewalld.org/documentation/howto/debug-firewalld.html
sam_ (Developer)
Joined: 14 Aug 2020, Posts: 1678
Posted: Fri Dec 03, 2021 7:04 pm
alamahant wrote:
> Ok, I made some progress.
> It doesn't matter if you build firewalld with USE="-nftables"; you need both, i.e. the "nftables iptables" USE flags, for it to start.
> I did that, and after setting the backend to iptables in firewalld.conf it starts!
> Same when I set it to nftables.
> Running firewall commands: no problem.
> If you need to debug it, use something like
> Code:
> firewalld --nofork --debug=4 #### or 10
> in one terminal, after having first stopped it, and then open another terminal and run your firewall-cmd commands.
> Please see
> https://firewalld.org/documentation/howto/debug-firewalld.html
Sorry, I haven't been following this whole thing, but is there a change I need to make to the ebuild? If so, could you file a bug?
alamahant (Advocate)
Joined: 23 Mar 2019, Posts: 3879
Posted: Fri Dec 03, 2021 7:10 pm
sam_,
Do you think it's a bug?
I don't have the output because I closed that terminal, but it complained that it was trying to load an nftables Python module which could not be found, despite having set the backend to "iptables" in firewalld.conf.
So it seems that irrespective of using the nftables or iptables backend you DO need firewalld built with both.
Otherwise it will not start.
Should I rebuild it with only one, get the output and open a bug report?
Code:
Traceback (most recent call last):
File "/usr/sbin/firewalld", line 215, in <module>
main()
File "/usr/sbin/firewalld", line 210, in main
startup(args)
File "/usr/sbin/firewalld", line 163, in startup
from firewall.server import server
File "/usr/lib/python3.9/site-packages/firewall/server/server.py", line 40, in <module>
from firewall.server.firewalld import FirewallD
File "/usr/lib/python3.9/site-packages/firewall/server/firewalld.py", line 30, in <module>
from firewall.core.fw import Firewall
File "/usr/lib/python3.9/site-packages/firewall/core/fw.py", line 33, in <module>
from firewall.core import nftables
File "/usr/lib/python3.9/site-packages/firewall/core/nftables.py", line 35, in <module>
from nftables.nftables import Nftables
ModuleNotFoundError: No module named 'nftables'
But if nftables is present, irrespective of the presence or not of USE="nftables", it WILL start.
Ok, this is the culprit:
Code:
/usr/lib/python3.9/site-packages/firewall/core/fw.py
that mandates nftables irrespective of the chosen backend, thereby making the functionality of the portage USE flags redundant.
Summary: firewalld needs nftables installed irrespective of the backend chosen or the portage USE flags.
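The traceback above shows why the USE flag did not help: `firewall/core/fw.py` imports `firewall.core.nftables`, which imports the `nftables` Python binding at module load, before `FirewallBackend` is ever consulted. A cheap pre-start check catches this before the daemon fails. The following is an added example, not code from the thread or from firewalld: it reads the effective `FirewallBackend` value from a firewalld.conf text (last assignment wins, comments ignored, `nftables` assumed as the default when the key is absent, which matches firewalld's documented default) and reports whether the `nftables` binding is importable. The sample configuration is constructed; `preflight` and the other helper names are the example's own.

```python
import importlib.util

# Constructed sample of /etc/firewalld/firewalld.conf, trimmed to the lines that matter here.
SAMPLE_CONF = """\
# firewalld config file
DefaultZone=public
# FirewallBackend
# Selects the firewall backend implementation.
# Choices are:
#   - nftables (default)
#   - iptables (iptables, ip6tables, ebtables and ipset)
FirewallBackend=iptables
"""

# firewalld's documented default when FirewallBackend is not set.
DEFAULT_BACKEND = "nftables"
KNOWN_BACKENDS = ("nftables", "iptables")


def parse_backend(conf_text):
    """Return the effective FirewallBackend value from firewalld.conf text."""
    backend = DEFAULT_BACKEND
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):      # blank or comment
            continue
        key, sep, value = line.partition("=")
        if sep and key.strip() == "FirewallBackend":
            backend = value.strip()               # last assignment wins
    return backend


def nftables_binding_importable():
    """True if the 'nftables' Python package (the libnftables binding) can be imported."""
    return importlib.util.find_spec("nftables") is not None


def preflight(conf_text, binding_importable):
    """Return (backend, problems) for a firewalld.conf text and the binding's availability.

    The binding check applies to both backends because firewall.core.fw imports
    firewall.core.nftables unconditionally (see the traceback in the thread).
    """
    backend = parse_backend(conf_text)
    problems = []
    if backend not in KNOWN_BACKENDS:
        problems.append(f"unrecognised FirewallBackend value: {backend!r}")
    if not binding_importable:
        problems.append(
            "Python module 'nftables' is not importable; firewalld will fail at "
            "'from nftables.nftables import Nftables' regardless of FirewallBackend"
        )
    return backend, problems


if __name__ == "__main__":
    backend, problems = preflight(SAMPLE_CONF, nftables_binding_importable())
    print(f"FirewallBackend={backend}")
    for p in problems:
        print(f"PROBLEM: {p}")
    if not problems:
        print("preflight OK")
```

To check a real host, replace `SAMPLE_CONF` with the contents of `/etc/firewalld/firewalld.conf`; the module check then reports exactly the condition alamahant hit, independently of which backend is configured.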