Package: firewalld
Version: 0.9.3-2
Severity: important

I'm experiencing problems on a Sid system with firewalld and sshguard - firewalld does not seem happy with the sshguard config for some reason.

I set things up for sshguard a while ago and today happened to notice a problem when trying to add a temporary firewall rule while playing around with DLNA which resulted in an error...

`firewall-cmd --add-port=1900/udp` gave:

    Error: COMMAND_FAILED: 'python-nftables' failed: internal:0:0-0: Error: Could not process rule: No such file or directory

    JSON blob:
    {"nftables": [{"metainfo": {"json_schema_version": 1}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_IN_public_allow", "expr": [{"match": {"left": {"payload": {"protocol": "udp", "field": "dport"}}, "op": "==", "right": 1900}}, {"match": {"left": {"ct": {"key": "state"}}, "op": "in", "right": {"set": ["new", "untracked"]}}}, {"accept": null}]}}}]}

Checking `systemctl status firewalld` led to the discovery that firewalld did not seem happy with the existing permanent sshguard config, which had been added with the following commands (per sshguard setup instructions):

1. firewall-cmd --permanent --zone=public --add-rich-rule="rule source ipset=sshguard4 drop"
2. firewall-cmd --permanent --zone=public --add-rich-rule="rule source ipset=sshguard6 drop"

`firewall-cmd --info-ipset=sshguard4` gives:

    Error: INVALID_IPSET: sshguard4

`firewall-cmd --state` gives:

    failed

`systemctl status firewalld` gives:

    ● firewalld.service - firewalld - dynamic firewall daemon
         Loaded: loaded (/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
         Active: active (running) since Sun 2021-02-21 00:44:38 GMT; 34min ago
           Docs: man:firewalld(1)
       Main PID: 1973 (firewalld)
          Tasks: 2 (limit: 4636)
         Memory: 25.1M
            CPU: 1.328s
         CGroup: /system.slice/firewalld.service
                 └─1973 /usr/bin/python3 /usr/sbin/firewalld --nofork --nopid

    Feb 21 00:44:37 debian systemd[1]: Starting firewalld - dynamic firewall daemon...
    Feb 21 00:44:38 debian systemd[1]: Started firewalld - dynamic firewall daemon.
    Feb 21 00:44:38 debian firewalld[1973]: ERROR: INVALID_IPSET: sshguard4
    Feb 21 00:44:38 debian firewalld[1973]: ERROR: 'python-nftables' failed: internal:0:0-0: Error: Could not process rule: No such file or directory
        internal:0:0-0: Error: Could not process rule: No such file or directory
        internal:0:0-0: Error: Could not process rule: No such file or directory
        internal:0:0-0: Error: Could not process rule: No such file or directory
        internal:0:0-0: Error: Could not process rule: No such file or directory
        internal:0:0-0: Error: Could not process rule: No such file or directory
        internal:0:0-0: Error: Could not process rule: No such file or directory
        internal:0:0-0: Error: Could not process rule: No such file or directory
        JSON blob: {"nftables": [{"metainfo": {"json_schema_version": 1}}, {"insert": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_INPUT_ZONES", "expr": [>
    Feb 21 00:44:38 debian firewalld[1973]: ERROR: COMMAND_FAILED: 'python-nftables' failed: internal:0:0-0: Error: Could not process rule: No such file or directory
        internal:0:0-0: Error: Could not process rule: No such file or directory
        internal:0:0-0: Error: Could not process rule: No such file or directory
        internal:0:0-0: Error: Could not process rule: No such file or directory
        internal:0:0-0: Error: Could not process rule: No such file or directory
        internal:0:0-0: Error: Could not process rule: No such file or directory
        internal:0:0-0: Error: Could not process rule: No such file or directory
        internal:0:0-0: Error: Could not process rule: No such file or directory
        JSON blob: {"nftables": [{"metainfo": {"json_schema_version": 1}}, {"insert": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_INPUT_ZONES", "expr": [>

If I remove the sshguard4 & sshguard6 rich rules and reload firewalld, then it's happy. The errors just reported in the status output all disappear; the state switches to running; the temporary DLNA rule gets successfully added.
Re-adding the sshguard rules causes the problems to reappear.
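
Added example, not part of the original report: INVALID_IPSET is the error firewalld gives for an ipset name it has no definition for, so this sketch lists every ipset that a zone's rich rules reference but that is absent from firewalld's own ipset list. The helper name `missing_ipsets` and the sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the report). missing_ipsets is a hypothetical helper.
# Usage: missing_ipsets RICH_RULES DEFINED_IPSETS
#   RICH_RULES:     rich rules, one per line
#   DEFINED_IPSETS: whitespace-separated ipset names firewalld knows
# Prints each ipset name a rule references that is not in DEFINED_IPSETS.
missing_ipsets() {
    # Pad the known names with spaces so whole-word matching works below.
    known=" $(printf '%s' "$2" | tr '\n\t' '  ') "
    printf '%s\n' "$1" |
        tr -s ' \t' '\n\n' |
        sed -n 's/^ipset="\{0,1\}\([^"]*\)"\{0,1\}$/\1/p' |
        sort -u |
        while IFS= read -r name; do
            # Skip empty names such as a bare "ipset=" token.
            [ -n "$name" ] || continue
            case $known in
                *" $name "*) ;;                 # defined: nothing to report
                *) printf '%s\n' "$name" ;;     # referenced but undefined
            esac
        done
}

# Constructed sample: the two rich rules from the report, written with quoted
# values, checked against an ipset list that contains neither name.
sample_rules='rule source ipset="sshguard4" drop
rule source ipset="sshguard6" drop'
missing_ipsets "$sample_rules" 'constructed-allowlist'

# Against a live daemon (zone "public" as in the report):
#   missing_ipsets "$(firewall-cmd --permanent --zone=public --list-rich-rules)" \
#                  "$(firewall-cmd --permanent --get-ipsets)"
```

Any name it prints is one that a rich rule depends on but firewalld cannot resolve when it loads the permanent configuration.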