Bug 1024 - MCC: Firewall utility doesn't work
Status: RESOLVED FIXED
Product: Desktop Bugs
Classification: ROSA Desktop
Component: Main Packages
: Fresh
: All Linux
: High major
Assigned To: ROSA Linux Bugs
: ROSA Linux Bugs
Reported: 2012-10-28 17:59 MSK by Dmitry
Modified: 2012-12-21 18:40 MSK
alexander.petryakov: qa_verified+
dmitry.romashkin: secteam_verified+
alex.burmashev: published+


Description Dmitry 2012-10-28 17:59:12 MSK
Description of problem:
Every time I open the firewall utility from MCC, it always shows that the firewall is disabled. So I can't enable the firewall at all.
Comment 1 Dmitry Mikhirev 2012-10-29 15:18:18 MSK
Looks like the shorewall service is not being set to enabled. It can be caused by the migration to systemd.
Comment 2 Martin Sjöstrand 2012-12-07 00:56:46 MSK
I have this problem too. I set some ports to be open, quit the MCC, and when I start the MCC again the firewall is disabled.
Comment 3 Sylvainsjc 2012-12-19 17:32:35 MSK
Confirmed in the final release today

Please, having the firewall opened by default and not configurable is really an annoying problem for many users.
Comment 4 Aleksandr Kazantcev 2012-12-19 18:16:23 MSK
Set up the firewall via drakfirewall.

Do you see something like this

ln -s '/lib/systemd/system/shorewall.service' '/etc/systemd/system/multi-user.target.wants/shorewall.service'

?

Then try (via su)

systemctl enable shorewall

and look at the output of

systemctl status shorewall

Does it show an error?
Comment 5 Sylvainsjc 2012-12-19 18:31:54 MSK
[root@Rosa2012Fresh ~]# ln -s '/lib/systemd/system/shorewall.service' '/etc/systemd/system/multi-user.target.wants/shorewall.service'
ln: impossible de créer le lien symbolique « /etc/systemd/system/multi-user.target.wants/shorewall.service »: Le fichier existe
[root@Rosa2012Fresh ~]#
[root@Rosa2012Fresh ~]# 
[root@Rosa2012Fresh ~]# drakfirewall 

Note: This output shows SysV services only and does not include native
      systemd services. SysV configuration data might be overriden by native
      systemd configuration.

Job for shorewall.service failed. See 'systemctl status shorewall.service' and 'journalctl' for details.

[root@Rosa2012Fresh ~]# systemctl enable shorewall
[root@Rosa2012Fresh ~]# 
[root@Rosa2012Fresh ~]# drakfirewall 

Note: This output shows SysV services only and does not include native
      systemd services. SysV configuration data might be overriden by native
      systemd configuration.

Job for shorewall.service failed. See 'systemctl status shorewall.service' and 'journalctl' for details.
[root@Rosa2012Fresh ~]# 
[root@Rosa2012Fresh ~]# systemctl status shorewall
shorewall.service - Shorewall IPv4 firewall
          Loaded: loaded (/lib/systemd/system/shorewall.service; enabled)
          Active: failed (Result: exit-code) since Wed, 19 Dec 2012 14:38:14 +0100; 34s ago
        Main PID: 3880 (code=exited, status=1/FAILURE)
          CGroup: name=systemd:/system/shorewall.service

Dec 19 14:38:14 Rosa2012Fresh shorewall[3880]: Compiling...
Dec 19 14:38:14 Rosa2012Fresh shorewall[3880]: Processing /etc/shorewall/params ...
Dec 19 14:38:14 Rosa2012Fresh shorewall[3880]: Processing /etc/shorewall/shorewall.conf...
Dec 19 14:38:14 Rosa2012Fresh shorewall[3880]: Loading Modules...
Dec 19 14:38:14 Rosa2012Fresh shorewall[3880]: ERROR: Your kernel/iptables do not include state match support. No version of Shorewall will run on this system
Dec 19 14:38:14 Rosa2012Fresh systemd[1]: Failed to start Shorewall IPv4 firewall.
[root@Rosa2012Fresh ~]#
Comment 6 altadeos 2012-12-19 21:43:08 MSK
Hello,

I can confirm that the bug is still present in final release.
Comment 7 Aleksandr Kazantcev 2012-12-19 21:48:32 MSK
We are working to resolve this bug - stay tuned...

But this line is very strange:

Dec 19 14:38:14 Rosa2012Fresh shorewall[3880]: ERROR: Your kernel/iptables do not include state match support. No version of Shorewall will run on this system

What kernel do you use?

I can't reproduce this message on my system.
Comment 8 Sylvainsjc 2012-12-19 22:25:03 MSK
It's a Fresh standard installation of ROSA 2012 Fresh under VirtualBox

ISO x86_64 from here : http://mirror.yandex.ru/rosa/rosa2012.1/iso/ROSA.Desktop.Fresh/
Comment 9 Sylvainsjc 2012-12-19 22:27:03 MSK
Kernel 3.6.10-nrj-desktop-1rosa
Comment 10 Aleksandr Kazantcev 2012-12-19 22:31:07 MSK
Please try running (as root)

/usr/lib/iptables.init save

and then try running drakxfirewall and get the output of

systemctl status shorewall
Comment 11 Sylvainsjc 2012-12-19 22:54:25 MSK
Here is the result of the commands (as I use x86_64, there isn't a /usr/lib/iptables.init file but /usr/lib64/iptables.init):


[root@Rosa2012Fresh ~]# /usr/lib64/iptables.init save
Saving current rules to /etc/sysconfig/iptables:                                                                           [  OK  ]

[root@Rosa2012Fresh ~]# drakfirewall 

Note: This output shows SysV services only and does not include native
      systemd services. SysV configuration data might be overriden by native
      systemd configuration.

Job for shorewall.service failed. See 'systemctl status shorewall.service' and 'journalctl' for details.

[root@Rosa2012Fresh ~]# systemctl status shorewall
shorewall.service - Shorewall IPv4 firewall
          Loaded: loaded (/lib/systemd/system/shorewall.service; enabled)
          Active: failed (Result: exit-code) since Wed, 19 Dec 2012 15:00:03 +0100; 5s ago
        Main PID: 2939 (code=exited, status=1/FAILURE)
          CGroup: name=systemd:/system/shorewall.service

Dec 19 15:00:03 Rosa2012Fresh shorewall[2939]: Compiling...
Dec 19 15:00:03 Rosa2012Fresh shorewall[2939]: Processing /etc/shorewall/params ...
Dec 19 15:00:03 Rosa2012Fresh shorewall[2939]: Processing /etc/shorewall/shorewall.conf...
Dec 19 15:00:03 Rosa2012Fresh shorewall[2939]: Loading Modules...
Dec 19 15:00:03 Rosa2012Fresh shorewall[2939]: ERROR: Your kernel/iptables do not include state match support. No version of Shorewall will run on this system
Dec 19 15:00:03 Rosa2012Fresh systemd[1]: Failed to start Shorewall IPv4 firewall.
[root@Rosa2012Fresh ~]# uname -a
Linux Rosa2012Fresh 3.6.10-nrj-desktop-1rosa #1 SMP PREEMPT Wed Dec 12 13:59:22 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux
[root@Rosa2012Fresh ~]#
Comment 12 Aleksandr Kazantcev 2012-12-19 23:24:31 MSK
Please run

  shorewall check

and give me its output.

In /lib/systemd/system/shorewall.service, change EnvironmentFile to

EnvironmentFile=-/etc/shorewall/shorewall.conf

Then try change in /etc/shorewall.conf adding to it

PKTTYPE = NO

then run 

  systemctl start shorewall

and give me the output of

  systemctl status shorewall
Comment 13 Aleksandr Kazantcev 2012-12-19 23:39:17 MSK
OOPS.

"Then try change in /etc/shorewall.conf adding to it PKTTYPE = NO"

NOT NEEDED!
Comment 14 Sylvainsjc 2012-12-20 00:48:31 MSK
These commands give the same answer before and after changing EnvironmentFile

[root@Rosa2012Fresh ~]# shorewall check
Checking...
Processing /etc/shorewall/params ...
Processing /etc/shorewall/shorewall.conf...
Loading Modules...
   ERROR: Your kernel/iptables do not include state match support. No version of Shorewall will run on this system
[root@Rosa2012Fresh ~]# 


Here is the changed shorewall.service file

[root@Rosa2012Fresh ~]# cat /lib/systemd/system/shorewall.service 
#
#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.4
#
#     Copyright 2011 Jonathan Underwood (jonathan.underwood@gmail.com)
#
[Unit]
Description=Shorewall IPv4 firewall
After=syslog.target
After=network.target

[Service]
Type=oneshot
RemainAfterExit=yes
EnvironmentFile=-/etc/shorewall/shorewall.conf
StandardOutput=syslog
ExecStart=/sbin/shorewall $OPTIONS start
ExecStop=/sbin/shorewall $OPTIONS stop

[Install]
WantedBy=multi-user.target
[root@Rosa2012Fresh ~]# 


[root@Rosa2012Fresh ~]# systemctl start shorewall
Warning: Unit file of shorewall.service changed on disk, 'systemctl --system daemon-reload' recommended.
Job for shorewall.service failed. See 'systemctl status shorewall.service' and 'journalctl' for details.
[root@Rosa2012Fresh ~]# 

[root@Rosa2012Fresh ~]# systemctl status shorewall
shorewall.service - Shorewall IPv4 firewall
          Loaded: loaded (/lib/systemd/system/shorewall.service; enabled)
          Active: failed (Result: exit-code) since Wed, 19 Dec 2012 21:46:49 +0100; 24s ago
         Process: 3418 ExecStart=/sbin/shorewall $OPTIONS start (code=exited, status=1/FAILURE)
          CGroup: name=systemd:/system/shorewall.service

Dec 19 21:46:48 Rosa2012Fresh shorewall[3418]: Compiling...
Dec 19 21:46:48 Rosa2012Fresh shorewall[3418]: Processing /etc/shorewall/params ...
Dec 19 21:46:48 Rosa2012Fresh shorewall[3418]: Processing /etc/shorewall/shorewall.conf...
Dec 19 21:46:48 Rosa2012Fresh shorewall[3418]: Loading Modules...
Dec 19 21:46:49 Rosa2012Fresh shorewall[3418]: ERROR: Your kernel/iptables do not include state match support. No version of Shorewall will run on this system
Dec 19 21:46:49 Rosa2012Fresh systemd[1]: Failed to start Shorewall IPv4 firewall.

Warning: Unit file changed on disk, 'systemctl --system daemon-reload' recommended.
[root@Rosa2012Fresh ~]#
Comment 15 Aleksandr Kazantcev 2012-12-20 01:25:38 MSK
First step - try to fix iptables...

Please add this repo (x86_64)

urpmi.addmedia test http://abf.rosalinux.ru/downloads/rosa2012.1/container/iptables-857596/RPMS/

then

urpmi --auto-update


Then restart the system and check

systemctl status iptables


For i586

urpmi.addmedia test http://abf.rosalinux.ru/downloads/rosa2012.1/container/iptables-857595/RPMS/
Comment 16 Aleksandr Kazantcev 2012-12-20 09:41:38 MSK
Updated package:

i586

http://abf.rosalinux.ru/downloads/rosa2 ... 7601/RPMS/

x86_64

http://abf.rosalinux.ru/downloads/rosa2 ... 7602/RPMS/


If you installed the previous package, you may (as root):

rm -rf /etc/sysconfig/iptables
touch /etc/sysconfig/iptables

and for x86_64 you also need (as root too)

sed -e 's/lib/lib64/p' -i /lib/systemd/system/iptables.service
Comment 17 Aleksandr Kazantcev 2012-12-20 10:05:00 MSK
https://abf.rosalinux.ru/build_lists/857602
https://abf.rosalinux.ru/build_lists/857601

advisory: Iptables is a firewall system using kernel modules. This update fixes running iptables in ROSA Desktop.Fresh 2012 (all arch) and the systemd service for the x86_64 arch. You may test the fix by running systemctl status iptables and seeing whether it is Active or not.
Comment 18 Sylvainsjc 2012-12-20 10:45:45 MSK
OK, after adding the test media repo, updating and restarting, it is better now. Thanks for your job.

But the shorewall and iptables services need to be activated by running
systemctl enable shorewall;systemctl start shorewall
systemctl enable iptables;systemctl start iptables

It is now possible to manage the firewall with drakfirewall and it works, but there remains a problem with this tool: every time I open drakfirewall, it always shows that "all - no firewall" is checked

Should I open a new bug for this?
Comment 19 Aleksandr Kazantcev 2012-12-20 10:48:49 MSK
No - we are working on the proper display - this is a problem related to reading the current shorewall state... The bug may be the current one.

More common that iptables/shorewall works and the system is protected...

Drakfirewall will be fixed in 2-3 days - it needs some investigation in the Perl code :)
Comment 20 Sylvainsjc 2012-12-20 10:54:40 MSK
Ok thanks ;-)
Comment 21 altadeos 2012-12-20 11:59:51 MSK
Good job and thank you for your reactivity!!
Comment 22 Alexander Petryakov 2012-12-20 23:44:19 MSK
iptables-1.4.15-4
************** Advisory **************
advisory: Iptables is a firewall system using kernel modules. This update fixes running iptables in ROSA Desktop.Fresh 2012 (all arch) and the systemd service for the x86_64 arch.
p.s. after reboot
# systemctl status iptables
Active: active (exited) ...

**************************************
QA Verified
Comment 23 Aleksandr Kazantcev 2012-12-21 18:40:06 MSK
For future work please use this bug: http://bugs.rosalinux.ru/show_bug.cgi?id=1290
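
Added example (not part of the original report and not ROSA's or Shorewall's code): the status output in comments 5 to 14 shows a unit that is "enabled" on its Loaded: line yet "failed" on its Active: line, so a host can look configured while no firewall rules are loaded. The script below classifies captured `systemctl status` text on both fields and extracts the first ERROR line; the function names and verdict strings are hypothetical, and the sample inputs are constructed from the output quoted in this report.

```shell
#!/bin/sh
# Constructed sample: excerpt of the failing `systemctl status shorewall`
# output quoted in comment 5 of this report.
BAD_STATUS='shorewall.service - Shorewall IPv4 firewall
          Loaded: loaded (/lib/systemd/system/shorewall.service; enabled)
          Active: failed (Result: exit-code) since Wed, 19 Dec 2012 14:38:14 +0100; 34s ago
Dec 19 14:38:14 Rosa2012Fresh shorewall[3880]: ERROR: Your kernel/iptables do not include state match support. No version of Shorewall will run on this system
Dec 19 14:38:14 Rosa2012Fresh systemd[1]: Failed to start Shorewall IPv4 firewall.'

# Constructed sample: healthy unit, modelled on the "active (exited)" line in comment 22.
GOOD_STATUS='iptables.service - constructed sample
          Loaded: loaded (/lib/systemd/system/iptables.service; enabled)
          Active: active (exited) since Thu, 20 Dec 2012 10:00:00 +0100; 1min ago'

# Boot-time state: first field after the unit path on the "Loaded:" line.
unit_enablement() {
    printf '%s\n' "$1" | sed -n 's/^ *Loaded: [^;]*; *\([a-z-]*\).*$/\1/p' | head -n 1
}

# Runtime state: first word after "Active:".
unit_activity() {
    printf '%s\n' "$1" | sed -n 's/^ *Active: *\([a-z]*\).*$/\1/p' | head -n 1
}

# First ERROR message logged by the service, empty if there is none.
first_error() {
    printf '%s\n' "$1" | sed -n 's/^.*]: ERROR: *//p' | head -n 1
}

# A firewall unit only counts as OK when it is both enabled and active.
firewall_verdict() {
    en=$(unit_enablement "$1"); act=$(unit_activity "$1")
    if [ "$en" = "enabled" ] && [ "$act" = "active" ]; then echo "OK"
    elif [ "$act" = "active" ]; then echo "ACTIVE_BUT_NOT_ENABLED"
    elif [ "$en" = "enabled" ]; then echo "ENABLED_BUT_NOT_RUNNING"
    else echo "OFF"; fi
}

# Stand-alone run over the two constructed samples.
for s in "$BAD_STATUS" "$GOOD_STATUS"; do
    echo "$(firewall_verdict "$s") $(first_error "$s")"
done
```

On a live system the same functions can be fed `"$(systemctl status shorewall 2>&1)"` instead of the samples.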