[SOLVED] Firewall fails to start in Mageia 9

[SOLVED] Firewall fails to start in Mageia 9

Postby smedly » Nov 23rd, '23, 04:44

uname -a
Linux localhost 6.4.16-desktop-3.mga9 #1 SMP PREEMPT_DYNAMIC Tue Oct 10 16:51:28 UTC 2023 x86_64 GNU/Linux

This is a clean install on a new hard drive, with all updates. I used the firewall program provided by the Mageia Control Center. The firewall fails to start. After looking into Shorewall I get the following errors.
as root
/sbin/shorewall start
Compiling using Shorewall 5.2.8...
Processing /etc/shorewall/params ...
Processing /etc/shorewall/shorewall.conf...
Loading Modules...
   ERROR: Your kernel/iptables do not include state match support. No version of Shorewall will run on this system /usr/share/shorewall/helpers (EOF)

Setting up the firewall differently makes no change in shorewall. I have no idea where to start fixing this problem.
Smedly
Last edited by smedly on Dec 15th, '23, 23:21, edited 2 times in total.
smedly
 
Posts: 5
Joined: Nov 23rd, '23, 04:34

Re: Firewall fails to start in Mageia 9

Postby doktor5000 » Nov 23rd, '23, 17:54

Hi there, the firewall is enabled by default and also starts by default. What was the initial error message?
Also to start it please as root use
systemctl start shorewall

as this also ensures that /etc/sysconfig/shorewall and also all respective options are passed properly.

Also some more information would be helpful. Do you use net_applet or networkmanager to manage your network interface ?
Also how are you connected, wired or wifi or ... ?
Cauldron is not for the faint of heart!
Caution: Hot, bubbling magic inside. May explode or cook your kittens!
----
Disclaimer: Beware of allergic reactions in answer to unconstructive complaint-type posts
doktor5000
 
Posts: 18042
Joined: Jun 4th, '11, 10:10
Location: Leipzig, Germany

Re: Firewall fails to start in Mageia 9

Postby smedly » Nov 23rd, '23, 22:09

The following commands are done as root

systemctl start shorewall
Job for shorewall.service failed because the control process exited with error code.
See "systemctl status shorewall.service" and "journalctl -xeu shorewall.service" for details.


systemctl status shorewall.service
shorewall.service - Shorewall IPv4 firewall
     Loaded: loaded (/usr/lib/systemd/system/shorewall.service; enabled; preset: enabled)
     Active: failed (Result: exit-code) since Thu 2023-11-23 12:57:35 CST; 1h 1min ago
    Process: 511874 ExecStart=/sbin/shorewall $OPTIONS start $STARTOPTIONS (code=exited, status=255/EXCEPTION)
   Main PID: 511874 (code=exited, status=255/EXCEPTION)
        CPU: 456ms

Nov 23 12:57:35 localhost systemd[1]: Starting shorewall.service...
Nov 23 12:57:35 localhost shorewall[511874]: Compiling using Shorewall 5.2.8...
Nov 23 12:57:35 localhost shorewall[511908]: Processing /etc/shorewall/params ...
Nov 23 12:57:35 localhost shorewall[511908]: Processing /etc/shorewall/shorewall.conf...
Nov 23 12:57:35 localhost shorewall[511908]: Loading Modules...
Nov 23 12:57:35 localhost shorewall[511908]:    ERROR: Your kernel/iptables do not include state match support. No version of Shorewall will run on this system /usr/share/shorewall/h>
Nov 23 12:57:35 localhost root[511938]: ERROR:Shorewall start failed
Nov 23 12:57:35 localhost systemd[1]: shorewall.service: Main process exited, code=exited, status=255/EXCEPTION
Nov 23 12:57:35 localhost systemd[1]: shorewall.service: Failed with result 'exit-code'.
Nov 23 12:57:35 localhost systemd[1]: Failed to start shorewall.service.


I am using net_applet.

root@localhost:etc$ ip link show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: enp3s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
    link/ether 10:7b:44:4d:9d:48 brd ff:ff:ff:ff:ff:ff
7: vmnet1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN mode DEFAULT group default qlen 1000
    link/ether 00:50:56:c0:00:01 brd ff:ff:ff:ff:ff:ff
8: vmnet8: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN mode DEFAULT group default qlen 1000
    link/ether 00:50:56:c0:00:08 brd ff:ff:ff:ff:ff:ff


I am using a wired connection.

I also have tor and privoxy installed. Both are working.
I am also able to perform ssh and an ssh tunnel.
Smedly
Last edited by doktor5000 on Nov 24th, '23, 00:24, edited 1 time in total.
Reason: added code tags
smedly
 
Posts: 5
Joined: Nov 23rd, '23, 04:34

Re: Firewall fails to start in Mageia 9

Postby doktor5000 » Nov 24th, '23, 00:35

Is this on an installed system or during live mode ?
Could be a problem with your shorewall config or a timing issue during startup, have a look at e.g. https://bugs.mageia.org/show_bug.cgi?id=11127
Otherwise everybody would have this issue with shorewall.
Or maybe https://bugs.mageia.org/show_bug.cgi?id=8960 if your interfaces would have very long names (eg. with wifi networks or when using networkmanager) but the error message should be different then.

Best post your shorewall configs, at least /etc/shorewall/interfaces and /etc/shorewall/zones
Apart from that, what did you configure for your firewall using MCC ?
doktor5000
 
Posts: 18042
Joined: Jun 4th, '11, 10:10
Location: Leipzig, Germany

Re: Firewall fails to start in Mageia 9

Postby smedly » Nov 24th, '23, 04:26

root@localhost:sysconfig$ cat /etc/shorewall/interfaces
#
# Shorewall -- /etc/shorewall/interfaces
#
# For information about entries in this file, type "man shorewall-interfaces"
#
# The manpage is also online at
# https://shorewall.org/manpages/shorewall-interfaces.html
#
###############################################################################
#ZONE           INTERFACE               OPTIONS
net     enp3s0  detect


root@localhost:sysconfig$ cat /etc/shorewall/zones
#
# Shorewall -- /etc/shorewall/zones
#
# For information about this file, type "man shorewall-zones"
#
# The manpage is also online at
# https://shorewall.org/manpages/shorewall-zones.html
#
###############################################################################
#ZONE           TYPE            OPTIONS         IN_OPTIONS      OUT_OPTIONS
net     ipv4
fw      firewall



The install was done with a DVD version, so it doesn't fit a boot timing issue. I have had multiple reboots, and even tried to manually start shorewall.
I am on a wired connection, so there isn't a problem with long names on wifi.
I set up the firewall during install (bittorrent). Also, I have tried different configs with MCC with the firewall (FTP server, SSH server). /etc/shorewall/rules.drakx does change each time, and /etc/shorewall/rules does include rules.drakx

I am thinking. What if it isn't shorewall, but iptables. Are there some tests I can run with iptables to see if it is installed correctly?
Smedly
Last edited by isadora on Nov 24th, '23, 09:04, edited 1 time in total.
Reason: Please place command output between [CODE]-tags, for improving readability
smedly
 
Posts: 5
Joined: Nov 23rd, '23, 04:34
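A small diagnostic for the failure smedly describes, added here as an example for this thread (it is not code from the thread, from Mageia or from Shorewall). It assumes iptables, lsmod, modprobe and rpm are installed; the throw-away-chain probe is my approximation of the kind of capability test Shorewall runs before it prints "do not include state match support", not Shorewall's own code. The parsing helpers take their input as text so they can be tried without touching the firewall.

```shell
#!/bin/sh
# Added example; not code from the thread, Mageia or Shorewall.
# Checks the pieces behind "Your kernel/iptables do not include state match
# support": which iptables backend is installed, whether the conntrack module
# is present, and whether a "-m state" rule can be added at all.
# Assumed tools: iptables, lsmod, modprobe, rpm. The temporary-chain probe is
# an approximation of Shorewall's capability test, not its code.

# Classify "iptables -V" output. Mageia ships both variants; knowing which one
# is active narrows the search, since they load match extensions differently.
iptables_backend() {
    case "$1" in
        *"(nf_tables)"*) echo nf_tables ;;
        *"(legacy)"*)    echo legacy ;;
        *)               echo unknown ;;
    esac
}

# Return 0 if the lsmod listing (passed as text) contains nf_conntrack,
# the kernel side that "-m state" depends on; 1 otherwise.
conntrack_loaded() {
    printf '%s\n' "$1" | grep -q '^nf_conntrack[[:space:]]'
}

# Live probe: add a "-m state" rule to a temporary chain, then remove it.
# Returns 0 if the rule is accepted, 1 if iptables rejects the match,
# 2 if the chain could not be created (no iptables, or not root).
probe_state_match() {
    chain="stprobe$$"
    iptables -N "$chain" 2>/dev/null || return 2
    if iptables -A "$chain" -m state --state ESTABLISHED,RELATED -j ACCEPT 2>/dev/null; then
        rc=0
    else
        rc=1
    fi
    iptables -F "$chain" 2>/dev/null
    iptables -X "$chain" 2>/dev/null
    return "$rc"
}

run_checks() {
    echo "backend:   $(iptables_backend "$(iptables -V 2>&1)")"
    rpm -q iptables 2>/dev/null || echo "rpm: iptables package not found"
    if conntrack_loaded "$(lsmod)"; then
        echo "conntrack: nf_conntrack loaded"
    else
        echo "conntrack: nf_conntrack not loaded, trying modprobe"
        modprobe nf_conntrack 2>/dev/null || echo "modprobe nf_conntrack failed"
    fi
    probe_state_match && rc=0 || rc=$?
    case "$rc" in
        0) echo "state match: OK, Shorewall's complaint should not apply" ;;
        1) echo "state match: iptables rejects '-m state'; check the iptables package and its extensions" ;;
        *) echo "state match: could not create a test chain (run as root?)" ;;
    esac
}

# Run the live checks only when asked, so the functions can be sourced
# and exercised without modifying the firewall.
if [ "${1:-}" = "--run" ]; then
    run_checks
fi
```

Run it as root with `--run`. If the probe reports that iptables rejects `-m state` while nf_conntrack is loaded, the problem sits in the iptables userspace package rather than in Shorewall's configuration, which is where the thread eventually ended up.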

Re: Firewall fails to start in Mageia 9

Postby doktor5000 » Nov 24th, '23, 18:19

smedly wrote: I set up the firewall during install (bittorrent).

During installation of Mageia or after the installation of Mageia? The former could be a problem ...

In any case, I can't reproduce your issue, so there must be something else to your setup. I did the same thing, amending the firewall with the ports I need for bittorrent. And that worked just fine.

Also, you don't need to use shorewall, it's basically only a frontend to iptables. You can also use iptables directly, if you want.
doktor5000
 
Posts: 18042
Joined: Jun 4th, '11, 10:10
Location: Leipzig, Germany

Re: Firewall fails to start in Mageia 9

Postby smedly » Nov 25th, '23, 07:14

The reason I have used shorewall is because it has been easy to edit rules.drakx. One of the things I do is prevent my computer from accessing websites. Let's say website.com. Shorewall is not working for me. Shorewall uses iptables, so iptables doesn't work on my system. I have tried examples of iptables and nothing works. The next thing to check is nft (nftables). I am having trouble learning the syntax of nftables.
I am asking please if someone would give me a line of code for nftables that would drop packets from reaching website.com. Well, even iptables, to see if it works on my computer.
Smedly
smedly
 
Posts: 5
Joined: Nov 23rd, '23, 04:34

Re: Firewall fails to start in Mageia 9

Postby doktor5000 » Nov 26th, '23, 15:52

smedly wrote: One of the things I do is prevent my computer from accessing websites. Let's say website.com. Shorewall is not working for me. Shorewall uses iptables, so iptables doesn't work on my system.

That's because a firewall is the wrong tool for that use case. This will only work for regular, unencrypted traffic like HTTP. For HTTPS this won't work because the domain which you want to block is part of the encrypted HTTPS headers so you cannot filter for that with your firewall.
See e.g. the first answer for https://superuser.com/questions/1290066 ... h-iptables

If you want to understand the general idea how to block a domain for unencrypted traffic see e.g. https://noc.org/help/blocking-http-requ ... fic-domain for some explanation.
And if you want to block a given domain or website you also need a decent understanding of DNS and the actual protocols you're trying to block.

Something like a pihole or any other DNS server that you can easily run yourself to block those domains is probably a better idea and also mostly protocol-agnostic.

Some more hints:
https://blog.craftyguy.net/nft-asn-block/
https://forum.openwrt.org/t/nftables-fi ... /126182/20
https://openwrt.org/docs/guide-user/fir ... ses_by_dns
https://wiki.nftables.org/wiki-nftables/index.php/Ipset and https://wiki.nftables.org/wiki-nftables/index.php/Sets
doktor5000
 
Posts: 18042
Joined: Jun 4th, '11, 10:10
Location: Leipzig, Germany
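The named-set approach the nftables wiki links above describe, written out as an added example for this thread (not code from the thread, from Mageia or from the nftables project): resolve the domain once, load the addresses into an nft set and drop outbound traffic to them. It assumes glibc's getent and the nft tool are installed; the table and set names are my own choice. This is protocol-agnostic, so it also covers HTTPS, but it only blocks the addresses seen at the time of the snapshot, which is exactly why a DNS-level block is the more robust option for anything that matters.

```shell
#!/bin/sh
# Added example; not code from the thread, Mageia or the nftables project.
# Builds an nft set from a domain's current IPv4 addresses and drops OUTPUT
# traffic to them. Assumed tools: getent (glibc) and nft. Table and set
# names are arbitrary choices for this example.
TABLE=blockdemo
SET=blocked_v4

# Extract unique IPv4 addresses (first column) from "getent ahostsv4 <name>"
# output passed as text, one per line, sorted.
addrs_from_getent() {
    printf '%s\n' "$1" \
        | awk 'NF && $1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { print $1 }' \
        | sort -u
}

# Turn a newline-separated address list into an nft script, one command per
# line. The commands are emitted rather than applied so they can be reviewed.
nft_commands() {
    echo "add table inet $TABLE"
    echo "add set inet $TABLE $SET { type ipv4_addr; }"
    echo "add chain inet $TABLE output { type filter hook output priority 0; policy accept; }"
    echo "add rule inet $TABLE output ip daddr @$SET counter drop"
    for a in $1; do
        echo "add element inet $TABLE $SET { $a }"
    done
}

# Resolve the domain and apply the generated script. Only the addresses
# returned right now are blocked; re-run it if the site's addresses change.
block_domain() {
    out=$(getent ahostsv4 "$1") || { echo "could not resolve $1" >&2; return 1; }
    list=$(addrs_from_getent "$out")
    [ -n "$list" ] || { echo "no IPv4 addresses for $1" >&2; return 1; }
    nft_commands "$list" | nft -f -
}

# Usage (as root): ./block_domain.sh website.example
if [ -n "${1:-}" ]; then
    block_domain "$1"
fi
```

Check what was loaded with `nft list table inet blockdemo`; the `counter` on the drop rule shows whether anything is actually being matched. To remove the block again, `nft delete table inet blockdemo`.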

Re: Firewall fails to start in Mageia 9

Postby morgano » Nov 26th, '23, 18:41

What about the "parental control" built into MCC?
At home & work Mandriva since 2006, Mageia 2011. Thinkpad T40, T43, T60, T400, T510, Dell M4400, M6300, Acer Aspire 7. Workstation using LVM, LUKS, VirtualBox, BOINC
morgano
 
Posts: 1489
Joined: Jun 15th, '11, 17:51
Location: Kivik, Sweden

Re: Firewall fails to start in Mageia 9

Postby doktor5000 » Nov 26th, '23, 21:23

Could be worth a try. It uses dansguardian as a proxy for the blacklisting.

Link to drakguard documentation:
https://doc.mageia.org/mcc/9/en/content ... #drakguard
doktor5000
 
Posts: 18042
Joined: Jun 4th, '11, 10:10
Location: Leipzig, Germany

Re: Firewall fails to start in Mageia 9

Postby smedly » Dec 15th, '23, 23:11

Good news. With the release of
iptables-1.8.9-2.3.mga9.x86_64.rpm,
shorewall works again. Thanks for everyone's help and advice.
Smedly :)
smedly
 
Posts: 5
Joined: Nov 23rd, '23, 04:34

Re: Firewall fails to start in Mageia 9

Postby doktor5000 » Dec 15th, '23, 23:15

Please don't forget to mark the thread as solved, by editing the subject of the first post and prefix it with [SOLVED], thanks in advance.
doktor5000
 
Posts: 18042
Joined: Jun 4th, '11, 10:10
Location: Leipzig, Germany
