Ticket #3180 (closed defect: worksforme)

Opened 21 months ago

Last modified 21 months ago

After the update to does not start firewall

Reported by: lioncub@… Owned by: cperez@…
Milestone: 2.2 Component: firewall
Severity: normal Keywords:
Cc:

Description

# /etc/init.d/zentyal firewall start
 * Restarting Zentyal module: firewall                                                                                                                [fail] 
root command set -e
modprobe ip_conntrack_ftp || true
modprobe ip_nat_ftp || true
modprobe ip_conntrack_tftp || true
/sbin/iptables -F
/sbin/iptables -X
/sbin/iptables -t nat -F
/sbin/iptables -t nat -X
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A OUTPUT -o lo -j ACCEPT
/sbin/iptables -P OUTPUT DROP
/sbin/iptables -P INPUT DROP
/sbin/iptables -P FORWARD DROP
/sbin/iptables -N odrop
/sbin/iptables -A OUTPUT -m state --state INVALID -j odrop
/sbin/iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -N idrop
/sbin/iptables -A INPUT -m state --state INVALID -j idrop
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -N fdrop
/sbin/iptables -A FORWARD -m state --state INVALID -j fdrop
/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -t nat -N premodules
/sbin/iptables -t nat -N postmodules
/sbin/iptables -N fnospoofmodules
/sbin/iptables -N fnospoof
/sbin/iptables -A fnospoof -j fnospoofmodules
/sbin/iptables -N fredirects
/sbin/iptables -N fmodules
/sbin/iptables -N ffwdrules
/sbin/iptables -N fnoexternal
/sbin/iptables -N fdns
/sbin/iptables -N fobjects
/sbin/iptables -N fglobal
/sbin/iptables -N ftoexternalonly
/sbin/iptables -N inospoofmodules
/sbin/iptables -N inospoof
/sbin/iptables -A inospoof -j inospoofmodules
/sbin/iptables -N inointernal
/sbin/iptables -N iexternalmodules
/sbin/iptables -N iexternal
/sbin/iptables -N inoexternal
/sbin/iptables -N imodules
/sbin/iptables -N iintservs
/sbin/iptables -N iglobal
/sbin/iptables -N drop
/sbin/iptables -N log
/sbin/iptables -N ointernal
/sbin/iptables -N omodules
/sbin/iptables -N oglobal
/sbin/iptables -t nat -A PREROUTING -j premodules
/sbin/iptables -t nat -A POSTROUTING -j postmodules
/sbin/iptables -A FORWARD -j fnospoof
/sbin/iptables -A FORWARD -j fredirects
/sbin/iptables -A FORWARD -j fmodules
/sbin/iptables -A FORWARD -j ffwdrules
/sbin/iptables -A FORWARD -j fnoexternal
/sbin/iptables -A FORWARD -j fdns
/sbin/iptables -A FORWARD -j fobjects
/sbin/iptables -A FORWARD -j fglobal
/sbin/iptables -A FORWARD -p icmp --icmp-type echo-request ! -f  -m state --state NEW  -j ACCEPT
/sbin/iptables -A FORWARD -p icmp --icmp-type echo-reply ! -f  -m state --state NEW  -j ACCEPT
/sbin/iptables -A FORWARD -p icmp --icmp-type destination-unreachable ! -f  -m state --state NEW  -j ACCEPT
/sbin/iptables -A FORWARD -p icmp --icmp-type source-quench ! -f  -m state --state NEW  -j ACCEPT
/sbin/iptables -A FORWARD -p icmp --icmp-type time-exceeded ! -f  -m state --state NEW  -j ACCEPT
/sbin/iptables -A FORWARD -p icmp --icmp-type parameter-problem ! -f  -m state --state NEW  -j ACCEPT
/sbin/iptables -A FORWARD -j fdrop
/sbin/iptables -A INPUT -j inospoof
/sbin/iptables -A INPUT -j iexternalmodules
/sbin/iptables -A INPUT -j iexternal
/sbin/iptables -A INPUT -j inoexternal
/sbin/iptables -A INPUT -j imodules
/sbin/iptables -A INPUT -j iintservs
/sbin/iptables -A INPUT -j iglobal
/sbin/iptables -A INPUT -p icmp --icmp-type echo-request ! -f  -m state --state NEW  -j ACCEPT
/sbin/iptables -A INPUT -p icmp --icmp-type echo-reply ! -f  -m state --state NEW  -j ACCEPT
/sbin/iptables -A INPUT -p icmp --icmp-type destination-unreachable ! -f  -m state --state NEW  -j ACCEPT
/sbin/iptables -A INPUT -p icmp --icmp-type source-quench ! -f  -m state --state NEW  -j ACCEPT
/sbin/iptables -A INPUT -p icmp --icmp-type time-exceeded ! -f  -m state --state NEW  -j ACCEPT
/sbin/iptables -A INPUT -p icmp --icmp-type parameter-problem ! -f  -m state --state NEW  -j ACCEPT
/sbin/iptables -A INPUT -j idrop
/sbin/iptables -A OUTPUT -j ointernal
/sbin/iptables -A OUTPUT -j omodules
/sbin/iptables -A OUTPUT -j oglobal
/sbin/iptables -A OUTPUT -p icmp --icmp-type echo-request ! -f  -m state --state NEW  -j ACCEPT
/sbin/iptables -A OUTPUT -p icmp --icmp-type echo-reply ! -f  -m state --state NEW  -j ACCEPT
/sbin/iptables -A OUTPUT -p icmp --icmp-type destination-unreachable ! -f  -m state --state NEW  -j ACCEPT
/sbin/iptables -A OUTPUT -p icmp --icmp-type source-quench ! -f  -m state --state NEW  -j ACCEPT
/sbin/iptables -A OUTPUT -p icmp --icmp-type time-exceeded ! -f  -m state --state NEW  -j ACCEPT
/sbin/iptables -A OUTPUT -p icmp --icmp-type parameter-problem ! -f  -m state --state NEW  -j ACCEPT
/sbin/iptables -A OUTPUT -j odrop
/sbin/iptables -A idrop -j drop
/sbin/iptables -A odrop -j drop
/sbin/iptables -A fdrop -j drop
/sbin/iptables -A ointernal  -m state --state NEW  -p udp --dport 53 -d 127.0.0.1 -j ACCEPT
/sbin/iptables -A ointernal  -m state --state NEW  -p tcp --dport 53 -d 127.0.0.1 -j ACCEPT
/sbin/iptables -A fdns  -m state --state NEW  -p udp --dport 53 -d 127.0.0.1 -j ACCEPT
/sbin/iptables -A fdns  -m state --state NEW  -p tcp --dport 53 -d 127.0.0.1 -j ACCEPT
/sbin/iptables -A ointernal  -m state --state NEW  -p udp --dport 53 -d 192.168.1.1 -j ACCEPT
/sbin/iptables -A ointernal  -m state --state NEW  -p tcp --dport 53 -d 192.168.1.1 -j ACCEPT
/sbin/iptables -A fdns  -m state --state NEW  -p udp --dport 53 -d 192.168.1.1 -j ACCEPT
/sbin/iptables -A fdns  -m state --state NEW  -p tcp --dport 53 -d 192.168.1.1 -j ACCEPT
/sbin/iptables -A inospoof -m mac -s  ! --mac-source 00:19:db:c6:50:b7 -j idrop
/sbin/iptables -A fnospoof -m mac -s  ! --mac-source 00:19:db:c6:50:b7 -j fdrop
/sbin/iptables -A inospoof -m mac -s  ! --mac-source 00:50:8b:cd:f2:9e -j idrop
/sbin/iptables -A fnospoof -m mac -s  ! --mac-source 00:50:8b:cd:f2:9e -j fdrop
/sbin/iptables -A inospoof -m mac -s  ! --mac-source 20:cf:30:a0:79:0f -j idrop
/sbin/iptables -A fnospoof -m mac -s  ! --mac-source 20:cf:30:a0:79:0f -j fdrop
/sbin/iptables -A fnospoof -s 192.168.10.41/255.255.255.0 ! -i eth0 -j fdrop
/sbin/iptables -A inospoof -s 192.168.10.41/255.255.255.0 ! -i eth0 -j idrop
/sbin/iptables -A fredirects -m state --state NEW  -i eth1   -p tcp  --dport 80 -d 192.168.11.80 -j ACCEPT
/sbin/iptables -A fnoexternal  -m state --state NEW  -i eth1 -j fdrop
/sbin/iptables -A inoexternal  -m state --state NEW  -i eth1 -j idrop
/sbin/iptables -A ftoexternalonly -o eth1 -j ACCEPT
/sbin/iptables -I drop -j DROP
/sbin/iptables -I log -j RETURN
/sbin/iptables -A iexternalmodules -i eth0 -j RETURN
/sbin/iptables -A iexternal -i eth0 -j RETURN
/sbin/iptables  -t filter  -A iexternal     -p  udp  --destination-port  1194  -m state --state NEW  -j ACCEPT
/sbin/iptables  -t filter  -A iexternal     -p  tcp  --destination-port  1194  -m state --state NEW  -j ACCEPT
/sbin/iptables  -t filter  -A iexternal     -p  tcp  --destination-port  22  -m state --state NEW  -j ACCEPT
/sbin/iptables  -t filter  -A iglobal   --source   10.10.0.64/26   -m state --state NEW  -j drop
/sbin/iptables  -t filter  -A iglobal   --source   10.10.0.32/27   -m state --state NEW  -j drop
/sbin/iptables  -t filter  -A iglobal   --source   10.10.0.16/28   -m state --state NEW  -j drop
/sbin/iptables  -t filter  -A iglobal     -p  udp  --destination-port  123  -m state --state NEW  -j ACCEPT
/sbin/iptables  -t filter  -A iglobal     -p  udp  --destination-port  53  -m state --state NEW  -j ACCEPT
/sbin/iptables  -t filter  -A iglobal     -p  tcp  --destination-port  53  -m state --state NEW  -j ACCEPT
/sbin/iptables  -t filter  -A iglobal   --source   192.168.11.0/24   -m state --state NEW  -j drop
/sbin/iptables  -t filter  -A iglobal     -p  tcp  --destination-port  3142  -m state --state NEW  -j ACCEPT
/sbin/iptables  -t filter  -A iglobal     -p  tcp  --destination-port  3306  -m state --state NEW  -j ACCEPT
/sbin/iptables  -t filter  -A iglobal     -p  tcp  --destination-port  8888  -m state --state NEW  -j ACCEPT
/sbin/iptables  -t filter  -A iglobal     -p  udp  --destination-port  1194  -m state --state NEW  -j ACCEPT
/sbin/iptables  -t filter  -A iglobal     -p  tcp  --destination-port  1194  -m state --state NEW  -j ACCEPT
/sbin/iptables  -t filter  -A iglobal     -p  udp  --destination-port  1080  -m state --state NEW  -j ACCEPT
/sbin/iptables  -t filter  -A iglobal     -p  tcp  --destination-port  1080  -m state --state NEW  -j ACCEPT
/sbin/iptables  -t filter  -A iglobal     -p  tcp  --destination-port  80  -m state --state NEW  -j ACCEPT
/sbin/iptables  -t filter  -A iglobal     -p  udp  --destination-port  9091  -m state --state NEW  -j ACCEPT
/sbin/iptables  -t filter  -A iglobal     -p  tcp  --destination-port  9091  -m state --state NEW  -j ACCEPT
/sbin/iptables  -t filter  -A iglobal     -p  udp  --destination-port  7777  -m state --state NEW  -j ACCEPT
/sbin/iptables  -t filter  -A iglobal     -p  tcp  --destination-port  7777  -m state --state NEW  -j ACCEPT
/sbin/iptables  -t filter  -A iglobal     -p  udp  --destination-port  5222  -m state --state NEW  -j ACCEPT
/sbin/iptables  -t filter  -A iglobal     -p  tcp  --destination-port  5222  -m state --state NEW  -j ACCEPT
/sbin/iptables  -t filter  -A iglobal     -p  udp  --destination-port  6677  -m state --state NEW  -j ACCEPT
/sbin/iptables  -t filter  -A iglobal     -p  tcp  --destination-port  6677  -m state --state NEW  -j ACCEPT
/sbin/iptables  -t filter  -A iglobal     -p  udp  --destination-port  139  -m state --state NEW  -j ACCEPT
/sbin/iptables  -t filter  -A iglobal     -p  tcp  --destination-port  139  -m state --state NEW  -j ACCEPT
/sbin/iptables  -t filter  -A iglobal     -p  udp  --destination-port  445  -m state --state NEW  -j ACCEPT
/sbin/iptables  -t filter  -A iglobal     -p  tcp  --destination-port  445  -m state --state NEW  -j ACCEPT
/sbin/iptables  -t filter  -A iglobal     -p  udp  --destination-port  137  -m state --state NEW  -j ACCEPT
/sbin/iptables  -t filter  -A iglobal     -p  tcp  --destination-port  137  -m state --state NEW  -j ACCEPT
/sbin/iptables  -t filter  -A iglobal     -p  udp  --destination-port  138  -m state --state NEW  -j ACCEPT
/sbin/iptables  -t filter  -A iglobal     -p  tcp  --destination-port  138  -m state --state NEW  -j ACCEPT
/sbin/iptables  -t filter  -A iglobal     -p  tcp  --destination-port  389  -m state --state NEW  -j drop
/sbin/iptables  -t filter  -A iglobal     -p  udp  --destination-port  67  -m state --state NEW  -j ACCEPT
/sbin/iptables  -t filter  -A iglobal     -p  udp  --destination-port  69  -m state --state NEW  -j ACCEPT
/sbin/iptables  -t filter  -A iglobal     -p  tcp  --destination-port  22  -m state --state NEW  -j ACCEPT
/sbin/iptables  -t filter  -A iglobal     -p  tcp  --destination-port  443  -m state --state NEW  -j ACCEPT
/sbin/iptables -A ftoexternalonly -j fdrop
/sbin/iptables -A ointernal  -m state --state NEW  -p udp --dport 123 -j ACCEPT
/sbin/iptables  -t filter  -A fglobal   --source   192.168.11.136/32  --destination   169.254.0.0/16  -p  !  icmp --icmp-type echo-request ! -f   -j ACCEPT
/sbin/iptables  -t filter  -A fglobal   --source   192.168.11.136/32  --destination   169.254.0.0/16  -p  !  icmp --icmp-type echo-reply ! -f   -j ACCEPT
/sbin/iptables  -t filter  -A fglobal   --source   192.168.11.136/32  --destination   169.254.0.0/16  -p  !  icmp --icmp-type destination-unreachable ! -f   -j ACCEPT
/sbin/iptables  -t filter  -A fglobal   --source   192.168.11.136/32  --destination   169.254.0.0/16  -p  !  icmp --icmp-type source-quench ! -f   -j ACCEPT
/sbin/iptables  -t filter  -A fglobal   --source   192.168.11.136/32  --destination   169.254.0.0/16  -p  !  icmp --icmp-type parameter-problem ! -f   -j ACCEPT
/sbin/iptables  -t filter  -A fglobal   --source   192.168.11.80/32  --destination   192.168.10.137/32  -p  tcp  --destination-port  80    -j ACCEPT
/sbin/iptables  -t filter  -A fglobal   --source   192.168.11.0/24  --destination   192.168.10.250/32    -j ACCEPT
/sbin/iptables  -t filter  -A fglobal   --source   192.168.11.0/24     -j drop
/sbin/iptables  -t filter  -A fglobal       -j ACCEPT
/sbin/iptables  -t filter  -A fglobal   --source   192.168.11.0/24  --destination   10.10.0.0/24    -j ACCEPT
/sbin/iptables -A ffwdrules -i eth0 -j RETURN
/sbin/iptables  -t filter  -A oglobal     -m state --state NEW  -j ACCEPT
/sbin/sysctl -q -w net.ipv4.ip_forward="1"
/sbin/sysctl -q -w net.ipv4.tcp_syncookies="1"
/sbin/sysctl -q -w net.ipv4.conf.all.log_martians="0"
/sbin/sysctl -q -w net.ipv4.conf.all.accept_redirects="0"
/sbin/sysctl -q -w net.ipv4.conf.all.send_redirects="0"
/sbin/sysctl -q -w net.ipv4.conf.all.accept_source_route="0"
/sbin/sysctl -q -w net.ipv4.icmp_ignore_bogus_error_responses="1"
/sbin/sysctl -q -w net.ipv4.icmp_echo_ignore_broadcasts="1" failed. 
Error output: Using intrapositioned negation (`--option ! this`) is deprecated in favor of extrapositioned (`! --option this`).
 Bad argument `00:19:db:c6:50:b7'
 Try `iptables -h' or 'iptables --help' for more information.

Command output: . 
Exit value: 2
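The rule that actually aborts the script is the one behind "Bad argument `00:19:db:c6:50:b7'": after `-s` there is no address, only `!`, so iptables takes `--mac-source` as the source value and the MAC as a stray argument, and `set -e` stops the whole run there; the "intrapositioned negation" line above it is only a warning, as the `-p ! icmp` rules further down show (the double space in `-s  !` is consistent with an object member whose IP is empty, as in comment:1). The following shell lint is an added example, not Zentyal's code, that separates the fatal case from the merely deprecated one before a generated ruleset is applied; the sample rules are copied from this ticket's output.

```shell
#!/bin/sh
# Added example: pre-flight lint for a generated iptables rule list.
# It tells apart two things that both trigger the "intrapositioned
# negation" message:
#   WARN  "-p ! icmp"          value present, just the deprecated form
#   FATAL "-s ! --mac-source"  value missing, the next token is an option,
#                              so iptables aborts and 'set -e' stops the script
# Rules are read from stdin, one per line; the exit status is 1 if any
# FATAL finding was seen.

lint_iptables_rules() {
    fatal=0
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        set -- $line   # word-split the rule into its argv (these rules carry no quoting)
        prev=''
        while [ $# -gt 0 ]; do
            case "$prev" in
                -s|-d|--source|--destination|-p|--protocol|-i|-o|--in-interface|--out-interface)
                    if [ "$1" = '!' ]; then
                        # "-opt ! X": deprecated, and fatal when X is absent or is itself an option
                        case "${2:-}" in
                            ''|-*) echo "FATAL missing value for $prev: $line"; fatal=1 ;;
                            *)     echo "WARN  intrapositioned negation on $prev: $line" ;;
                        esac
                    else
                        case "$1" in
                            -*) echo "FATAL missing value for $prev: $line"; fatal=1 ;;
                        esac
                    fi ;;
            esac
            prev=$1
            shift
        done
    done
    return $fatal
}

# Constructed sample: three lines copied from the ticket's failing run.
# The first is the rule that fails, the second uses valid extrapositioned
# negation ("! -i eth0"), the third is deprecated but still loads.
SAMPLE_RULES='/sbin/iptables -A inospoof -m mac -s  ! --mac-source 00:19:db:c6:50:b7 -j idrop
/sbin/iptables -A fnospoof -s 192.168.10.41/255.255.255.0 ! -i eth0 -j fdrop
/sbin/iptables -t filter -A fglobal --source 192.168.11.136/32 --destination 169.254.0.0/16 -p ! icmp --icmp-type echo-request ! -f -j ACCEPT'

if printf '%s\n' "$SAMPLE_RULES" | lint_iptables_rules; then
    echo "ruleset would load"
else
    echo "ruleset would abort under set -e; fix the empty address before applying"
fi
```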

Attachments

Change History

comment:1 Changed 21 months ago by lioncub@…

In "Objects > Members" the IP address is missing!!! ???

When you add an IP:

2011/08/30 19:09:02 DEBUG> Base.pm:577 EBox::CGI::Base::setErrorFromException - Can't call method "overlaps" on an undefined value at /usr/share/perl5/EBox/Objects/Model/MemberTable.pm line 184. $VAR1 = bless( {
  '-file' => '/usr/share/perl5/EBox/Objects/Model/MemberTable.pm', '-text' => 'Can\'t call method "overlaps" on an undefined value', '-line' => '184', '-package' => 'Error'
}, 'Error::Simple' );

comment:2 Changed 21 months ago by lioncub@…

After deleting all Objects:

Error output: Using intrapositioned negation (`--option ! this`) is deprecated in favor of extrapositioned (`! --option this`).
 iptables: Invalid argument. Run `dmesg' for more information.

Command output: . 
Exit value: 1

Next... Unchecked "Inverse match" in "Packet Filter > Internal networks":

# /etc/init.d/zentyal firewall start
 * Restarting Zentyal module: firewall                                                                                                                [ OK ] 

What is?

comment:3 Changed 21 months ago by jacalvo@…

  • Owner changed from jsalamero to cperez@…

comment:4 Changed 21 months ago by cperez@…

  • Status changed from new to assigned

Probably this was caused by a corruption in your configuration backend; can you post the output of this command? It will show the installed version of each Zentyal package:

dpkg -l | grep zentyal

Thank you for your report

comment:5 Changed 21 months ago by lioncub@…

$ dpkg -l | grep zentyal
ii  libhtml-mason-perl                1:1.44-1+zentyal1                 HTML::Mason Perl module
ii  libjs-jquery                      1.5-2ubuntu1+zentyal1             JavaScript library for dynamic web applicati
ii  liblog-any-perl                   0.11-1+zentyal1                   Log anywhere
ii  php-net-smtp                      1.4.2-3+zentyal1                  PHP PEAR module implementing SMTP protocol
ii  zentyal-antivirus                 2.1.3                             Zentyal - Antivirus
ii  zentyal-common                    2.1.8                             Zentyal - Common Library
ii  zentyal-core                      2.1.27                            Zentyal - Core
ii  zentyal-dhcp                      2.1.6                             Zentyal - DHCP Service
ii  zentyal-firewall                  2.1.6                             Zentyal - Firewall
ii  zentyal-network                   2.1.11                            Zentyal - Network Configuration
ii  zentyal-ntp                       2.1.5                             Zentyal - NTP Service
ii  zentyal-objects                   2.1.3                             Zentyal - Network Objects
ii  zentyal-samba                     2.1.6                             Zentyal - File Sharing Service
ii  zentyal-services                  2.1.7                             Zentyal - Network Services
ii  zentyal-software                  2.1.11                            Zentyal - Software Management
ii  zentyal-squid                     2.1.8                             Zentyal - HTTP Proxy (Cache and Content Filt
ii  zentyal-usercorner                2.1.5                             Zentyal - User Corner
ii  zentyal-users                     2.1.10                            Zentyal - Users and Groups

comment:6 Changed 21 months ago by cperez@…

Versions are OK; can you try to remove and recreate the object? If it was caused by a database corruption, that action should fix your problem.

comment:7 Changed 21 months ago by lioncub@…

Checked "Inverse match" in "Packet Filter > Internal networks" and saved:

Some modules reported error when saving changes . More information on the logs in /var/log/zentyal/

The following modules failed while saving their changes, their state is unknown: firewall The following modules failed while saving their changes, their state is unknown: firewall at /usr/share/perl5/EBox/GlobalImpl.pm line 648 EBox::GlobalImpl::saveAllModules('EBox::GlobalImpl=HASH(0x32c9e88)', 'progress', 'EBox::ProgressIndicator=HASH(0x32f9f10)') called at /usr/share/perl5/EBox/Global.pm line 95 EBox::Global::AUTOLOAD('EBox::Global=HASH(0x32fa300)', 'progress', 'EBox::ProgressIndicator=HASH(0x32f9f10)') called at /usr/share/zentyal/global-action line 39 

comment:8 Changed 21 months ago by cperez@…

  • Status changed from assigned to closed
  • Resolution set to worksforme

But did you remove the object before? I did a test again and it worked for me.

Please reopen if you try to completely remove your objects, recreate them and it still fails.

comment:9 Changed 21 months ago by lioncub@…

Thank you, kind of works ...
