Linux Firewall page does not refresh after reboot!

I feel I must say something about this issue I am facing. Not sure if it is a bug or not, but it is an issue that I thought you should know about.

On a fresh installation, all seems fine until I start getting hits on my fail2ban jails. These filtering rules issued by the f2b jails are properly shown in sudo iptables -v -L -n -x (see iptables output attached).

[1] see attached photos

'f2b-recidive in Chain INPUT' rarely shows in Linux Firewall even though it appears in (iptables -v -L -n -x).

[2] see attached photos

'Chain f2b-recidive' rarely shows in Linux Firewall even though it appears in (iptables -v -L -n -x).

[3]

WARNING! Your current IPtables configuration is invalid : iptables-restore v1.6.1: Set f2b-sshd doesn't exist. Error occurred at line: 55

This message may pop up at some point (after some reboots), at the very top in Webmin>Networking>Linux Firewall (IPv4). Sometimes it is fixed by a reboot but not always. This may however be related to the D-Bus failing at reboot as mentioned in this report: https://www.virtualmin.com/node/66358

Being a 'WARNING' can you verify that this can be safely ignored?

Status: 
Closed (fixed)

Comments

Title: fail2ban/firewalld cooperation issues » fail2ban - Linux Firewall page does not match iptables (most times)

Howdy -- hmm, that may indeed be related to the other issue you posted.

This may not be related to Virtualmin, and isn't something we're seeing with other installs -- my suggestion would be to follow up on the Dbus issue, and then once that's working, see if that resolves this issue you're seeing.

Hi andreychek, you are talking about issue #3 and I agree with you. How about issues #1 & #2? Shouldn't the Linux Firewall page reflect what is in my iptables?

Steps to reproduce problem:

  1. On the Linux firewall page, delete port 10000 from list of allowed ports
  2. Click 'Apply Configuration' button
  3. Verify that you cannot access webmin in the browser
  4. Go to a console and allow port 10000 to list of allowed ports in your firewall
  5. Verify that you now can access webmin in the browser
  6. The Linux firewall page does NOT show that 10000 is allowed now
  7. Do not press 'Revert Configuration' - just reboot
  8. After reboot, check the Linux firewall page - port 10000 is still missing.

Why do you not refresh configuration after reboot? What is the purpose of this page after reboot? To show you an invalid configuration? A lot of things may have changed during a reboot!!! To endanger you by accidentally applying long lost settings into your firewall? This is dangerous and illogical guys.

Title: fail2ban - Linux Firewall page does not match iptables (most times) » Linux Firewall page does not refresh after reboot!

Note that the Linux Firewall module by default shows rules from your config file, not necessarily the active rules - they are only made active when you click the Apply button.

Yes I am well aware of that. My point is why not refresh that page when you access it? If you do not want to do that, then you should at least make the user confirm before applying the rules displayed... otherwise, it is a disaster waiting to happen. Just my 5 cents.

Furthermore, the fact that sometimes the recidive chain appears here and sometimes not, tells me that there is some partial refresh during reboot. This is why other chains appear while recidive which is the last chain does not.

In comment #10, what did you do for step 4 to add port 10000?

I have since noticed that you are using Linux Firewall page as a buffer and not as a reflection of IPtables current configuration. I have also noticed that if you enable activate at boot, Linux Firewall page will load what configuration was there before reboot. I have also noticed that you have a feature called Directly edit firewall IPv4 rules instead of save file? Although I have not tried this I guess it does what it says.

So loads of functionality but I had to discover all this by trial and error. Would be nice if there was some place one could read up on these features, because I have removed firewalld due to the problems I stated in another issue.

So please close this thread and thanks for your time.

Status: Active » Closed (fixed)
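
The thread turns on the Linux Firewall page showing the saved rules file rather than the running ruleset, so a rule added from a console or by fail2ban is not in what Apply would load. The following is an added example, not part of the thread and not Webmin code: it compares the two in iptables-save format and lists ipset names the saved rules reference but that do not exist, the condition behind the "Set f2b-sshd doesn't exist" warning. It assumes Apply loads the save file with iptables-restore, replacing the running rules; the rule text and function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample data (not taken from the thread's attachments).
SAVED = """*filter
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m set --match-set f2b-sshd src -j REJECT
COMMIT
"""
LIVE = """*filter
:INPUT DROP [120:9000]
:OUTPUT ACCEPT [300:42000]
:f2b-recidive - [0:0]
-A INPUT -p tcp -j f2b-recidive
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 10000 -j ACCEPT
-A f2b-recidive -j RETURN
COMMIT
"""

def parse_rules(text):
    """Return {table: set(lines)} from iptables-save text, ignoring counters."""
    tables, table = defaultdict(set), None
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith("#") or line == "COMMIT":
            continue
        if line.startswith("*"):
            table = line[1:]
            continue
        # Packet/byte counters like [120:9000] always differ; drop them.
        tables[table].add(re.sub(r"\[\d+:\d+\]", "", line).strip())
    return tables

def drift(saved_text, live_text):
    """Rules an Apply would remove from, or add to, the running firewall.
    Set comparison only: rule order within a chain is not checked."""
    saved, live = parse_rules(saved_text), parse_rules(live_text)
    out = {"lost_on_apply": [], "added_on_apply": []}
    for t in sorted(set(saved) | set(live)):
        out["lost_on_apply"] += [(t, r) for r in sorted(live[t] - saved[t])]
        out["added_on_apply"] += [(t, r) for r in sorted(saved[t] - live[t])]
    return out

def missing_sets(saved_text, existing_sets):
    """ipset names the saved rules reference that do not exist on the host."""
    used = set(re.findall(r"--match-set\s+(\S+)", saved_text))
    return sorted(used - set(existing_sets))

if __name__ == "__main__":
    print(drift(SAVED, LIVE))
    print(missing_sets(SAVED, existing_sets=[]))
```

On a real host the inputs would be the contents of the module's save file, the output of iptables-save, and the set names printed by ipset list -n.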