Hi, I just tried to open a port on FirewallD in the Virtualmin webinterface. When I clicked apply, nothing happened. Then I restarted my Server and all my firewall rules are gone. I managed to enter some rules manually, but when I click on FirewallD in the webinterface, I get the following message: " Failed to list zones : Error: INVALID_ZONE"
How can I fix this error? I could not find anything about which rule is invalid.
Is there a way to get the basic configuration with all the standard rules for Virtualmin back?
Thanks in advance for your help!
Thank you this helps!
But I can not apply these rules, because I get the "Invalid Zones" error when I want to use FirewallD. Is there a way to detect which zone is invalid?
Or is it possible to uninstall FirewallD completely and use normal Linux Firewall instead?
There may (or may not) be something useful in there.
That's about all I can suggest because disabling firewallD and replacing it with CSF is one of the first things I do when I spin up a server, so I have no experience troubleshooting it.
If you decide to try CSF (Configserver Security and Firewall), note that there is a Webmin module for it.
Yes, you could shut down and disable or remove Firewalld and use the Linux firewall if you prefer. Debian doesn't ship a default firewall like other distros but surely iptables is installed and rules could already be setup on the Linux firewall page in Webmin.
If the Linux firewall page is empty of rules or are messed up, there should be a button toward the bottom that resets to a fresh set of fundamental rules.
The Webmin UI for Firewalld doesn't have that but there's a way to reset to defaults at the command line:
firewalld --permanent --reset-to-defaults
Check if the public zone is active.
firewall-cmd --zone=public --list-all
If it's active see how Firewalld in Webmin works at this point.
If you're still seeing errors about zones look in /etc/firewalld/zones and make sure public.xml and other default zone files exist. Default zones should have been created when the service started and are updated when new rules are applied. If .xml zone files are missing or messed up you can try replacing them from boilerplate files. (Bear in mind I'm accustomed to a CentOS directory structure, Debian's could be different.)
If the public zone shows as active try again in Webmin to apply rules to it.
If you are new to firewalls Richard's CSF suggestion is a good one. I'm comfortable with Firewalld and grew to like its zone system. But next time I'm starting from scratch I'll be trying CSF and ditching Fail2ban. First thing to know is to install CSF first with Debian's package manager, then install the Webmin module while it's running.
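The reply above suggests checking that /etc/firewalld/zones still holds public.xml and that the zone files are intact. The script below is an added example for this thread (not from the poster, Webmin or firewalld): it walks a zone directory, flags a missing public.xml, and flags any .xml file that is not a complete <zone>...</zone> document. The directory argument defaults to /etc/firewalld/zones, the path named in the thread; other distributions may differ, as the reply notes.

```shell
#!/bin/sh
# Added example: sanity-check a firewalld zone directory.
# Reports a missing public.xml and any zone file that does not open with
# <zone and close with </zone>, the kind of on-disk damage that can leave
# firewalld unable to list its zones. Constructed for this thread, not
# part of Webmin, Virtualmin or firewalld.
#
# usage: check_firewalld_zones [DIR]     (DIR defaults to /etc/firewalld/zones)
# Prints one line per problem found; returns 0 when the directory looks sane,
# 1 otherwise.
check_firewalld_zones() {
    dir="${1:-/etc/firewalld/zones}"
    problems=0

    if [ ! -d "$dir" ]; then
        echo "zone directory missing: $dir"
        return 1
    fi

    # A basic firewall needs only the public zone; firewalld writes other
    # zone files on demand when rules are added to them.
    if [ ! -f "$dir/public.xml" ]; then
        echo "public.xml missing in $dir"
        problems=$((problems + 1))
    fi

    for f in "$dir"/*.xml; do
        [ -e "$f" ] || continue
        # A usable zone file is a complete <zone> ... </zone> document.
        if ! grep -q '<zone' "$f" || ! grep -q '</zone>' "$f"; then
            echo "malformed zone file: $f"
            problems=$((problems + 1))
        fi
    done

    [ "$problems" -eq 0 ]
}

# Once the files look sane, query the running service (firewall-cmd options
# that exist in firewalld):
#   firewall-cmd --state
#   firewall-cmd --get-active-zones
#   firewall-cmd --zone=public --list-all
```

Run it as root (or any user that can read the zone directory) before reloading firewalld; a non-zero exit with no "malformed" lines means only that public.xml is absent, which is the case the thread ran into.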
Hi, thank you for your answer, this helps a lot! I tried the command firewalld --permanent --reset-to-defaults but I get the error "command not found". Then I checked if the xml files under /etc/firewalld/zones exist, and they were missing. So I copied the boilerplate files and used firewall-cmd --reload. Then I got the following output:
# firewall-cmd --reload
Error: COMMAND_FAILED: '/usr/sbin/ebtables-restore --noflush' failed:
line 4: RULE_REPLACE failed (No such file or directory): rule in chain PREROUTING
line 4: RULE_REPLACE failed (No such file or directory): rule in chain OUTPUT
line 4: RULE_REPLACE failed (No such file or directory): rule in chain POSTROUTING.
Do you have any idea what I can do to resolve this error? Thanks in advance for your help!
I hope I didn't give you a deprecated command. I copy/pasted from notes going back to 2018. I'll research it but for now it may not be pertinent anyway.
Since you didn't find public.xml in /etc/firewalld/zones (or the Debian equivalent location) I'm thinking the service may never have been started or it can't start. Does Webmin or systemctl status firewalld.service show it as running?
public.xml existed, but all the other zones did not. Status is running, but only after restarting the whole server. When I do systemctl restart firewalld it stops, but is unable to start again…
That's a sign something is working. For a basic firewall you need only the public zone. Other zone files won't be copied automatically by Firewalld until you customize by adding rules to them.
I've got an idea but it's a bit radical. Remove any .xml files in the zone directory and rename firewalld.conf so that it doesn't get parsed. The idea is to clean the slate to see if the service will start clean.
I finally fixed the problem! After some research I found out that iptables 1.8.2 is buggy on Debian Buster. I installed a newer version from buster backports and now it works as it should. I don't know why this is not fixed yet, I had this issue for a long time now. Hopefully in the future Virtualmin will get an integration for nftables.
Thanks for your help!