FirewallD - Invalid Zones

Operating system: Debian
OS version: 10 - Buster

Hi, I just tried to open a port on FirewallD in the Virtualmin webinterface. When I clicked apply, nothing happened. Then I restarted my Server and all my firewall rules are gone. I managed to enter some rules manually, but when I click on FirewallD in the webinterface, I get the following message: " Failed to list zones : Error: INVALID_ZONE"
How can I fix this error? I could not find anything about wich rule is invalid.
Is there a way to get the basic configuration with all the standard rules for Virtualmin back?
Thanks in advance for your help!

Hope this helps

Thank you this helps!
But I can not apply these rules, because I get the “Invalid Zones” error when I want to use FirewallD. Is there a way to detect wich zone is invalid?
Or is it possible to uninstall FirewallD completely and use normal Linux Firewall instead?

If I had to guess, my guess would be that it’s a firewallD error rather than a Webmin error per se.

Try this:

sudo firewall-cmd --get-zones
sudo firewall-cmd --get-active-zones

There may (or may not) be something useful in there.

That’s about all I can suggest because disabling firewallD and replacing it with CSF is one of the first things I do when I spin up a server, so I have no experience troubleshooting it.

If you decide to try CSF (Configserver Security and Firewall), note that there is a Webmin module for it.

Richard

1 Like

Yes, you could shut down and disable or remove Firewalld and use the Linux firewall if you prefer. Debian doesn’t ship a default firewall like other distros but surely iptables is installed and rules could already be setup on the Linux firewall page in Webmin.

If the Linux firewall page is empty of rules or are messed up, there should be a button toward the bottom that resets to a fresh set of fundamental rules.

The Webmin UI for Firewalld doesn’t have that but there’s a way to reset to defaults at the command line:

firewalld --permanent --reset-to-defaults

Check if the public zone is active.

firewall-cmd --zone=public --list-all

If it’s active see how Firewalld in Webmin works at this point.

If you’re still seeing errors about zones look in /etc/firewalld/zones and make sure public.xml and other default zone files exist. Default zones should have been created when the service started and are updated when new rules are applied. If .xml zone files are missing or messed up you can try replacing them from boilerplate files. (Bear in mind I’m accustomed to a CentOS directory structure, Debian’s could be different.)

rm -rf  /etc/firewalld/zones/
cp -r /usr/lib/firewalld/zones  /etc/firewalld/zones

Then try

firewall-cmd --reload
firewall-cmd --zone=public --list-all

If the public zone shows as active try again in Webmin to apply rules to it.

If you are new to firewalls Richard’s CSF suggestion is a good one. I’m comfortable with Firewalld and grew to like its zone system. But next time I’m starting from scratch I’ll be trying CSF and ditching Fail2ban. First thing to know is to install CSF first with Debian’s package manager, then install the Webmin module while it’s running.

1 Like

Hi, thank you for your answer, this helps a lot! I tried the command firewalld --permanent --reset-to-defaults but I get the error “command not found”. Then I checked if the xml files under /etc/firewalld/zones exist, and they were missing. So I copied the boilerplate files and used firewall-cmd --reload Then I got the following output:
# firewall-cmd --reload
Error: COMMAND_FAILED: ‘/usr/sbin/ebtables-restore --noflush’ failed:
line 4: RULE_REPLACE failed (No such file or directory): rule in chain PREROUTING
line 4: RULE_REPLACE failed (No such file or directory): rule in chain OUTPUT
line 4: RULE_REPLACE failed (No such file or directory): rule in chain POSTROUTING.

Do you have any idea what I can do to resolve this error? Thanks in advance for your help!

I hope I didn’t give you a deprecated command. I copy/pasted from notes going back to 2018. I’ll research it but for now it may not be pertinent anyway.

Since you didn’t find public.xml in /etc/firewalld/zones (or the Debian equivalent location) I’m thinking the service may never have been started or it can’t start. Does Webmin or systemctl status firewalld.service show it as running?

public.xml existed, but all the other zones did not. Status is running, but only after restarting the whole server. Wenn I do systemctl restart firewalld it stops, but is unable to start again


That’s a sign something is working. For a basic firewall you need only the public zone. Other zone files won’t be copied automatically by Firewalld until you customize by adding rules to them.

I’ve got an idea but it’s a bit radical. Remove any .xml files in the zone directory and rename firewalld.conf so that it doesn’t get parsed. The idea is to clean the slate to see if the service will start clean.

systemctl start firewalld.service

If no errors double check that it’s running.

systemctl status firewalld.service

If it’s running try adding a temporary rule.

firewall-cmd --zone=public --add-service=ftp

If no problems the rule can be made permanent.

firewall-cmd --zone=public --add-service=ftp --permanent

Is there a new public.xml file at this point? If so you should be able to apply other rules to the public zone using Webmin.

If the service won’t start you’ll need to figure out why. Or a less stressful approach may be to purge Firewalld and reinstall it.

I finally fixed the problem! After some research I found out that iptables 1.8.2 is buggy on Debian Buster. I installed a newer version from buster backports and now it works as it should. I dont know why this is not fixed yet, I had this issue for a long time now. Hopefully in a future Virtualmin will get an integration for nftables.
Thanks for your help!

1 Like

Glad it’s working. Thanks for following up, it might help another Debian user and I will know better next time. :wink:

1 Like

This topic was automatically closed 8 days after the last reply. New replies are no longer allowed.