FirewallD Webmin page is blank, yet it's running

I did in place upgrade debian 10->11
Almost all is well.
main issue at the moment: Firewalld is running, but Webmin doesn't seem to know that… not fully.

  • On the Bootup/Shutdown page, it says the service is active and running
  • But on the FirewallD page, all I have is “Start FirewallD” and “Activate at Boot” - no zones, no other info showing.

Any ideas?

(BTW, I pasted the below. I’m actually running Debian 11. The dashboard hasn’t figured that out.)
UPDATE: A note and button showed up, saying a Debian 11 upgrade was seen, and allowing me to update the detected version :slight_smile:

Operating system Debian Linux 11
Webmin version 2.013
Virtualmin version 7.5

and the Virtualmin version is?
and “Start FirewallD” does?
Activate on boot is “Yes”

@MrPete,

Did you by chance install UFW which I believe comes with Debian?

UPDATE:

  • No UFW is not installed
  • Added Virtualmin version above, and used the (now appearing) “update detected version” button
  • Clicking “Start FirewallD” doesn’t appear to be doing anything. Yes, it’s activate on boot.
  • System->Bootup and Shutdown knows firewalld.service is active, running, and start on boot

And now I have some hints: something is eating ALL RAM… and the “OOM Killer” is going to work. :frowning:

@MrPete,

From the Command Line (CLI), try issuing:

sudo systemctl restart firewalld.service

then

sudo systemctl status firewalld.service

If it’s crashing, or otherwise not starting it should give you a hint as to what’s going on.

FURTHER QUESTION, perhaps @tpnsolutions has a hint?

  • The only way I’ve seen to get FirewallD running properly is via iptables-apply /etc/iptables.up.rules
  • But that’s a VERY old (2021) set of rules, probably defaults from long ago.
  • Since the FirewallD GUI isn’t showing up, I’d love to learn where, on Webmin/Virtualmin, the rules are actually stored?

Yes, it’s running. It does NOT run properly until I first use iptables-apply to set up the proper set of chains. :frowning:

@Joe keeps repeating that the software only manages what’s there, so…

@MrPete,

Can you send a screenshot of what you see on the “FirewallD” page in Virtualmin?

I assume you mean Webmin :wink:

@MrPete,

Did you try the commands I sent prior?

yes, and I answered. Should have said “firewalld” instead of “it” :wink:

Yes, it’s running. It does NOT run properly until I first use iptables-apply to set up the proper set of chains.

Dug in on the firewalld website. Documentation - Configuration - Directories | firewalld has the answer to where firewalld stores configuration:

  • default config is in /usr/lib/firewalld
  • permanent system config is in /etc/firewalld with files that override the defaults.

Now to debug some more…

Potential Progress:

  • There’s a semi-new firewalld configuration default, “FlushAllOnReload” which defaults to YES, thus causing all existing chains to be destroyed if firewalld is restarted! IF the permanent config contains everything needed, that’s not a problem.
  • Something is eating a LOT more RAM on this upgrade. I’ve bumped from 7GB to 16GB… we’ll see if that takes care of it :wink:
  • After a reboot, firewalld is NOT rebuilding the supposedly built-in hard-coded iptables chains. That looks like a firewalld issue to me. I’m reaching out to them.

I’m wondering if I can switch to nftables, which is the preferred back end. Hmmm…
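As an added example (not code from the thread, from Webmin/Virtualmin or from firewalld itself), the script below makes the two points from the posts above concrete: firewalld's permanent configuration is the vendor tree (/usr/lib/firewalld) shadowed file-by-file by /etc/firewalld, and FlushAllOnReload falls back to "yes" when firewalld.conf does not set it. The function names, the fixture directory layout and the sample XML/conf contents are constructed for the demonstration; the two directory paths and the conf path are parameters so the same functions can be pointed at a real host.

```shell
#!/bin/sh
# Added example: inspect firewalld's two configuration layers.
#   DEFAULT_DIR  vendor defaults      (on a real host: /usr/lib/firewalld)
#   ETC_DIR      permanent overrides  (on a real host: /etc/firewalld)
# A file under ETC_DIR with the same relative name as one under DEFAULT_DIR
# replaces it; files with no vendor counterpart are purely local.
# All paths below are parameters; the fixture is constructed, not a real host.

# Print "override <rel>" for each XML file under ETC_DIR that shadows a vendor
# file, and "local-only <rel>" for files that exist only under ETC_DIR.
firewalld_layers() {
    default_dir=$1; etc_dir=$2
    ( cd "$etc_dir" && find . -type f -name '*.xml' | sort ) | while IFS= read -r rel; do
        rel=${rel#./}
        if [ -f "$default_dir/$rel" ]; then
            printf 'override %s\n' "$rel"
        else
            printf 'local-only %s\n' "$rel"
        fi
    done
}

# Print the effective value of KEY in a firewalld.conf: comment lines and
# blank lines are ignored, the last assignment wins, and DEFAULT is printed
# when the key is absent (firewalld applies its compiled-in default then).
firewalld_conf_get() {
    conf=$1; key=$2; default=$3
    val=$(sed -n "s/^[[:space:]]*$key[[:space:]]*=[[:space:]]*//p" "$conf" | tail -n 1)
    printf '%s\n' "${val:-$default}"
}

# FlushAllOnReload is "yes" unless the conf explicitly sets it otherwise,
# which is why a restart drops every chain that is not in the permanent config.
flush_all_on_reload() {
    firewalld_conf_get "$1" FlushAllOnReload yes
}

# Build a constructed fixture (vendor tree + local tree + conf) and print its path.
make_fixture() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/lib/zones" "$tmp/lib/services" "$tmp/etc/zones" "$tmp/etc/services"
    printf '<zone><short>Public</short></zone>\n' > "$tmp/lib/zones/public.xml"
    printf '<service><short>SSH</short></service>\n' > "$tmp/lib/services/ssh.xml"
    # Permanent edits: a modified public zone and a zone that exists only locally.
    printf '<zone><short>Public</short><service name="ssh"/></zone>\n' > "$tmp/etc/zones/public.xml"
    printf '<zone><short>Mail</short></zone>\n' > "$tmp/etc/zones/mail.xml"
    cat > "$tmp/etc/firewalld.conf" <<'EOF'
# constructed firewalld.conf for the example
DefaultZone=public
# FlushAllOnReload=no   (commented out, so the default "yes" applies)
FirewallBackend=nftables
EOF
    printf '%s\n' "$tmp"
}

# Run the checks against the fixture when executed directly.
demo() {
    fx=$(make_fixture)
    firewalld_layers "$fx/lib" "$fx/etc"
    printf 'FlushAllOnReload=%s\n' "$(flush_all_on_reload "$fx/etc/firewalld.conf")"
    printf 'FirewallBackend=%s\n' "$(firewalld_conf_get "$fx/etc/firewalld.conf" FirewallBackend iptables)"
    rm -rf "$fx"
}

demo
```

On an actual host the same functions run as `firewalld_layers /usr/lib/firewalld /etc/firewalld` and `flush_all_on_reload /etc/firewalld/firewalld.conf`; anything applied only at runtime (for example chains loaded with iptables-apply) is not in either tree and will not survive a reload while FlushAllOnReload is yes. `firewall-cmd --runtime-to-permanent` is firewalld's own way of writing the current runtime configuration into /etc/firewalld, and `firewall-cmd --permanent --list-all` shows what the permanent default zone actually contains.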

@MrPete,

Odd, on installation of Virtualmin using the “install script” a default FirewallD “public ruleset” is created, then stored permanently between reboots. Changes when applied are also saved between reboots.

I’ve been looking around to see if there is an easy way to either “import” a ruleset, or otherwise “reset” as the former “iptables” module used to do.

I’ll let you know if I come across anything helpful.

@Joe, @Ilia,

Do you know if there is a FirewallD “reset” option like the old “iptables” module? For those cases where someone has accidentally deleted all the rules, or otherwise has an empty ruleset…

Virtualmin config system can do basic FirewallD configuration, i.e.:

virtualmin-config-system -i Fail2banFirewalld

Although, I’m not sure if that could fix a broken FirewallD instance. If you don’t want to invest time into digging deep into something that may be someone else’s bug, simply try purging the firewalld package (apt-get purge firewalld), then reinstall it and then run the command mentioned above to run basic FirewallD configuration.


@tpnsolutions , @Ilia – thanks all.

More progress. Turns out part of the problem is a bug installed into fail2ban and not fixed until after Debian 11 – see link below.

  • f2b actually doesn’t support nftables
  • someone inserted code impacting all multiport rules, converting ‘:’ to ‘-’ – apparently nft likes - and not colon?!! … reverted but damage done.
  • I’ve manually patched my copy to match the fix in the link, and switched again to iptables. We’ll see how this goes…

I had some time today so I started playing with this too. I upgraded to 11 before installing Virtualmin. Firewalld isn’t following the documentation on their site. I freaked a little when it didn’t show the default public zone, but I knew fail2ban appeared to be working. Anyhow, just looked at nftables and it’s there.

are you using nftables or iptables? Debian defaults to nftables.

Yes, fail2ban will appear to be working. It all depends on which and how many filters (“filter action jails”) you have activated. I’ve got quite a few (dovecot, postfix, postfix-sasl, sshd, proftpd, webmin-auth)

It will break due to the bug I noted above. And it does NOT properly support nftables – requires iptables to do “direct” ipset management. I’ve got thousands of IPs blocked at any given time.

I’m about to document my bottom line problem below. VERY curious if your “clean” install works correctly! And also if it would still work if switched to iptables…