I did an in-place upgrade of Debian 10 -> 11.
Almost all is well.
Main issue at the moment: Firewalld is running, but Webmin doesn’t seem to know that… not fully.
On the Bootup/Shutdown page, it says the service is active and running.
But on the FirewallD page, all I have is “Start FirewallD” and “Activate at Boot” - no zones, no other info showing.
Any ideas?
(BTW, I pasted the below. I’m actually running Debian 11. The dashboard hasn’t figured that out.) UPDATE: A note and button showed up, saying a Debian 11 upgrade was seen, and allowing me to update the detected version.
There’s a semi-new firewalld configuration default, “FlushAllOnReload”, which defaults to YES, thus causing all existing chains to be destroyed if firewalld is restarted! IF the permanent config contains everything needed, that’s not a problem.
Something is eating a LOT more RAM on this upgrade. I’ve bumped from 7GB to 16GB… we’ll see if that takes care of it.
After a reboot, firewalld is NOT rebuilding the supposedly built-in hard-coded iptables chains. That looks like a firewalld issue to me. I’m reaching out to them.
I’m wondering if I can switch to nftables, which is the preferred back end. Hmmm…
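A small check for the two settings under discussion above (FlushAllOnReload and the iptables/nftables backend), added here as an example; it is not code from this thread, from firewalld or from Virtualmin. It assumes the KEY=value layout of /etc/firewalld/firewalld.conf and the plain-text output of `firewall-cmd --list-all` and `firewall-cmd --permanent --list-all`; the config file and zone listings in the demo section are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example, not code from the thread or from firewalld/Virtualmin.
# Audits the two firewalld.conf settings that decide what a reload/restart does
# (FlushAllOnReload, FirewallBackend) and lists zone lines that exist only at
# runtime, i.e. the ones a reload throws away when FlushAllOnReload=yes.
# Assumptions: KEY=value syntax as in /etc/firewalld/firewalld.conf; the zone
# listings are the text of `firewall-cmd --list-all` and
# `firewall-cmd --permanent --list-all`. All sample data below is constructed.

# fw_setting CONF KEY DEFAULT: effective value of KEY (last uncommented line wins)
fw_setting() {
    val=$(grep -E "^[[:space:]]*$2[[:space:]]*=" "$1" 2>/dev/null \
          | tail -n 1 | cut -d= -f2- | tr -d '[:space:]')
    printf '%s\n' "${val:-$3}"
}

# fw_reload_risk CONF: "flush" if a reload drops every chain that is not in the
# permanent config (firewalld's shipped default), "keep" if FlushAllOnReload=no
fw_reload_risk() {
    case $(fw_setting "$1" FlushAllOnReload yes) in
        [Yy][Ee][Ss]) echo flush ;;
        *)            echo keep ;;
    esac
}

# fw_normalize FILE: strip indentation, blank lines and the "(active)" marker so
# runtime and permanent listings of the same zone compare line by line
fw_normalize() {
    sed -e 's/^[[:space:]]*//' -e 's/ (active)$//' -e '/^$/d' "$1"
}

# fw_runtime_only RUNTIME PERMANENT: print lines present only at runtime;
# exit status 1 when there are any (those rules die on the next reload)
fw_runtime_only() {
    perm=$(mktemp); fw_normalize "$2" > "$perm"
    only=$(fw_normalize "$1" | grep -Fxv -f "$perm" || true)
    rm -f "$perm"
    [ -n "$only" ] && printf '%s\n' "$only"
    [ -z "$only" ]
}

# --- constructed demo data (not from a real host) ---
demo=$(mktemp -d)
cat > "$demo/firewalld.conf" <<'EOF'
# FirewallBackend=iptables
FirewallBackend=nftables
FlushAllOnReload=yes
EOF
cat > "$demo/runtime.txt" <<'EOF'
public (active)
  target: default
  services: dhcpv6-client ssh http https
  rich rules:
    rule family="ipv4" source address="198.51.100.23" reject
EOF
cat > "$demo/permanent.txt" <<'EOF'
public
  target: default
  services: dhcpv6-client ssh http https
  rich rules:
EOF
printf 'backend=%s reload=%s\n' \
    "$(fw_setting "$demo/firewalld.conf" FirewallBackend nftables)" \
    "$(fw_reload_risk "$demo/firewalld.conf")"
if fw_runtime_only "$demo/runtime.txt" "$demo/permanent.txt"; then
    echo "runtime and permanent config agree"
else
    echo "^ runtime-only rules above would be lost on reload"
fi
rm -rf "$demo"
```

On a live host, point fw_setting at /etc/firewalld/firewalld.conf and feed fw_runtime_only the saved output of `firewall-cmd --list-all` and `firewall-cmd --permanent --list-all`. Anything it prints exists only at runtime; `firewall-cmd --runtime-to-permanent` copies it into the permanent config before a reload or restart discards it, which is the practical answer to the FlushAllOnReload=yes default.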
Odd, on installation of Virtualmin using the “install script” a default FirewallD “public ruleset” is created, then stored permanently between reboots. Changes when applied are also saved between reboots.
I’ve been looking around to see if there is an easy way to either “import” a ruleset, or otherwise “reset” as the former “iptables” module used to do.
I’ll let you know if I come across anything helpful.
Do you know if there is a FirewallD “reset” option like the old “iptables” module? For those cases where someone has accidentally deleted all the rules, or otherwise has an empty ruleset…
The Virtualmin config system can do basic FirewallD configuration, e.g.:
virtualmin-config-system -i Fail2banFirewalld
Although, I’m not sure if that could fix a broken FirewallD instance. If you don’t want to invest time into digging deep into something that may be someone else’s bug, simply try an apt-get purge of the firewalld package, then reinstall it, and then run the command mentioned above to do the basic FirewallD configuration.
I had some time today so I started playing with this too. I upgraded to 11 before installing Virtualmin. Firewalld isn’t following the documentation on their site. I freaked a little when it didn’t show the default public zone, but I knew fail2ban appeared to be working. Anyhow, just looked at nftables and it’s there.
Are you using nftables or iptables? Debian defaults to nftables.
Yes, fail2ban will appear to be working. It all depends on which and how many filters (“filter action jails”) you have activated. I’ve got quite a few (dovecot, postfix, postfix-sasl, sshd, proftpd, webmin-auth).
It will break due to the bug I noted above. And it does NOT properly support nftables – it requires iptables to do “direct” ipset management. I’ve got thousands of IPs blocked at any given time.
I’m about to document my bottom line problem below. VERY curious if your “clean” install works correctly! And also if it would still work if switched to iptables…