FirewallD Webmin page is blank, yet it's running

SOLVED (I think). Below: how I diagnosed; issues found; potential bugs and room for improvement.

DIAGNOSING

  • As noted above, Webmin uses the equivalent of firewall-cmd --state; echo $? to determine whether firewalld is running and thus configurable.
  • I couldn’t determine what was actually causing my issues. Best way:
    • stop the service (systemctl stop firewalld)
    • manually run it, with debug output directed to a file:
      /usr/sbin/firewalld --nofork --debug=10 >/tmp/dbgout (debug 10 gives a LOT of output)
      NOTE: press ctrl-C after a bit to kill the process. All I wanted was the startup messages.
  • One by one, I went through the errors found, determined the problem, fixed it, and it went further
  • Once all errors were resolved, firewalld started up properly!
  • IMPORTANT HINT: the errors don’t necessarily relate directly to the symptoms seen. Just solve the errors, and seemingly unrelated problems “resolve themselves”

ISSUES FOUND

  • I was getting complaints that various ports were already configured. But they weren’t! The real problem: a public port enablement of ports 1025-65535. That causes all other port enablements in that range to fail (in Debian 11) but is not an issue in Debian 10.
    • Workaround: I deleted that from /etc/firewalld/zones/public.xml
  • There were several “direct” rules for fail2ban. Not sure where they came from, but I decided to clean everything up… and now it seems to work ok. Haven’t beaten up on reboots and such but I sense it will be ok.
    • The fixes (after stopping fail2ban):
      • #1: edit /etc/firewalld/direct.xml and remove any rules there
      • #2: edit /etc/fail2ban/jail.local and insert a banaction that uses firewalld rather than iptables directly:
      banaction = firewallcmd-ipset
      banaction_allports = firewallcmd-ipset

POTENTIAL BUGS, ROOM FOR IMPROVEMENT

  • If Webmin/Virtualmin is creating or allowing massive port ranges… especially overlapping ranges, stop it.
  • Ensure /etc/fail2ban/jail.local by default has the above banaction settings
  • It would help if the firewalld GUI displays any error from firewall-cmd --state including the exit code and a link to the exit code list. Seeing nothing on that page doesn’t tell me much :wink:

Hints for others:

  • if systemctl status firewalld shows ANY errors, go find out what is causing them. Until those are repaired, it will simply not work.
  • Overlapping port ranges are apparently a Big Deal in Debian 11.
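The overlapping-range problem described in the post can be checked for in a zone file before firewalld is restarted. The following is an added example, not code from the original post or from the firewalld project: it parses a zone file in the layout firewalld writes (`<port protocol="tcp" port="1025-65535"/>` entries under `<zone>`) and reports port entries that overlap on the same protocol. The sample zone is constructed, and reading the zone path from the command line is an assumption.

```python
"""Report overlapping <port> entries in a firewalld zone file (added example)."""
import sys
import xml.etree.ElementTree as ET
from itertools import combinations

# Constructed sample modelled on /etc/firewalld/zones/public.xml: a huge
# range plus single ports and a smaller range that fall inside it.
SAMPLE_ZONE = """<zone>
  <short>Public</short>
  <service name="ssh"/>
  <port protocol="tcp" port="1025-65535"/>
  <port protocol="tcp" port="10000"/>
  <port protocol="udp" port="10000"/>
  <port protocol="tcp" port="20000-20100"/>
  <port protocol="tcp" port="443"/>
</zone>
"""


def parse_ports(zone_xml):
    """Return a list of (protocol, low, high) tuples from the <port> elements."""
    root = ET.fromstring(zone_xml)
    entries = []
    for el in root.findall("port"):
        proto = el.get("protocol")
        low, _, high = el.get("port").partition("-")  # "80" or "1025-65535"
        low = int(low)
        high = int(high) if high else low
        entries.append((proto, low, high))
    return entries


def find_overlaps(entries):
    """Return pairs of entries on the same protocol whose ranges intersect."""
    overlaps = []
    for a, b in combinations(entries, 2):
        same_proto = a[0] == b[0]
        intersects = a[1] <= b[2] and b[1] <= a[2]
        if same_proto and intersects:
            overlaps.append((a, b))
    return overlaps


def format_entry(entry):
    """Render an entry the way firewall-cmd prints it, e.g. 1025-65535/tcp."""
    proto, low, high = entry
    return f"{low}/{proto}" if low == high else f"{low}-{high}/{proto}"


if __name__ == "__main__":
    # Assumed usage: python3 check_zone.py /etc/firewalld/zones/public.xml
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_ZONE
    for a, b in find_overlaps(parse_ports(text)):
        print(f"overlap: {format_entry(a)} and {format_entry(b)}")
```

On the constructed sample this reports the two tcp entries that sit inside 1025-65535; the udp entry and port 443 are left alone.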