Bug 8225 - Log shorewall display "WARNING: The state match is obsolete. Use conntrack instead."
Summary: Log shorewall display "WARNING: The state match is obsolete. Use conntrack in...
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: RPM Packages
Version: 3
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact:
URL:
Whiteboard: has_procedure MGA3-64-OK MGA3-32-OK
Keywords: Junior_job, PATCH, validated_update
Duplicates: 10392
Depends on:
Blocks: 157
Reported: 2012-11-27 16:38 CET by Marcin Ch
Modified: 2013-09-20 07:48 CEST

See Also:
Source RPM: mandi-ifw drakx-net
CVE:
Status comment:


Attachments
Patch for Interactive Firewall (1.13 KB, patch)
2013-06-06 22:21 CEST, Derek Jennings

Description Marcin Ch 2012-11-27 16:38:39 CET
Run as root "shorewall restart" or look in log /var/log/shorewall-init.log:
 ...
lis 27 15:36:09 Processing /etc/shorewall/start ...
WARNING: The state match is obsolete. Use conntrack instead.
WARNING: The state match is obsolete. Use conntrack instead.
WARNING: The state match is obsolete. Use conntrack instead.
WARNING: The state match is obsolete. Use conntrack instead.
WARNING: The state match is obsolete. Use conntrack instead.
WARNING: The state match is obsolete. Use conntrack instead.
lis 27 15:36:09 Processing /etc/shorewall/started ...
lis 27 15:36:09 done
...
I found that:
"Under iptables-1.4.16.2 the firewall script warns "WARNING: The state 
match is obsolete. Use conntrack instead.". The "Setting Up a Network Firewall" 
page needs to replace "state --state" with "conntrack --ctstate" in all of the scripts."

Rpm: iptables-1.4.16.3-1.mga3

The files include "state --state" are /etc/ifw/rules.d/psd (mandi-ifw-1.2-1.mga2 -> mandi-1.2-1.mga2.src.rpm) and /etc/ifw/rules (I have this file, but I can't find sources. Maybe drakfirewall?).
Marcin Ch 2012-11-27 16:41:08 CET

CC: (none) => chmielu1_a

Marcin Ch 2012-11-27 16:42:58 CET

CC: chmielu1_a => (none)

Comment 1 Manuel Hiebel 2012-11-28 23:01:32 CET
yep seems so, thanks

http://svnweb.mageia.org/soft/drakx-net/trunk/lib/network/drakfirewall.pm?r1=3614&r2=3626

Keywords: (none) => Junior_job
CC: (none) => mageia, thierry.vignaud
Source RPM: ? => mandi-ifw drakx-net

Remco Rijnders 2012-11-29 07:41:35 CET

CC: (none) => remco

Comment 2 Manuel Hiebel 2013-02-21 13:10:27 CET
works fine now

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Comment 3 Derek Jennings 2013-06-06 22:01:57 CEST
*** Bug 10392 has been marked as a duplicate of this bug. ***

CC: (none) => pkreuzt

Comment 4 Derek Jennings 2013-06-06 22:05:31 CEST
Problem still present in libdrakx-net-1.24-1.mga3

Log contains messages
WARNING: The state match is obsolete. Use conntrack instead.

and interactive firewall is non functional.

Status: RESOLVED => REOPENED
CC: (none) => derekjenn
Resolution: FIXED => (none)

Comment 5 Derek Jennings 2013-06-06 22:21:03 CEST
Created attachment 4109 [details]
Patch for Interactive Firewall

Patch to use 'conntrack' instead of obsolete 'state'  in iptables

Works for me, but requires attachment 4108 [details] from Bug 9941 to be installed as well  or else drakfirewall fails during configuration.
Derek Jennings 2013-06-06 22:22:00 CEST

Keywords: (none) => PATCH

Comment 6 Thierry Vignaud 2013-06-07 16:43:15 CEST
Blino, WDYT?
Derek Jennings 2013-07-17 15:49:11 CEST

CC: (none) => jani.valimaa
Assignee: bugsquad => derekjenn

bozonius 2013-07-20 09:15:13 CEST

CC: (none) => bozonius

Comment 7 bozonius 2013-07-20 09:17:27 CEST
I am seeing this message on my Mageia 3 32-bit server kernel as well.  This is preventing me from accessing port 49040 from outside my VM (even from as nearby as the host).  SSH and ping work though.  Just not this higher port.  Please inform me of any workaround.
Comment 8 bozonius 2013-07-20 10:52:46 CEST
I really do get these messages, but it turns out they have nothing to do with accessing that port.  (The problem was my /etc/hosts file.)

But note that this is also happening on 32 bit Mageia.
Comment 9 Derek Jennings 2013-07-20 22:29:02 CEST
This bug prevents the firewall from starting, so it will not prevent accessing any ports.

The workaround is to apply the patch in attachment 4109 [details], but if you wait a couple of days I will package it up as an update.
Derek Jennings 2013-07-22 11:30:59 CEST

Blocks: (none) => 157

Comment 10 bozonius 2013-07-23 19:21:39 CEST
yes, I figured that out.  See comment 8 -- it was my hosts file, not the fw at all.
Comment 11 Derek Jennings 2013-08-21 20:08:37 CEST
mandi-1.3-1.mga3 and drakx-net-1.25-1.mga3 are in Mga3 core/updates_testing

The two packages together resolve Bug 8225, and drakx-net-1.25-1.mga3 also resolves Bug 157. The test procedure for both bugs is shown here.

SRPMS
----
mandi-1.3-1.mga3.src.rpm
drakx-net-1.25-1.mga3.src.rpm

RPMS
----
mandi-1.3-1.mga3.i586.rpm
mandi-ifw-1.3-1.mga3.i586.rpm
mandi-1.3-1.mga3.x86_64.rpm
mandi-ifw-1.3-1.mga3.x86_64.rpm
drakx-net-1.25-1.mga3.noarch.rpm
drakx-net-applet-1.25-1.mga3.noarch.rpm
drakx-net-text-1.25-1.mga3.noarch.rpm
libdrakx-net-1.25-1.mga3.noarch.rpm


Advisory
--------
This is a bug fix update to the firewall in Mageia 3 that prevented the interactive firewall option from working. (mga#8225)
In addition it fixes a bug in the mageia network monitor applet to allow network monitoring without manually downloading the net_monitor package. (mga#157)

Test Procedure
--------------
Bug 157
1/ Before updating drakx-net ensure that the package net_monitor is not installed.
Right click on the Mageia network applet and select 'Monitor Network'. Observe that nothing happens.

2/ Upgrade drakx-net to drakx-net-1.25-1. Log out and back in again to ensure you are using the updated applet. Repeat the test. A window should appear asking for root password, and then the net_monitor package will be automatically installed and a monitor window will appear.

3/ Uninstall net_monitor, and then repeat this time left clicking on the applet, and select the Monitor button on the interface.

Bug 8225
1/ Before upgrading drakx-net and mandi go through the drakfirewall wizard in Mageia Control Centre, and when prompted select the interactive firewall option.
Check the status of the firewall with the command
# systemctl status shorewall

Observe the message

WARNING: The state match is obsolete. Use conntrack instead.

2/ Upgrade mandi and drakx-net and reboot to ensure you are using the updated applet and daemon.
Restart shorewall and check its status with
# systemctl restart shorewall
# systemctl status shorewall

Observe there is no warning message

3/ Test the interactive firewall from another computer using for example telnet.
From the remote computer 
telnet <ip address>  The command will hang and there will be no output.
Right click on the network applet and select the Interactive firewall window
Note you see the attempted telnet access listed.

Note: the interactive firewall only logs an access from a particular ip/port once, so if you repeat the test you will not see it again until the next session.

Status: REOPENED => ASSIGNED
Hardware: x86_64 => All
Assignee: derekjenn => qa-bugs

Comment 12 claire robinson 2013-08-21 20:27:23 CEST
Nicely done, thanks Derek and congratulations on your graduation :)
claire robinson 2013-08-21 20:27:45 CEST

Version: Cauldron => 3

claire robinson 2013-08-21 20:28:07 CEST

Whiteboard: (none) => has_procedure

Comment 13 Dave Hodgins 2013-08-22 04:07:21 CEST
Advisory 8225.adv uploaded to svn.

CC: (none) => davidwhodgins

Comment 14 claire robinson 2013-08-22 16:27:31 CEST
Testing mga3 64

Confirmed bug 157 fixed.

To save having to log out and in again you can 
$ killall net_applet && net_applet &

There is still one conntrack warning Derek, there was two before so it's an improvement but bug 8225 (this one) is not yet fully fixed.

WARNING: The state match is obsolete. Use conntrack instead.

Whiteboard: has_procedure => has_procedure feedback

Comment 15 David GEIGER 2013-08-22 16:38:00 CEST
Testing complete mga3_64, ok for me 

for Bug 157

before:
Uninstall net_monitor and right click on the Mageia network applet and select 'Monitor Network', nothing happens.

After:
right click on the Mageia network applet and select 'Monitor Network', net_monitor is automatically installed after the root privileges.

#########################################################################
for Bug 8225

before:
# shorewall restart
Compiling...
...etc
Processing /etc/shorewall/params ...
Processing /etc/shorewall/shorewall.conf...
Processing /etc/shorewall/start ...
WARNING: The state match is obsolete. Use conntrack instead.
Processing /etc/shorewall/started ...
done.

# systemctl status shorewall
shorewall.service - Shorewall IPv4 firewall
...etc
May 19 18:00:23 david.david shorewall[2811]: Processing /etc/shorewall/start ...
May 19 18:00:23 david.david shorewall[2811]: WARNING: The state match is obsolete. Use conntrack instead.
May 19 18:00:23 david.david shorewall[2811]: Processing /etc/shorewall/started ...
May 19 18:00:23 david.david shorewall[2811]: done.
May 19 18:00:23 david.david systemd[1]: Started Shorewall IPv4 firewall.

after:
# shorewall restart
Compiling...
Processing /etc/shorewall/params ...
Processing /etc/shorewall/shorewall.conf...
Loading Modules...
Compiling /etc/shorewall/zones...
Compiling /etc/shorewall/interfaces...
Determining Hosts in Zones...
Locating Action Files...
Compiling /usr/share/shorewall/action.Drop for chain Drop...
Compiling /usr/share/shorewall/action.Broadcast for chain Broadcast...
Compiling /usr/share/shorewall/action.Invalid for chain Invalid...
Compiling /usr/share/shorewall/action.NotSyn for chain NotSyn...
Compiling /usr/share/shorewall/action.Reject for chain Reject...
Compiling /etc/shorewall/policy...
Running /etc/shorewall/initdone...
Compiling Kernel Route Filtering...
Compiling Martian Logging...
Compiling /etc/shorewall/tcrules...
Compiling MAC Filtration -- Phase 1...
Compiling /etc/shorewall/rules...
Compiling /etc/shorewall/conntrack...
Compiling MAC Filtration -- Phase 2...
Applying Policies...
Generating Rule Matrix...
Creating iptables-restore input...
Shorewall configuration compiled to /var/lib/shorewall/.restart
Restarting Shorewall....
Initializing...
Processing /etc/shorewall/init ...
Processing /etc/shorewall/tcclear ...
Setting up Route Filtering...
Setting up Martian Logging...
Setting up Proxy ARP...
Preparing iptables-restore input...
Running /sbin/iptables-restore...
Processing /etc/shorewall/start ...
ipset v6.16.1: Set cannot be created: set with the same name already exists
ipset v6.16.1: Set cannot be created: set with the same name already exists
Processing /etc/shorewall/started ...
done.

# systemctl status shorewall
shorewall.service - Shorewall IPv4 firewall
          Loaded: loaded (/usr/lib/systemd/system/shorewall.service; disabled)
          Active: active (exited) since Thu, 2013-08-22 16:34:20 CEST; 23s ago
         Process: 4820 ExecStart=/usr/sbin/shorewall $OPTIONS start (code=exited, status=0/SUCCESS)
          CGroup: name=systemd:/system/shorewall.service

Aug 22 16:34:20 david.david shorewall[4820]: Shorewall is already running
Aug 22 16:34:20 david.david systemd[1]: Started Shorewall IPv4 firewall.

CC: (none) => geiger.david68210

Comment 16 David GEIGER 2013-08-22 16:57:33 CEST
Testing complete mga3_32, ok for me :

Bug 157 and Bug 8225 confirmed fixed


for Bug 157

before:
Uninstall net_monitor and right click on the Mageia network applet and select 'Monitor Network', nothing happens.

After:
right click on the Mageia network applet and select 'Monitor Network', net_monitor is automatically installed after the root privileges.

#########################################################################
for Bug 8225

before:
# shorewall restart
Compiling...
Processing /etc/shorewall/params ...
...etc
Processing /etc/shorewall/start ...
WARNING: The state match is obsolete. Use conntrack instead.
Processing /etc/shorewall/started ...
done.

after:
# shorewall restart
Compiling...
Processing /etc/shorewall/params ...
...etc
Processing /etc/shorewall/start ...
ipset v6.16.1: Set cannot be created: set with the same name already exists
ipset v6.16.1: Set cannot be created: set with the same name already exists
Processing /etc/shorewall/started ...
done.

# systemctl status shorewall
shorewall.service - Shorewall IPv4 firewall
          Loaded: loaded (/usr/lib/systemd/system/shorewall.service; disabled)
          Active: active (exited) since Thu, 2013-08-22 16:52:28 CEST; 35s ago
         Process: 3110 ExecStart=/usr/sbin/shorewall $OPTIONS start (code=exited, status=0/SUCCESS)
          CGroup: name=systemd:/system/shorewall.service

Aug 22 16:52:28 localhost shorewall[3110]: Processing /etc/shorewall/tcclear ...
Aug 22 16:52:28 localhost shorewall[3110]: Setting up Route Filtering...
Aug 22 16:52:28 localhost shorewall[3110]: Setting up Martian Logging...
Aug 22 16:52:28 localhost shorewall[3110]: Setting up Proxy ARP...
Aug 22 16:52:28 localhost shorewall[3110]: Preparing iptables-restore input...
Aug 22 16:52:28 localhost shorewall[3110]: Running /sbin/iptables-restore...
Aug 22 16:52:28 localhost shorewall[3110]: Processing /etc/shorewall/start ...
Aug 22 16:52:28 localhost shorewall[3110]: Processing /etc/shorewall/started ...
Aug 22 16:52:28 localhost shorewall[3110]: done.
Aug 22 16:52:28 localhost systemd[1]: Started Shorewall IPv4 firewall.
Comment 17 claire robinson 2013-08-22 17:11:01 CEST
Are you restarting shorewall with 'shorewall restart' or one of 'service shorewall restart' or 'systemctl restart shorewall.service' David?

For me..

# service shorewall restart
Redirecting to /bin/systemctl restart shorewall.service

# service shorewall status
Redirecting to /bin/systemctl status shorewall.service
shorewall.service - Shorewall IPv4 firewall
          Loaded: loaded (/usr/lib/systemd/system/shorewall.service; enabled)
          Active: active (exited) since Thu, 2013-08-22 16:05:49 BST; 3s ago
         Process: 14208 ExecStop=/usr/sbin/shorewall $OPTIONS stop (code=exited, status=0/SUCCESS)
         Process: 14279 ExecStart=/usr/sbin/shorewall $OPTIONS start (code=exited, status=0/SUCCESS)
          CGroup: name=systemd:/system/shorewall.service

shorewall[14279]: Processing /etc/shorewall/tcclear ...
shorewall[14279]: Setting up Route Filtering...
shorewall[14279]: Setting up Martian Logging...
shorewall[14279]: Setting up Proxy ARP...
shorewall[14279]: Preparing iptables-restore input...
shorewall[14279]: Running /sbin/iptables-restore...
shorewall[14279]: Processing /etc/shorewall/start ...
shorewall[14279]: WARNING: The state match is obsolete. Use conntrack instead.
shorewall[14279]: Processing /etc/shorewall/started ...
shorewall[14279]: done.
systemd[1]: Started Shorewall IPv4 firewall.

I've even installed conntrack-tools in case it's missing something and rebooted.
Comment 18 David GEIGER 2013-08-22 17:14:02 CEST
Claire I used command 'shorewall restart'
Comment 19 Derek Jennings 2013-08-22 17:28:29 CEST
Thanks Claire.

It is working for me. I think I left out the important instruction to run through the firewall GUI again after upgrading.  Perhaps a note should be added to the advisory advising people to run through the GUI to ensure their computers are protected?

Also my testing instructions need some clarification. (I was in a hurry)
The interactive firewall only displays a hit when a New connection is made to one of the services running on the computer and selected in the firewall GUI to be monitored by the interactive firewall. So telnet was a bad choice to use for testing. A better choice is ssh or http since testers might actually have those servers running.

So revised testing instructions for Bug 8225 are


Bug 8225
1/ Before upgrading drakx-net and mandi go through the drakfirewall wizard in Mageia Control Centre, and when prompted select the interactive firewall option.
Check the status of the firewall with the command
# shorewall restart

Observe the messages

WARNING: The state match is obsolete. Use conntrack instead.

2/ Upgrade mandi and drakx-net and reboot to ensure you are using the updated applet and daemon.
Run through the mageia firewall GUI again.
Restart shorewall and check its status with
# shorewall restart

Observe there is no warning message

3/ Test the interactive firewall from another computer. The interactive firewall only displays NEW connections to services which are running on the computer and have been selected to be monitored by the interactive firewall in the drakfirewall wizard. For example test with ssh

Right click on the network applet and select the Interactive firewall window.
From the remote computer ssh to the test computer, and observe you see the connection listed in the interactive firewall display.

Note: the interactive firewall only logs an access from a particular ip/port ONCE, so if you repeat the test you will not see it again until the next session, or you give the command
service mandi restart
Comment 20 claire robinson 2013-08-22 17:31:42 CEST
Ahh yes, indeed. After reconfiguring the firewall in mcc it's ok.

Maybe should have a README.update.urpmi
Comment 21 Derek Jennings 2013-08-22 17:31:58 CEST
Claire
Better to use 'shorewall restart'  to monitor the status of shorewall.
systemctl always gives you the last few log lines for the service which may include error lines from the previous run.
Comment 22 claire robinson 2013-08-22 17:33:07 CEST
ok, that wasn't the case here though but stored for future reference, thanks.
Comment 23 Derek Jennings 2013-08-22 17:51:39 CEST
(In reply to claire robinson from comment #20)
> Ahh yes, indeed. After reconfiguring the firewall in mcc it's ok.
> 
> Maybe should have a README.update.urpmi


Hmm, maybe I should put in a post install scriptlet to modify users' existing configurations to the new format. It is just a matter of looking at the contents of /etc/ifw/rules and replacing some text.

Anyone who currently has Interactive firewall configured and does not run through the firewall GUI after upgrading this package, or after upgrading to mga4 will continue to have a non functioning firewall.

I will give you a new version of mandi-ifw shortly.

Assignee: qa-bugs => derekjenn

Comment 24 Derek Jennings 2013-08-22 22:22:44 CEST
Ok mandi-1.3-1.1.mga3 and mandi-ifw-1.3-1.1.mga3  are in core/updates_testing

Advisory and test procedure are unchanged.

On upgrading mandi-ifw it will convert the contents of /etc/ifw/rules to the new format. shorewall reads this file when it starts.

Assignee: derekjenn => qa-bugs

Comment 25 claire robinson 2013-08-22 22:27:02 CEST
Thanks Derek

Whiteboard: has_procedure feedback => has_procedure

Comment 26 Dave Hodgins 2013-08-22 23:21:19 CEST
Advisory 8225.adv updated in svn for new mandi srpm release number.
Comment 27 Dave Hodgins 2013-09-19 23:44:14 CEST
Testing complete on Mageia 3 i586 and x86_64.

Someone from the sysadmin team please push 8225.adv to updates.

Keywords: (none) => validated_update
Whiteboard: has_procedure => has_procedure MGA3-64-OK MGA3-32-OK
CC: (none) => sysadmin-bugs

Comment 28 Thomas Backlund 2013-09-20 07:48:44 CEST
Update pushed:
http://advisories.mageia.org/MGAA-2013-0110.html

Status: ASSIGNED => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED
