Run as root "shorewall restart" or look in the log /var/log/shorewall-init.log:

...
lis 27 15:36:09 Processing /etc/shorewall/start ...
WARNING: The state match is obsolete. Use conntrack instead.
WARNING: The state match is obsolete. Use conntrack instead.
WARNING: The state match is obsolete. Use conntrack instead.
WARNING: The state match is obsolete. Use conntrack instead.
WARNING: The state match is obsolete. Use conntrack instead.
WARNING: The state match is obsolete. Use conntrack instead.
lis 27 15:36:09 Processing /etc/shorewall/started ...
lis 27 15:36:09 done
...

I found that: "Under iptables-1.4.16.2 the firewall script warns "WARNING: The state match is obsolete. Use conntrack instead.". The "Setting Up a Network Firewall" page needs to replace "state --state" with "conntrack --ctstate" in all of the scripts."

Rpm: iptables-1.4.16.3-1.mga3

The files that include "state --state" are /etc/ifw/rules.d/psd (mandi-ifw-1.2-1.mga2 -> mandi-1.2-1.mga2.src.rpm) and /etc/ifw/rules (I have this file, but I can't find the sources. Maybe drakfirewall?).
CC: (none) => chmielu1_a
CC: chmielu1_a => (none)
yep seems so, thanks http://svnweb.mageia.org/soft/drakx-net/trunk/lib/network/drakfirewall.pm?r1=3614&r2=3626
Keywords: (none) => Junior_job
CC: (none) => mageia, thierry.vignaud
Source RPM: ? => mandi-ifw drakx-net
CC: (none) => remco
works fine now
Status: NEW => RESOLVED
Resolution: (none) => FIXED
*** Bug 10392 has been marked as a duplicate of this bug. ***
CC: (none) => pkreuzt
Problem still present in libdrakx-net-1.24-1.mga3 Log contains messages WARNING: The state match is obsolete. Use conntrack instead. and interactive firewall is non functional.
Status: RESOLVED => REOPENED
CC: (none) => derekjenn
Resolution: FIXED => (none)
Created attachment 4109
Patch for Interactive Firewall

Patch to use 'conntrack' instead of the obsolete 'state' in iptables. Works for me, but requires attachment 4108 from Bug 9941 to be installed as well, or else drakfirewall fails during configuration.
Keywords: (none) => PATCH
Blino, WDYT?
CC: (none) => jani.valimaa
Assignee: bugsquad => derekjenn
CC: (none) => bozonius
I am seeing this message on my Mageia 3 32-bit server kernel as well. This is preventing me from accessing port 49040 from outside my VM (even from as nearby as the host). SSH and ping work though. Just not this higher port. Please inform me of any workaround.
I really do get these messages, but it turns out they have nothing to do with accessing that port. (The problem was my /etc/hosts file.) But note that this is also happening on 32 bit Mageia.
This bug prevents the firewall from starting, so it will not prevent accessing any ports. The workaround is to apply the patch in attachment 4109, but if you wait a couple of days I will package it up as an update.
Blocks: (none) => 157
yes, I figured that out. See comment 8 -- it was my hosts file, not the fw at all.
mandi-1.3-1.mga3 and drakx-net-1.25-1.mga3 are in Mga3 core/updates_testing. The two packages together resolve Bug 8225, and drakx-net-1.25-1.mga3 also resolves Bug 157. The test procedure for both bugs is shown here.

SRPMS
----
mandi-1.3-1.mga3.src.rpm
drakx-net-1.25-1.mga3.src.rpm

RPMS
----
mandi-1.3-1.mga3.i586.rpm
mandi-ifw-1.3-1.mga3.i586.rpm
mandi-1.3-1.mga3.x86_64.rpm
mandi-ifw-1.3-1.mga3.x86_64.rpm
drakx-net-1.25-1.mga3.noarch.rpm
drakx-net-applet-1.25-1.mga3.noarch.rpm
drakx-net-text-1.25-1.mga3.noarch.rpm
libdrakx-net-1.25-1.mga3.noarch.rpm

Advisory
--------
This is a bug fix update to the firewall in Mageia 3 that prevented the interactive firewall option from working. (mga#8225)
In addition it fixes a bug in the Mageia network monitor applet to allow network monitoring without manually downloading the net_monitor package. (mga#157)

Test Procedure
--------------
Bug 157
1/ Before updating drakx-net ensure that the package net_monitor is not installed. Right click on the Mageia network applet and select 'Monitor Network'. Observe that nothing happens.
2/ Upgrade drakx-net to drakx-net-1.25-1. Log out and back in again to ensure you are using the updated applet. Repeat the test. A window should appear asking for the root password, and then the net_monitor package will be automatically installed and a monitor window will appear.
3/ Uninstall net_monitor, and then repeat, this time left clicking on the applet and selecting the Monitor button on the interface.

Bug 8225
1/ Before upgrading drakx-net and mandi go through the drakfirewall wizard in Mageia Control Centre, and when prompted select the interactive firewall option. Check the status of the firewall with the command
# systemctl status shorewall
Observe the message
WARNING: The state match is obsolete. Use conntrack instead.
2/ Upgrade mandi and drakx-net and reboot to ensure you are using the updated applet and daemon. Restart shorewall and check its status with
# systemctl restart shorewall
# systemctl status shorewall
Observe there is no warning message.
3/ Test the interactive firewall from another computer using for example telnet. From the remote computer
telnet <ip address>
The command will hang and there will be no output. Right click on the network applet and select the Interactive firewall window. Note that you see the attempted telnet access listed.
Note: the interactive firewall only logs an access from a particular ip/port once, so if you repeat the test you will not see it again until the next session.
Status: REOPENED => ASSIGNED
Hardware: x86_64 => All
Assignee: derekjenn => qa-bugs
Nicely done, thanks Derek and congratulations on your graduation :)
Version: Cauldron => 3
Whiteboard: (none) => has_procedure
Advisory 8225.adv uploaded to svn.
CC: (none) => davidwhodgins
Testing mga3 64

Confirmed bug 157 fixed. To save having to log out and in again you can
$ killall net_applet && net_applet &

There is still one conntrack warning Derek, there were two before so it's an improvement, but bug 8225 (this one) is not yet fully fixed.
WARNING: The state match is obsolete. Use conntrack instead.
Whiteboard: has_procedure => has_procedure feedback
Testing complete mga3_64, ok for me

for Bug 157
before: Uninstall net_monitor and right click on the Mageia network applet and select 'Monitor Network', nothing happens.
After: right click on the Mageia network applet and select 'Monitor Network', net_monitor is automatically installed after the root privileges.

#########################################################################

for Bug 8225
before:
# shorewall restart
Compiling...
...etc
Processing /etc/shorewall/params ...
Processing /etc/shorewall/shorewall.conf...
Processing /etc/shorewall/start ...
WARNING: The state match is obsolete. Use conntrack instead.
Processing /etc/shorewall/started ...
done.
# systemctl status shorewall
shorewall.service - Shorewall IPv4 firewall
...etc
May 19 18:00:23 david.david shorewall[2811]: Processing /etc/shorewall/start ...
May 19 18:00:23 david.david shorewall[2811]: WARNING: The state match is obsolete. Use conntrack instead.
May 19 18:00:23 david.david shorewall[2811]: Processing /etc/shorewall/started ...
May 19 18:00:23 david.david shorewall[2811]: done.
May 19 18:00:23 david.david systemd[1]: Started Shorewall IPv4 firewall.

after:
# shorewall restart
Compiling...
Processing /etc/shorewall/params ...
Processing /etc/shorewall/shorewall.conf...
Loading Modules...
Compiling /etc/shorewall/zones...
Compiling /etc/shorewall/interfaces...
Determining Hosts in Zones...
Locating Action Files...
Compiling /usr/share/shorewall/action.Drop for chain Drop...
Compiling /usr/share/shorewall/action.Broadcast for chain Broadcast...
Compiling /usr/share/shorewall/action.Invalid for chain Invalid...
Compiling /usr/share/shorewall/action.NotSyn for chain NotSyn...
Compiling /usr/share/shorewall/action.Reject for chain Reject...
Compiling /etc/shorewall/policy...
Running /etc/shorewall/initdone...
Compiling Kernel Route Filtering...
Compiling Martian Logging...
Compiling /etc/shorewall/tcrules...
Compiling MAC Filtration -- Phase 1...
Compiling /etc/shorewall/rules...
Compiling /etc/shorewall/conntrack...
Compiling MAC Filtration -- Phase 2...
Applying Policies...
Generating Rule Matrix...
Creating iptables-restore input...
Shorewall configuration compiled to /var/lib/shorewall/.restart
Restarting Shorewall....
Initializing...
Processing /etc/shorewall/init ...
Processing /etc/shorewall/tcclear ...
Setting up Route Filtering...
Setting up Martian Logging...
Setting up Proxy ARP...
Preparing iptables-restore input...
Running /sbin/iptables-restore...
Processing /etc/shorewall/start ...
ipset v6.16.1: Set cannot be created: set with the same name already exists
ipset v6.16.1: Set cannot be created: set with the same name already exists
Processing /etc/shorewall/started ...
done.
# systemctl status shorewall
shorewall.service - Shorewall IPv4 firewall
   Loaded: loaded (/usr/lib/systemd/system/shorewall.service; disabled)
   Active: active (exited) since Thu, 2013-08-22 16:34:20 CEST; 23s ago
  Process: 4820 ExecStart=/usr/sbin/shorewall $OPTIONS start (code=exited, status=0/SUCCESS)
   CGroup: name=systemd:/system/shorewall.service
Aug 22 16:34:20 david.david shorewall[4820]: Shorewall is already running
Aug 22 16:34:20 david.david systemd[1]: Started Shorewall IPv4 firewall.
CC: (none) => geiger.david68210
Testing complete mga3_32, ok for me: Bug 157 and Bug 8225 confirmed fixed

for Bug 157
before: Uninstall net_monitor and right click on the Mageia network applet and select 'Monitor Network', nothing happens.
After: right click on the Mageia network applet and select 'Monitor Network', net_monitor is automatically installed after the root privileges.

#########################################################################

for Bug 8225
before:
# shorewall restart
Compiling...
Processing /etc/shorewall/params ...
...etc
Processing /etc/shorewall/start ...
WARNING: The state match is obsolete. Use conntrack instead.
Processing /etc/shorewall/started ...
done.

after:
# shorewall restart
Compiling...
Processing /etc/shorewall/params ...
...etc
Processing /etc/shorewall/start ...
ipset v6.16.1: Set cannot be created: set with the same name already exists
ipset v6.16.1: Set cannot be created: set with the same name already exists
Processing /etc/shorewall/started ...
done.
# systemctl status shorewall
shorewall.service - Shorewall IPv4 firewall
   Loaded: loaded (/usr/lib/systemd/system/shorewall.service; disabled)
   Active: active (exited) since Thu, 2013-08-22 16:52:28 CEST; 35s ago
  Process: 3110 ExecStart=/usr/sbin/shorewall $OPTIONS start (code=exited, status=0/SUCCESS)
   CGroup: name=systemd:/system/shorewall.service
Aug 22 16:52:28 localhost shorewall[3110]: Processing /etc/shorewall/tcclear ...
Aug 22 16:52:28 localhost shorewall[3110]: Setting up Route Filtering...
Aug 22 16:52:28 localhost shorewall[3110]: Setting up Martian Logging...
Aug 22 16:52:28 localhost shorewall[3110]: Setting up Proxy ARP...
Aug 22 16:52:28 localhost shorewall[3110]: Preparing iptables-restore input...
Aug 22 16:52:28 localhost shorewall[3110]: Running /sbin/iptables-restore...
Aug 22 16:52:28 localhost shorewall[3110]: Processing /etc/shorewall/start ...
Aug 22 16:52:28 localhost shorewall[3110]: Processing /etc/shorewall/started ...
Aug 22 16:52:28 localhost shorewall[3110]: done.
Aug 22 16:52:28 localhost systemd[1]: Started Shorewall IPv4 firewall.
Are you restarting shorewall with 'shorewall restart' or one of 'service shorewall restart' or 'systemctl restart shorewall.service', David?

For me..
# service shorewall restart
Redirecting to /bin/systemctl restart shorewall.service
# service shorewall status
Redirecting to /bin/systemctl status shorewall.service
shorewall.service - Shorewall IPv4 firewall
   Loaded: loaded (/usr/lib/systemd/system/shorewall.service; enabled)
   Active: active (exited) since Thu, 2013-08-22 16:05:49 BST; 3s ago
  Process: 14208 ExecStop=/usr/sbin/shorewall $OPTIONS stop (code=exited, status=0/SUCCESS)
  Process: 14279 ExecStart=/usr/sbin/shorewall $OPTIONS start (code=exited, status=0/SUCCESS)
   CGroup: name=systemd:/system/shorewall.service
shorewall[14279]: Processing /etc/shorewall/tcclear ...
shorewall[14279]: Setting up Route Filtering...
shorewall[14279]: Setting up Martian Logging...
shorewall[14279]: Setting up Proxy ARP...
shorewall[14279]: Preparing iptables-restore input...
shorewall[14279]: Running /sbin/iptables-restore...
shorewall[14279]: Processing /etc/shorewall/start ...
shorewall[14279]: WARNING: The state match is obsolete. Use conntrack instead.
shorewall[14279]: Processing /etc/shorewall/started ...
shorewall[14279]: done.
systemd[1]: Started Shorewall IPv4 firewall.

I've even installed conntrack-tools in case it's missing something and rebooted.
Claire, I used the command 'shorewall restart'.
Thanks Claire. It is working for me. I think I left out the important instruction to run through the firewall GUI again after upgrading. Perhaps a note should be added to the advisory advising people to run through the GUI to ensure their computers are protected?

Also my testing instructions need some clarification. (I was in a hurry.) The interactive firewall only displays a hit when a New connection is made to one of the services running on the computer and selected in the firewall GUI to be monitored by the interactive firewall. So telnet was a bad choice to use for testing. A better choice is ssh or http, since testers might actually have those servers running.

So revised testing instructions for Bug 8225 are

Bug 8225
1/ Before upgrading drakx-net and mandi go through the drakfirewall wizard in Mageia Control Centre, and when prompted select the interactive firewall option. Check the status of the firewall with the command
# shorewall restart
Observe the messages
WARNING: The state match is obsolete. Use conntrack instead.
2/ Upgrade mandi and drakx-net and reboot to ensure you are using the updated applet and daemon. Run through the Mageia firewall GUI again. Restart shorewall and check its status with
# shorewall restart
Observe there is no warning message.
3/ Test the interactive firewall from another computer. The interactive firewall only displays NEW connections to services which are running on the computer and have been selected to be monitored by the interactive firewall in the drakfirewall wizard. For example test with ssh. Right click on the network applet and select the Interactive firewall window. From the remote computer ssh to the test computer, and observe that you see the connection listed in the interactive firewall display.
Note: the interactive firewall only logs an access from a particular ip/port ONCE, so if you repeat the test you will not see it again until the next session, or you give the command
service mandi restart
Ahh yes, indeed. After reconfiguring the firewall in mcc it's ok. Maybe should have a README.update.urpmi
Claire, better to use 'shorewall restart' to monitor the status of shorewall. systemctl always gives you the last few log lines for the service, which may include error lines from the previous run.
ok, that wasn't the case here though but stored for future reference, thanks.
(In reply to claire robinson from comment #20)
> Ahh yes, indeed. After reconfiguring the firewall in mcc it's ok.
>
> Maybe should have a README.update.urpmi

Hmm. Maybe I should put in a post install scriptlet to modify users' existing configurations to the new format. It is just a matter of looking at the contents of /etc/ifw/rules and replacing some text. Anyone who currently has Interactive firewall configured and does not run through the firewall GUI after upgrading this package, or after upgrading to mga4, will continue to have a non functioning firewall. I will give you a new version of mandi-ifw shortly.
Assignee: qa-bugs => derekjenn
Ok, mandi-1.3-1.1.mga3 and mandi-ifw-1.3-1.1.mga3 are in core/updates_testing. The advisory and test procedure are unchanged. On upgrading mandi-ifw it will convert the contents of /etc/ifw/rules to the new format. shorewall reads this file when it starts.
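The rewrite described in the first comment ("state --state" to "conntrack --ctstate") and the conversion of an existing /etc/ifw/rules file mentioned two comments up are the same text substitution. The script below is an added example of that conversion, with a check that can be run before and after; it is not the mandi-ifw post-install scriptlet and the rules file content is constructed for the demo, not the real /etc/ifw/rules. Both matches accept the same state names (NEW, ESTABLISHED, RELATED, INVALID), so the rules keep their meaning.

```shell
#!/bin/sh
# Added example, not Mageia's mandi-ifw scriptlet: rewrite iptables rule files
# that still use the obsolete "-m state --state" match so they use
# "-m conntrack --ctstate". The file path and rule lines are constructed here.

# Count rule lines in a file that still use the obsolete state match.
# grep -c prints 0 and exits 1 when nothing matches, so the "|| true"
# keeps the function usable under "set -e".
count_state_matches() {
    grep -c -- '-m state --state' "$1" || true
}

# Rewrite the file, leaving a backup at "$1.orig". Only the full
# "-m state --state" form is touched, so unrelated text is left alone.
# Written to a new file rather than "sed -i" so it works with any POSIX sed.
convert_state_to_conntrack() {
    cp -p "$1" "$1.orig"
    sed 's/-m state --state/-m conntrack --ctstate/g' "$1.orig" > "$1"
}

# Constructed sample in the shape of an interactive-firewall rules file.
demo_file=$(mktemp)
cat > "$demo_file" <<'EOF'
-A Ifw -m state --state NEW -p tcp --dport 22 -j LOG --log-prefix "Ifw: "
-A Ifw -m state --state NEW -p tcp --dport 80 -j LOG --log-prefix "Ifw: "
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
EOF

before=$(count_state_matches "$demo_file")
convert_state_to_conntrack "$demo_file"
after=$(count_state_matches "$demo_file")
echo "obsolete state matches: before=$before after=$after"
cat "$demo_file"
```

Running it against a copy of the real rules file shows, via the before/after counts, whether anything was left that would still trigger the shorewall warning; restart shorewall afterwards, as the test procedure does, since it only reads the file at start.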
Assignee: derekjenn => qa-bugs
Thanks Derek
Whiteboard: has_procedure feedback => has_procedure
Advisory 8225.adv updated in svn for new mandi srpm release number.
Testing complete on Mageia 3 i586 and x86_64. Someone from the sysadmin team please push 8225.adv to updates.
Keywords: (none) => validated_update
Whiteboard: has_procedure => has_procedure MGA3-64-OK MGA3-32-OK
CC: (none) => sysadmin-bugs
Update pushed: http://advisories.mageia.org/MGAA-2013-0110.html
Status: ASSIGNED => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED