Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss
Bug#983203: [firewalld] error - invalid ipset sshguard4
828 views
Skip to first unread message
Lyndon Brown
Feb 20, 2021, 9:20:03 PM2/20/21
to
Package: firewalld
Version: 0.9.3-2
Severity: important
I'm experiencing problems on a Sid system with firewalld and sshguard - firewalld does
not seem happy with the sshguard config for some reason.
I set things up for sshguard a while ago and today happened to notice a problem when trying to
add a temporary firewall rule while playing around with DLNA which resulted in an error...
`firewall-cmd --add-port=1900/udp` gave:
Error: COMMAND_FAILED: 'python-nftables' failed: internal:0:0-0: Error: Could not process rule: No such file or directory
JSON blob:
{"nftables": [{"metainfo": {"json_schema_version": 1}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_IN_public_allow", "expr": [{"match": {"left": {"payload": {"protocol": "udp", "field": "dport"}}, "op": "==", "right": 1900}}, {"match": {"left": {"ct": {"key": "state"}}, "op": "in", "right": {"set": ["new", "untracked"]}}}, {"accept": null}]}}}]}
Checking `systemctl status firewalld` led to the discovery that firewalld did not seem
happy with the existing permanent sshguard config, which had been added with the following
commands (per sshguard setup instructions):
1. firewall-cmd --permanent --zone=public --add-rich-rule="rule source ipset=sshguard4 drop"
2. firewall-cmd --permanent --zone=public --add-rich-rule="rule source ipset=sshguard6 drop"
`firewall-cmd --info-ipset=sshguard4` gives:
Error: INVALID_IPSET: sshguard4
`firewall-cmd --state` gives:
failed
`systemctl status firewalld` gives:
● firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
Active: active (running) since Sun 2021-02-21 00:44:38 GMT; 34min ago
Docs: man:firewalld(1)
Main PID: 1973 (firewalld)
Tasks: 2 (limit: 4636)
Memory: 25.1M
CPU: 1.328s
CGroup: /system.slice/firewalld.service
└─1973 /usr/bin/python3 /usr/sbin/firewalld --nofork --nopid
Feb 21 00:44:37 debian systemd[1]: Starting firewalld - dynamic firewall daemon...
Feb 21 00:44:38 debian systemd[1]: Started firewalld - dynamic firewall daemon.
Feb 21 00:44:38 debian firewalld[1973]: ERROR: INVALID_IPSET: sshguard4
Feb 21 00:44:38 debian firewalld[1973]: ERROR: 'python-nftables' failed: internal:0:0-0: Error: Could not process rule: No such file or directory
internal:0:0-0: Error: Could not process rule: No such file or directory
internal:0:0-0: Error: Could not process rule: No such file or directory
internal:0:0-0: Error: Could not process rule: No such file or directory
internal:0:0-0: Error: Could not process rule: No such file or directory
internal:0:0-0: Error: Could not process rule: No such file or directory
internal:0:0-0: Error: Could not process rule: No such file or directory
internal:0:0-0: Error: Could not process rule: No such file or directory
JSON blob:
{"nftables": [{"metainfo": {"json_schema_version": 1}}, {"insert": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_INPUT_ZONES", "expr": [>
Feb 21 00:44:38 debian firewalld[1973]: ERROR: COMMAND_FAILED: 'python-nftables' failed: internal:0:0-0: Error: Could not process rule: No such file or directory
internal:0:0-0: Error: Could not process rule: No such file or directory
internal:0:0-0: Error: Could not process rule: No such file or directory
internal:0:0-0: Error: Could not process rule: No such file or directory
internal:0:0-0: Error: Could not process rule: No such file or directory
internal:0:0-0: Error: Could not process rule: No such file or directory
internal:0:0-0: Error: Could not process rule: No such file or directory
internal:0:0-0: Error: Could not process rule: No such file or directory
JSON blob:
{"nftables": [{"metainfo": {"json_schema_version": 1}}, {"insert": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_INPUT_ZONES", "expr": [>
If I remove the sshguard4 & sshguard6 rich rules and reload firewalld, then it's happy. The
errors just reported in the status output all disappear; the state switches to running; the
temporary DLNA rule gets successfully added. Re-adding the sshguard rules causes the problems
to reappear.
Version: 0.9.3-2
Severity: important
I'm experiencing problems on a Sid system with firewalld and sshguard - firewalld does
not seem happy with the sshguard config for some reason.
I set things up for sshguard a while ago and today happened to notice a problem when trying to
add a temporary firewall rule while playing around with DLNA which resulted in an error...
`firewall-cmd --add-port=1900/udp` gave:
Error: COMMAND_FAILED: 'python-nftables' failed: internal:0:0-0: Error: Could not process rule: No such file or directory
JSON blob:
{"nftables": [{"metainfo": {"json_schema_version": 1}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_IN_public_allow", "expr": [{"match": {"left": {"payload": {"protocol": "udp", "field": "dport"}}, "op": "==", "right": 1900}}, {"match": {"left": {"ct": {"key": "state"}}, "op": "in", "right": {"set": ["new", "untracked"]}}}, {"accept": null}]}}}]}
Checking `systemctl status firewalld` led to the discovery that firewalld did not seem
happy with the existing permanent sshguard config, which had been added with the following
commands (per sshguard setup instructions):
1. firewall-cmd --permanent --zone=public --add-rich-rule="rule source ipset=sshguard4 drop"
2. firewall-cmd --permanent --zone=public --add-rich-rule="rule source ipset=sshguard6 drop"
`firewall-cmd --info-ipset=sshguard4` gives:
Error: INVALID_IPSET: sshguard4
`firewall-cmd --state` gives:
failed
`systemctl status firewalld` gives:
● firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
Active: active (running) since Sun 2021-02-21 00:44:38 GMT; 34min ago
Docs: man:firewalld(1)
Main PID: 1973 (firewalld)
Tasks: 2 (limit: 4636)
Memory: 25.1M
CPU: 1.328s
CGroup: /system.slice/firewalld.service
└─1973 /usr/bin/python3 /usr/sbin/firewalld --nofork --nopid
Feb 21 00:44:37 debian systemd[1]: Starting firewalld - dynamic firewall daemon...
Feb 21 00:44:38 debian systemd[1]: Started firewalld - dynamic firewall daemon.
Feb 21 00:44:38 debian firewalld[1973]: ERROR: INVALID_IPSET: sshguard4
Feb 21 00:44:38 debian firewalld[1973]: ERROR: 'python-nftables' failed: internal:0:0-0: Error: Could not process rule: No such file or directory
internal:0:0-0: Error: Could not process rule: No such file or directory
internal:0:0-0: Error: Could not process rule: No such file or directory
internal:0:0-0: Error: Could not process rule: No such file or directory
internal:0:0-0: Error: Could not process rule: No such file or directory
internal:0:0-0: Error: Could not process rule: No such file or directory
internal:0:0-0: Error: Could not process rule: No such file or directory
internal:0:0-0: Error: Could not process rule: No such file or directory
JSON blob:
{"nftables": [{"metainfo": {"json_schema_version": 1}}, {"insert": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_INPUT_ZONES", "expr": [>
Feb 21 00:44:38 debian firewalld[1973]: ERROR: COMMAND_FAILED: 'python-nftables' failed: internal:0:0-0: Error: Could not process rule: No such file or directory
internal:0:0-0: Error: Could not process rule: No such file or directory
internal:0:0-0: Error: Could not process rule: No such file or directory
internal:0:0-0: Error: Could not process rule: No such file or directory
internal:0:0-0: Error: Could not process rule: No such file or directory
internal:0:0-0: Error: Could not process rule: No such file or directory
internal:0:0-0: Error: Could not process rule: No such file or directory
internal:0:0-0: Error: Could not process rule: No such file or directory
JSON blob:
{"nftables": [{"metainfo": {"json_schema_version": 1}}, {"insert": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_INPUT_ZONES", "expr": [>
If I remove the sshguard4 & sshguard6 rich rules and reload firewalld, then it's happy. The
errors just reported in the status output all disappear; the state switches to running; the
temporary DLNA rule gets successfully added. Re-adding the sshguard rules causes the problems
to reappear.
Michael Biebl
Feb 21, 2021, 2:10:03 PM2/21/21
to
Control: tags -1 + moreinfo
Am 21.02.21 um 03:14 schrieb Lyndon Brown:
Is that another firewall?
Does it install iptables / nftables rules (which might clash with
firewalld).
What exactly do you mean with "sshguard config"?
Am 21.02.21 um 03:14 schrieb Lyndon Brown:
> Package: firewalld
> Version: 0.9.3-2
> Severity: important
>
> I'm experiencing problems on a Sid system with firewalld and sshguard - firewalld does
> not seem happy with the sshguard config for some reason.
>
Unfortunately I have no idea what sshguard is.
> Version: 0.9.3-2
> Severity: important
>
> I'm experiencing problems on a Sid system with firewalld and sshguard - firewalld does
> not seem happy with the sshguard config for some reason.
>
Is that another firewall?
Does it install iptables / nftables rules (which might clash with
firewalld).
What exactly do you mean with "sshguard config"?
Michael Biebl
Feb 21, 2021, 2:20:03 PM2/21/21
to
Control: reassign -1 sshguard
Am 21.02.21 um 20:01 schrieb Michael Biebl:
After looking at the package description, I think this is a sshguard issue.
Looking at the git log of sshguard, maybe upgrading to a newer sshguard
version helps.
It has commits like
https://bitbucket.org/sshguard/sshguard/commits/5927e696a8f0bc323f66d1edcce1365a70972320
which look related.
Dear sshguard maintainer, if you think this is a genuine firewalld bug,
please reassign back.
Regards,
Michael
Am 21.02.21 um 20:01 schrieb Michael Biebl:
Looking at the git log of sshguard, maybe upgrading to a newer sshguard
version helps.
It has commits like
https://bitbucket.org/sshguard/sshguard/commits/5927e696a8f0bc323f66d1edcce1365a70972320
which look related.
Dear sshguard maintainer, if you think this is a genuine firewalld bug,
please reassign back.
Regards,
Michael
Lyndon Brown
Feb 21, 2021, 3:40:03 PM2/21/21
to
On Sun, 2021-02-21 at 20:01 +0100, Michael Biebl wrote:
> Unfortunately I have no idea what sshguard is.
> Is that another firewall?
I expect you've found out yourself by now, but fwiw, sshguard adds
> Unfortunately I have no idea what sshguard is.
> Is that another firewall?
brute-force protection to ssh. It analyses log files for signs of brute
force attempts and updates firewall rules to block connections as
appropriate.
> Does it install iptables / nftables rules (which might clash with
> firewalld).
firewalld involves adding a couple of rich-rules as below. I do not
know what sshguard specifically does internally to make things work,
but some part of this setup, presumably with the switch to nftables, is
clearly broken.
> What exactly do you mean with "sshguard config"?
essentially this:
1. # firewall-cmd --zone=zone-name --permanent --add-rich-rule="rule source ipset=sshguard4 drop"
2. # firewall-cmd --zone=zone-name --permanent --add-rich-rule="rule source ipset=sshguard6 drop"
[1]:
https://manpages.debian.org/testing/sshguard/sshguard-setup.7.en.html
[2]: https://wiki.archlinux.org/index.php/Sshguard
On Sun, 2021-02-21 at 20:10 +0100, Michael Biebl wrote:
> After looking at the package description, I think this is a sshguard
> issue.
> Looking at the git log of sshguard, maybe upgrading to a newer
> sshguard
> version helps.
> It has commits like
>
> https://bitbucket.org/sshguard/sshguard/commits/5927e696a8f0bc323f66d1edcce1365a70972320
> which look related.
good to test a newer version of sshguard with those changes to see if
that resolves it. I was too exhausted yesterday to think about looking
at sshguard developments; sorry about that.
Chris Hofstaedtler
Apr 2, 2021, 8:20:03 PM4/2/21
to
Control: severity -1 important
* Lyndon Brown <jnq...@gmail.com> [210308 22:09]:
> # set severity to grave since it appears that the package is completely
> # broken currently.
> severity 983203 grave
"completely broken" appears to be a gross overstatement. The
firewalld integration might be broken - and I agree it should be
fixed - but sshguard supports other firewall tools as well.
Chris
* Lyndon Brown <jnq...@gmail.com> [210308 22:09]:
> # set severity to grave since it appears that the package is completely
> # broken currently.
> severity 983203 grave
"completely broken" appears to be a gross overstatement. The
firewalld integration might be broken - and I agree it should be
fixed - but sshguard supports other firewall tools as well.
Chris
Lyndon Brown
Apr 3, 2021, 4:30:03 PM4/3/21
to
time.
0 new messages