Debian bullseye in LXD container: firewalld does not work

Linux Kernel, Network, and Services configuration.
phreichmuth
Posts: 2
Joined: 2016-08-02 11:54


#1 Post by phreichmuth »

Hi all

I am trying to set up Debian 11 bullseye in an LXD container on my Qnap NAS. Since this is a "naked" Debian installation in the container, I assume this is a Debian issue, not related to Qnap and its Container Station.

I cannot enable any firewall correctly in this Debian container, neither ufw nor firewalld. I installed one after the other with

Code: Select all

apt install ufw
and

Code: Select all

apt install firewalld
respectively, and uninstalled each again before installing the other, to avoid interference between the two firewalls.

With firewalld, "systemctl status firewalld" gives me the following feedback:

Code: Select all

● firewalld.service - firewalld - dynamic firewall daemon
     Loaded: loaded (/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
    Drop-In: /run/systemd/system/service.d
             └─zzz-lxc-service.conf
     Active: active (running) since Sat 2022-01-01 16:21:25 UTC; 2min 15s ago
       Docs: man:firewalld(1)
   Main PID: 51 (firewalld)
        CPU: 743ms
     CGroup: /system.slice/firewalld.service
             └─51 /usr/bin/python3 /usr/sbin/firewalld --nofork --nopid

Jan 01 16:21:24 debian systemd[1]: Starting firewalld - dynamic firewall daemon...
Jan 01 16:21:25 debian systemd[1]: Started firewalld - dynamic firewall daemon.
Jan 01 16:21:25 debian firewalld[51]: ERROR: 'python-nftables' failed: 
                                      JSON blob:
                                      {"nftables": [{"metainfo": {"json_schema_version": 1}}, {"add": {"table": {"family": "inet", "name": "firewalld"}}}, {"add": {"table": {"family": "ip", "name": "firewalld"}}}, {"add": {"table": {"family": "ip6", "name": "firewalld"}}}]}
Jan 01 16:21:26 debian firewalld[51]: ERROR: COMMAND_FAILED: 'python-nftables' failed: 
                                      JSON blob:
                                      {"nftables": [{"metainfo": {"json_schema_version": 1}}, {"add": {"table": {"family": "inet", "name": "firewalld"}}}, {"add": {"table": {"family": "ip", "name": "firewalld"}}}, {"add": {"table": {"family": "ip6", "name": "firewalld"}}}]}
Jan 01 16:23:23 debian systemd[1]: Started firewalld - dynamic firewall daemon.

With ufw, systemctl activates the firewall without any negative feedback, but the command "ufw enable" leads to the following message:

Code: Select all

ERROR: problem running ufw-init
iptables-restore v1.8.7 (nf_tables): Could not fetch rule set generation id: Invalid argument

iptables-restore v1.8.7 (nf_tables): Could not fetch rule set generation id: Invalid argument

iptables-restore v1.8.7 (nf_tables): Couldn't load match `conntrack':No such file or directory

Error occurred at line: 2
Try `iptables-restore -h' or 'iptables-restore --help' for more information.
iptables-restore v1.8.7 (nf_tables): Could not fetch rule set generation id: Invalid argument

iptables-restore v1.8.7 (nf_tables): Could not fetch rule set generation id: Invalid argument

iptables-restore v1.8.7 (nf_tables): Couldn't load match `conntrack':No such file or directory

Error occurred at line: 25
Try `iptables-restore -h' or 'iptables-restore --help' for more information.
iptables-restore v1.8.7 (nf_tables): unknown option "--dport"
Error occurred at line: 19
Try `iptables-restore -h' or 'iptables-restore --help' for more information.
iptables-restore v1.8.7 (nf_tables): Could not fetch rule set generation id: Invalid argument

iptables-restore v1.8.7 (nf_tables): Couldn't load match `limit':No such file or directory

Error occurred at line: 8
Try `iptables-restore -h' or 'iptables-restore --help' for more information.
iptables-restore v1.8.7 (nf_tables): Could not fetch rule set generation id: Invalid argument

sysctl: permission denied on key "net.ipv4.conf.all.accept_redirects"
sysctl: permission denied on key "net.ipv4.conf.default.accept_redirects"
sysctl: permission denied on key "net.ipv6.conf.all.accept_redirects"
sysctl: permission denied on key "net.ipv6.conf.default.accept_redirects"
sysctl: permission denied on key "net.ipv4.icmp_echo_ignore_broadcasts"
sysctl: permission denied on key "net.ipv4.icmp_ignore_bogus_error_responses"
sysctl: permission denied on key "net.ipv4.icmp_echo_ignore_all"
sysctl: permission denied on key "net.ipv4.conf.all.log_martians"
sysctl: permission denied on key "net.ipv4.conf.default.log_martians"

Problem loading ipv6 (skipping)
Problem running '/etc/ufw/before.rules'
Problem running '/etc/ufw/after.rules'
Problem running '/etc/ufw/user.rules'

Does anyone know in what direction to look for a solution?

Thanks
Philipp
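
A diagnostic script for the situation above, added here as an example and not part of the original post. Both front ends in the post fail at the same layer: firewalld's python-nftables batch and ufw's iptables-restore (nf_tables backend) both need the nf_tables netlink API, and ufw additionally writes net.* sysctls, which the "permission denied on key" lines show are not writable. The script checks those three prerequisites from inside the container: CAP_NET_ADMIN in the effective capability set (capability number 12), whether nft and iptables-restore can reach the kernel, and whether the /proc/sys/net keys ufw touches are writable. The label names and the reading of each error line as pointing at the netlink API rather than at the rule files are my own assumptions; nothing here is from firewalld or ufw.

```shell
#!/bin/sh
# Added diagnostic, not from the original post. Run as:  sh lxd-fw-check.sh --run
# The classification labels and the interpretation of the errors are assumptions.

# CAP_NET_ADMIN is capability number 12 (see capabilities(7)).
CAP_NET_ADMIN_BIT=12

# cap_in_mask HEXMASK BIT: succeed if BIT is set in HEXMASK, the hex string
# shown on the CapEff: line of /proc/<pid>/status.
cap_in_mask() {
    mask=$(printf '%s' "$1" | tr 'A-F' 'a-f' | sed 's/^0*//')
    bit=$2
    [ -n "$mask" ] || return 1
    # Pick the hex digit (nibble) that holds the bit, counting from the right,
    # so we never shift a 64-bit value in shell arithmetic.
    nibble_pos=$(( ${#mask} - bit / 4 ))
    [ "$nibble_pos" -gt 0 ] || return 1
    nibble=$(printf '%s' "$mask" | cut -c"$nibble_pos")
    [ $(( (0x$nibble >> (bit % 4)) & 1 )) -eq 1 ]
}

# effective_caps: print the CapEff mask of the calling process.
effective_caps() {
    awk '/^CapEff:/ { print $2 }' /proc/self/status
}

# classify_netfilter_error LINE: map one line of iptables-restore, ufw or
# firewalld output to a short label (labels are mine). "Could not fetch rule
# set generation id" and a failed python-nftables batch are both the nf_tables
# netlink API refusing the request; in the post the match/option lookups fail
# right after that, so they are grouped separately but are likely downstream.
classify_netfilter_error() {
    case "$1" in
        *"Could not fetch rule set generation id"*) echo nftables-netlink-failed ;;
        *"python-nftables' failed"*)                echo nftables-netlink-failed ;;
        *"Couldn't load match"*|*"unknown option"*) echo iptables-extension-lookup-failed ;;
        *"permission denied on key"*)               echo sysctl-readonly ;;
        *)                                          echo unknown ;;
    esac
}

# sysctl_state KEY: print writable / read-only / absent for a sysctl key,
# the check behind the "sysctl: permission denied on key" lines.
sysctl_state() {
    path=/proc/sys/$(printf '%s' "$1" | tr . /)
    if [ ! -e "$path" ]; then echo absent
    elif [ -w "$path" ]; then echo writable
    else echo read-only
    fi
}

# diagnose: run the live checks in this container, one finding per line.
# Nothing is modified: nft only lists, iptables-restore runs with --test.
diagnose() {
    caps=$(effective_caps)
    if cap_in_mask "$caps" "$CAP_NET_ADMIN_BIT"; then
        echo "CAP_NET_ADMIN: present (CapEff=$caps)"
    else
        echo "CAP_NET_ADMIN: missing (CapEff=$caps); no firewall tool can load rules here"
    fi
    for key in net.ipv4.conf.all.accept_redirects net.ipv4.conf.all.log_martians \
               net.ipv4.icmp_echo_ignore_broadcasts; do
        echo "sysctl $key: $(sysctl_state "$key")"
    done
    if command -v nft >/dev/null 2>&1; then
        if out=$(nft list ruleset 2>&1); then
            echo "nft list ruleset: ok (nf_tables API reachable)"
        else
            echo "nft list ruleset: failed -> $(classify_netfilter_error "$out")"
        fi
    else
        echo "nft: not installed (apt install nftables to probe the API directly)"
    fi
    if command -v iptables-restore >/dev/null 2>&1; then
        # --test parses and builds the ruleset but does not commit it.
        if out=$(printf '*filter\nCOMMIT\n' | iptables-restore --test 2>&1); then
            echo "iptables-restore --test: ok"
        else
            echo "iptables-restore --test: failed -> $(classify_netfilter_error "$out")"
        fi
    fi
}

if [ "${1:-}" = "--run" ]; then
    diagnose
fi
```

If CAP_NET_ADMIN is reported missing, or nft and iptables-restore both fail with the generation-id error while the binaries are fine, the thing to investigate is the container's profile and the host kernel (nf_tables support and what the runtime exposes to the container), not the Debian packages; the sysctl state line tells you separately whether ufw's sysctl.conf tuning can ever succeed in this container.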
