[Pkg-utopia-maintainers] Bug#948681: Bug#948681: firewalld: Nukes the existing network system without warning
Michael Biebl
biebl at debian.org
Sat Jan 11 22:03:29 GMT 2020
Control: tags -1 moreinfo unreproducible
On 11.01.20 at 21:42, Brad Rigby wrote:
> Source: firewalld
> Severity: normal
>
> Dear Maintainer,
>
> The debian wiki notes that debian is moving from iptables to nftables, and the nftables page suggests installing this package. So I did. Unfortunately, I did so via an ssh connection, as the computer in question is a headless router. As soon as aptitude quit I was booted from the system. I therefore needed to find a keyboard and monitor, and cables, to hook up to this somewhat antiquated system in order to fix the problem.
>
> Please give a warning somewhere that before installing, a person should have physical access to the machine. Even better would be a debconf wrapper to allow configuration before the default completely nukes everything.
It doesn't nuke everything.
Installing firewalld will install a firewall with a default policy.
The default policy is to allow SSH for the public zone, which is what you
should get after installation.
Fwiw, installing firewalld (which version are you using btw) in buster
via SSH works fine for me without interruptions:
> root at debian:~# iptables -L -n
> Chain INPUT (policy ACCEPT)
> target prot opt source destination
> ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
> ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
> INPUT_direct all -- 0.0.0.0/0 0.0.0.0/0
> INPUT_ZONES_SOURCE all -- 0.0.0.0/0 0.0.0.0/0
> INPUT_ZONES all -- 0.0.0.0/0 0.0.0.0/0
> DROP all -- 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
> REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
>
> Chain FORWARD (policy ACCEPT)
> target prot opt source destination
> ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
> ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
> FORWARD_direct all -- 0.0.0.0/0 0.0.0.0/0
> FORWARD_IN_ZONES_SOURCE all -- 0.0.0.0/0 0.0.0.0/0
> FORWARD_IN_ZONES all -- 0.0.0.0/0 0.0.0.0/0
> FORWARD_OUT_ZONES_SOURCE all -- 0.0.0.0/0 0.0.0.0/0
> FORWARD_OUT_ZONES all -- 0.0.0.0/0 0.0.0.0/0
> DROP all -- 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
> REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
>
> Chain OUTPUT (policy ACCEPT)
> target prot opt source destination
> OUTPUT_direct all -- 0.0.0.0/0 0.0.0.0/0
>
> Chain INPUT_direct (1 references)
> target prot opt source destination
>
> Chain INPUT_ZONES_SOURCE (1 references)
> target prot opt source destination
>
> Chain INPUT_ZONES (1 references)
> target prot opt source destination
> IN_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]
>
> Chain FORWARD_direct (1 references)
> target prot opt source destination
>
> Chain FORWARD_IN_ZONES_SOURCE (1 references)
> target prot opt source destination
>
> Chain FORWARD_IN_ZONES (1 references)
> target prot opt source destination
> FWDI_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]
>
> Chain FORWARD_OUT_ZONES_SOURCE (1 references)
> target prot opt source destination
>
> Chain FORWARD_OUT_ZONES (1 references)
> target prot opt source destination
> FWDO_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]
>
> Chain OUTPUT_direct (1 references)
> target prot opt source destination
>
> Chain IN_public (1 references)
> target prot opt source destination
> IN_public_log all -- 0.0.0.0/0 0.0.0.0/0
> IN_public_deny all -- 0.0.0.0/0 0.0.0.0/0
> IN_public_allow all -- 0.0.0.0/0 0.0.0.0/0
> ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
>
> Chain IN_public_log (1 references)
> target prot opt source destination
>
> Chain IN_public_deny (1 references)
> target prot opt source destination
>
> Chain IN_public_allow (1 references)
> target prot opt source destination
> ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW,UNTRACKED
>
> Chain FWDI_public (1 references)
> target prot opt source destination
> FWDI_public_log all -- 0.0.0.0/0 0.0.0.0/0
> FWDI_public_deny all -- 0.0.0.0/0 0.0.0.0/0
> FWDI_public_allow all -- 0.0.0.0/0 0.0.0.0/0
> ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
>
> Chain FWDI_public_log (1 references)
> target prot opt source destination
>
> Chain FWDI_public_deny (1 references)
> target prot opt source destination
>
> Chain FWDI_public_allow (1 references)
> target prot opt source destination
>
> Chain FWDO_public (1 references)
> target prot opt source destination
> FWDO_public_log all -- 0.0.0.0/0 0.0.0.0/0
> FWDO_public_deny all -- 0.0.0.0/0 0.0.0.0/0
> FWDO_public_allow all -- 0.0.0.0/0 0.0.0.0/0
>
> Chain FWDO_public_log (1 references)
> target prot opt source destination
>
> Chain FWDO_public_deny (1 references)
> target prot opt source destination
>
> Chain FWDO_public_allow (1 references)
> target prot opt source destination
Do you by any chance run SSH on a port != 22?
Can you paste the output of iptables -L -n?
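The question the maintainer asks (is sshd on a port other than 22, which the default public zone does not admit?) can be answered before firewalld is installed or reloaded. The following pre-flight check is an added example and is not code from the bug report, from Debian or from the firewalld project; it assumes firewalld's zone and service XML layout (the `<zone>` / `<service name="..."/>` / `<port protocol="..." port="..."/>` elements shipped under /usr/lib/firewalld/ and /etc/firewalld/) and sshd's `Port` / `ListenAddress` directives, and all sample texts inside it are constructed for the demonstration. It also assumes, as the reply above states, that the interface ends up in the public zone.

```python
"""Pre-flight check before installing/enabling firewalld: will sshd's port(s)
be allowed by the zone the interface will land in?

Added example, not code from the bug report or from firewalld. It assumes
firewalld's zone/service XML layout (as shipped under /usr/lib/firewalld/
and /etc/firewalld/) and sshd's `Port` / `ListenAddress` directives.
All sample texts below are constructed for this demonstration.
"""
import re
import xml.etree.ElementTree as ET

# Constructed stand-in for firewalld's default "public" zone: only the
# ssh and dhcpv6-client services are allowed.
PUBLIC_ZONE_XML = """<zone>
  <short>Public</short>
  <description>For use in public areas.</description>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
</zone>
"""

# Constructed service definitions: service name -> XML opening its ports.
SERVICE_XML = {
    "ssh": '<service><short>SSH</short><port protocol="tcp" port="22"/></service>',
    "dhcpv6-client": '<service><short>DHCPv6 Client</short>'
                     '<port protocol="udp" port="546"/></service>',
}

# Constructed sshd_config of an admin who moved SSH off port 22.
SSHD_CONFIG_NONDEFAULT = """# constructed sshd_config
Port 2222
PermitRootLogin no
"""


def sshd_ports(config_text: str) -> set[int]:
    """TCP ports sshd listens on per config_text: every `Port` directive plus
    any explicit :port on `ListenAddress`; sshd's default 22 if none is set.
    (Approximation: sshd applies Port values only to ListenAddress entries
    without their own port; the union is what matters for a firewall check.)"""
    ports: set[int] = set()
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # strip comments
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "port" and value.isdigit():
            ports.add(int(value))
        elif key == "listenaddress":
            # host:port or [v6addr]:port; a bare host carries no port
            m = re.match(r"^(?:\[[^\]]*\]|[^:\s]+):(\d+)$", value)
            if m:
                ports.add(int(m.group(1)))
    return ports or {22}


def _ports_from_xml(xml_text: str) -> set[tuple[str, int]]:
    """(protocol, port) pairs from the <port/> children of a zone or service,
    expanding ranges such as port="6000-6010"."""
    out: set[tuple[str, int]] = set()
    for p in ET.fromstring(xml_text).findall("port"):
        proto, spec = p.get("protocol", ""), p.get("port", "")
        if "-" in spec:
            lo, hi = (int(x) for x in spec.split("-", 1))
            out.update((proto, n) for n in range(lo, hi + 1))
        elif spec.isdigit():
            out.add((proto, int(spec)))
    return out


def zone_open_ports(zone_xml: str, services: dict[str, str]) -> set[tuple[str, int]]:
    """Everything a zone admits: its own <port/> entries plus the ports of
    each <service name="..."/> it references (unknown names are skipped)."""
    opened = _ports_from_xml(zone_xml)
    for svc in ET.fromstring(zone_xml).findall("service"):
        name = svc.get("name", "")
        if name in services:
            opened |= _ports_from_xml(services[name])
    return opened


def ssh_preflight(sshd_config: str, zone_xml: str,
                  services: dict[str, str]) -> dict[int, bool]:
    """Map each sshd port to whether the zone admits NEW TCP connections to it."""
    opened = zone_open_ports(zone_xml, services)
    return {port: ("tcp", port) in opened for port in sshd_ports(sshd_config)}


if __name__ == "__main__":
    for cfg in ("Port 22\n", SSHD_CONFIG_NONDEFAULT):
        for port, ok in ssh_preflight(cfg, PUBLIC_ZONE_XML, SERVICE_XML).items():
            verdict = "allowed" if ok else "NOT allowed: open it in the zone first"
            print(f"sshd port {port}/tcp: {verdict}")
```

Run against a real host by reading /etc/ssh/sshd_config and the zone/service files in place of the constructed strings. A port reported as not allowed should be added to the zone before the interface is moved into it, for example with `firewall-cmd --permanent --zone=public --add-port=2222/tcp` followed by `firewall-cmd --reload`; since the check reads configuration rather than the live ruleset, it is not affected by the interface matches that `iptables -L -n` (without `-v`) leaves out of its output.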