On 2023-04-24 06:04, Andrei Borzenkov wrote:
On 23.04.2023 23:41, Carlos E. R. wrote:
Beta:~ # firewall-cmd --permanent --zone=public \
    --add-rich-rule='rule source mac="...:d4" reject'
success
Beta:~ #
Then I try to ssh from Isengard to Beta, both IPv4 and IPv6. It works, as I expected.
You need to reload firewalld after changing permanent configuration.
Ah.
And I probably missed family=ipv6
I did that using the GUI "firewall-config" (I found the place) and the app crashed with a series of pop-up messages, one a python traceback. And firewalld daemon died. (in Leap 15.5 Beta)
Beta:~ # systemctl status firewalld.service
× firewalld.service - firewalld - dynamic firewall daemon
     Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: disabled)
     Active: failed (Result: core-dump) since Mon 2023-04-24 12:16:19 CEST; 3min 1s ago
       Docs: man:firewalld(1)
    Process: 1398 ExecStart=/usr/sbin/firewalld --nofork --nopid $FIREWALLD_ARGS (code=dumped, signal=ABRT)
   Main PID: 1398 (code=dumped, signal=ABRT)

Apr 23 13:30:07 Beta systemd[1]: Starting firewalld - dynamic firewall daemon...
Apr 23 13:30:08 Beta systemd[1]: Started firewalld - dynamic firewall daemon.
Apr 24 12:16:19 Beta.valinor systemd[1]: firewalld.service: Main process exited, code=dumped, status=6/ABRT
Apr 24 12:16:19 Beta.valinor systemd[1]: firewalld.service: Failed with result 'core-dump'.
Beta:~ # systemctl restart firewalld.service
Beta:~ # systemctl status firewalld.service
● firewalld.service - firewalld - dynamic firewall daemon
     Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: disabled)
     Active: active (running) since Mon 2023-04-24 12:19:36 CEST; 2s ago
       Docs: man:firewalld(1)
   Main PID: 5848 (firewalld)
      Tasks: 2 (limit: 4915)
     CGroup: /system.slice/firewalld.service
             └─5848 /usr/bin/python3 /usr/sbin/firewalld --nofork --nopid

Apr 24 12:19:36 Beta.valinor systemd[1]: Starting firewalld - dynamic firewall daemon...
Apr 24 12:19:36 Beta.valinor systemd[1]: Started firewalld - dynamic firewall daemon.
Beta:~ #
I tried to do it again, crashed again. First popup says, failed to connect to firewalld. I.e., the daemon dies. It core-dumps. But systemd fails to collect coredumps, and I don't know how to enable that.
2023-04-24T12:20:58.107669+02:00 Beta systemd[1]: Started Process Core Dump (PID 5934/UID 0).
2023-04-24T12:20:58.327771+02:00 Beta systemd-coredump[5935]: Process 5848 (firewalld) of user 0 dumped core.

Found module linux-vdso.so.1 with build-id: aeed43cac86ff3306758cc568ea67268c684a13a
Found module libnss_files.so.2 with build-id: 7e5a4e95d0be096ac88c8dc79ed61280fd2aee3f
Found module libgmp.so.10 with build-id: 9e11b2a675e3fd8af6d9ae9328dc8f105f15292f
Found module libjansson.so.4 with build-id: 2c01c1afbecc51ebf7ee7e0c211fea689e21b164
Found module libnftnl.so.11 with build-id: e71ecfff2a02247ff9f304df77a72c47aafa332e
Found module libmnl.so.0 with build-id: ab081ad4d1866cc87da0f0aff815bcd4658a018f
Found module libnftables.so.1 with build-id: 7f222c20dbd68b45556cfa2571d9de6fb3468b77
Found module libssl.so.1.1 with build-id: 48aaf0038ad298ff200e404ab8536e17d2cd438d
Found module _ssl.cpython-36m-x86_64-linux-gnu.so with build-id: f04399ca29c9aaccd4d0665aacd8d522dcdcbd1c
Found module _datetime.cpython-36m-x86_64-linux-gnu.so with build-id: 632914ae39e61e2925860f3dfc24bfb611adc402
Found module binascii.cpython-36m-x86_64-linux-gnu.so with build-id: ca6b2737ca466c326a166cdf8f4fdf91c7fe16e6
Found module _ctypes.cpython-36m-x86_64-linux-gnu.so with build-id: ad20d1aa4f9e9d0a73b4720babc4f79b0fa06584
Found module _json.cpython-36m-x86_64-linux-gnu.so with build-id: f93e3bf55d0b96c5c6e281538f24d06d9fa194fd
Found module _posixsubprocess.cpython-36m-x86_64-linux-gnu.so with build-id: 6a5ac1ec1d5753ba667ee451d7c9d428f60be546
Found module _dbus_glib_bindings.so with build-id: b769fa2252c6523664436cdf0b2af0af273874b7
Found module _cairo.cpython-36m-x86_64-linux-gnu.so with build-id: 49f8784e17578a84d4b0a2df7530dfd712d2acc6
Found module libGLX.so.0 with build-id: 4cc3a878d412de67757aff9308158dc98951e75b
Found module libXau.so.6 with build-id: 7f7563c2e3af15370c200ce7ac1707fb085eb610
Found module libGLdispatch.so.0 with build-id: d4dbc4caeab1b82a4468a5b61ca44cfd1a1b9b21
Found module libuuid.so.1 with build-id: dc2c66e0451ba8ac9a8c7ec5630b4f44c152a3f2
Found module libGL.so.1 with build-id: ef4ad99ca8fae225e647c0f007d81dc9105a8cac
Found module libXext.so.6 with build-id: cf6a629d03d9cfad61f259ff380a6b4bd6f7cb51
Found module libX11.so.6 with build-id: ff6a9a2323c87f03b36077e5824a6682bc626377
Found module libXrender.so.1 with build-id: fb4d733856da6d89b203ebc957086b015d1b9543
Found module libxcb-render.so.0 with build-id: 2453a26d05b03239e8b3b2e766141abf9baf3083
Found module libxcb.so.1 with build-id: 20583630b867511565bcc4a09fe53cd8126628c4
Found module libxcb-shm.so.0 with build-id: b36157ad90e44a1544bcef14d429e0bd7ba8f0bc
Found module libpng16.so.16 with build-id: 5f75035c3b165fede9a1e071c20259bf6d8d9389
Found module libEGL.so.1 with build-id: efb12e0ccaa2e2dfc3eb86008cf61ec944a398a9
Found module libfreetype.so.6 with build-id: 654bb6f7c4ff183332d883354e4a6937bae8903f
Found module libfontconfig.so.1 with build-id: 764bace0bb80d723090d40f6059cbfcdd3f89c2d
Found module libpixman-1.so.0 with build-id: d6f203b2433f6392d37a2c834789e76b1cbdce9f
Found module libcairo-gobject.so.2 with build-id: 2c7bf0169850d1cadf6116ade430bc3c4ca06068
Found module libcairo.so.2 with build-id: 36a4c2c0ae554e7848f5da995cebba96c6824375
Found module _gi_cairo.cpython-36m-x86_64-linux-gnu.so with build-id: 395f8e5f054ef1745c7fa0902a71981166d5d8db
Found module libblkid.so.1 with build-id: f1e9696e51c35fa4e15fc71b3663799c6e8b18ba
Found module libresolv.so.2 with build-id: e42810d28240c9a071d143ac34efc1db577e5bfa
Found module libselinux.so.1 with build-id: 58d24c02a015417be0c526fa565cfb868164ab7a
Found module libmount.so.1 with build-id: 67c1cee55f70dd74fbc7664cb4820d4c6d22183b
Found module libgio-2.0.so.0 with build-id: 6f1ac0a3d5327606e35256a6b0a0169d730b0936
Found module libgmodule-2.0.so.0 with build-id: 8f9d1e080e3f4faf62e25dfaca499fdc2fac1afa
Found module libpcre.so.1 with build-id: bd429ac11a685687f7f0c381af53a33aec2d3f41
Found module libffi.so.7 with build-id: 62ece4f953ed6d967d46a60ce7979803ce3f51c3
Found module libgirepository-1.0.so.1 with build-id: 8c1d3ca4e7086eae08d8bf75000a0cec5c78272c
Found module libgobject-2.0.so.0 with build-id: 4be74fa589c8a5ba64f88f2a609985b600cec4ad
Found module libglib-2.0.so.0 with build-id: 1cc9eddc41e62a45d74d4ac2c149f824d8cbea68
Found module _gi.cpython-36m-x86_64-linux-gnu.so with build-id: 735ff4293649c344586385496ba75983c5fee9af
Found module fcntl.cpython-36m-x86_64-linux-gnu.so with build-id: 0360acf3840b1be1f21964e07dcb6bdb3b5499c4
Found module syslog.cpython-36m-x86_64-linux-gnu.so with build-id: b081dfb5599f4597ec3ec167dd5b17d604e41c10
Found module _opcode.cpython-36m-x86_64-linux-gnu.so with build-id: a5109473121ec69bfec7c03ce3f05ba6ebf2969d
Found module _random.cpython-36m-x86_64-linux-gnu.so with build-id: f0c2f3f21a499e866d0dfa766af6651968d1eb39
Found module _bisect.cpython-36m-x86_64-linux-gnu.so with build-id: ed07de53bf7699bd351466e72cadd4abf20dd547
Found module _sha3.cpython-36m-x86_64-linux-gnu.so with build-id: f35f728c2b518241a50bf60ce44db5addba6c012
Found module _blake2.cpython-36m-x86_64-linux-gnu.so with build-id: e37129c10ec8f1d52f643364119e075b4691d369
Found module libjitterentropy.so.3 with build-id: 6cd5111426fb5f10ef2d5fb9109ef901dd6a67f5
Found module libcrypto.so.1.1 with build-id: 497b13206e47cbdae3a1a44040a5e9635fa8ead1
Found module _hashlib.cpython-36m-x86_64-linux-gnu.so with build-id: dc1d747d2b1c3627f637514bf5cbddcd622ede06
Found module grp.cpython-36m-x86_64-linux-gnu.so with build-id: e382be6daea2fbedac631b4e37a90b5b18e5fbee
Found module _lzma.cpython-36m-x86_64-linux-gnu.so with build-id: 38d4a29488be0945520b09bc5ab7de2ce450bb23
Found module libbz2.so.1 with build-id: ab3bf32de28e526bb13f12afa0084170fa8ea51e
Found module _bz2.cpython-36m-x86_64-linux-gnu.so with build-id: 425cd57ad5ce728f0bd499113d51950be1f0e082
Found module libz.so.1 with build-id: f664b54d69e8427feb0c9251bd9f88fbbaf1897e
Found module zlib.cpython-36m-x86_64-linux-gnu.so with build-id: 0b18a716b0817ed251bced39818e21c71303104e
Found module select.cpython-36m-x86_64-linux-gnu.so with build-id: 70747260a2c7c1aae73f902ce0ea4bb516c8f2f5
Found module math.cpython-36m-x86_64-linux-gnu.so with build-id: 56c08d005d728e6c5a993dd5f930b76920016728
Found module _socket.cpython-36m-x86_64-linux-gnu.so with build-id: 7cab0ecdc6c7e50babb14d0a0cd955d6e940b132
Found module _struct.cpython-36m-x86_64-linux-gnu.so with build-id: cd812f933a58cc989f9f43e5d3c7c9385818b7bf
Found module libexpat.so.1 with build-id: 335cb65db76c2fcfe35c0f681636e3f35017f03f
Found module pyexpat.cpython-36m-x86_64-linux-gnu.so with build-id: 14367af8b4a09c95277ee74e7dc2d2d0ab8d2079
Found module _heapq.cpython-36m-x86_64-linux-gnu.so with build-id: a90b0b9f7902882780e8d1add96e226a14c86f5a
Found module libgpg-error.so.0 with build-id: 7703a2c38d4dc0cb40e4b1943f4d3dea9d7b1cae
Found module libgcrypt.so.20 with build-id: 1c102ce6d868a3aaa87e77fdedb2c46f47e20d8d
Found module libcap.so.2 with build-id: 99405ab6633a66ccf29924793bf6ae8d8212ac9e
Found module liblz4.so.1 with build-id: ef9ad25a65c1623b33a365c00c3bc781492e7eaf
Found module libzstd.so.1 with build-id: d1fb4855c1f72b5941faa9ffac3edff26a2da3bb
Found module liblzma.so.5 with build-id: 2d656c3bd393d5f9e95fdbbfe4fbbdc19e0cf0ba
Found module librt.so.1 with build-id: 928a20e94e2b575919ada526ac5d5b5153aa4d3f
Found module libsystemd.so.0 with build-id: 73c1ab2b97ff31b21bfcfc29a2e0f6f62a759a13
Found module libdbus-1.so.3 with build-id: 50c3179e033ded09b2464af5f963953a9d1d8c82
Found module _dbus_bindings.so with build-id: 4f8319971967ee0b72e28511192eb2f00ee4e78d
Found module ld-linux-x86-64.so.2 with build-id: 306fa1f1f4692920c5a650484a28bc6ccdc99902
Found module libm.so.6 with build-id: 02848bab8c741aab67ab26460506dc26bb93cc6b
Found module libutil.so.1 with build-id: bfaa86041cd3eaa393a69741cc10f1c620e53796
Found module libdl.so.2 with build-id: 3a7f65fd4552d07229d8985f6b5e20cae5016274
Found module 
2023-04-24T12:20:58.331874+02:00 Beta systemd[1]: systemd-coredump@2-5934-0.service: Deactivated successfully.
2023-04-24T12:20:58.348605+02:00 Beta systemd[1]: firewalld.service: Main process exited, code=dumped, status=6/ABRT
2023-04-24T12:20:58.348843+02:00 Beta systemd[1]: firewalld.service: Failed with result 'core-dump'.
firewall-cmd --permanent --zone=public --add-rich-rule='rule familty="ipv6" source mac="AA:BB:CC:DD:EE:FF" reject'
Wild guessing:

Beta:~ # firewall-cmd --list-rich-rules
rule source mac="...:d4" reject
Beta:~ #
Beta:~ # firewall-cmd --remove-rich-rule=source mac="...:d4" reject
usage: see firewall-cmd man page
firewall-cmd: error: unrecognized arguments: mac=...:d4 reject
Beta:~ #
Beta:~ # firewall-cmd --remove-rich-rule='source mac="...:d4" reject'
Error: INVALID_RULE: 'source' outside of rule. Use 'rule ... source ...'.
Beta:~ #

Ok, but the man page only says:

       [--permanent] [--zone=zone] [--permanent] [--policy=policy] --remove-rich-rule='rule'
           Remove rich language rule 'rule'. This option can be specified multiple times.

No examples on how to delete a rule. I assume I have to delete it, then apply the new/changed rule.

Ok, editing file /etc/firewalld/zones/public.xml and removing the rule.
Beta:/etc/firewalld/zones # firewall-cmd --reload
success
Beta:/etc/firewalld/zones # firewall-cmd --list-rich-rules
Beta:/etc/firewalld/zones #
Beta:/etc/firewalld/zones # firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv6" source mac="...:d4" reject'
success
Beta:/etc/firewalld/zones # firewall-cmd --list-rich-rules
Beta:/etc/firewalld/zones # less public.xml
Beta:/etc/firewalld/zones # firewall-cmd --reload
Error: Message recipient disconnected from message bus without replying
Beta:/etc/firewalld/zones #
Beta:/etc/firewalld/zones # systemctl status firewalld.service
× firewalld.service - firewalld - dynamic firewall daemon
     Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: disabled)
     Active: failed (Result: core-dump) since Mon 2023-04-24 12:37:36 CEST; 3min 17s ago
       Docs: man:firewalld(1)
    Process: 6046 ExecStart=/usr/sbin/firewalld --nofork --nopid $FIREWALLD_ARGS (code=dumped, signal=ABRT)
   Main PID: 6046 (code=dumped, signal=ABRT)

Apr 24 12:25:42 Beta.valinor systemd[1]: Starting firewalld - dynamic firewall daemon...
Apr 24 12:25:42 Beta.valinor systemd[1]: Started firewalld - dynamic firewall daemon.
Apr 24 12:31:12 Beta.valinor firewalld[6046]: ERROR: INVALID_RULE: 'source' outside of rule. Use 'rule ... source ...'.
Apr 24 12:36:18 Beta.valinor firewalld[6046]: ERROR: INVALID_RULE: bad attribute 'familty'
Apr 24 12:37:36 Beta.valinor systemd[1]: firewalld.service: Main process exited, code=dumped, status=6/ABRT
Apr 24 12:37:36 Beta.valinor systemd[1]: firewalld.service: Failed with result 'core-dump'.
Beta:/etc/firewalld/zones #
Can't be done :-/
Beta:/etc/firewalld/zones # systemctl restart firewalld.service
Beta:/etc/firewalld/zones # systemctl status firewalld.service
× firewalld.service - firewalld - dynamic firewall daemon
     Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: disabled)
     Active: failed (Result: core-dump) since Mon 2023-04-24 12:42:02 CEST; 1s ago
       Docs: man:firewalld(1)
    Process: 6710 ExecStart=/usr/sbin/firewalld --nofork --nopid $FIREWALLD_ARGS (code=dumped, signal=ABRT)
   Main PID: 6710 (code=dumped, signal=ABRT)

Apr 24 12:42:02 Beta.valinor systemd[1]: Starting firewalld - dynamic firewall daemon...
Apr 24 12:42:02 Beta.valinor systemd[1]: Started firewalld - dynamic firewall daemon.
Apr 24 12:42:02 Beta.valinor systemd[1]: firewalld.service: Main process exited, code=dumped, status=6/ABRT
Apr 24 12:42:02 Beta.valinor systemd[1]: firewalld.service: Failed with result 'core-dump'.
Beta:/etc/firewalld/zones #
I have to edit out the rule, the firewall crashes, core dumps, and cannot be started. Oh, and my wifi is unstable after a few days running, the driver crashes. Before that, it becomes unresponsive. How can a firewall crash and leave the machine not protected?

--
Cheers / Saludos,

Carlos E. R.
(from 15.4 x86_64 at Telcontar)
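The add / reload / remove sequence the thread stumbles over, as an added shell example (it is not code from the mails above, from openSUSE or from the firewalld project). It builds the rich rule from parts so the attribute name cannot be mistyped, checks a hand-written rule string for the two INVALID_RULE errors seen in the log (a rule that does not start with "rule", and an unknown attribute such as "familty"), and prints the firewall-cmd lines in the order that actually takes effect: --permanent add, --reload, then list. The function names, the KNOWN_ATTRS list (taken from firewalld.richlanguage(5)) and the use of the placeholder MAC AA:BB:CC:DD:EE:FF are my assumptions; nothing here calls firewall-cmd, it only emits the commands as text.

```shell
#!/bin/sh
# Added example for this thread, not code from the original mails or from
# firewalld. It never runs firewall-cmd; it builds, checks and prints rules.

# Attribute names the rich language accepts (as listed in firewalld.richlanguage(5)).
KNOWN_ATTRS="family priority address mac ipset port protocol service name value prefix level limit to-port to-addr set type"

# True if $1 looks like a MAC address: six colon-separated hex pairs.
is_mac() {
  printf '%s\n' "$1" | grep -Eqi '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# Emit 'rule family="..." source mac="..." <action>' from validated parts.
# $1 = family (ipv4|ipv6), $2 = MAC, $3 = action (reject|drop|accept, default reject)
rich_rule_mac() {
  family=$1; mac=$2; action=${3:-reject}
  case "$family" in
    ipv4|ipv6) ;;
    *) echo "rich_rule_mac: family must be ipv4 or ipv6, got '$family'" >&2; return 1 ;;
  esac
  is_mac "$mac" || { echo "rich_rule_mac: '$mac' is not a MAC address" >&2; return 1; }
  case "$action" in
    reject|drop|accept) ;;
    *) echo "rich_rule_mac: unknown action '$action'" >&2; return 1 ;;
  esac
  printf 'rule family="%s" source mac="%s" %s\n' "$family" "$mac" "$action"
}

# Check a hand-written rule string before firewalld sees it. Rejects a string
# that does not begin with 'rule ' ("'source' outside of rule") and any
# name="value" token whose name is not a known attribute ("bad attribute 'familty'").
validate_rule() {
  rule=$1
  case "$rule" in
    "rule "*) ;;
    *) echo "validate_rule: must start with 'rule ' (use 'rule ... source ...')" >&2; return 1 ;;
  esac
  for attr in $(printf '%s\n' "$rule" | grep -Eo '[a-z-]+="' | sed 's/="$//'); do
    case " $KNOWN_ATTRS " in
      *" $attr "*) ;;
      *) echo "validate_rule: bad attribute '$attr'" >&2; return 1 ;;
    esac
  done
  fam=$(printf '%s\n' "$rule" | sed -n 's/.*family="\([^"]*\)".*/\1/p')
  case "$fam" in
    ""|ipv4|ipv6) ;;
    *) echo "validate_rule: family must be ipv4 or ipv6, got '$fam'" >&2; return 1 ;;
  esac
}

# Commands to install a rule. A --permanent change reaches the running firewall
# only after --reload; listing without --permanent before that shows nothing.
add_cmds() {
  rule=$1; zone=${2:-public}
  printf "firewall-cmd --permanent --zone=%s --add-rich-rule='%s'\n" "$zone" "$rule"
  printf 'firewall-cmd --reload\n'
  printf 'firewall-cmd --zone=%s --list-rich-rules\n' "$zone"
}

# Commands to remove it: --remove-rich-rule takes the complete rule text exactly
# as --list-rich-rules prints it, and the permanent copy needs --permanent too.
remove_cmds() {
  rule=$1; zone=${2:-public}
  printf "firewall-cmd --permanent --zone=%s --remove-rich-rule='%s'\n" "$zone" "$rule"
  printf 'firewall-cmd --reload\n'
}

# Demo with the placeholder MAC from the thread (constructed input).
demo() {
  rule=$(rich_rule_mac ipv6 AA:BB:CC:DD:EE:FF reject) || return 1
  validate_rule "$rule" || return 1
  add_cmds "$rule" public
  remove_cmds "$rule" public
}

demo
```

Run it with sh and paste the printed lines into a root shell once they look right; the point of keeping generation and execution apart is that a typo is caught by validate_rule on the workstation instead of by the daemon on the firewall host.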