Hi Patrick and thanks for responding. I will intersperse my answers with yours...

On 01/16/2019 09:07 PM, Patrick Shanahan wrote:
> * Marc Chamberlin <marc@marcchamberlin.com> [01-16-19 23:36]:
>> I thought I would throw this out for discussion based on my recent experience with this particular package. I installed this in my new installation of OpenSuSE 15.0. I thought initially this package SuSEfirewall2-fail2ban was a good idea for integration between these two applications. But based on my recent experience with trying to install it, I've got to say either this package needs to be tossed or fixed; as it stands it seriously breaks SuSEfirewall2 and it is not an easy thing to debug. Some of the problems I had, once it was installed, were:
>>
>> 1. It forces the startup of the fail2ban service each time the SuSEfirewall service is started, not something you might want sometimes, and not easy to figure out how to discover and stop this relationship.
>
> why would you not want the service running?????

When I am testing and trying to get things working. Turning on/off one or both services allowed me to do A/B comparisons and relax constraints. I was getting confusing results when I turned SuSEfirewall2 on and was thinking I had turned off fail2ban.

>> 2. It has/causes dependency errors in the systemd launcher that break the ability of the SuSEfirewall service to start properly. (This problem is widely talked about in other distros as well with their versions of firewalls; bug reports have been submitted, and no fix is yet available.)
>
> and you are still running SuSEfirewall2 on Leap 15? change to firewalld, SuSEfirewall2 is no longer supported.

I wasn't aware that SuSEfirewall2 has been deprecated and that the OpenSuSE distro is switching to firewalld. I will look into using it but regret all the work I have put into SuSEfirewall2, over the years, getting it configured the way I want for all the services I am running... Oh well, guess that is called progress...

>> 3. It caused/forced my network's internal NIC card to be relabeled as an external-facing NIC, which then caused me to have two external-facing NICs, and that broke all sorts of other services I had running on my server. (Which led me on many wild goose chases trying to track down errors that other services such as Apache2, Tomcat, Apache James and even Named were reporting.)
>
> fail2ban did not but you may have changed something to do that.

Um, I am not saying fail2ban itself is at fault, but the additional stuff that controls the sequence and dependencies for systemd, in starting both the fail2ban and SuSEfirewall2 services, that was added by the SuSEfirewall2-fail2ban optional package. When I figured out I was having troubles with the stuff that the package SuSEfirewall2-fail2ban had installed, I simply uninstalled it and SuSEfirewall began to work as expected (along with all my other services). I saw a warning message that was appearing when I was starting up SuSEfirewall2, about the reassignment of my int NIC card reclassifying it as an ext NIC, which got me suspicious that something was broken with SuSEfirewall2. That, and the warning about conflicts in systemd dependencies from fail2ban (also seen when SuSEfirewall2 was started), led me to discover that it was this particular package that was causing problems. So I simply uninstalled it, and SuSEfirewall was once again a happy camper, along with all my other services that I was struggling to get working.

>> Given all the headaches this package caused me, my recommendation is to get rid of it; it is not really necessary AFAIK and my system seems to be running fine without it. Want to have some fun? Try it yourself: install the fail2ban service and this package also. Then restart the SuSEfirewall2 service and watch it belly-ache. If you have two NICs like I do, one ext and one int, then you will also see what happens with the int NIC. Yarrg!
>
> if you are not running a server, don't install fail2ban.

But I am running a server! ;-) With lots of services as I mentioned, including Apache2, Tomcat, Apache-James, Bind, DHCPD, VSFTPD, SSHD, VNC, VPN, PortKnock etc. All of which are/were dependent on SuSEfirewall2 defining network interfaces and ports correctly. And when the interface definitions, as I defined them in /etc/sysconfig/SuSEfirewall2, got overruled somehow by the installation of the SuSEfirewall2-fail2ban package, things got really confusing. And I had to spend a lot of time trying to understand why many of these services were failing... One thing I have learned through the school of hard knocks is never trust error messages! Most of them are either balderdash, lazy guesswork on the part of the developers, or most commonly the results of poorly designed/implemented error handlers in the software. Ya gots to wade through lots of red herrings before finding the kernel of truth sometimes ;-) and this problem was particularly nasty to resolve, with lots of misleading error messages to grok. Anywise, I will follow your recommendation and take a look at firewalld, but that still begs the question: why include this particular package in the distro anymore? IMHO it badly breaks things...

Marc...

-- 
Linux Counter

-- 
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse+owner@opensuse.org
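Added example, not code from this thread, from either poster, or from the SuSEfirewall2 or fail2ban projects: a POSIX shell script that performs the two checks a reader of the exchange above would want before blaming a package. It parses a SuSEfirewall2 sysconfig file for interfaces that land in more than one zone, or that fall into the "ext" zone only through the `any` catch-all in `FW_DEV_EXT` (SuSEfirewall2's documented semantics for that keyword, not something the thread states), and it greps systemd unit text for dependency directives that tie fail2ban.service and SuSEfirewall2.service together. All input files are constructed for the example; the drop-in with `Wants=fail2ban.service` is hypothetical, shaped like the relationship the poster describes, since the thread does not show what the package actually installs.

```sh
#!/bin/sh
# Added example: offline sanity checks for SuSEfirewall2 zone assignments and
# for systemd dependency links between SuSEfirewall2 and fail2ban.
# Inputs are constructed under a temp dir; on a real system the same
# functions would read /etc/sysconfig/SuSEfirewall2 and the output of
# `systemctl cat SuSEfirewall2.service fail2ban.service`.

# Print the (space-separated) value of sysconfig variable $2 in file $1.
zone_devs() {
    sed -n "s/^$2=\"\([^\"]*\)\".*/\1/p" "$1"
}

# List interfaces named in more than one of FW_DEV_EXT/INT/DMZ.
# Returns 1 if any duplicate exists, 0 otherwise.
zone_conflicts() {
    dups=$(for z in FW_DEV_EXT FW_DEV_INT FW_DEV_DMZ; do zone_devs "$1" "$z"; done \
           | tr ' ' '\n' | grep -v '^$' | grep -vx any | sort | uniq -d)
    [ -z "$dups" ] && return 0
    printf '%s\n' "$dups"
    return 1
}

# SuSEfirewall2 semantics: "any" in FW_DEV_EXT makes every interface that is
# not explicitly assigned to a zone external.  $1 = config file,
# $2 = space-separated list of the host's interfaces (caller omits lo).
# Prints the interfaces that become external only through that catch-all.
ext_by_catchall() {
    zone_devs "$1" FW_DEV_EXT | tr ' ' '\n' | grep -qx any || return 0
    assigned=$(for z in FW_DEV_EXT FW_DEV_INT FW_DEV_DMZ; do zone_devs "$1" "$z"; done \
               | tr ' ' '\n')
    for dev in $2; do
        printf '%s\n' "$assigned" | grep -qx "$dev" || printf '%s\n' "$dev"
    done
}

# Print dependency/ordering directives in unit text $1 that reference unit $2.
unit_links() {
    grep -E "^(Requires|Requisite|Wants|BindsTo|PartOf|After|Before)=.*$2" "$1"
}

# ---- constructed inputs (not real files from the poster's system) ----
DEMO=$(mktemp -d)
cat > "$DEMO/SuSEfirewall2" <<'EOF'
# constructed fragment of /etc/sysconfig/SuSEfirewall2: eth0 ext, eth1 int
FW_DEV_EXT="any eth0"
FW_DEV_INT="eth1"
FW_DEV_DMZ=""
EOF
cat > "$DEMO/SuSEfirewall2.bad" <<'EOF'
# constructed: eth1 listed as both internal and external
FW_DEV_EXT="any eth0 eth1"
FW_DEV_INT="eth1"
FW_DEV_DMZ=""
EOF
cat > "$DEMO/SuSEfirewall2.conf" <<'EOF'
# constructed, hypothetical drop-in for SuSEfirewall2.service that pulls
# fail2ban in on every start (the thread does not show the package's real one)
[Unit]
Wants=fail2ban.service
After=network.target
EOF

# ---- demo run ----
if zone_conflicts "$DEMO/SuSEfirewall2.bad"; then
    echo "no zone conflicts"
else
    echo "^ interface(s) listed in more than one zone"
fi
# An interface the config never mentions (eth2) silently becomes external:
ext_by_catchall "$DEMO/SuSEfirewall2" "eth0 eth1 eth2"
# Directives that make starting the firewall also start fail2ban:
unit_links "$DEMO/SuSEfirewall2.conf" fail2ban.service
```

On a live host, `systemctl cat SuSEfirewall2.service` shows the unit together with every drop-in that extends it, and `systemctl list-dependencies --reverse fail2ban.service` shows which units pull fail2ban in; that is the quickest way to confirm whether a `Wants=`/`Requires=` link like the constructed one really exists before uninstalling anything. For the zone question, a second, unlisted interface showing up as external is consistent with `any` in `FW_DEV_EXT`, which is worth ruling out before concluding that a package overrode the config.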