ssh connection fails (times out)
Hello,

maybe I miss something obvious, can you help troubleshoot?
On a host (openSUSE Leap 15.4), not running SuSE firewall, enabled sshd and no changes to /etc/ssh/sshd_config and /etc/hosts.[allow|deny] I cannot connect to from other machines in the network:

# ssh omega.swabian.net -v
OpenSSH_8.4p1, OpenSSL 1.1.1l 24 Aug 2021 SUSE release 150400.7.37.1
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 20: Applying options for *
debug1: Connecting to omega.swabian.net [172.18.3.1] port 22.
debug1: connect to address 172.18.3.1 port 22: Connection timed out
ssh: connect to host omega.swabian.net port 22: Connection timed out

sshd running, not showing anything in /var/log/messages except:

# systemctl status sshd.service -n100
● sshd.service - OpenSSH Daemon
     Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled; vendor preset: disabled)
     Active: active (running) since Mon 2023-07-17 10:40:28 CEST; 8min ago
    Process: 462 ExecStartPre=/usr/sbin/sshd-gen-keys-start (code=exited, status=0/SUCCESS)
    Process: 465 ExecStartPre=/usr/sbin/sshd -t $SSHD_OPTS (code=exited, status=0/SUCCESS)
   Main PID: 467 (sshd)
      Tasks: 1
     CGroup: /system.slice/sshd.service
             └─ 467 "sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups"

Jul 17 10:40:27 omega.swabian.net systemd[1]: Starting OpenSSH Daemon...
Jul 17 10:40:27 omega.swabian.net sshd-gen-keys-start[462]: Checking for missing server keys in /etc/ssh
Jul 17 10:40:28 omega.swabian.net sshd[467]: Server listening on 0.0.0.0 port 22.
Jul 17 10:40:28 omega.swabian.net systemd[1]: Started OpenSSH Daemon.

# lsof -p 467
[...]
sshd 467 root mem REG  0,45               202656 11436741 /lib64/ld-2.31.so
sshd 467 root 0r  CHR  1,3                0t0    4        /dev/null
sshd 467 root 1u  unix 0xffff9e0a19f52a80 0t0    1025089  type=STREAM
sshd 467 root 2u  unix 0xffff9e0a19f52a80 0t0    1025089  type=STREAM
sshd 467 root 3u  IPv4 1025104            0t0    TCP      *:ssh (LISTEN)

connecting on the host itself to itself works fine:

ssh omega.swabian.net
Password:

no problems with any other host running in the local networks, can connect from/to any host. except this one.
what am I missing?

Regards and thanks in advance
Paul

On Monday 2023-07-17 11:06, Andrei Borzenkov wrote:
> On Mon, Jul 17, 2023 at 11:56 AM Paul Neuwirth via openSUSE Users <users@lists.opensuse.org> wrote:
>> what am I missing?
>
> I would start with comparing routing tables
>
> ip a

working host:
4: bond0: <BROADCAST,MULTICAST,MASTER,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether b8:ca:3a:bb:b1:77 brd ff:ff:ff:ff:ff:ff
    inet 172.18.2.2/16 brd 172.18.255.255 scope global bond0
       valid_lft forever preferred_lft forever

not working host:
2: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:17:42:2d:6e:31 brd ff:ff:ff:ff:ff:ff
    altname enp4s0
    inet 172.18.3.1/16 brd 172.18.255.255 scope global dynamic noprefixroute eth1
       valid_lft 7334sec preferred_lft 7334sec

> ip -4 r

working host:
default via 172.18.0.1 dev bond0 proto dhcp
172.18.0.0/16 dev bond0 proto kernel scope link src 172.18.2.2

not working host:
default via 172.18.0.1 dev eth1 proto dhcp metric 100
172.18.0.0/16 dev eth1 proto kernel scope link src 172.18.3.1 metric 100

> ip -6 r

IPv4 network only, so no output

> on this host and any other host that does not have this problem.

nothing to see for me. (where does the "noprefixroute" come from?)

thank you
Paul

On Mon, Jul 17, 2023 at 12:18 PM Paul Neuwirth <mail@paul-neuwirth.nl> wrote:
> nothing to see for me. (where does the "noprefixroute" come from?)

It comes from NetworkManager

Well, I would simply capture packets on this host when ssh connection is attempted. Then you at least know whether any request comes through or not.

On Monday 2023-07-17 11:42, Andrei Borzenkov wrote:
> Well, I would simply capture packets on this host when ssh connection is attempted. Then you at least know whether any request comes through or not.

seems so, tcpdump shows repeatedly those lines on trying to connect:

12:06:51.525602 IP stb1.swabian.net.43562 > omega.swabian.net.ssh: Flags [S], seq 3512370883, win 29200, options [mss 1460,sackOK,TS val 8907069 ecr 0,nop,wscale 6], length 0
12:07:31.105170 IP alpha.swabian.net.39586 > omega.swabian.net.ssh: Flags [S], seq 2839271321, win 29200, options [mss 1460,sackOK,TS val 861540940 ecr 0,nop,wscale 7], length 0

sshd is definitively listening...

# netstat -lntp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address   Foreign Address State  PID/Program name
tcp        0      0 0.0.0.0:111     0.0.0.0:*       LISTEN 1/systemd
tcp        0      0 127.0.0.1:7634  0.0.0.0:*       LISTEN 1935/hddtemp
tcp        0      0 0.0.0.0:22      0.0.0.0:*       LISTEN 1003/sshd: /usr/sbi
tcp        0      0 127.0.0.1:25    0.0.0.0:*       LISTEN 2377/master

On Mon, Jul 17, 2023 at 1:15 PM Paul Neuwirth <mail@paul-neuwirth.nl> wrote:
> seems so, tcpdump shows repeatedly those lines on trying to connect:
>
> 12:06:51.525602 IP stb1.swabian.net.43562 > omega.swabian.net.ssh: Flags [S], seq 3512370883, win 29200, options [mss 1460,sackOK,TS val 8907069 ecr 0,nop,wscale 6], length 0

This is an incoming TCP connection request. Do you also see any reply on this interface?

On Monday 2023-07-17 12:44, Andrei Borzenkov wrote:
> This is an incoming TCP connection request. Do you also see any reply on this interface?

no, nothing. also nothing showing up (dropped packets or so) in dmesg.

On Mon, Jul 17, 2023 at 1:07 PM Paul Neuwirth via openSUSE Users <users@lists.opensuse.org> wrote:
> no, nothing. also nothing showing up (dropped packets or so) in dmesg.

Sounds silly.. but.. Can you reach that host with ICMP or maybe access a different service?

On Monday 2023-07-17 13:10, Claudio Marcial Peon wrote:
> Sounds silly.. but.. Can you reach that host with ICMP or maybe access a different service?

no. cannot ping the device.
tried netcat listen on a port. cannot connect to that either

tcp        0      0 0.0.0.0:12345   0.0.0.0:*       LISTEN 8439/nc

On Mon, Jul 17, 2023 at 2:07 PM Paul Neuwirth <mail@paul-neuwirth.nl> wrote:
> no, nothing. also nothing showing up (dropped packets or so) in dmesg.

What about

iptables -L -n -v
iptables -L -n -v -t nat
nft list ruleset

On Monday 2023-07-17 13:10, Andrei Borzenkov wrote:
> What about
>
> iptables -L -n -v
> iptables -L -n -v -t nat
> nft list ruleset

I think that's the right direction. iptables -L -n -v shows a lot of rules (the others do not)

Chain INPUT (policy DROP 964 packets, 112K bytes)
 pkts bytes target prot opt in out source    destination
  141 10002 ACCEPT all  --  lo *   0.0.0.0/0 0.0.0.0/0
 162K  558M ACCEPT all  --  *  *   0.0.0.0/0 0.0.0.0/0 ctstate ESTABLISHED
    0     0 ACCEPT icmp --  *  *   0.0.0.0/0 0.0.0.0/0 ctstate RELATED

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target prot opt in out source    destination

Chain OUTPUT (policy ACCEPT 75122 packets, 8619K bytes)
 pkts bytes target prot opt in out source    destination
  141 10002 ACCEPT all  --  *  lo  0.0.0.0/0 0.0.0.0/0

Chain forward_ext (0 references)
 pkts bytes target prot opt in out source    destination

Chain forward_int (0 references)
 pkts bytes target prot opt in out source    destination

Chain input_ext (0 references)
 pkts bytes target prot opt in out source    destination
    0     0 DROP   all  --  *  *   0.0.0.0/0 0.0.0.0/0 PKTTYPE = broadcast
    0     0 ACCEPT icmp --  *  *   0.0.0.0/0 0.0.0.0/0 icmptype 4
    0     0 ACCEPT icmp --  *  *   0.0.0.0/0 0.0.0.0/0 icmptype 8
    0     0 LOG    tcp  --  *  *   0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 tcp dpt:22 flags:0x17/0x02 LOG flags 6 level 4 prefix "SFW2-INext-ACC-TCP "
    0     0 ACCEPT tcp  --  *  *   0.0.0.0/0 0.0.0.0/0 tcp dpt:22
    0     0 LOG    udp  --  *  *   0.0.0.0/0 0.0.0.0/0 /* sfw2.rpc.portmapper */ limit: avg 3/min burst 5 ctstate NEW udp dpt:111 LOG flags 6 level 4 prefix "SFW2-INext-ACC-RPC "
    0     0 ACCEPT udp  --  *  *   0.0.0.0/0 0.0.0.0/0 /* sfw2.rpc.portmapper */ udp dpt:111
    0     0 LOG    tcp  --  *  *   0.0.0.0/0 0.0.0.0/0 /* sfw2.rpc.portmapper */ limit: avg 3/min burst 5 ctstate NEW tcp dpt:111 LOG flags 6 level 4 prefix "SFW2-INext-ACC-RPC "
    0     0 ACCEPT tcp  --  *  *   0.0.0.0/0 0.0.0.0/0 /* sfw2.rpc.portmapper */ tcp dpt:111

Chain input_int (0 references)
 pkts bytes target prot opt in out source    destination
    0     0 ACCEPT all  --  *  *   0.0.0.0/0 0.0.0.0/0

Chain reject_func (0 references)
 pkts bytes target prot opt in out source    destination
    0     0 REJECT tcp  --  *  *   0.0.0.0/0 0.0.0.0/0 reject-with tcp-reset
    0     0 REJECT udp  --  *  *   0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
    0     0 REJECT all  --  *  *   0.0.0.0/0 0.0.0.0/0 reject-with icmp-proto-unreachable

and I noticed, that SuSEfirewall2.service was not disabled, but failed at boot. As it was never running, I always assumed it was disabled. now explicitly disabled SuSEfirewall2.service and SuSEfirewall2_init.service

# systemctl status SuSEfirewall2.service
× SuSEfirewall2.service - SuSEfirewall2 phase 2
     Loaded: loaded (/usr/lib/systemd/system/SuSEfirewall2.service; disabled; vendor preset: disabled)
     Active: failed (Result: exit-code) since Mon 2023-07-17 12:21:56 CEST; 1h 5min ago
   Main PID: 3656 (code=exited, status=1/FAILURE)

Jul 17 12:21:54 omega.swabian.net SuSEfirewall2[3656]: using default zone 'ext' for interface eth1
Jul 17 12:21:56 omega.swabian.net SuSEfirewall2[4024]: Could not open socket to kernel: Address family not supported by protocol
Jul 17 12:21:56 omega.swabian.net SuSEfirewall2[4027]: Could not open socket to kernel: Address family not supported by protocol
Jul 17 12:21:56 omega.swabian.net SuSEfirewall2[4034]: Could not open socket to kernel: Address family not supported by protocol
Jul 17 12:21:56 omega.swabian.net SuSEfirewall2[4037]: Could not open socket to kernel: Address family not supported by protocol
Jul 17 12:21:56 omega.swabian.net SuSEfirewall2[3656]: failed to setup rpc service rules for portmapper
Jul 17 12:21:56 omega.swabian.net SuSEfirewall2[4040]: <35>Jul 17 12:21:56 SuSEfirewall2[3656]: failed to setup rpc service rules for portmapper
Jul 17 12:21:56 omega.swabian.net systemd[1]: SuSEfirewall2.service: Main process exited, code=exited, status=1/FAILURE
Jul 17 12:21:56 omega.swabian.net systemd[1]: SuSEfirewall2.service: Failed with result 'exit-code'.
Jul 17 12:21:56 omega.swabian.net systemd[1]: Failed to start SuSEfirewall2 phase 2.

will try again, after software update and a reboot.

On Mon, Jul 17, 2023 at 2:30 PM Paul Neuwirth <mail@paul-neuwirth.nl> wrote:
> Chain INPUT (policy DROP 964 packets, 112K bytes)
>  pkts bytes target prot opt in out source    destination
>   141 10002 ACCEPT all  --  lo *   0.0.0.0/0 0.0.0.0/0
>  162K  558M ACCEPT all  --  *  *   0.0.0.0/0 0.0.0.0/0 ctstate ESTABLISHED
>     0     0 ACCEPT icmp --  *  *   0.0.0.0/0 0.0.0.0/0 ctstate RELATED

These rules drop every incoming connection request.
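
Added example, not part of the original thread: a Python parser for `iptables -L -n -v` output that traces a new inbound TCP SYN through the INPUT chain, run on a constructed, abridged copy of the listing above. It shows why the `ACCEPT tcp dpt:22` rule in `input_ext` never applies: no rule jumps to that chain, so the SYN falls through to the INPUT policy. The function names and the matching simplifications (only `ctstate` and `tcp dpt` are evaluated) are assumptions of this example.

```python
import re

# Constructed sample: abridged from the `iptables -L -n -v` listing in this thread.
LISTING = """\
Chain INPUT (policy DROP 964 packets, 112K bytes)
 pkts bytes target prot opt in out source destination
  141 10002 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
 162K 558M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate ESTABLISHED
    0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED
Chain input_ext (0 references)
 pkts bytes target prot opt in out source destination
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
"""
HEADER = re.compile(r"^Chain (\S+) \((?:policy (\w+)|\d+ references)")

def parse(listing):
    """Return {chain: {"policy": str or None, "rules": [dict, ...]}}."""
    chains, current = {}, None
    for line in listing.splitlines():
        m = HEADER.match(line)
        if m:
            current = chains.setdefault(m.group(1), {"policy": m.group(2), "rules": []})
            continue
        f = line.split()
        # skip blank lines and the "pkts bytes target ..." column header
        if current is not None and len(f) >= 9 and f[0] != "pkts":
            current["rules"].append({"target": f[2], "prot": f[3], "in": f[5], "src": f[7],
                                     "dst": f[8], "extra": " ".join(f[9:])})
    return chains

def matches_new_syn(rule, iface, dport):
    """True if the rule matches a NEW TCP SYN to dport arriving on iface."""
    if rule["prot"] not in ("all", "tcp") or rule["in"] not in ("*", iface):
        return False
    if (rule["src"], rule["dst"]) != ("0.0.0.0/0", "0.0.0.0/0"):
        return False  # simplification: address-restricted rules are skipped
    extra = re.sub(r"/\*.*?\*/", "", rule["extra"])  # drop rule comments
    state = re.search(r"ctstate (\S+)", extra)
    if state and "NEW" not in state.group(1).split(","):
        return False
    port = re.search(r"tcp dpt:(\d+)", extra)
    if port and int(port.group(1)) != dport:
        return False
    # simplification: a rule using any other match extension is skipped
    return re.sub(r"ctstate \S+|tcp dpt:\d+", "", extra).strip() == ""

def verdict(chains, chain, iface, dport, seen=()):
    """Walk `chain` in order; return (target, where), or None if a user chain falls through."""
    for n, rule in enumerate(chains[chain]["rules"], 1):
        if not matches_new_syn(rule, iface, dport):
            continue
        target = rule["target"]
        if target in ("ACCEPT", "DROP", "REJECT"):
            return target, f"{chain} rule {n}"
        if target in chains and target not in seen:  # jump to a user-defined chain
            hit = verdict(chains, target, iface, dport, seen + (chain,))
            if hit:
                return hit
    policy = chains[chain]["policy"]
    return (policy, f"{chain} policy") if policy else None

def unreferenced(chains):
    """User-defined chains no rule jumps to ("0 references"): their rules never run."""
    targets = {r["target"] for c in chains.values() for r in c["rules"]}
    return sorted(n for n, c in chains.items() if c["policy"] is None and n not in targets)

if __name__ == "__main__":
    chains = parse(LISTING)
    print(verdict(chains, "INPUT", "eth1", 22), unreferenced(chains))
```
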

On Monday 2023-07-17 13:30, Paul Neuwirth via openSUSE Users wrote:
> will try again, after software update and a reboot.

working fine after disabling services and reboot. iptables looks clean now.
but opens the question, why SuSEfirewall2 fails in the first place. a web search for "failed to setup rpc service rules for portmapper" returns zero results.
As on this machine, I may want to enable it, it's a laptop, that I might use outside of my network.. hm

Thank you all,
Regards
Paul

participants (3)
- Andrei Borzenkov
- Claudio Marcial Peon
- Paul Neuwirth