[opensuse] firewall errors?
I'm making some progress on my tvheadend problems. I've managed to retrieve a log file from the FireTV and it has log lines like: 21:38:05.039 T:18446744072835107104 ERROR: AddOnLog: Tvheadend HTSP Client: pvr.hts - unable to connect to 192.168.1.83:9982 Now if I look in the journal on my linux box using YaST, I see apparently relevant entries but it won't let me select them!!!!!! :( STUPID YAST. So off to find a way to look at the journal that WILL let me select text ... OK, I found journalctl, so here's an example: Aug 07 13:23:21 acer-suse kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=d8:cb:8a:9c:3a:a5:60:6d:3c:05:af:5b:08:00 SRC=192.168.1.82 DST=192.168.1.83 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=7538 DF PROTO=TCP SPT=57413 DPT=9982 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (020405B40402080A089E4F7C0000000001030306) Now 192.168.1.82 is my FireTV, 192.168.1.83 is this linux box where tvheadend is running and port 9982 is the HTSP port of the tvheadend server. So it looks like my box is helpfully :( dropping these packets. The question is why? As far as I know I'm not running a firewall, so I go to YaST to check and see a Firewall Configuration box with a popup saying it is trying to connect to a firewalld and then an error (and again YaST won't let me select any of that text - what is that all about?). So as they say, WTF? What is going on here. Why is my machine dropping packets when I haven't told it to and apparently haven't even got a firewall installed? -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Tuesday, 2018-08-07 at 13:32 +0100, Dave Howorth wrote:
I'm making some progress on my tvheadend problems. I've managed to retrieve a log file from the FireTV and it has log lines like:
21:38:05.039 T:18446744072835107104 ERROR: AddOnLog: Tvheadend HTSP Client: pvr.hts - unable to connect to 192.168.1.83:9982
Now if I look in the journal on my linux box using YaST, I see apparently relevant entries but it won't let me select them!!!!!! :( STUPID YAST.
So off to find a way to look at the journal that WILL let me select text ...
OK, I found journalctl, so here's an example:
Right.
Aug 07 13:23:21 acer-suse kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=d8:cb:8a:9c:3a:a5:60:6d:3c:05:af:5b:08:00 SRC=192.168.1.82 DST=192.168.1.83 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=7538 DF PROTO=TCP SPT=57413 DPT=9982 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (020405B40402080A089E4F7C0000000001030306)
Now 192.168.1.82 is my FireTV, 192.168.1.83 is this linux box where tvheadend is running and port 9982 is the HTSP port of the tvheadend server.
Yes.
So it looks like my box is helpfully :( dropping these packets. The question is why?
Because *you* did not explicitly tell it to not drop them.
As far as I know I'm not running a firewall,
You obviously are.
so I go to YaST to check and see a Firewall Configuration box with a popup saying it is trying to connect to a firewalld and then an error (and again YaST won't let me select any of that text - what is that all about?).
What openSUSE version are you using, and how did you install or upgrade it?
So as they say, WTF? What is going on here. Why is my machine dropping packets when I haven't told it to and apparently haven't even got a firewall installed?
No, you have no "firewalld", you have "SuSEfirewall2". My guess is that you upgraded to Leap 15.0 from some previous version, or perhaps tumbleweed, and you are running the old firewall which has not been migrated by *you* to the new firewall. - -- Cheers, Carlos E. R. (from openSUSE 42.3 x86_64 "Malachite" at Telcontar) -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iEYEARECAAYFAltplGMACgkQtTMYHG2NR9WIAgCfUR84xEhJ5rS21NeMmDxnyCRP HQIAnAwYPyRKmrXDGZ4ut3RawdzH3roi =kOZA -----END PGP SIGNATURE----- -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
On Tue, 7 Aug 2018 14:45:23 +0200 (CEST) "Carlos E. R." <robin.listas@telefonica.net> wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
On Tuesday, 2018-08-07 at 13:32 +0100, Dave Howorth wrote:
I'm making some progress on my tvheadend problems. I've managed to retrieve a log file from the FireTV and it has log lines like:
21:38:05.039 T:18446744072835107104 ERROR: AddOnLog: Tvheadend HTSP Client: pvr.hts - unable to connect to 192.168.1.83:9982
Now if I look in the journal on my linux box using YaST, I see apparently relevant entries but it won't let me select them!!!!!! :( STUPID YAST.
So off to find a way to look at the journal that WILL let me select text ...
OK, I found journalctl, so here's an example:
Right.
Aug 07 13:23:21 acer-suse kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=d8:cb:8a:9c:3a:a5:60:6d:3c:05:af:5b:08:00 SRC=192.168.1.82 DST=192.168.1.83 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=7538 DF PROTO=TCP SPT=57413 DPT=9982 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (020405B40402080A089E4F7C0000000001030306)
Now 192.168.1.82 is my FireTV, 192.168.1.83 is this linux box where tvheadend is running and port 9982 is the HTSP port of the tvheadend server.
Yes.
So it looks like my box is helpfully :( dropping these packets. The question is why?
Because *you* did not explicitly tell it to not drop them.
As far as I know I'm not running a firewall,
You obviously are.
so I go to YaST to check and see a Firewall Configuration box with a popup saying it is trying to connect to a firewalld and then an error (and again YaST won't let me select any of that text - what is that all about?).
What openSUSE version are you using, and how did you install or upgrade it?
So as they say, WTF? What is going on here. Why is my machine dropping packets when I haven't told it to and apparently haven't even got a firewall installed?
No, you have no "firewalld", you have "SuSEfirewall2".
My guess is that you upgraded to Leap 15.0 from some previous version, or perhaps tumbleweed, and you are running the old firewall which has not been migrated by *you* to the new firewall.
Sorry, I'm on Leap 15.0 and it was upgraded by zypper from Leap 42.3 Looking at YaST software listings, apparently I have both SuSEfirewall2 and firewalld installed, along with firewall-config, firewall-macros, firewalld-lang, python3-firewall, xfwp & yast2-firewall. Nothing told me to migrate a firewall. I don't want a firewall. Is it safe to just remove all these packages? -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
On 2018-08-07 07:11 AM, Dave Howorth wrote:
<snip> Nothing told me to migrate a firewall. I don't want a firewall. Is it safe to just remove all these packages?
Just go into YaST/Services Manager and disable/stop them. -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
On 2018-08-07 15:11, Dave Howorth wrote:
On Tue, 7 Aug 2018 14:45:23 +0200 (CEST) "Carlos E. R." <> wrote:
My guess is that you upgraded to Leap 15.0 from some previous version, or perhaps tumbleweed, and you are running the old firewall which has not been migrated by *you* to the new firewall.
Sorry, I'm on Leap 15.0 and it was upgraded by zypper from Leap 42.3
Looking at YaST software listings, apparently I have both SuSEfirewall2 and firewalld installed, along with firewall-config, firewall-macros, firewalld-lang, python3-firewall, xfwp & yast2-firewall.
Nothing told me to migrate a firewall. I don't want a firewall. Is it safe to just remove all these packages?
Well, it is up to you to decide to have a firewall or not. I always have one on every machine I control. If you really do not want a firewall, just: systemctl status firewalld.service systemctl stop firewalld.service systemctl disable firewalld.service systemctl status SuSEfirewall2.service systemctl stop SuSEfirewall2.service systemctl disable SuSEfirewall2.service and then remove SuSEfirewall2 packages. You get both because you may want to migrate your settings from the previous firewall in 42.3 to the new one in 15.0. There is a tool that automates that migration, I forgot the name and it is not documented in the release notes. Ah. Google finds it: "susefirewall2-to-firewalld" <https://en.opensuse.org/Firewalld> If you are sure you do not want to migrate settings, then just delete SuSEfirewall2 packages, then enable and start firewalld.service, then open the needed ports. -- Cheers / Saludos, Carlos E. R. (from 42.3 x86_64 "Malachite" at Telcontar)
On Tue, 7 Aug 2018 18:56:53 +0200 "Carlos E. R." <robin.listas@telefonica.net> wrote:
On 2018-08-07 15:11, Dave Howorth wrote:
On Tue, 7 Aug 2018 14:45:23 +0200 (CEST) "Carlos E. R." <> wrote:
My guess is that you upgraded to Leap 15.0 from some previous version, or perhaps tumbleweed, and you are running the old firewall which has not been migrated by *you* to the new firewall.
Sorry, I'm on Leap 15.0 and it was upgraded by zypper from Leap 42.3
Looking at YaST software listings, apparently I have both SuSEfirewall2 and firewalld installed, along with firewall-config, firewall-macros, firewalld-lang, python3-firewall, xfwp & yast2-firewall.
Nothing told me to migrate a firewall. I don't want a firewall. Is it safe to just remove all these packages?
Well, it is up to you to decide to have a firewall or not. I always have one on every machine I control.
Thanks Carlos, and thanks to Darryl too. I stopped the services (YaST balked and I had to do it twice) and now I can access TV remotely as I wished. I know the arguments for having a firewall, but I've been caught too often by situations like I've just had that have wasted days of my time.
If you really do not want a firewall, just:
systemctl status firewalld.service systemctl stop firewalld.service systemctl disable firewalld.service
systemctl status SuSEfirewall2.service systemctl stop SuSEfirewall2.service systemctl disable SuSEfirewall2.service
and then remove SuSEfirewall2 packages.
You get both because you may want to migrate your settings from the previous firewall in 42.3 to the new one in 15.0. There is a tool that automates that migration, I forgot the name and it is not documented in the release notes.
Ah. Google finds it: "susefirewall2-to-firewalld"
I read the README as they suggested but am now confused. It says it is a simple script but it talks about 'start/stop/restart firewalld and SuSEfirewall2 services'. That doesn't sound simple to me. Does that mean even if I have both firewalls shut down, it is going to start them? I'd have thought a simple script would migrate a configuration by editing some configuration scripts? I'd be happy to do that, against the event that I might find some reason to use firewalld in the future. OTOH, if I just start firewalld as a new installation, I would hope there's a graphical first-time-run program to guide me through setting it up? In which case, there wouldn't be much point in preserving a configuration I already know has some problem.
If you are sure you do not want to migrate settings, then just delete SuSEfirewall2 packages, then enable and start firewalld.service, then open the needed ports.
But if I don't want a firewall, why not just delete it? PS I opened a bug about text selection from YaST https://bugzilla.opensuse.org/show_bug.cgi?id=1104069 -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
Dave Howorth wrote:
Ah. Google finds it: "susefirewall2-to-firewalld"
I read the README as they suggested but am now confused. It says it is a simple script but it talks about 'start/stop/restart firewalld and SuSEfirewall2 services'. That doesn't sound simple to me.
Hi Dave it really is very simple. A firewall is merely a set of rules of what to allow and what not to allow. stop firewall = "delete rules", start firewall = "set rules".
I'd have thought a simple script would migrate a configuration by editing some configuration scripts? I'd be happy to do that, against the event that I might find some reason to use firewalld in the future.
When you install firewalld (at some point in the future), it'll no doubt come a useful set of default rules. There is no need to do anything now.
OTOH, if I just start firewalld as a new installation, I would hope there's a graphical first-time-run program to guide me through setting it up? In which case, there wouldn't be much point in preserving a configuration I already know has some problem.
Exactly.
If you are sure you do not want to migrate settings, then just delete SuSEfirewall2 packages, then enable and start firewalld.service, then open the needed ports.
But if I don't want a firewall, why not just delete it?
Yup. If it is running, maybe stop it. -- Per Jessen, Zürich (20.3°C) http://www.hostsuisse.com/ - virtual servers, made in Switzerland. -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
On 2018-08-07 21:33, Dave Howorth wrote:
On Tue, 7 Aug 2018 18:56:53 +0200 "Carlos E. R." <robin.listas@telefonica.net> wrote:
On 2018-08-07 15:11, Dave Howorth wrote:
On Tue, 7 Aug 2018 14:45:23 +0200 (CEST) "Carlos E. R." <> wrote:
My guess is that you upgraded to Leap 15.0 from some previous version, or perhaps tumbleweed, and you are running the old firewall which has not been migrated by *you* to the new firewall.
Sorry, I'm on Leap 15.0 and it was upgraded by zypper from Leap 42.3
Looking at YaST software listings, apparently I have both SuSEfirewall2 and firewalld installed, along with firewall-config, firewall-macros, firewalld-lang, python3-firewall, xfwp & yast2-firewall.
Nothing told me to migrate a firewall. I don't want a firewall. Is it safe to just remove all these packages?
Well, it is up to you to decide to have a firewall or not. I always have one on every machine I control.
Thanks Carlos, and thanks to Darryl too. I stopped the services (YaST balked and I had to do it twice) and now I can access TV remotely as I wished.
I gave you the exact commands to do it (stop service) without YaST.
I know the arguments for having a firewall, but I've been caught too often by situations like I've just had that have wasted days of my time.
If you really do not want a firewall, just:
systemctl status firewalld.service systemctl stop firewalld.service systemctl disable firewalld.service
systemctl status SuSEfirewall2.service systemctl stop SuSEfirewall2.service systemctl disable SuSEfirewall2.service
and then remove SuSEfirewall2 packages.
You get both because you may want to migrate your settings from the previous firewall in 42.3 to the new one in 15.0. There is a tool that automates that migration, I forgot the name and it is not documented in the release notes.
Ah. Google finds it: "susefirewall2-to-firewalld"
I read the README as they suggested but am now confused. It says it is a simple script but it talks about 'start/stop/restart firewalld and SuSEfirewall2 services'. That doesn't sound simple to me. Does that mean even if I have both firewalls shut down, it is going to start them? I'd have thought a simple script would migrate a configuration by editing some configuration scripts? I'd be happy to do that, against the event that I might find some reason to use firewalld in the future.
The point is, IF you want to migrate from the old settings to the new, then you need both while you do the migration, then delete the old. IF you do not care about the old, then just delete the old. Finally, after those two decisions you do not want any firewall, then you _stop_ and then _disable_ the new, but not remove in case there are dependencies.
OTOH, if I just start firewalld as a new installation, I would hope there's a graphical first-time-run program to guide me through setting it up?
Yes. But it does not run automatically, you have to call it. I think it is is in YaST although it is not a YaST module. I'm not sure it is a first-time-run program, either.
In which case, there wouldn't be much point in preserving a configuration I already know has some problem.
If you know it has problems, don't migrate it.
If you are sure you do not want to migrate settings, then just delete SuSEfirewall2 packages, then enable and start firewalld.service, then open the needed ports.
But if I don't want a firewall, why not just delete it?
Because it might be needed by dependencies.
PS I opened a bug about text selection from YaST https://bugzilla.opensuse.org/show_bug.cgi?id=1104069
Ok :-) -- Cheers / Saludos, Carlos E. R. (from 42.3 x86_64 "Malachite" at Telcontar)
* Dave Howorth <dave@howorth.org.uk> [08-07-18 08:33]:
I'm making some progress on my tvheadend problems. I've managed to retrieve a log file from the FireTV and it has log lines like:
21:38:05.039 T:18446744072835107104 ERROR: AddOnLog: Tvheadend HTSP Client: pvr.hts - unable to connect to 192.168.1.83:9982
Now if I look in the journal on my linux box using YaST, I see apparently relevant entries but it won't let me select them!!!!!! :( STUPID YAST.
you have a way with words, maybe better and not dissing the devs: STUPID <USER>
So off to find a way to look at the journal that WILL let me select text ...
OK, I found journalctl, so here's an example:
Aug 07 13:23:21 acer-suse kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=d8:cb:8a:9c:3a:a5:60:6d:3c:05:af:5b:08:00 SRC=192.168.1.82 DST=192.168.1.83 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=7538 DF PROTO=TCP SPT=57413 DPT=9982 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (020405B40402080A089E4F7C0000000001030306)
from above "SFW2-INext-DROP-DEFLT", you need to open the port, "DPT=9982" for incoming traffic.
Now 192.168.1.82 is my FireTV, 192.168.1.83 is this linux box where tvheadend is running and port 9982 is the HTSP port of the tvheadend server.
So it looks like my box is helpfully :( dropping these packets. The question is why?
the port is colsed, SFW2-INext-DROP-DEFLT
As far as I know I'm not running a firewall, so I go to YaST to check and see a Firewall Configuration box with a popup saying it is trying to connect to a firewalld and then an error (and again YaST won't let me select any of that text - what is that all about?).
SFW2 is SuSEfirewall2
So as they say, WTF? What is going on here. Why is my machine dropping packets when I haven't told it to and apparently haven't even got a firewall installed?
apparently you do an don't know it. systemctl status SuSEfirewall2 -- (paka)Patrick Shanahan Plainfield, Indiana, USA @ptilopteri http://en.opensuse.org openSUSE Community Member facebook/ptilopteri Registered Linux User #207535 @ http://linuxcounter.net Photos: http://wahoo.no-ip.org/piwigo paka @ IRCnet freenode -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
participants (5)
-
Carlos E. R. -
Darryl Gregorash -
Dave Howorth -
Patrick Shanahan -
Per Jessen