Hi Patrick, and thanks for responding. I will intersperse my answers.
On 01/16/2019 09:07 PM, Patrick Shanahan wrote:
* Marc Chamberlin <marc(a)marcchamberlin.com>
I thought I would throw this out for discussion based on my recent
experience with this particular package. I installed this in my new
installation of OpenSuSE15.0. I thought initially this package
SuSEfirewall2-fail2ban was a good idea for integration between these two
applications. But based on my recent experience with trying to install
it I got to say either this package needs to be tossed or fixed, as it
stands it seriously breaks SuSEfirewall2 and it is not an easy thing to
debug. Some of the problems I had, once it was installed were -
1. It forces the startup of the fail2ban service each time SuSEfirewall
service is started, not something you might want sometimes, and not easy
to figure out how to discover and stop this relationship.
why would you not want the service running?????
When I am testing and trying to get things working. Turning
or both services allowed me to do A/B comparisons and relax constraints.
I was getting confusing results when I turned SuSEfirewall2 on and was
thinking I had turned off fail2ban.
2. It has/causes dependency errors in the systemd launcher that breaks
the ability of the SuSEfirewall service from starting properly. (this
problem is widely talked about in other distros as well with their
versions of firewalls, bug reports have been submitted, and no fix is
and you are still running SuSEfirewall2 on Leap 15? change to
SuSEfirewall2 is no longer supported.
I wasn't aware that SuSEfirewall2 has been deprecated and that the
OpenSuSE distro is switching to firewalld. I will look into using it but
regret all the work I have put into SuSEfirewall2, over the years,
getting it configured the way I want for all the services I am
running... Oh well, guess that is called progress...
3. It caused/forced my network's internal NIC card to be relabeled as an
external facing NIC, which then caused me to have 2 external facing
NICs and that broke all sorts of other services I had running on my
server. (which led me on many wild goose chases trying to track down
errors that other services such as Apache2, Tomcat, Apache James and
even Named were reporting.)
fail2ban did not but you may have changed something to
Um I am not saying fail2ban itself is at fault, but the additional stuff
that controls the sequence and dependencies for systemd, in starting
both the fail2ban and SuSEfirewall2 services, that was added by the
SuSEfirewall2-fail2ban optional package. When I figured out I was having
troubles with the stuff that the package SuSEfirewall2-fail2ban had
installed, I simply uninstalled it and SuSEfirewall began to work as
expected (along with all my other services). I saw a warning message
that was appearing when I was starting up SuSEfirewall2, about the
reassignment of my int NIC card reclassifying it as an ext NIC which got
me suspicious that something was broken with SuSEfirewall2. That and the
warning about conflicts in systemd dependencies from fail2ban (also seen
when SuSEfirewall2 was started) led me to discover that it was this
particular package that was causing problems. So I simply uninstalled
it, and SuSEfirewall was once again a happy camper, along with all my
other services that I was struggling to get working.
Given all the headaches this package caused me, my recommendation is to
get rid of it, it is not really necessary AFAIK and my system seems to
be running fine without it. Want to have some fun? Try it yourself,
install the fail2ban service and this package also. Then restart the
SuSEfirewall2 service and watch it belly ache. If you have two NICs like
I do, one ext and one int then you will also see what happens with the
int NIC. Yarrg!
if you are not running a server, don't install fail2ban.
But I am running a server! ;-) With lots of services as I mentioned,
including Apache2, Tomcat, Apache-James, Bind, DHCPD, VSFTPD, SSHD, VNC,
VPN, PortKnock etc. All of which are/were dependent on SuSEfirewall2
defining network interfaces and ports correctly. And when the interface
definitions, as I defined them in /etc/sysconfig/SuSEfirewall2, got
overruled somehow by the installation of the SuSEfirewall2-fail2ban
package, things got really confusing. And I had to spend a lot of time
trying to understand why many of these services were failing...
One thing I have learned through the school of hard knocks is never
trust error messages! Most of them are either balderdash, lazy guesswork
on the part of the developers, or most commonly the results from poorly
designed/implemented error handlers in the software. Ya gots to wade
through lots of red herrings before finding the kernel of truth
sometimes ;-) and this problem was particularly nasty to resolve, with
lots of misleading error messages to grok. Anywise, I will follow your
recommendation and take a look at firewalld, but that still begs the
question, why include this particular package in the distro anymore?
IMHO it badly breaks things...