firewalld won't run on Tumbleweed: Failed to load nf_conntrack module

I’m having trouble getting firewalld to load on a current Tumbleweed system. The service status error is below. There’s no output of firewalld or nf_conntrack in dmesg. I don’t know what nf_conntrack is. This is a system that was upgraded from LEAP to Tumbleweed. I’m happy to reset all firewall configs/rules to default if that would help but I can’t figure out how to do that either. Suggestions?

localhost:~ # rcfirewalld status

  • firewalld.service - firewalld - dynamic firewall daemon
    Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: disabled)
    Active: inactive (dead) since Fri 2019-07-26 12:57:53 UTC; 3s ago
    Docs: man:firewalld(1)
    Process: 2372 ExecStart=/usr/sbin/firewalld --nofork --nopid $FIREWALLD_ARGS (code=exited, status=0/SUCCESS)
    Main PID: 2372 (code=exited, status=0/SUCCESS)

Jul 26 12:57:53 localhost systemd[1]: Starting firewalld - dynamic firewall daemon…
Jul 26 12:57:53 localhost systemd[1]: Started firewalld - dynamic firewall daemon.
Jul 26 12:57:53 localhost firewalld[2372]: ERROR: Failed to load nf_conntrack module: modprobe: ERROR: could not find module by name='nf_conntrack'
modprobe: ERROR: could not insert 'nf_conntrack': Unknown symbol in module, or unknown parameter (see dmesg)
modprobe: ERROR: Error running install command for nf_conntrack
modprobe: ERROR: could not insert 'nf_conntrack': Operation not permitted
Jul 26 12:57:53 localhost firewalld[2372]: ERROR: Raising SystemExit in run_server
Jul 26 12:57:53 localhost systemd[1]: firewalld.service: Succeeded.

Your posted log entries end with a SUCCESS.
Does your firewall work?
Is your machine set up as a Server or client, and can you test whether your connections work? conn-track in general supports long running sessions connecting to your service.

Bottom line,
I’m unsure if your error is non-critical, whether the module couldn’t be loaded only initially or is still not loaded even later.

TSU

A quick search shows that similar firewalld regressions have been reported elsewhere, including RH and github…
https://bugzilla.redhat.com/show_bug.cgi?id=1686654
https://github.com/firewalld/firewalld/issues/353

I’m not running TW, so not sure which firewalld version is in use, but seems to be related to the above?

Tumbleweed 20190724

> firewall-cmd -V
0.6.3

My machine is a server, but I’m not sure what you mean by “set up”, is there a configuration option for that somewhere?

The firewall is not working. Services that do not have an open port configured are reachable externally.

Those threads look similar but I got lost while reading them. The only thing I saw that made sense was to try to modprobe nf_conntrack, this is what I get:


a@localhost:~> sudo modprobe nf_conntrack
modprobe: ERROR: could not find module by name='nf_conntrack'
modprobe: ERROR: could not insert 'nf_conntrack': Unknown symbol in module, or unknown parameter (see dmesg)
modprobe: ERROR: Error running install command for nf_conntrack
modprobe: ERROR: could not insert 'nf_conntrack': Operation not permitted
a@localhost:~> sudo dmesg | grep conntrack
[ 2207.008696] nf_conntrack: default automatic helper assignment has been turned off for security reasons and CT-based  firewall rule not found. Use the iptables CT target to attach helpers instead.
amb@localhost:~> 

I tried searching for that error but it seems a bit common for a lot of different reasons. I don’t understand what a CT-based firewall rule means. I’m just using the yast menu and haven’t modified any other files.

Is there someway I can just reset the firewall rules to default to try to fix this?

I should add that my system is very basic, it’s just a single interface and the only firewall rules I need are to open tcp 22 and 80 and deny everything else… Thus my confusion why this is broken.

Hi
From your initial output it would seem the system is not up to date… your systemd service output does not match what I see…

Has the system been updated via zypper dup?


rcfirewalld status

● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: disabled)
   Active: active (running) since Sun 2019-08-04 09:40:52 CDT; 34min ago
     Docs: man:firewalld(1)
 Main PID: 12502 (firewalld)
    Tasks: 2 (limit: 4915)
   Memory: 22.8M
   CGroup: /system.slice/firewalld.service
           └─12502 /usr/bin/python3 /usr/sbin/firewalld --nofork --nopid

Yup, zypper dup shows current:


#sudo zypper dup
Loading repository data...
Reading installed packages...
Warning: You are about to do a distribution upgrade with all enabled repositories. Make sure these repositories are compatible before you continue. See 'man zypper' for more information about this command.
Computing distribution upgrade...

Nothing to do.

And I’m pointed at tumbleweed repos:


#sudo zypper lr -u
Repository priorities are without effect. All enabled repositories share the same priority.

# | Alias        | Name         | Enabled | GPG Check | Refresh | URI                                                  
--+--------------+--------------+---------+-----------+---------+-----------------------------------------------------
1 | repo-debug   | repo-debug   | Yes     | (r ) Yes  | Yes     | http://download.opensuse.org/tumbleweed/repo/debug   
2 | repo-non-oss | repo-non-oss | Yes     | (r ) Yes  | Yes     | http://download.opensuse.org/tumbleweed/repo/non-oss
3 | repo-oss     | repo-oss     | Yes     | (r ) Yes  | Yes     | http://download.opensuse.org/tumbleweed/repo/oss     
4 | repo-update  | repo-update  | Yes     | (r ) Yes  | Yes     | http://download.opensuse.org/update/tumbleweed/ 

And my current rcfirewalld status:


#sudo rcfirewalld status
* firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: disabled)
   Active: inactive (dead) since Mon 2019-08-05 00:29:32 UTC; 4min 56s ago
     Docs: man:firewalld(1)
  Process: 30569 ExecStart=/usr/sbin/firewalld --nofork --nopid $FIREWALLD_ARGS (code=exited, status=0/SUCCESS)
 Main PID: 30569 (code=exited, status=0/SUCCESS)

Aug 05 00:29:31 localhost systemd[1]: Starting firewalld - dynamic firewall daemon...
Aug 05 00:29:32 localhost systemd[1]: Started firewalld - dynamic firewall daemon.
Aug 05 00:29:32 localhost firewalld[30569]: ERROR: Failed to load nf_conntrack module: modprobe: ERROR: could not find module by name='nf_connt>
                                            modprobe: ERROR: could not insert 'nf_conntrack': Unknown symbol in module, or unknown parameter (s>
                                            modprobe: ERROR: Error running install command for nf_conntrack
                                            modprobe: ERROR: could not insert 'nf_conntrack': Operation not permitted
Aug 05 00:29:32 localhost firewalld[30569]: ERROR: Raising SystemExit in run_server
Aug 05 00:29:32 localhost systemd[1]: firewalld.service: Succeeded.


This is what happens when I try to load conntrack module:


#sudo modprobe nf_conntrack
modprobe: ERROR: could not find module by name='nf_conntrack'
modprobe: ERROR: could not insert 'nf_conntrack': Unknown symbol in module, or unknown parameter (see dmesg)
modprobe: ERROR: Error running install command for nf_conntrack
modprobe: ERROR: could not insert 'nf_conntrack': Operation not permitted
#sudo dmesg | grep conntrack
[ 2207.008696] nf_conntrack: default automatic helper assignment has been turned off for security reasons and CT-based  firewall rule not found. Use the iptables CT target to attach helpers instead.

I can definitely connect to a service running on the box that the firewall should be blocking (port 8080/tomcat) so I know the firewall isn’t working.

Any other ideas? At this point I don’t know what else to do but re-install the OS and rebuild the server from scratch :frowning:

Hi
Can you post the output from;


cat /etc/os-release
uname -a
/sbin/modinfo nf_conntrack | head -1

If you’re already the root user, no need for sudo? When you switched to root user did you use su - not just su?

Output as requested:


user@localhost:~> sudo cat /etc/os-release
NAME="openSUSE Tumbleweed"
# VERSION="20190730"
ID="opensuse-tumbleweed"
ID_LIKE="opensuse suse"
VERSION_ID="20190730"
PRETTY_NAME="openSUSE Tumbleweed"
ANSI_COLOR="0;32"
CPE_NAME="cpe:/o:opensuse:tumbleweed:20190730"
BUG_REPORT_URL="https://bugs.opensuse.org"
HOME_URL="https://www.opensuse.org/"
LOGO="distributor-logo"
user@localhost:~> sudo uname -a
Linux localhost 5.1.11-x86_64-linode127 #1 SMP PREEMPT Mon Jun 17 21:18:26 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
user@localhost:~> sudo /sbin/modinfo nf_conntrack | head -1
modinfo: ERROR: Module alias nf_conntrack not found.
user@localhost:~> 

I have root logins disabled hence the sudo’s.

Thanks for helping!

Hi
So you’re running a non-standard kernel which doesn’t provide nf_conntrack


uname -a
Linux grover 5.2.3-1-default #1 SMP Fri Jul 26 08:52:13 UTC 2019 (f5296b5) x86_64 x86_64 x86_64 GNU/Linux

You would need to get the kernel source and cd into the kernel/net/netfilter/ directory, build the module and install that…
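The diagnosis in this reply (the running kernel has no nf_conntrack, and modprobe finds no module tree for it) can be checked in one go. This is an added POSIX sh script, not from the thread, openSUSE or firewalld; it assumes the standard /lib/modules/<release> layout and uses constructed trees under test. Note that firewalld exiting with "Succeeded" while no rules are loaded is exactly the condition that left port 8080 reachable above, so a missing tree is worth checking before trusting the service status.

```shell
#!/bin/sh
# module_state MODDIR NAME -> prints builtin | module | missing
# MODDIR is a /lib/modules/<release> tree. modules.builtin lists objects
# compiled into the kernel image; loadable modules are .ko (maybe .ko.xz).
module_state() {
    moddir=$1; name=$2
    if [ -f "$moddir/modules.builtin" ] &&
       grep -q "/$name\.ko\$" "$moddir/modules.builtin"; then
        echo builtin; return 0
    fi
    if [ -d "$moddir" ] &&
       find "$moddir" -name "$name.ko*" -print 2>/dev/null | grep -q .; then
        echo module; return 0
    fi
    echo missing; return 1
}

# kernel_tree_state MODROOT RELEASE -> prints present | absent
# A kernel booted from outside the root filesystem (a hosting provider's
# kernel, as in this thread) commonly has no /lib/modules/<release> tree,
# so modprobe cannot find anything for it, whatever packages are installed.
kernel_tree_state() {
    if [ -d "$1/$2" ]; then echo present; else echo absent; fi
}

# Live report for the running kernel; only runs when invoked with --live
# (assumed flag, so the functions can be sourced or tested without side effects).
diagnose() {
    rel=$(uname -r)
    printf 'running kernel: %s\n' "$rel"
    printf 'module tree:    %s\n' "$(kernel_tree_state /lib/modules "$rel")"
    printf 'nf_conntrack:   %s\n' "$(module_state "/lib/modules/$rel" nf_conntrack)"
    # "absent"/"missing" here means firewalld's modprobe will fail as above.
}

case "${1:-}" in --live) diagnose ;; esac
```

Run as `sh check_conntrack.sh --live`; a distro kernel such as 5.2.3-1-default should report a present tree and nf_conntrack as module or builtin.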

Hi
See for a possible workaround https://github.com/firewalld/firewalld/issues/430

Aha! I had no idea I was running a non-standard kernel! Now I see the ‘linode’ in the kernel uname that gave me the clue to find this:

https://www.linode.com/docs/platform/how-to-change-your-linodes-kernel/

Seems that since this machine started on openSUSE Leap, there was a problem with the original kernel and so Linode (the hosting provider I’m using) added their own kernel and used it over the distro-supplied kernel. Once I followed the instructions at that link and let the distro use its own default kernel, things started working.

Thanks for the help!