I’m having trouble getting firewalld to load on a current Tumbleweed system. The service status error is below. There’s no output of firewalld or nf_conntrack in dmesg. I don’t know what nf_conntrack is. This is a system that was upgraded from LEAP to Tumbleweed. I’m happy to reset all firewall configs/rules to default if that would help but I can’t figure out how to do that either. Suggestions?
Your posted log entries end with a SUCCESS.
Does your firewall work?
Is your machine set up as a Server or client, and can you test whether your connections work? conn-track in general supports long running sessions connecting to your service.
Bottom line,
I’m unsure if your error is non-critical, whether the module couldn’t be loaded only initially or is still not loaded even later.
Those threads look similar but I got lost while reading them. The only thing I saw that made sense was to try to modprobe nf_conntrack, this is what I get:
a@localhost:~> sudo modprobe nf_conntrack
modprobe: ERROR: could not find module by name='nf_conntrack'
modprobe: ERROR: could not insert 'nf_conntrack': Unknown symbol in module, or unknown parameter (see dmesg)
modprobe: ERROR: Error running install command for nf_conntrack
modprobe: ERROR: could not insert 'nf_conntrack': Operation not permitted
a@localhost:~> sudo dmesg | grep conntrack
2207.008696] nf_conntrack: default automatic helper assignment has been turned off for security reasons and CT-based firewall rule not found. Use the iptables CT target to attach helpers instead.
amb@localhost:~>
I tried searching for that error but it seems a bit common for a lot of different reasons. I don’t understand what a CT-based firewall rule means. I’m just using the yast menu and haven’t modified any other files.
Is there someway I can just reset the firewall rules to default to try to fix this?
I should add that my system is very basic, it’s just a single interface and the only firewall rules I need are to open tcp 22 and 80 and deny everything else… Thus my confusion why this is broken.
#sudo zypper dup
Loading repository data...
Reading installed packages...
Warning: You are about to do a distribution upgrade with all enabled repositories. Make sure these repositories are compatible before you contin
ue. See 'man zypper' for more information about this command.
Computing distribution upgrade...
Nothing to do.
#sudo rcfirewalld status
* firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: disabled)
Active: inactive (dead) since Mon 2019-08-05 00:29:32 UTC; 4min 56s ago
Docs: man:firewalld(1)
Process: 30569 ExecStart=/usr/sbin/firewalld --nofork --nopid $FIREWALLD_ARGS (code=exited, status=0/SUCCESS)
Main PID: 30569 (code=exited, status=0/SUCCESS)
Aug 05 00:29:31 localhost systemd[1]: Starting firewalld - dynamic firewall daemon...
Aug 05 00:29:32 localhost systemd[1]: Started firewalld - dynamic firewall daemon.
Aug 05 00:29:32 localhost firewalld[30569]: ERROR: Failed to load nf_conntrack module: modprobe: ERROR: could not find module by name='nf_connt>
modprobe: ERROR: could not insert 'nf_conntrack': Unknown symbol in module, or unknown parameter (s>
modprobe: ERROR: Error running install command for nf_conntrack
modprobe: ERROR: could not insert 'nf_conntrack': Operation not permitted
Aug 05 00:29:32 localhost firewalld[30569]: ERROR: Raising SystemExit in run_server
Aug 05 00:29:32 localhost systemd[1]: firewalld.service: Succeeded.
This is what happens when I try to load conntrack module:
#sudo modprobe nf_conntrack
modprobe: ERROR: could not find module by name='nf_conntrack'
modprobe: ERROR: could not insert 'nf_conntrack': Unknown symbol in module, or unknown parameter (see dmesg)
modprobe: ERROR: Error running install command for nf_conntrack
modprobe: ERROR: could not insert 'nf_conntrack': Operation not permitted
#sudo dmesg | grep conntrack
2207.008696] nf_conntrack: default automatic helper assignment has been turned off for security reasons and CT-based firewall rule not found.
Use the iptables CT target to attach helpers instead.
I can definitely connect to a service running on the box that the firewall should be blocking (port 8080/tomcat) so I know the firewall isn’t working.
Any other ideas? At this point I don’t know what else to do but re-install the OS and rebuild the server from scratch
Seems that since this machine started on openSUSE Leap, there was a problem with the original kernel and so Linode (the hosting provider I’m using) added their own kernel and used it over the distro supplied kernel. Once I followed the instructions at that link and the distro used its own default kernel things started working.
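Two things in this thread are worth turning into a repeatable check, and the script below is an added example for that purpose (it is not code from the thread, from openSUSE or from firewalld). First, the unit status posted above reads "firewalld.service: Succeeded." even though the daemon is "inactive (dead)" and the box is accepting connections on 8080, so "systemd says success" is not the same as "the firewall is enforcing". Second, the resolution was a hosting-provider kernel in place of the distribution kernel: modprobe looks for modules under /lib/modules/$(uname -r), and when that directory has no modules.dep built for the running kernel every modprobe fails with exactly the "could not find module by name" error shown. The helpers take their inputs as arguments so they can be exercised on constructed data; the `--live` mode runs them against the real system. The kernel release strings and the modules.dep contents used in the comments are constructed, and /lib/modules is assumed as the module root.

```shell
#!/bin/sh
# Added diagnostic helpers (example code, not from the thread or firewalld).
# Assumption: modules live under /lib/modules/<release> and modules.dep is
# the index modprobe consults.

# 0 if a module index exists for kernel release $1 under root $2
# (default /lib/modules). Without it modprobe can find nothing at all for
# the running kernel, which is the "could not find module by name" symptom.
module_tree_present() {
    rel="$1"
    root="${2:-/lib/modules}"
    [ -f "$root/$rel/modules.dep" ]
}

# 0 if module $1 is listed in modules.dep file $2
# (matches .ko as well as compressed .ko.xz / .ko.zst entries).
module_listed() {
    mod="$1"
    dep="$2"
    grep -q "/$mod\.ko" "$dep" 2>/dev/null
}

# Classify the text of `systemctl status firewalld` ($1). Prints one word:
#   running            daemon active, rules can actually be enforced
#   missing-conntrack  inactive (dead) after "Failed to load nf_conntrack"
#                      (this thread: systemd still logs "Succeeded")
#   exited-clean       inactive (dead) for some other reason
#   failed             unit is in failed state
#   unknown            none of the above
classify_firewalld_status() {
    text="$1"
    if printf '%s\n' "$text" | grep -q 'Active: active (running)'; then
        echo running
    elif printf '%s\n' "$text" | grep -q 'Active: failed'; then
        echo failed
    elif printf '%s\n' "$text" | grep -q 'Active: inactive (dead)'; then
        if printf '%s\n' "$text" | grep -q 'Failed to load nf_conntrack'; then
            echo missing-conntrack
        else
            echo exited-clean
        fi
    else
        echo unknown
    fi
}

# Live check (run as root with --live). Returns 0 only if the running kernel
# has a module tree that lists nf_conntrack AND firewalld is really running.
diagnose_live() {
    rel=$(uname -r)
    rc=0
    if module_tree_present "$rel"; then
        echo "module tree for running kernel $rel: present"
        if module_listed nf_conntrack "/lib/modules/$rel/modules.dep"; then
            echo "nf_conntrack: listed for $rel"
        else
            echo "nf_conntrack: NOT listed for $rel (kernel module package missing?)"
            rc=1
        fi
    else
        echo "no /lib/modules/$rel: running kernel is not the one the installed packages were built for"
        echo "module trees installed: $(ls /lib/modules 2>/dev/null | tr '\n' ' ')"
        rc=1
    fi
    state=$(classify_firewalld_status "$(systemctl status firewalld 2>&1)")
    echo "firewalld: $state"
    [ "$state" = running ] || rc=1
    return $rc
}

case "${1:-}" in
    --live) diagnose_live ;;
esac
```

A non-zero exit from `--live` is the signal to investigate before trusting any zone or port configuration from YaST: if the first message is "no /lib/modules/<release>", the fix is booting the distribution kernel (or installing the matching kernel package), not resetting firewall rules, because no rule set can be applied while the netfilter modules cannot be loaded.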