I've set up sshguard to use firewalld as its backend on a fresh VPS; however, looking at the output of the service (systemctl status sshguard.service) I see the following line:
sshguard[588]: sshg-fw-firewalld: Could not initialize firewall
When I do (firewall-cmd --reload) I also get the message
Error: INVALID_IPSET: sshguard4
and doing (systemctl status firewalld.service) I get the output:
firewalld[427]: WARNING: ipset not usable, disabling ipset usage in firewall.
firewalld[427]: WARNING: sshguard4: INVALID_TYPE: 'hash:net' is not supported by ipset., ignoring for run-time.
firewalld[427]: WARNING: sshguard6: INVALID_TYPE: 'hash:net' is not supported by ipset., ignoring for run-time.
firewalld[427]: ERROR: INVALID_IPSET: sshguard4
Configs
/etc/sshguard.conf
LOGREADER="LANG=C /usr/bin/journalctl -afb -p info -n1 -t sshd -o cat"
BLACKLIST_FILE=120:/var/db/sshguard/blacklist.db
BACKEND="/usr/lib/sshguard/sshg-fw-firewalld"
THRESHOLD=30
BLOCK_TIME=180
DETECTION_TIME=3600
Last edited by cmm11 (2021-07-01 12:50:25)
$20 Free Credit Hetzner - https://hetzner.cloud/?ref=fuVilhv403fA
Try building firewalld 0.9.4 locally; that should have ipset emulation under nftables. https://github.com/firewalld/firewalld/releases
Or change the firewall rules to not use ipsets.
firewalld got updated today in the repos to firewalld 0.9.4-1 which, as loqs linked to, has a fix: fix(ipset): fix hash:net,net functionality.
Everything is working fine now.
Update - Looks like I spoke too soon:
systemctl status sshguard.service = sshg-fw-firewalld: Could not initialize firewall
firewall-cmd --info-ipset=sshguard4 = Error: INVALID_IPSET: sshguard4
If I remove firewalld and rm /etc/firewalld, then install it and start the firewalld service, I see:
systemctl status firewalld.service is showing:
firewalld[1079]: WARNING: ipset not usable, disabling ipset usage in firewall.
This is without sshguard service running, so looks like that might be the key to the issue.
Last edited by cmm11 (2021-07-01 13:05:13)
firewalld is no longer built with ipset support, I was hoping the emulation code in 0.9.4 would resolve the issue. What if you configure sshguard to use nftables?
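As an added example (not code from the thread or from either project), here is a small POSIX shell script that triages the status output quoted above and then applies the change loqs suggests: point sshguard at its own nftables backend instead of asking firewalld for an ipset. It assumes sshguard's nft backend is installed as /usr/lib/sshguard/sshg-fw-nft-sets, and it only edits a scratch copy of the config.

```shell
#!/bin/sh
# Added example, not from the thread: triage the firewalld/sshguard journal lines
# quoted above, then show the sshguard.conf change for the nftables backend.
# Assumption: sshguard's nft backend lives at /usr/lib/sshguard/sshg-fw-nft-sets.

# Constructed sample, copied from the status output posted in the thread.
SAMPLE_JOURNAL=$(cat <<'EOF'
firewalld[427]: WARNING: ipset not usable, disabling ipset usage in firewall.
firewalld[427]: WARNING: sshguard4: INVALID_TYPE: 'hash:net' is not supported by ipset., ignoring for run-time.
firewalld[427]: ERROR: INVALID_IPSET: sshguard4
sshguard[588]: sshg-fw-firewalld: Could not initialize firewall
EOF
)

# diagnose_sshguard_firewalld: reads journal text from stdin, prints one verdict.
# Order matters: "ipset not usable" means firewalld itself has no ipset support,
# so every later INVALID_IPSET line is a consequence, not a separate problem.
diagnose_sshguard_firewalld() {
    journal=$(cat)
    if printf '%s\n' "$journal" | grep -q 'ipset not usable'; then
        echo firewalld-without-ipset
    elif printf '%s\n' "$journal" | grep -q 'INVALID_IPSET: sshguard'; then
        echo missing-sshguard-ipset
    elif printf '%s\n' "$journal" | grep -q 'Could not initialize firewall'; then
        echo backend-init-failed
    else
        echo no-known-problem
    fi
}

# switch_backend_to_nft: rewrites BACKEND= in the given sshguard.conf so sshguard
# manages its own nftables sets instead of relying on a firewalld ipset.
switch_backend_to_nft() {
    conf="$1"
    sed 's|^BACKEND=.*|BACKEND="/usr/lib/sshguard/sshg-fw-nft-sets"|' "$conf" > "$conf.new" \
        && mv "$conf.new" "$conf"
    grep '^BACKEND=' "$conf"
}

# Stand-alone run: triage the sample, then rewrite a scratch copy of the config.
printf '%s\n' "$SAMPLE_JOURNAL" | diagnose_sshguard_firewalld
tmp=$(mktemp) && printf 'BACKEND="/usr/lib/sshguard/sshg-fw-firewalld"\nTHRESHOLD=30\n' > "$tmp"
switch_backend_to_nft "$tmp"; rm -f "$tmp"
```

On a real host you would feed it `journalctl -u firewalld -u sshguard` and run it against /etc/sshguard.conf, then restart sshguard.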
I could do that; I know nftables + sshguard is working fine for me on another server, but I like how simple it is to use and understand firewalld.
I guess I could just give fail2ban a go instead of sshguard.
Sshguard#firewalld has probably not been updated for the last two releases.
You could try rebuilding firewalld locally with iptables added to makedepends and then configure it to use the iptables backend at run time and see if that restores the old behavior.
People don't change; they only become more so.
Last edited by braderhart (2022-02-28 20:18:49)