[SOLVED] arno firewall not starting

CPUnltd · 2009-12-29 09:43:44

I changed VERY few options in the conf file... but even by default, it fails to start via "/etc/rc.d/arno-iptables-firewall start" haven't rebooted yet (big download happening overnight...) but could someone give me a starting poit to figuring this out? there is no error output... just a big, red FAIL...

EDIT: so no one has to scroll through the entire thread to find out how this got fixed, I turned on the NAT feature without setting the IP for it to use, so it crapped on me... I turned NAT off (for now, because I know I will need it for VirtualBox) and the firewall starts just fine. Thanks to everyone involved for your help.

Last edited by CPUnltd (2009-12-31 17:28:50)

jac · 2009-12-29 10:04:06

If you look in the script you can see what it is trying to do. I would try running those commands without the output redirect to /dev/null. You should be able to see some error message then.

CPUnltd · 2009-12-29 19:52:56

unfortunately, I am not seeing where my output is being sent to /dev/null... I searched the entire conf file and don't see anything revolving around output. This firewall thing has been a genuine nightmare for me between this, gshield, firehol and firestarter, I just can't seem to find anything consistantly functional that won't block half of what I wanna do and is generally simple to configure. Not trying to keep the government out, just looking for basic protection. Nothing is unhackable, but still.

anrxc · 2009-12-29 20:05:50

After executing start did you verify that your firewall rules are really emtpy (iptables --list)? There's a big possibility that the init script is at fault.

jac · 2009-12-29 20:27:05

Sorry about that, perhaps that one doesn't redirect it to /dev/null. You should at least be able to narrow it down into the "start" routine. I would follow anrxc's suggestions, as I know nothing about the program in question, just giving general ideas.

CPUnltd · 2009-12-30 07:44:48

so iptables.rules is supposed to be empty? that was something that was not made obvious to me. I'm also at a loss for why (on the system I do have this firewall working on) I can't connect to a large number of sites that seem random to me (granted, the only one that really counts at this point is gmail)... I may open up a thread for that since all searches have come up /dev/null...

anrxc · 2009-12-30 16:08:11

so iptables.rules is supposed to be empty? that was something that was not made obvious to me

What are you talking about?

If the firewall script did not start then it would not apply any iptables rules. I told you to double-check if your rules are really emtpy. Because there is a good chance that the rules were applied but the arno init script provided by the packager displayed the status wrong. Advice that jac gave you was also good, the init script does send the output of the arno firewall to /dev/null... ah, if only you knew what you are doing...

CPUnltd · 2009-12-31 02:44:18

that's part of the point, I don't know what I'm talking about. Every distro I have dealt with has had shorewall built into their control center where I could set the few rules I actually feel are necessary for decent protection and I would be done. Arch isn't so simple on that note (haven't even seen a control center, though I haven't really looked all that hard either). So if I am understanding what you are saying, there is a chance that the firewall is up, but arno is saying it's not? ... I'd like to know what I'm doing, but with responses from people like you, anrxc, it makes me wonder if it's really worth asking about.

I would assume you notice the low number of posts I have here... which one who is considerate would possibly assume I'm somewhat new around here and maybe to linux in general. I'd rather be treated like I don't know when I do than as if I did know when I don't. An insult about a topic is far less of a slap in the face than actual ignorance on a subject.

I'd appreciate responses that are helpful and knowledgeable vs insulting and condescending. Hence what a forum is actually for. I'll end my conversation on THAT topic now, as I am not here to argue understanding... I'm here to figure this out. Though I am very close to just deleting the program and looking for something I can better figure out. I tried this program after basically failing to properly setup iptables directly via the tutorial on the wiki (the rules I set seemed to shut the network down completely). Don't get me wrong... once I get it, I get it... but getting past the first step is what I'm here for. Anyway, if I can't get this figured out, I'll just work with another program and stop posting on this thread. I don't wanna come of like a jerk, but this is in response to anrxc's post. If there is anyone out there willing to help, thanks in advance. All others, please don't bother.

anrxc · 2009-12-31 16:27:04

I told you to execute a command which will help you debug. Did you execute it and report back? No.
Another person told you how to debug the firewall script. You claimed the output is not sent to /dev/null, when in fact it is.

How can we assist you further without drawing a picture?

CPUnltd · 2009-12-31 17:00:05

the situation is that I asked a question about your suggestion and you took it as me being an idiot... but ANYWAY, to move forward with this situation...

iptables --list:
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

and as far as /dev/null goes. I have checked for output and it is empty (used 3 separate text editors... how do I change things so I can have the output sent to a file to properly figure out what it's doing? I was under the impression ahead of this that /dev/null stayed empty and was just a file used to "erase" or "eliminate" unnecessary info. Am I wrong about that?

almost forgot... I also checked the script for any signs of /dev/null, and I was unable to find it... so what setting do I change to redirect the output to an actual file/log? I opened the script in a couple of text editors and did a search for /dev/null and null and came up empty....

Last edited by CPUnltd (2009-12-31 17:03:02)

anrxc · 2009-12-31 17:03:15

The output sent there is lost. The idea was for you to temporarily not send the output there so you can read it... but anyway you can do that in another way.

As root call the arno firewall your self:

/usr/sbin/arno-iptables-firewall start

It is a very informative script in general and I hope it will tell you what exactly went wrong (for something did go wrong because your rules were really left emtpy, not one was applied).

CPUnltd · 2009-12-31 17:12:13

that's especially strange then, because I have this installed on my laptop AND desktop. The laptop has the failing script, while the desktop script seems to be working fine (though it does block me from using gmail and such, which seems a common problem with arno from the searches i have done thus far). thing is, the iptables --list output is the SAME in both places, but I see output within the arno interface of blocked ip addresses and other general data that is realtime... also, when it is on, I have the slowdown or inaccessibility of certain websites that work fine when it's off. If both have empty iptables rules, the confusion just reached a whole new level.

CPUnltd · 2009-12-31 17:15:42

the error I just got when executing as root is:

"ERROR: Unable to enable NAT because there's no (NAT_)INTERNAL_NET specified!"

so I will turn off NAT since I don't have anything set up for that just yet and see if that fixes things...

CPUnltd · 2009-12-31 17:26:30

ok, the NAT thing fixed this issue, so I will label it solved... now I'm going to start a thread about the empty iptables rules and the gmail issue...

Thanks... no hard feelings, but please consider situations where you can misinterpret or be misinterpreted (as this one was) and go down the road you did. I followed, so I am to blame as well. But still. Anyway, thanks.

anrxc · 2009-12-31 17:43:43

I used arno's script on one of my servers for a lot of years without any problems, yet you mention a lot of searches with issues...

If you explicitly didn't block certain hosts or ports it should not interfere with your outgoing connections. The issue you describe sound like MTU problems, but arno's script does not modify MTU of network interfaces, only thing that comes to mind is that you missconfigured some other aspects of the firewall (as you did with NAT)... but let's leave that discussion for the new thread you will open.

If all you want to do is protect your ports and open an ocassional service or two, and ocasionally share your Internet connection with others (NAT) you can do much much simpler than arno's firewall. For example I use this firewall script on my laptop to lock it when travelling, and if needed to share my connection with others:

http://sysphere.org/~anrxc/local/sources/rc.firewall
usage: /etc/rc.d/firewall {start|stop|restart|status} [nat]

/etc/rc.d/firewall start # start the firewall
/etc/rc.d/firewall start nat # start the firewall and enable NAT

Last edited by anrxc (2010-01-01 01:56:02)

Arch Linux

#1 2009-12-29 09:43:44

[SOLVED] arno firewall not starting

#2 2009-12-29 10:04:06

Re: [SOLVED] arno firewall not starting

#3 2009-12-29 19:52:56

Re: [SOLVED] arno firewall not starting

#4 2009-12-29 20:05:50

Re: [SOLVED] arno firewall not starting

#5 2009-12-29 20:27:05

Re: [SOLVED] arno firewall not starting

#6 2009-12-30 07:44:48

Re: [SOLVED] arno firewall not starting

#7 2009-12-30 16:08:11

Re: [SOLVED] arno firewall not starting

#8 2009-12-31 02:44:18

Re: [SOLVED] arno firewall not starting

#9 2009-12-31 16:27:04

Re: [SOLVED] arno firewall not starting

#10 2009-12-31 17:00:05

Re: [SOLVED] arno firewall not starting

#11 2009-12-31 17:03:15

Re: [SOLVED] arno firewall not starting

#12 2009-12-31 17:12:13

Re: [SOLVED] arno firewall not starting

#13 2009-12-31 17:15:42

Re: [SOLVED] arno firewall not starting

#14 2009-12-31 17:26:30

Re: [SOLVED] arno firewall not starting

#15 2009-12-31 17:43:43

Re: [SOLVED] arno firewall not starting

Board footer