Bug 12791

Summary: Firewall Options: core 165 (testing) : 3 options not defaulted when doing a restore from 161
Product: IPFire Reporter: Rejjy_S <rejeancgrpq>
Component: ---
Assignee: Stefan Schantl <stefan.schantl>
Status: CLOSED FIXED QA Contact: Peter Müller <peter.mueller>
Severity: Balancing    
Priority: Will affect an average number of users CC: michael.tremer, peter.mueller, rejeancgrpq, stefan.schantl
Version: 2   
Hardware: unspecified   
OS: Unspecified   

Description Rejjy_S 2022-03-05 05:11:03 UTC
Not sure if iptables was the correct component to pick, and not sure if this is an actual bug seeing that this is core 165 (testing); but may also be applicable to core 164.

On ver 164 TEST and 165 TEST, there are 3 Firewall options.
‘Log dropped packets classified as INVALID by connection tracking’
‘Log dropped spoofed packets and marsians’
and
‘Drop packets from and to hostile networks (listed at Spamhaus DROP, etc.)’

which end up having NO DEFAULT VALUE set (no ON or OFF) after doing a backup restore from 159 or 161.

These can be set manually, saved, and the set values correctly show up after a reboot.

However, when I set these three options to ON, saved and rebooted, a strange message appeared on the console screen right after 'Setting hostname to ...' and 'Setting up Firewall'.

---------------
/etc/rc.d/rcsysinit.d/S85firewall: line 177: /var/lib/location/ipset/CC_XD.ipset4: No such file or directory
iptables v1.8.7 (legacy): Set CC_XD doesn't exist.

Try 'iptables -h' or 'iptables --help' for more information
iptables v1.8.7 (legacy): Set CC_XD doesn't exist.

Try 'iptables -h' or 'iptables --help' for more information
iptables v1.8.7 (legacy): Set CC_XD doesn't exist.

Try 'iptables -h' or 'iptables --help' for more information
iptables v1.8.7 (legacy): Set CC_XD doesn't exist.

Try 'iptables -h' or 'iptables --help' for more information
INIT: Entering runlevel 3

----------------

If I set those 3 options to OFF, save and reboot, the said 'Set CC_XD doesn't exist' messages no longer appear.

https://community.ipfire.org/t/restore-backup-issue-firewall-options/7362
Comment 1 Rejjy_S 2022-03-05 06:15:26 UTC
Peter, I added you to the email list because the message
'iptables v1.8.7 (legacy): Set CC_XD doesn't exist.'

is related to turning ON the option
‘Drop packets from and to hostile networks (listed at Spamhaus DROP, etc.)’
a new feature which I believe you wrote about not long ago.

Manually enabling the other two non-defaulted options alone
‘Log dropped packets classified as INVALID by connection tracking’
‘Log dropped spoofed packets and marsians’
does not produce the said messages.
Comment 2 Stefan Schantl 2022-03-05 18:16:28 UTC
Hello Rejjy,

I've sent a patch to the mailing list to solve the issue with the three newly introduced options and no default values for them.

https://patchwork.ipfire.org/project/ipfire/patch/20220305181339.4389-1-stefan.schantl@ipfire.org/

Let's see why these CC_XD messages appear on boot.

Best regards,

-Stefan
Comment 3 Stefan Schantl 2022-03-05 18:23:37 UTC
The CC_XD messages came from the highly experimental c165 image.

So never mind, they are not part of c164; they are part of the current development process and will be fixed before c165 is released.

- Stefan
Comment 4 Rejjy_S 2022-03-05 18:55:17 UTC
Thanks for the update, Stefan.

I still see the newest 164 testing as being Feb 26.
Has the IPS restore fix been applied to it and a new 164 testing available for checkout?

Last I heard I believe MT was possibly going to keep the IPS portion as it was on 163 in order to make 164 stable available soon, thus the move to next.
Comment 5 Rejjy_S 2022-03-08 01:46:54 UTC
Hi Stefan

I'm just finishing testing the latest ver 164 master/b69659af, full install from the .iso.

All three have default values set on startup. 

However, the 
‘Drop packets from and to hostile networks (listed at Spamhaus DROP, etc.)’
which your patch (re comment 2) required to be set to OFF, is set to TRUE.

Also, doing a restore from my 161 backup puts these back into a blank, no-default state. It appears the patch never made it to the 164 master/b69659af.
Comment 6 Stefan Schantl 2022-03-08 05:15:46 UTC
Hello Rejjy,

I can confirm that the patch did not make it into C164, but it is already merged into C165, which should be okay; only installations with an older backup are affected, so I would not see this as a blocker for C164.

The default value for dropping hostile networks should be ON for new installations; on existing or restored machines it should be OFF, which is correct here.

Thanks for testing and your feedback.

Best regards,

-Stefan
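The situation described in comment 2 and comment 6 (options introduced by a newer release have no value at all after restoring an older backup, and the value a restored machine should end up with is OFF) can be reproduced and checked with a small settings-file fixup. The script below is an added example written for this page; it is not IPFire's own code and not the patch from comment 2. The key names LOGDROPCTINVALID, LOGDROPSPOOFED and DROPHOSTILE, the plain KEY=value file layout, and the helper names are assumptions, and the sample file contents are constructed.

```shell
#!/bin/sh
# Added example, not IPFire's code. After restoring a backup taken on an
# older release, the options file may lack keys that the newer release
# introduced; the web UI then shows neither ON nor OFF for them. This helper
# gives every expected key an explicit value. Per comment 6, the value for
# restored or existing machines is "off"; a fresh install would use "on".

# Assumed key names; not verified against IPFire's real settings file.
FW_OPTION_KEYS="LOGDROPCTINVALID LOGDROPSPOOFED DROPHOSTILE"

# get_setting FILE KEY: print the value of KEY (empty if absent or blank).
get_setting() {
    sed -n "s/^$2=//p" "$1" | head -n 1
}

# ensure_fw_defaults FILE DEFAULT: give every key in FW_OPTION_KEYS that is
# missing or blank in FILE the value DEFAULT, leaving existing values alone.
# Prints the number of keys that were defaulted, so a second run prints 0.
ensure_fw_defaults() {
    file="$1"
    default="$2"
    count=0
    [ -f "$file" ] || : > "$file"
    for key in $FW_OPTION_KEYS; do
        if [ -z "$(get_setting "$file" "$key")" ]; then
            # Drop a blank "KEY=" line if present, then append the default.
            sed "/^$key=\$/d" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
            printf '%s=%s\n' "$key" "$default" >> "$file"
            count=$((count + 1))
        fi
    done
    echo "$count"
}

# Demo on a constructed file standing in for a settings file restored from
# an older release: one unrelated key present, one new key present but
# blank, two new keys missing entirely.
demo() {
    tmp="$(mktemp)"
    printf 'SOME_OLDER_OPTION=on\nLOGDROPCTINVALID=\n' > "$tmp"
    echo "defaulted $(ensure_fw_defaults "$tmp" off) key(s):"
    cat "$tmp"
    rm -f "$tmp"
}
demo
```

Keys the script does not know about are left untouched, and a key that already carries a value is never overwritten, so running it a second time (or with a different default) changes nothing; that idempotence is what makes such a fixup safe to run unconditionally at boot or right after a restore.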
Comment 7 Michael Tremer 2022-03-10 09:52:52 UTC
(In reply to Stefan Schantl from comment #6)
> Hello Rejjy,
> 
> I can confirm that the patch does not make it into C164, but it is already
> merged into C165 which should be okay - only installations with an older
> backup are affected, so would not see this as a blocker for C164.

The patch is included in c164.

(In reply to Rejjy_S from comment #1)
> Peter, I added you to the email list because the 
> 'iptables v1.8.7 (legacy): Set CC_XD doesn't exist.'

And this message should be gone in latest builds of c165.
Comment 8 Stefan Schantl 2022-03-13 16:33:14 UTC
I'm going to close this bug, because the fix has been shipped with Core 164.
Comment 9 Rejjy_S 2022-03-15 03:30:02 UTC
I don't think this is really considered fixed.

‘Drop packets from and to hostile networks (listed at Spamhaus DROP, etc.)’
which your patch (re comment 2) required to be set to OFF, is set to TRUE.

In core 164 I found issues with the IPS updating forever with it set to the default ON. Setting this to OFF resolved the issue in my case.

See community thread:
[Core 164] IPS Ruleset update in progress with no end, upgrade from 163 to 164