The officially official Devuan Forum!


#1 2022-05-17 18:25:14

Dev1User
Member
Registered: 2022-05-16
Posts: 9  

UFW causes errors under Chimaera

Hello,

since upgrading from Beowulf to Chimaera, UFW keeps causing errors. When rebooting the system, I was able to photograph the error messages. Unfortunately, I can't do anything with these error warnings, because I don't know what to do exactly. But it is interesting that despite the error warning UFW remains active after booting the PC. Is this now a serious error, or can it be left at that?

However, on my other laptop, UFW is constantly disabled at boot up. That's why there is no error warning when the PC boots up.

Both laptops are running the default sysvinit system.

Everything ran fine under Ascii and Beowulf. There were no errors. But under Chimaera it seems to be different still unfortunately. It seems that under Chimaera not all errors are fixed yet.

As an attachment, I wanted to upload two photos where you can see the error warnings, but unfortunately I could not find a function how to upload the pictures here. Therefore I typed the start screen with the error warnings.

Failure Number 1:
Configure network interfaces...done.
Cleaning up temporary files...
Starting nftables: none.
Setting sensores limits...done.
Setting up X socket directories... /tmp/ .X11-unix /tmp/ .ICE-unix.
Setting up ALSA...done.
Starting firewall: ufw...iptables-restore v1.8.7 (nf_tables): Chain ´ufw-logging-deny´ does not exist
Error occurred at line: 75
Try ´iptables-restore -h´ or ´iptables-restore --help´ for more Information.
iptables-restore v1.8.7 (nf_tables): Chain ´ufw-skip-to-policy-input´ does not exist
Error occurred at line: 30
Try ´iptables-restore -h´ or ´iptables-restore --help´ for more Information.
iptables-restore: line 5 failed
...
Problem running ´/etc/ufw/before.rules´...
Problem running ´/etc/ufw/after.rules´...
failed
startpar: service(s) returned failure: ufw ... failed!
INIT: Entering runlevel: 2
Using makefile-style concurrent boot in runlevel 2.
Enabling additional executable binary formats: binfmt-support.
Setting up console font and keymap...done.
...
Failure Number 2:
Cleaning up temporary files ... /tmp.
Loading kernel module lp.
Loading kernel module ppdev.
Loading kernel module parport_pc.
Mounting local filesystems...done.
Activating swapfile swap, if any..done.
Cleaning up temporary files...
Starting up resolvconf.../etc/resolvconf/update.d/libc: Warning: /etc/resolv.conf is not a symbolic link to /run/resolvconf/resolv.conf
done.
Starting: AppArmorLoading AppArmor profile...done.
.
Configuring network interfaces...done.
Cleaning up temporary files....
Setting up ALSA...done.
Setting sensors limits...done.
Starting nftables: none.
Setting up X socket directories... /tmp/.X11-unix /tmp/.ICE-unix.
Starting firewall: ufw...
iptables-restore v1.8.7 (nf-tables):
line 75: CHAIN_USER_ADD failed (No such file or directory): chain ufw-before-input
line 75: CHAIN_USER_ADD failed (No such file or directory): chain ufw-before-output
line 75: CHAIN_USER_ADD failed (No such file or directory): chain ufw-before-forward
line 75: CHAIN_USER_ADD failed (No such file or directory): chain ufw-not-local
line 75: RULE_APPEND failed (No such file or directory): rule in chain ufw-before-input
line 75: RULE_APPEND failed (No such file or directory): rule in chain ufw-before-output
line 75: RULE_APPEND failed (No such file or directory): rule in chain ufw-before-input
line 75: RULE_APPEND failed (No such file or directory): rule in chain ufw-before-output
line 75: RULE_APPEND failed (No such file or directory): rule in chain ufw-before-forward
line 75: RULE_APPEND failed (No such file or directory): rule in chain ufw-before-input
line 75: RULE_APPEND failed (No such file or directory): rule in chain ufw-before-input
line 75: RULE_APPEND failed (No such file or directory): rule in chain
iptables-restore v1.8.7 (nf_tables): Chain ´ufw-skip-to-policy-input´ does not exist
Error occurred at line: 30
Try ´iptables-restore -h´ or ´iptables-restore --help´ for more information.
iptables-restore: line 5 failed
...
Problem running ´/etc/ufw/before.rules´ ...Problem running ´/etc/ufw/after.rules´...
failed.
startpar: service(s) returned failure: ufw ... failed!
INIT: Entering runlevel: 2
Using makefile-style concurrent boot in runlevel 2.
Enabling additional executable binary formats: binfmt-support.
Setting up console font and keymap...done.
...

Offline

#2 2022-05-19 10:48:22

czeekaj
Member
Registered: 2019-06-12
Posts: 75  

Re: UFW causes errors under Chimaera

Instead of errors, upon upgrading UFW was deactivated for me (the issue being, if you don't notice for a time, you have a more vulnerable system). I simply reactivated it.
I noticed I am using IPv6 as well now.
Try removing and then re-adding the option to append to iptables.
After enabling ufw it seems to start fine on boot up.

I might just have to migrate to biting the bullet and learning iptables and nftables.
That way you have less overhead and less to worry about.

Last edited by czeekaj (2022-05-19 10:51:37)

Offline

#3 2022-05-22 15:43:09

Dev1User
Member
Registered: 2022-05-16
Posts: 9  

Re: UFW causes errors under Chimaera

czeekaj wrote:

Try removing and then re-adding the option to append to iptables.

Where exactly and where should I make a change? I have looked at all the files in the folders and got nowhere.

czeekaj wrote:

I might just have to migrate to biting the bullet and learning iptables and nftables.
That way you have less overhead and less to worry about.

Yes, you seem to be right. But unfortunately it is not that easy. Until it is, I will rather switch to another Linux than deal with Iptables and Nftables.

I hope that the bug will eventually go away after all. I mean, the other versions of Devuan had no problems with UFW.

Offline

#4 2022-05-22 23:10:12

Marjorie
Member
From: Teignmouth, UK
Registered: 2019-06-09
Posts: 136  

Re: UFW causes errors under Chimaera

It's not a universal problem on Chimaera as on my PC ufw does work OK under Chimaera/sysvinit (upgraded from Beowulf, where it also worked), obviously using the iptables compatibility layer (which is the default).
In /var/log/boot I get:

Sat Mar 28 13:36:57 2020: [....] Starting Setting kernel variables: sysctl??7[ ok 8??.
Sat Mar 28 13:36:57 2020: [....] Starting firewall: ufw...Setting kernel variables (/etc/ufw/sysctl.conf)...??7[ ok 8??done.
Sat Mar 28 13:36:57 2020: [....] Configuring network interfaces...??7[ ok 8??done.
Sat Mar 28 13:36:57 2020: [....] Cleaning up temporary files...??7[ ok 8??.
Sat Mar 28 13:36:57 2020: [....] Setting up ALSA...??7[ ok 8??done.
Sat Mar 28 13:36:57 2020: [....] Setting sensors limits...??7[ ok 8??done.
Sat Mar 28 13:36:58 2020: [....] Setting up X socket directories... /tmp/.X11-unix /tmp/.ICE-unix??7[ ok 8??.
Sat Mar 28 13:36:58 2020: INIT: Entering runlevel: 2

This suggests there is something specific in your setup that's triggering the error.

Are you using UFW in default mode or have you added rules?
What output do you get if you run:

sudo service ufw start

Have you tried reinstalling ufw and iptables?

On my mail server I set it up to use nftables when it was on Beowulf (now upgraded to Chimaera) and that also works. Unfortunately I've not found a simple nftables front-end to replace gufw though the nftables syntax is not that difficult.

Offline

#5 2022-05-23 13:50:12

Head_on_a_Stick
Member
From: London
Registered: 2019-03-24
Posts: 2,386  

Re: UFW causes errors under Chimaera

Dev1User wrote:
Starting firewall: ufw...iptables-restore v1.8.7 (nf_tables): Chain ´ufw-logging-deny´ does not exist
Error occurred at line: 75

I don't use {G,}UFW but that looks like an invalid configuration file, probably from the older version. Move the file and create a new configuration from scratch.

Marjorie wrote:

Unfortunately I've not found a simple nftables front-end to replace gufw

GUFW has used nftables as the backend by default since beowulf: https://www.debian.org/releases/buster/ … l#nftables

Use the alternatives system to switch between iptables & nftables: https://wiki.debian.org/nftables#Revert … cy_xtables


To obtain a root shell use su -. Using just su will result in "command not found" messages.

Offline

#6 2022-05-23 16:48:50

Marjorie
Member
From: Teignmouth, UK
Registered: 2019-06-09
Posts: 136  

Re: UFW causes errors under Chimaera

Marjorie wrote:

Unfortunately I've not found a simple nftables front-end to replace gufw

Head_on_a_Stick wrote:

GUFW has used nftables as the backend by default since beowulf: https://www.debian.org/releases/buster/ … l#nftables

Use the alternatives system to switch between iptables & nftables: https://wiki.debian.org/nftables#Revert … cy_xtables

Yes, I know that the default in Beowulf (and Chimaera) is that iptables uses the nft kernel backend, but it still uses iptables syntax. This is how my own PC is set up with ufw/gufw.
I think (and I may be wrong about this) that gufw only uses and accepts iptables syntax rules on top of the translation layer iptables-nft.
If you just want to use nftables then you just put your nftables syntax rules in /etc/nftables.conf and you could probably get rid of the iptables packages which are installed by default.

Offline

#7 2022-05-23 19:13:46

Dev1User
Member
Registered: 2022-05-16
Posts: 9  

Re: UFW causes errors under Chimaera

My output in /var/log/boot looks like this:

Mon May  9 16:57:59 2022: [....] Starting Setting kernel variables: sysctl??7[ ok 8??.
Mon May  9 16:57:59 2022: [....] Setting up resolvconf.../etc/resolvconf/update.d/libc: Warning: /etc/resolv.conf is not a symbolic link to /etc/resolvconf/run/resolv.conf
Mon May  9 16:57:59 2022: ??7[ ok 8??done.
Mon May  9 16:57:59 2022: [....] Starting firewall: ufw...Setting kernel variables (/etc/ufw/sysctl.conf)...??7[ ok 8??done.
Mon May  9 16:58:00 2022: [....] Configuring network interfaces...ifup: waiting for lock on /run/network/ifstate.eth0
Mon May  9 16:58:06 2022: ifup: interface eth0 already configured
Mon May  9 16:58:06 2022: ??7[ ok 8??done.
Mon May  9 16:58:06 2022: [....] Cleaning up temporary files...??7[ ok 8??.
Mon May  9 16:58:06 2022: [....] Setting up ALSA...??7[ ok 8??done.
Mon May  9 16:58:06 2022: [....] Setting sensors limits...??7[ ok 8??done.
Mon May  9 16:58:06 2022: [....] Setting up X socket directories... /tmp/.X11-unix /tmp/.ICE-unix??7[ ok 8??.
Mon May  9 16:58:06 2022: INIT: Entering runlevel: 2

Marjorie wrote:

Are you using UFW in default mode or have you added rules?

Marjorie wrote:

Have you tried reinstalling ufw and iptables?

No, I have not added my own rules. I use the default setting with UFW. I have already uninstalled and reinstalled UFW several times with all its dependencies. But the error still persists. It is because of UFW that the errors appear. If I disable UFW, then there are no more error warnings. If I enable it, then the errors come again when I boot the laptop. After booting the laptop, however, UFW remains active.

Output:

root@Lenovo:~# ufw status
Status: active
root@Lenovo:~# /usr/sbin/ufw status
Status: active

Marjorie wrote:

What output do you get if you run: sudo service ufw start

Output looks like this:

root@Lenovo:~# service ufw start
Starting firewall: ufw...Setting kernel variables (/etc/ufw/sysctl.conf)...Firewall already started, use 'force-reload'...done.

On my other laptop, where UFW is constantly disabled at startup, I removed Iptables completely with its dependencies. This laptop now has no internet connection. With the removal of Iptables, Nftables, the Connman internet service, UFW ... were also removed. I can't connect to the internet with it now. It looks like I have to reinstall Devuan completely. Or is there another step to establish an internet connection?

Offline

#8 2022-05-23 19:55:06

Dev1User
Member
Registered: 2022-05-16
Posts: 9  

Re: UFW causes errors under Chimaera

Head_on_a_Stick wrote:

I don't use {G,}UFW but that looks like an invalid configuration file, probably from the older version. Move the file and create a new configuration from scratch.

Unfortunately, I don't know what file exactly to move now and how to create something new.

Offline

#9 2022-05-24 13:20:16

Dev1User
Member
Registered: 2022-05-16
Posts: 9  

Re: UFW causes errors under Chimaera

Dev1User wrote:

On my other laptop, where UFW is constantly disabled at startup, I removed Iptables completely with its dependencies. This laptop now has no internet connection. With the removal of Iptables, Nftables, the Connman internet service, UFW ... were also removed. I can't connect to the internet with it now. It looks like I have to reinstall Devuan completely. Or is there another step to establish an internet connection?

I have fixed the internet problem. I then started a trial. I installed Iptables, UFW, again. But after booting UFW was not activated. Then again removed Iptables, Nftables, UFW. This time installed only Nftables. After that UFW. UFW installed Iptables as a required package. After that UFW activated and after booting the laptop UFW was deactivated again. Through the links of Head_on_a_Stick I came to the firewall Firewalld and its graphical interface Firewall-config. I could not start this firewall, it was always disabled. This firewall seems to be really only for SystemD. Could it perhaps be that Chimaera is no longer compatible with older hardware? My second laptop is a Dell. Although Beowulf was still running fine. Chimaera runs, but UFW seems to have problems with it.

On my first laptop, a Lenovo, UFW also has problems. It's strange that an upgrade from Beowulf to Chimaera suddenly causes problems on both devices.

Offline

#10 2022-05-24 21:53:49

Marjorie
Member
From: Teignmouth, UK
Registered: 2019-06-09
Posts: 136  

Re: UFW causes errors under Chimaera

If you look at the dependencies: GUFW depends on UFW, UFW depends on iptables, iptables depends on nftables.

As, at this stage, you only want a basic firewall, can I suggest you just install the nftables deb and a simple /etc/nftables.conf to specify the basic rules? Don't reinstall the others.

If you install nftables there are a number of example configurations including one for a simple workstation at /usr/share/doc/nftables/examples/workstation.nft. As root, copy this to /etc/nftables.conf.

This file contains the following:

#!/usr/sbin/nft -f

flush ruleset

table inet filter {
	chain input {
		type filter hook input priority 0;

		# accept any localhost traffic
		iif lo accept

		# accept traffic originated from us
		ct state established,related accept

		# activate the following line to accept common local services
		#tcp dport { 22, 80, 443 } ct state new accept

		# accept neighbour discovery otherwise IPv6 connectivity breaks.
		ip6 nexthdr icmpv6 icmpv6 type { nd-neighbor-solicit,  nd-router-advert, nd-neighbor-advert } accept

		# count and drop any other traffic
		counter drop
	}
}

You should then check that nftables is enabled and running.

sudo service nftables status

If it is then it should also automatically start when the system is booted and provide a firewall.
You can turn it off and on with:

sudo service nftables stop
sudo service nftables start

Going beyond a simple firewall you might then need to open ports in the firewall for specific services (syntax as in line 16, currently commented out), e.g. open port 22 for tcp if you want to be able to ssh into the machine.
On my PC I also open ports to allow my Brother printer access for scanning and printing and to get system time (from, in my case, chrony).
In these cases I also lock down the IP of the machine(s) that can access the port.

Last edited by Marjorie (2022-05-24 21:54:55)

Offline
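The source-restricted port opening described in the post above, as an added example that is not part of the original post or of the nftables package: a shell function that renders the workstation ruleset with one TCP port opened only to a single IPv4 host, validating both values before they are written into the rules. The function names and the address 192.0.2.10 are constructed for illustration.

```shell
#!/bin/sh
# Added example: render nftables.conf-style rules that open one TCP port
# to a single trusted IPv4 host. Names and sample values are hypothetical.

# is_ipv4 ADDR -> exit 0 only for four dot-separated octets in 0-255
is_ipv4() {
    case "$1" in
        *[!0-9.]*|*..*|.*|*.|*.*.*.*.*) return 1 ;;  # junk, empty octet, >3 dots
        *.*.*.*) ;;                                  # exactly three dots
        *) return 1 ;;
    esac
    for octet in $(echo "$1" | tr '.' ' '); do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# is_port N -> exit 0 only for an integer in 1-65535
is_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "${#1}" -le 5 ] && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# render_ruleset TRUSTED_IPV4 TCP_PORT -> ruleset on stdout
render_ruleset() {
    is_ipv4 "$1" || { echo "bad IPv4 address: $1" >&2; return 1; }
    is_port "$2" || { echo "bad TCP port: $2" >&2; return 1; }
    cat <<EOF
#!/usr/sbin/nft -f

flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0;

        iif lo accept
        ct state established,related accept

        # only $1 may open new connections to TCP port $2
        ip saddr $1 tcp dport $2 ct state new accept

        ip6 nexthdr icmpv6 icmpv6 type { nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert } accept

        counter drop
    }
}
EOF
}

# Usage: sh thisfile 192.0.2.10 22 > nftables.conf.new
#        nft -c -f nftables.conf.new   # syntax check only, loads nothing
if [ "$#" -eq 2 ]; then render_ruleset "$1" "$2"; fi
```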

#11 2022-05-24 22:45:22

GlennW
Member
Registered: 2019-07-18
Posts: 234  

Re: UFW causes errors under Chimaera

If you search these pages you may also find more info on getting nftables to run.

There's plenty there.

Offline

#12 2022-05-25 15:13:32

Dev1User
Member
Registered: 2022-05-16
Posts: 9  

Re: UFW causes errors under Chimaera

So actually I just wanted to get UFW running, and not mess around with nftables. I have neither the desire nor the time to deal with it in detail. Nevertheless, thank you Marjorie for this tip. I'll keep it in mind and when the time is right, I'll take a closer look. It may be that nfs settings don't seem so hard for others, but for newbies it's just different.

I made two attempts yesterday in a virtual machine. On the first attempt I installed Ascii. Then upgraded Ascii to Beowulf and then to Chimaera. Then activated UFW and when booting the system there were no errors, but then when I looked in the terminal to see if it remained activated, it finally did not. The terminal said inactive.

On the second try I reinstalled Chimaera completely. Activated UFW and restarted the virtual machine. When booting, there were no problems and when I looked in the terminal, it actually said active.

So probably I have to reinstall Devuan Chimaera for this to work. But that can not be that I now have to set up everything completely new after every new version in case there are problems. This can't be true, it takes a lot of time and is very stressful and annoying.

Offline

#13 2022-05-25 23:36:38

GlennW
Member
Registered: 2019-07-18
Posts: 234  

Re: UFW causes errors under Chimaera

Hi, it's more than likely to be the start-up scripts, I came across a very similar problem.

And the fixes are in the other pages on this forum.

Particularly, https://dev1galaxy.org/viewtopic.php?id=2889 (post #6 and onwards.)

You may also find these examples hard to find... /usr/share/doc/nftables/examples/...
Because, I couldn't find them either, but I can't remember if it was ascii, beowulf, chimaera or ceres.

Offline

#14 2022-05-27 01:56:43

pcalvert
Member
Registered: 2017-05-15
Posts: 108  

Re: UFW causes errors under Chimaera

I recommend giving FireHOL a try. It uses a simple, human-readable configuration file.

Package name: firehol

More info:
https://firehol.org/
https://packages.debian.org/stable/firehol

For most desktop and laptop computers, the default configuration should be sufficient. For a server you would need to configure the firewall according to the services that are running on it.


“It is better to believe than to disbelieve; in doing so, it brings
everything into the realm of possibility.” — Albert Einstein

Offline

#15 2022-05-30 16:10:23

Dev1User
Member
Registered: 2022-05-16
Posts: 9  

Re: UFW causes errors under Chimaera

So I have now completely solved the UFW problem. After several different attempts in the virtual machine, I noticed the problem. Actually, the problem cause was constantly seen. First a pure Beowulf installation and then an upgrade to Chimaera or even a pure Chimaera installation, brought success. The culprit was nftables. A new, clean Chimaera installation does not contain nftables. Only when I completely removed nftables on my two laptops, the error messages disappeared immediately. UFW is now running fine, with no problems. There are no problems when booting.

I have never heard about Firehol. I will have a look at the links. Thanks pcalvert.

Offline
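The thread reports both a firewall that was silently inactive after the upgrade and `ufw status` showing active after a boot in which the rules files failed to load, so the boot messages are worth checking directly. The following is an added example, not code from any poster or from the ufw project: it scans sysvinit boot messages for the failure patterns quoted in post #1. The function names are hypothetical and the sample log is constructed from those messages.

```shell
#!/bin/sh
# Added example: scan sysvinit boot messages for a failed ufw start.
# Patterns are taken from the messages quoted in this thread.

# ufw_boot_status [LOGFILE] -> prints one of: failed, ok, not-started
ufw_boot_status() {
    awk '
        /Starting firewall: ufw/                               { started = 1 }
        /iptables-restore.*does not exist/                     { bad = 1 }
        /(CHAIN_USER_ADD|RULE_APPEND) failed/                  { bad = 1 }
        /Problem running .*\/etc\/ufw\/(before|after)\.rules/  { bad = 1 }
        /service\(s\) returned failure:.* ufw /                { bad = 1 }
        END {
            if (bad)          print "failed"
            else if (started) print "ok"
            else              print "not-started"
        }
    ' "$@"
}

# ufw_missing_chains [LOGFILE] -> unique chain names reported as missing
ufw_missing_chains() {
    sed -n 's/.*Chain [^u]*\(ufw-[a-z-]*\)[^ ]* does not exist.*/\1/p' "$@" |
        sort -u
}

# Constructed sample, modelled on the boot messages quoted in post #1.
sample_failed_log() {
    cat <<'EOF'
Starting nftables: none.
Starting firewall: ufw...iptables-restore v1.8.7 (nf_tables): Chain 'ufw-logging-deny' does not exist
Error occurred at line: 75
iptables-restore v1.8.7 (nf_tables): Chain 'ufw-skip-to-policy-input' does not exist
Error occurred at line: 30
Problem running '/etc/ufw/before.rules'...
Problem running '/etc/ufw/after.rules'...
startpar: service(s) returned failure: ufw ... failed!
INIT: Entering runlevel: 2
EOF
}

# Demo on the constructed sample; on a real system pass /var/log/boot instead.
sample_failed_log | ufw_boot_status
```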
