Package: fail2ban
Version: 0.9.7-2
Severity: important
Tags: newcomer

Hi,

When using fail2ban with firewalld, it can become impossible to restart firewalld, because a restart request propagates through fail2ban, and fail2ban.service has both iptables.service and firewalld.service listed for PartOf. firewalld conflicts with iptables, so this can seemingly never work right.

There are two discussions online about this. First on the systemd list:

https://lists.freedesktop.org/archives/systemd-devel/2016-March/036011.html

And, a Fedora bug about the same problem:

https://bugzilla.redhat.com/show_bug.cgi?id=1379141

This seems to maybe be further exacerbated by the fact that there is no iptables.service (it seems Debian uses netfilter-persistent to handle all iptables starts and stops and such).

I have been able to work around it by removing iptables.service from the fail2ban.service, but I don't know enough about Debian policy on this sort of thing to make suggestions on this problem. But, given there doesn't seem to be an iptables.service ever, it probably just shouldn't be there in the first place.

Another annoying side effect of this problem is that any package operations that have firewalld triggers will fail, leaving packages in an unconfigured/broken state.

-- System Information:
Debian Release: 9.1
  APT prefers testing
  APT policy: (500, 'testing'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-3-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages fail2ban depends on:
ii  init-system-helpers  1.48
ii  lsb-base             9.20161125
ii  python3              3.5.3-1

Versions of packages fail2ban recommends:
ii  iptables           1.6.0+snapshot20161117-6
ii  python             2.7.13-2
ii  python3-pyinotify  0.9.6-1
ii  python3-systemd    233-1
ii  whois              5.2.15

Versions of packages fail2ban suggests:
ii  mailutils [mailx]             1:3.1.1-1
pn  monit                         <none>
ii  rsyslog [system-log-daemon]   8.24.0-1

-- no debconf information
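
The workaround described in the report, as an added example that is not part of the original report or of the fail2ban package: systemd drop-ins can only add dependencies, not remove them, so dropping a unit from PartOf= means keeping an edited full copy of the unit under /etc/systemd/system. The function names and the sample unit text below are constructed for illustration.

```shell
#!/bin/sh
# Added example: filter a unit file on stdin, removing one unit name from
# every PartOf= line. A PartOf= line left with no units is dropped entirely.
# Usage: strip_partof UNIT_TO_DROP < unit-file
strip_partof() {
    awk -v drop="$1" '
        /^PartOf=/ {
            # "PartOf=" is 7 characters; the unit list starts at column 8.
            n = split(substr($0, 8), units, /[ \t]+/)
            out = ""
            for (i = 1; i <= n; i++)
                if (units[i] != "" && units[i] != drop)
                    out = out (out == "" ? "" : " ") units[i]
            if (out != "") print "PartOf=" out
            next
        }
        { print }
    '
}

# Constructed sample input. Only the PartOf= line reflects what the report
# describes; the rest is filler so the filter has other lines to pass through.
sample_unit() {
    cat <<'EOF'
[Unit]
Description=constructed sample unit
PartOf=iptables.service firewalld.service

[Service]
Type=forking
EOF
}

# Demonstration on the sample: the result keeps PartOf=firewalld.service only.
sample_unit | strip_partof iptables.service

# Applying it to a real system (run as root). The shipped unit's location is
# looked up rather than assumed:
#   src=$(systemctl show -p FragmentPath --value fail2ban.service)
#   strip_partof iptables.service < "$src" > /etc/systemd/system/fail2ban.service
#   systemctl daemon-reload
```

A copy in /etc/systemd/system takes precedence over the packaged unit, so it also stops tracking later packaging changes to fail2ban.service and should be re-checked after upgrades.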