Hi Trent,
It appears firewalld is being used, as the iptables-related error messages
are coming from firewalld. If you set VERBOSE = 3 in your fwknopd.conf
file and do a "service fwknopd restart", fwknopd will log its configuration
settings and will also log the firewall-cmd command lines being executed at
startup, and when a valid SPA packet is received.
I'm not sure why there are so many errors in the logs, however. I admit
that I do not have any experience with firewalld yet, so I don't have much
more to add at this point.
If you bump up the VERBOSE value and send that output to the list, it may
give more to go on.
Regards,
-Damien
On Mon, Feb 23, 2015 at 9:23 AM, Trent Hampton <[email protected]>
wrote:
> Greetings,
>
> After getting the most recent code from GitHub I removed the Perl legacy
> spec files, tarred up the source, and ran an "rpmbuild -ta
> fwknop-2.6.5.tar.gz" to create the RPMs with which I installed fwknop on
> two CentOS 7 servers. From the log messages below I believe that you can see
> that the fwknopd server is configured to use firewalld. However, it appears
> that when fwknopd receives an SPA packet it tries to write iptables rules
> and fails.
>
> Is there something else I need to do to use firewalld?
>
> Feb 20 17:10:10 server7 fwknopd[2209]: Run directory: /var/run/fwknop does not exist. Attempting to create it.
> Feb 20 17:10:10 server7 fwknopd[2209]: Successfully created Run directory: /var/run/fwknop
> Feb 20 17:10:10 server7 fwknopd: Starting fwknopd: [ OK ]
> Feb 20 17:10:10 server7 fwknopd[2210]: Starting fwknopd
> Feb 20 17:10:10 server7 fwknopd[2210]: Using Digest Cache: '/var/run/fwknop/digest.cache' (entry count = 0)
> Feb 20 17:10:10 server7 systemd: Started LSB: start and stop fwknopd.
> Feb 20 17:10:10 server7 firewalld: 2015-02-20 17:10:10 ERROR: COMMAND_FAILED: '/sbin/iptables -C INPUT -t filter -j FWKNOP_INPUT' failed: iptables v1.4.21: Couldn't load target `FWKNOP_INPUT':No such file or directory
> Try `iptables -h' or 'iptables --help' for more information.
> Feb 20 17:10:10 server7 firewalld: 2015-02-20 17:10:10 ERROR: COMMAND_FAILED: '/sbin/iptables -t filter -F FWKNOP_INPUT' failed: iptables: No chain/target/match by that name.
> Feb 20 17:10:11 server7 firewalld: 2015-02-20 17:10:11 ERROR: COMMAND_FAILED: '/sbin/iptables -t filter -X FWKNOP_INPUT' failed: iptables: No chain/target/match by that name.
> Feb 20 17:10:11 server7 firewalld: 2015-02-20 17:10:11 ERROR: COMMAND_FAILED: '/sbin/iptables -t filter -L FWKNOP_INPUT -n' failed: iptables: No chain/target/match by that name.
> Feb 20 17:10:11 server7 firewalld: 2015-02-20 17:10:11 ERROR: COMMAND_FAILED: '/sbin/iptables -C INPUT -t filter -j FWKNOP_INPUT' failed: iptables: No chain/target/match by that name.
> Feb 20 17:10:11 server7 fwknopd[2210]: Added jump rule from chain: INPUT to chain: FWKNOP_INPUT
> Feb 20 17:10:12 server7 fwknopd[2210]: firewalld 'comment' match is available
> Feb 20 17:10:12 server7 fwknopd[2210]: Sniffing interface: ens3
> Feb 20 17:10:12 server7 fwknopd[2210]: PCAP filter is: 'udp port 62201'
> Feb 20 17:10:12 server7 fwknopd[2210]: Starting fwknopd main event loop.
> Feb 20 17:10:15 server7 fwknopd[2210]: (stanza #1) SPA Packet from IP: 135.72.227.124 received with access source match
> Feb 20 17:10:15 server7 firewalld: 2015-02-20 17:10:15 ERROR: COMMAND_FAILED: '/sbin/iptables -t filter -N FWKNOP_INPUT' failed: iptables: Chain already exists.
> Feb 20 17:10:15 server7 firewalld: 2015-02-20 17:10:15 ERROR: COMMAND_FAILED: '/sbin/iptables -C FWKNOP_INPUT -t filter -p 6 -s 135.72.227.124 -d 0.0.0.0/0 --dport 22 -m comment --comment _exp_1424481045 -j ACCEPT' failed: iptables: Bad rule (does a matching rule exist in that chain?).
> Feb 20 17:10:15 server7 fwknopd[2210]: Added Rule to FWKNOP_INPUT for 135.72.227.124, tcp/22 expires at 1424481045
>
> Trent
>
>
> _______________________________________________
> Fwknop-discuss mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/fwknop-discuss
>
>
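A firewalld COMMAND_FAILED line records a command that firewalld ran on fwknopd's behalf and that exited non-zero; in the excerpt above every such burst is followed by an fwknopd line reporting that the jump rule or the access rule was added. The script below is an added example, not fwknop project code and not something Damien or Trent posted. It parses a constructed copy of Trent's syslog excerpt (the mail-client line wrapping undone), attaches each burst of COMMAND_FAILED lines to the fwknopd "Added ..." line that follows within a few seconds, treats the existence probes (-C, -L, -F, -X, -N) that fail with "no chain", "couldn't load target", "chain already exists" or "bad rule" as expected when a success line follows, and flags anything else, plus any failure with no success line after it. Two assumptions are needed because the syslog prefix carries neither: the log year (2015, taken from firewalld's own timestamp) and the server's UTC offset (UTC-8 is assumed), which is what lets the rule's "expires at" epoch be compared with the time the rule was added.

```python
"""Triage the firewalld COMMAND_FAILED noise around fwknopd's own log lines.

Added example, not fwknop project code.  SAMPLE_LOG is a constructed copy of
the syslog excerpt posted in the thread.  LOG_YEAR and SERVER_UTC_OFFSET are
assumptions: the syslog prefix carries neither value.
"""
import re
from datetime import datetime, timedelta, timezone

LOG_YEAR = 2015                           # assumption, from firewalld's own timestamp
SERVER_UTC_OFFSET = timedelta(hours=-8)   # assumption: UTC-8 in February

SAMPLE_LOG = """\
Feb 20 17:10:10 server7 fwknopd[2210]: Starting fwknopd
Feb 20 17:10:10 server7 systemd: Started LSB: start and stop fwknopd.
Feb 20 17:10:10 server7 firewalld: 2015-02-20 17:10:10 ERROR: COMMAND_FAILED: '/sbin/iptables -C INPUT -t filter -j FWKNOP_INPUT' failed: iptables v1.4.21: Couldn't load target `FWKNOP_INPUT':No such file or directory
Try `iptables -h' or 'iptables --help' for more information.
Feb 20 17:10:10 server7 firewalld: 2015-02-20 17:10:10 ERROR: COMMAND_FAILED: '/sbin/iptables -t filter -F FWKNOP_INPUT' failed: iptables: No chain/target/match by that name.
Feb 20 17:10:11 server7 firewalld: 2015-02-20 17:10:11 ERROR: COMMAND_FAILED: '/sbin/iptables -t filter -X FWKNOP_INPUT' failed: iptables: No chain/target/match by that name.
Feb 20 17:10:11 server7 firewalld: 2015-02-20 17:10:11 ERROR: COMMAND_FAILED: '/sbin/iptables -t filter -L FWKNOP_INPUT -n' failed: iptables: No chain/target/match by that name.
Feb 20 17:10:11 server7 firewalld: 2015-02-20 17:10:11 ERROR: COMMAND_FAILED: '/sbin/iptables -C INPUT -t filter -j FWKNOP_INPUT' failed: iptables: No chain/target/match by that name.
Feb 20 17:10:11 server7 fwknopd[2210]: Added jump rule from chain: INPUT to chain: FWKNOP_INPUT
Feb 20 17:10:12 server7 fwknopd[2210]: Starting fwknopd main event loop.
Feb 20 17:10:15 server7 fwknopd[2210]: (stanza #1) SPA Packet from IP: 135.72.227.124 received with access source match
Feb 20 17:10:15 server7 firewalld: 2015-02-20 17:10:15 ERROR: COMMAND_FAILED: '/sbin/iptables -t filter -N FWKNOP_INPUT' failed: iptables: Chain already exists.
Feb 20 17:10:15 server7 firewalld: 2015-02-20 17:10:15 ERROR: COMMAND_FAILED: '/sbin/iptables -C FWKNOP_INPUT -t filter -p 6 -s 135.72.227.124 -d 0.0.0.0/0 --dport 22 -m comment --comment _exp_1424481045 -j ACCEPT' failed: iptables: Bad rule (does a matching rule exist in that chain?).
Feb 20 17:10:15 server7 fwknopd[2210]: Added Rule to FWKNOP_INPUT for 135.72.227.124, tcp/22 expires at 1424481045
"""

SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ "
    r"(?P<prog>firewalld|fwknopd)(?:\[\d+\])?: (?P<msg>.*)$")
FAILED_RE = re.compile(r"COMMAND_FAILED: '(?P<cmd>[^']*)' failed: (?P<err>.*)$")
ADDED_RE = re.compile(r"^Added (?P<what>jump rule|Rule) .*?(?P<chain>FWKNOP_[A-Z_]+)")
EXPIRES_RE = re.compile(r"expires at (?P<exp>\d+)\s*$")

# iptables verbs fwknopd issues; the comment says why a non-zero exit is normal
IPTABLES_VERBS = {
    "-C": "check",         # 1 = "rule not present", which is the point of the probe
    "-L": "list",          # fails when the chain does not exist yet
    "-F": "flush",         # same
    "-X": "delete-chain",  # same
    "-N": "new-chain",     # fails when the chain already exists
    "-A": "append", "-I": "insert", "-D": "delete",
}
PROBE_VERBS = {"check", "list", "flush", "delete-chain", "new-chain"}
EXPECTED_PROBE_ERRORS = ("No chain/target/match by that name", "Couldn't load target",
                         "Chain already exists", "Bad rule")


def parse_ts(ts):
    """The syslog prefix has no year or zone; apply the assumed ones."""
    naive = datetime.strptime(f"{LOG_YEAR} {ts}", "%Y %b %d %H:%M:%S")
    return naive.replace(tzinfo=timezone(SERVER_UTC_OFFSET))


def iptables_verb(cmd):
    return next((IPTABLES_VERBS[t] for t in cmd.split() if t in IPTABLES_VERBS), "unknown")


def is_expected_probe_failure(ev):
    return ev["verb"] in PROBE_VERBS and any(s in ev["err"] for s in EXPECTED_PROBE_ERRORS)


def parse_log(text):
    """Keep only firewalld COMMAND_FAILED lines and fwknopd 'Added ...' lines."""
    events = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue                      # continuation lines, systemd, etc.
        ts, msg = parse_ts(m["ts"]), m["msg"]
        if m["prog"] == "firewalld":
            f = FAILED_RE.search(msg)
            if f:
                events.append({"ts": ts, "src": "firewalld", "cmd": f["cmd"],
                               "verb": iptables_verb(f["cmd"]), "err": f["err"].strip()})
        else:
            a = ADDED_RE.match(msg)
            if a:
                e = EXPIRES_RE.search(msg)
                exp = datetime.fromtimestamp(int(e["exp"]), tz=timezone.utc) if e else None
                events.append({"ts": ts, "src": "fwknopd", "added": a["what"],
                               "chain": a["chain"], "expires": exp})
    return events


def triage(events, window=timedelta(seconds=5)):
    """Attach each burst of failures to the fwknopd success line that follows it.

    Returns (report, orphans): one report entry per 'Added ...' line, and the
    commands of failures that no success line explains within the window.
    """
    report, pending, orphans = [], [], []
    for ev in events:
        if ev["src"] == "firewalld":
            pending.append(ev)
            continue
        burst, stale = [], []
        for p in pending:
            (burst if ev["ts"] - p["ts"] <= window else stale).append(p)
        pending = []
        orphans += [p["cmd"] for p in stale]
        unexpected = [p["cmd"] for p in burst if not is_expected_probe_failure(p)]
        entry = {"added": ev["added"], "chain": ev["chain"], "probe_failures": len(burst),
                 "unexpected": unexpected, "ok": not unexpected}
        if ev["expires"] is not None:     # how long the access rule was granted for
            entry["ttl_seconds"] = int((ev["expires"] - ev["ts"]).total_seconds())
        report.append(entry)
    orphans += [p["cmd"] for p in pending]
    return report, orphans


if __name__ == "__main__":
    rep, orph = triage(parse_log(SAMPLE_LOG))
    for r in rep:
        print(r)
    print("unmatched failures:", orph)
```

On the sample this reports two successful adds, the jump rule preceded by five probe failures and the tcp/22 rule preceded by two, with nothing unexpected and no orphaned failures; under the assumed offset the access rule's TTL comes out at 30 seconds, which you can compare against FW_ACCESS_TIMEOUT in access.conf. To use it on a live box, feed it the fwknopd and firewalld lines from /var/log/messages after raising VERBOSE as Damien suggests, and confirm the ruleset directly (assumed available on that firewalld version) with `firewall-cmd --direct --passthrough ipv4 -L FWKNOP_INPUT -n`.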