Bug#1121939: Fwd: Bug#1121939: firehol doesn't start after upgrade to trixie
Forwarded Message
Subject: Re: Bug#1121939: firehol doesn't start after upgrade to trixie
Date: Mon, 8 Dec 2025 15:10:24 + (GMT)
From: Edmund H. Ramm
To: [email protected]

Hi Jerome,

Jerome BENOIT writes:
[..]
> Firehol actually works only with the legacy method. Support for the nf method may ask for a full recoding.

That is not true. When I set up this system here in 2020, the only netfilter programs the Debian installer installed were the non-legacy versions. And all my kernels (all compiled by me; the standard Debian kernel is unusable for me as it lacks many features I need) never had "Legacy netfilter tables" built in. Prior to trixie Firehol worked fine and trouble-free with "only" nf-filtering enabled in the kernel and the then only present non-legacy netfilter programs.

When I, after firehol stopped working after the upgrade to trixie, "hacked" /usr/libexec/firehol/firehol to use the non-legacy netfilter commands, firehol worked o.k. again here!

The upgrade to trixie installed, among many other things, the "legacy" versions of the netfilter programs and a new firehol version. And firehol stopped working, because it now calls the netfilter-legacy programs, which in turn need "Legacy netfiltering" enabled in the kernel.

So: Using "which netfilter" instead of "which netfilter-legacy" etc. in the firehol install script should make firehol work without the ip_filter module the netfilter-legacy version looks for. Provided the non-legacy netfilter programs are installed.

[...]
> I will not close it now because I will first see if ip_tables.ko can still be present in the linux-image packages.
[...]

It is, in the Debian kernel. The Debian kernel is of no use to me. But that's the reason I'm the first one to experience problems. Most others seem to be satisfied with the standard Debian kernel.

Yours sincerely,
Eddi ._._.
--
Two people looked at each other, fleetingly in final astonishment.
-babelfish
e-mail: dj6ux AT posteo DOT de
Bug#1121939: firehol doesn't start after upgrade to trixie
Hi Eddi,

On 07/12/2025 23:16, Edmund H. Ramm wrote:
> Hello Jerome,
> after I compiled a kernel with "Netfilter legacy tables support" enabled, firehol works with iptables-legacy, iptables-legacy-restore and iptables-legacy-save.

good to know.

> But it is a ticking time-bomb. Should the kernel people one day decide to drop "Netfilter legacy tables support" (like the Debian people decided to drop i386 support),

We are dealing here with two very different kinds of support with different supporters: the former depends on the Linux team, the latter on the Debian team. The code for the Netfilter stuff is very likely to stay and its support to go stale, as this stuff has been deprecated in favor of the nf version.

> firehol won't start any longer, because iptables-legacy won't find the module ip_tables.ko.

It is recommended to build and to tune your own kernel.

> I think it would be more flexible if the firehol installation script detects the actual ip filtering method used (legacy or nf) and selects the proper iptables commands (with or without "legacy") based on its findings.

Firehol actually works only with the legacy method. Support for the nf method may ask for a full recoding.

> If you don't have further concerns, you may consider the "bug" solved.

Indeed. But I will not close it now because I will first see if ip_tables.ko can still be present in the linux-image packages. Furthermore I may add a comment in the debian README file.

> Thank you very much for your support and patience.

likewise, good luck,
Jerome

> Yours sincerely,
> Eddi ._._.

--
Jerome BENOIT | calculus+at-rezozer^dot*net
https://qa.debian.org/[email protected]
AE28 AE15 710D FF1D 87E5 A762 3F92 19A6 7F36 C68B
Bug#1121939: Fwd: Bug#1121939: firehol doesn't start after upgrade to trixie
Forwarded Message
Subject: Re: Bug#1121939: firehol doesn't start after upgrade to trixie
Date: Sun, 7 Dec 2025 22:16:10 + (GMT)
From: Edmund H. Ramm
To: [email protected]

Hello Jerome,

after I compiled a kernel with "Netfilter legacy tables support" enabled, firehol works with iptables-legacy, iptables-legacy-restore and iptables-legacy-save. But it is a ticking time-bomb. Should the kernel people one day decide to drop "Netfilter legacy tables support" (like the Debian people decided to drop i386 support), firehol won't start any longer, because iptables-legacy won't find the module ip_tables.ko.

I think it would be more flexible if the firehol installation script detects the actual ip filtering method used (legacy or nf) and selects the proper iptables commands (with or without "legacy") based on its findings.

If you don't have further concerns, you may consider the "bug" solved.

Thank you very much for your support and patience.

Yours sincerely,
Eddi ._._.
Bug#1121939: firehol doesn't start after upgrade to trixie (diff)
Hello,

On 07/12/2025 01:17, Edmund H. Ramm wrote:
> Dear friend Benoit,
> this is what I find on my machine:
>
> /root # ls -alF /usr/sbin/iptables*
> lrwxrwxrwx 1 root root 26 Dec 4 2020 /usr/sbin/iptables -> /etc/alternatives/iptables*
> -rwxr-xr-x 1 root root 7052 Aug 12 2023 /usr/sbin/iptables-apply*
> lrwxrwxrwx 1 root root 20 Nov 20 2024 /usr/sbin/iptables-legacy -> xtables-legacy-multi*
> lrwxrwxrwx 1 root root 20 Nov 20 2024 /usr/sbin/iptables-legacy-restore -> xtables-legacy-multi*
> lrwxrwxrwx 1 root root 20 Nov 20 2024 /usr/sbin/iptables-legacy-save -> xtables-legacy-multi*
> lrwxrwxrwx 1 root root 17 Nov 20 2024 /usr/sbin/iptables-nft -> xtables-nft-multi*
> lrwxrwxrwx 1 root root 17 Nov 20 2024 /usr/sbin/iptables-nft-restore -> xtables-nft-multi*
> lrwxrwxrwx 1 root root 17 Nov 20 2024 /usr/sbin/iptables-nft-save -> xtables-nft-multi*
> lrwxrwxrwx 1 root root 34 Dec 4 2020 /usr/sbin/iptables-restore -> /etc/alternatives/iptables-restore*
> lrwxrwxrwx 1 root root 17 Nov 20 2024 /usr/sbin/iptables-restore-translate -> xtables-nft-multi*
> lrwxrwxrwx 1 root root 31 Dec 4 2020 /usr/sbin/iptables-save -> /etc/alternatives/iptables-save*
> lrwxrwxrwx 1 root root 17 Nov 20 2024 /usr/sbin/iptables-translate -> xtables-nft-multi*
>
> i.e. the iptables-commands which work fine with firehol are four years older than the "legacy" variants.
>
> > Can you send a diff(1) file of your changes ?
>
> /usr/libexec/firehol/firehol:
> 263,266d262
> < IPTABLES_CMD=/usr/sbin/iptables
> < IPTABLES_SAVE_CMD=/usr/sbin/iptables-save
> < IPTABLES_RESTORE_CMD=/usr/sbin/iptables-restore
> <
> I inserted the above right at the start of the "GLOBAL" section.

Very bad idea because those changes may not be backed up and they may disappear at the next upgrade.

The variables are actually set in /usr/lib/firehol/install.config. They are set via a which. This choice allows overcoming the programmed disappearance of the /sbin folder in favour of the /usr/sbin folder. Whatever. Here are the concerned lines:

IPTABLES_CMD="`which iptables-legacy`"
IPTABLES_RESTORE_CMD="`which iptables-legacy-restore`"
IPTABLES_SAVE_CMD="`which iptables-legacy-save`"

The iptables-legacy[,-restore,-save] are links to xtables-legacy-multi on my bookworm box and in Sid. On the other hand, the iptables[,-restore,-save] are alternatives (see update-alternatives(1)). The Firehol suite works only with the legacy stuff.

At this stage, I suspect some mess-up on your side (I know by experience it can happen very quickly). In particular your xtables-legacy-multi seems to be a link (as the star attached to it in your output of "ls -alF /usr/sbin/iptables*" suggests). Can you double check that your iptables-legacy[,-restore,-save] are really the expected ones?

Cheers,
Jerome

PS: please let's keep sharing the issue on bugs.debian.org.

> Yours sincerely,
> Eddi ._._.

--
Jerome BENOIT | calculus+at-rezozer^dot*net
https://qa.debian.org/[email protected]
AE28 AE15 710D FF1D 87E5 A762 3F92 19A6 7F36 C68B
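Review bot: the hunk is in the wrong direction: it reads as a deletion (`263,266d262` with `<` lines) although the message says the three lines were inserted, so diff(1) was run with the modified file as the first argument; rerun it as diff ORIGINAL MODIFIED so the change shows as an addition with `>` lines and can be applied with patch(1) the usual way. Also, the inserted `IPTABLES_CMD=/usr/sbin/iptables`, `IPTABLES_SAVE_CMD=/usr/sbin/iptables-save` and `IPTABLES_RESTORE_CMD=/usr/sbin/iptables-restore` point at update-alternatives symlinks (see the `-> /etc/alternatives/...` entries in the ls output above), not at a fixed backend, so which backend the hack selects depends on the alternatives state of that host and could silently change.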
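The detection Eddi asks for above, as an added example that is not part of this thread nor of firehol's install.config: instead of hard-wiring `which iptables-legacy`, it probes both backends and fills the three install.config variables from whichever the running kernel actually accepts. It assumes root (listing a table needs CAP_NET_ADMIN) and that `iptables-<backend> -w -L -n` exits non-zero when that backend's kernel support (ip_tables.ko for legacy) is missing.

```shell
#!/bin/sh
# Added example, not firehol's own install.config: choose the iptables
# command family (legacy or nft) that the running kernel actually accepts.
# Assumptions: run as root; the probe "iptables-<backend> -w -L -n" fails
# with non-zero status when that backend's kernel support is missing.

# backend_usable NAME: 0 if iptables-NAME exists and can list the filter table
backend_usable() {
    _cmd="iptables-$1"
    command -v "$_cmd" >/dev/null 2>&1 || return 1
    "$_cmd" -w -L -n >/dev/null 2>&1
}

# detect_iptables_backend: print "legacy" or "nft". Legacy is tried first
# because, per the maintainer, FireHOL is only known to work with it.
# Returns 1 when neither backend is usable.
detect_iptables_backend() {
    for _b in legacy nft; do
        if backend_usable "$_b"; then
            printf '%s\n' "$_b"
            return 0
        fi
    done
    return 1
}

# set_iptables_cmds: fill the three variables install.config defines from the
# detected backend; fails (leaving them unset) when there is none.
set_iptables_cmds() {
    _suffix="$(detect_iptables_backend)" || return 1
    IPTABLES_CMD="$(command -v "iptables-$_suffix")" || return 1
    IPTABLES_RESTORE_CMD="$(command -v "iptables-$_suffix-restore")" || return 1
    IPTABLES_SAVE_CMD="$(command -v "iptables-$_suffix-save")" || return 1
    export IPTABLES_CMD IPTABLES_RESTORE_CMD IPTABLES_SAVE_CMD
}

# Stand-alone use ("sh detect.sh --show"): report what would be picked here.
if [ "${1:-}" = "--show" ]; then
    if set_iptables_cmds; then
        printf 'backend: %s\nIPTABLES_CMD=%s\nIPTABLES_RESTORE_CMD=%s\nIPTABLES_SAVE_CMD=%s\n' \
            "$(detect_iptables_backend)" "$IPTABLES_CMD" "$IPTABLES_RESTORE_CMD" "$IPTABLES_SAVE_CMD"
    else
        echo "no usable iptables backend found" >&2
        exit 1
    fi
fi
```

On a host like Eddi's (legacy binaries installed but no legacy kernel support) the probe of iptables-legacy fails and the nft commands are chosen; on a stock Debian kernel legacy wins.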
Bug#1121939: firehol doesn't start after upgrade to trixie
Package: firehol
Version: 3.1.8+ds-1
Severity: important
Dear Maintainer,
*** Reporter, please consider answering these questions, where appropriate ***
* What led up to the situation?
A distribution upgrade from bookworm to trixie.
* What exactly did you do (or not do) that was effective (or
ineffective)?
I looked at several config files but couldn't find anything wrong. I
contacted Jerome, and he suggested submitting this bug report.
* What was the outcome of this action?
Remains to be seen, this is only the first submission of a bug report. I
searched the web first but seem to be the only one with this issue.
* What outcome did you expect instead?
I hope my problem can be solved.
*** End of the template - remove these template lines ***
-- System Information:
Debian Release: 13.2
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 6.18.0 (SMP w/8 CPU threads; PREEMPT)
Locale: LANG=C, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en
Shell: /bin/sh linked to /usr/bin/dash
Init: sysvinit (via /sbin/init)
Versions of packages firehol depends on:
ii firehol-common 3.1.8+ds-1
ii init-system-helpers 1.69~deb13u1
Versions of packages firehol recommends:
ii fireqos 3.1.8+ds-1
Versions of packages firehol suggests:
ii firehol-doc 3.1.8+ds-1
ii firehol-tools 3.1.8+ds-1
pn ulogd2
-- Configuration Files:
/etc/default/firehol changed:
START_FIREHOL=YES
WAIT_FOR_IFACE=""
FIREHOL_ESTABLISHED_ACTIVATION_ACCEPT=0
/etc/firehol/firehol.conf changed:
version 6
interface4 eth0 ethernet
protection strong
policy drop
client all accept
server smtp accept src 192.168.1.1
server syslog accept src 192.168.1.1
server all reject src 192.168.1.1 dst 224.0.0.1
server all reject dst 192.168.1.255
server all reject dst 255.255.255.255
server all reject dst 224.0.0.251
server ssh accept src 192.168.1.20
server ssh accept src 192.168.1.130
server ssh accept src 192.168.1.132
server syslog accept src 192.168.1.131
server all accept src 192.168.1.150
interface4 ipsec+ ipsec
protection strong
policy drop
client all accept
server custom discard udp/9 default accept src 44.148.129.34
interface4 vti+ vti
protection strong
policy drop
client all accept
interface4 tun+ tuntap
protection strong
policy drop
client all accept
interface4 sl0 slip0
client all accept
server all accept src 44.0.0.0/8
/etc/init.d/firehol changed:
PATH=/bin:/usr/bin:/sbin:/usr/sbin
NAME=firehol
DESC="firewall"
SCRIPTNAME=/etc/init.d/$NAME
test -x /usr/sbin/firehol || exit 0
START_FIREHOL=NO
export START_FIREHOL
[ -r /etc/default/firehol ] && set -a && . /etc/default/firehol
. /lib/init/vars.sh
. /lib/lsb/init-functions
VERBOSE=yes
case "$START_FIREHOL" in
NO|no)
START_FIREHOL=NO
;;
AUTO|auto)
START_FIREHOL=AUTO
;;
*)
START_FIREHOL=YES
;;
esac
do_metastart () {
# return
# 0 000 if firewall has been handled
# 1 001 if firewall could not be activated
# 2 010 if firewall is delegated to a third-party
# 4 100 if FireHOL is disabled via /etc/default/firehol
[ "$START_FIREHOL" = "NO" ] && return 4
[ "$START_FIREHOL" = "AUTO" ] && return 2
/usr/sbin/firehol start "$@" > /dev/null 2>&1 || return 1
}
do_start () {
# return
# 0 000 if firewall has been handled
# 1 001 if firewall could not be activated
# 4 100 if FireHOL is disabled via /etc/default/firehol
[ "$START_FIREHOL" = "NO" ] && return 4
/usr/sbin/firehol start "$@" > /dev/null 2>&1 || return 1
}
do_metastop () {
# return
# 0 000 if firewall has been cleaned up properly
# 1 001 if firewall could not be cleaned up properly
# 2 010 if firewall is delegated to a third-party
[ "$START_FIREHOL" = "AUTO" ] && return 2
/usr/sbin/firehol stop > /dev/null 2>&1 || return 1
}
do_stop () {
# return
# 0 000 if firewall has been cleaned up properly
# 1 001 otherwise
/usr/sbin/firehol stop > /dev/null 2>&1 || return 1
}
do_condrestart () {
# return
# 0 000 if firewall has been handled
# 1 001 if firewall could not be activated
# 4 100 if FireHOL is disabled via /etc/default/firehol
[ "$START_FIREHOL" = "NO" ] && return 4
/usr/sbin/firehol condrestart "$@" > /dev/null 2>&1 || return 1
}
COMMAND="$1"
[ "$COMMAND" ] && shift
case "$COMMAND" in
start)
[ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$NAME"
do_metastart "$@"
case "$?" in
0) [ "$VERBOSE" != no ] && log_end_msg 0 ;;

