(g)ufw and default 4.9 kernel

  • This topic has 15 replies, 9 voices, and was last updated Feb 21-9:47 am by caprea.
  • #31474
    Forum Admin
    anticapitalista

      Running with default antiX-19 series, running sudo ufw enable gives an error.
      Previously, we suggested upgrading to a 4.19 or later kernel.

      However, it may not be necessary. Instead just switch to using legacy iptables.
      To do this, in a terminal type each line separately.

      sudo update-alternatives --set iptables /usr/sbin/iptables-legacy
      sudo update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy

      Could someone confirm that this actually does the job?

      Also, for those of you with connman wifi issues, try the above. It *might* work to get you connected.

      • This topic was modified 3 years, 3 months ago by anticapitalista. Reason: Clarified instructions

      Philosophers have interpreted the world in many ways; the point is to change it.

      antiX with runit - leaner and meaner.

      #31475
      Moderator
      caprea

        Everything's fine here with 4.9.193-antix.1-amd64-smp

        System:
          Host: antix1 Kernel: 4.9.193-antix.1-amd64-smp x86_64 bits: 64 
          compiler: gcc v: 8.3.0 
          parameters: BOOT_IMAGE=/boot/vmlinuz-4.9.193-antix.1-amd64-smp 
          root=UUID=c3eb5f71-f8ea-46f1-9831-fbcdef1e77b6 ro vga=791 quiet 2 
          Desktop: IceWM 1.6.3+git20191202 dm: SLiM 1.3.6 
          Distro: antiX-19_x64-full Marielle Franco 16 October 2019 
          base: Debian GNU/Linux 10 (buster) 
        
        $ sudo ufw enable
        Firewall is active and enabled on system startup
        $ sudo ufw status
        Status: active

        Thanks!

        #31485
        Member
        VW

          Yes, but the problem used to show up again after every reboot.

          "These are the times that try men's souls" - Thomas Paine

          #31488
          Moderator
          caprea

            Hmm, not here. antiX-19-runit_386-base for example, right after boot.

            $ sudo ufw status
            [sudo] Passwort für helga: 
            Status: active
            helga@antix1:~
            $ sudo ufw enable
            Firewall is active and enabled on system startup
            helga@antix1:~
            $ inxi -zv7
            System:
              Host: antix1 Kernel: 4.9.200-antix.1-486-smp i686 bits: 32 compiler: gcc 
              v: 8.3.0 Desktop: IceWM 1.6.3+git20191202 dm: SLiM 1.3.6 
              Distro: antiX-19-runit_386-base Marielle Franco 9 December 2019 
              base: Debian GNU/Linux 10 (buster) 
            
            #31529
            Member
            dr-kart

              Kernel: 4.9.200-antix.1-686-smp-pae i686 bits: 32 compiler: gcc v: 8.3.0 
               Desktop: IceWM 1.6.3+git20191202 dm: SLiM 1.3.6 Distro: antiX-19_386-base Marielle Franco 16 October 2019 

              #ufw status:

              Status: active
              
              To                         Action      From
              --                         ------      ----
              51413                      ALLOW       Anywhere                  
              51413 (v6)                 ALLOW       Anywhere (v6)
              • This reply was modified 3 years, 3 months ago by dr-kart.
              #31533
              Member
              VW

                So what is holding port 51413 open to the world?

                On checking it is probably bit torrent. Are you downloading something?

                If not, you had best start by reading this.

                Idling BitTorrent Attracts Malicious Visitors

                Of course, that particular report is two years old and may have been fixed.

                • This reply was modified 3 years, 3 months ago by VW.

                "These are the times that try men's souls" - Thomas Paine

                #31544
                Member
                dr-kart

                  That’s interesting, @VW
                  I just applied gufw’s transmission rules here. Never thought it might be an issue.

                  #31908
                  Moderator
                  christophe

                    It’s working on 32-bit 4.9.200-antix.1-486-smp (antiX core frugal).
                    Many thanks!

                    confirmed antiX frugaler, since 2019

                    #32212
                    Member
                    mikey777

                      However, it may not be necessary. Instead just switch to using legacy iptables.

                      # update-alternatives --set iptables /usr/sbin/iptables-legacy
                      # update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy

                      Which file are these lines added to – is it the /etc/ufw/ufw.conf ?
                      I’ll post back to say if it removed the ufw errors and associated inability for my browser to connect online, when using kernels earlier than 4.19.

                      PS. I note that some forum members report that this problem is absent from their setups, with kernels earlier than 4.19, e.g. 4.9. It may be that this problem affects only certain hardware for kernel 4.9.

                      • This reply was modified 3 years, 3 months ago by mikey777.

                      ▪ 32-bit antix19.4-core+LXDE installed on :
                      - (2011) Samsung NP-N145 Plus (JP04UK) – single-core CPU Intel Atom N455@1.66GHz, 2GB RAM, integrated graphics.
                      ▪ 64-bit antix21-base+LXDE installed on:
                      - (2008) Asus X71Q (7SC002) – dual CPU Intel T3200@2.0GHz, 4GB RAM. Graphics: Intel Mobile 4 Series, integrated graphics
                      - (2007) Packard Bell Easynote MX37 (ALP-Ajax C3) – dual CPU Intel T2310@1.46GHz, 2GB RAM. Graphics: Silicon Integrated Systems.

                      #32219
                      Member
                      mikey777

                        @anticapitalista
                        Apologies for my dumb comment in the last post – these two lines should be typed in the terminal, not in a file!
                        Sorry about that.

                        Good news!
                        Following your advice with these two lines of code, changing the iptables to a legacy version, my browser is no longer blocked when the firewall is enabled, when using either kernel 4.4 or 4.9.

                        Many thanks for this fix – much appreciated !

                        ▪ 32-bit antix19.4-core+LXDE installed on :
                        - (2011) Samsung NP-N145 Plus (JP04UK) – single-core CPU Intel Atom N455@1.66GHz, 2GB RAM, integrated graphics.
                        ▪ 64-bit antix21-base+LXDE installed on:
                        - (2008) Asus X71Q (7SC002) – dual CPU Intel T3200@2.0GHz, 4GB RAM. Graphics: Intel Mobile 4 Series, integrated graphics
                        - (2007) Packard Bell Easynote MX37 (ALP-Ajax C3) – dual CPU Intel T2310@1.46GHz, 2GB RAM. Graphics: Silicon Integrated Systems.

                        #32222
                        Member
                        PPC

                          @anticapitalista
                          When I tried this I made some kind of copy/paste error and ended up losing all internet access! All is well now and ufw is working now.
                          But, to avoid future problems here’s what I did:

                          1- open the terminal and paste these lines (one at a time, press enter after each line):

                          sudo update-alternatives --set iptables /usr/sbin/iptables-legacy
                          sudo update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy

                          2- reboot

                          3- open the terminal and turn on the firewall:

                          sudo ufw enable

                          Done!

                          anti: there are some bad antiX reviews on-line because of this firewall “bug”- is this already implemented on the current point release?

                          P.

                          • This reply was modified 3 years, 1 month ago by PPC.
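As an added example (not code from this thread or from the antiX project), a read-only POSIX shell check that applies the rule the thread converges on: kernels older than 4.19 should run ufw over the iptables-legacy alternative, and after the switch `iptables --version` should report "(legacy)". The `iptables --version` output formats it parses and the script name check-backend.sh are my own assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or the antiX project): a read-only check of
# whether the iptables-legacy switch above applies to this host and took effect.
# Assumed version formats: "iptables v1.8.2 (nf_tables)" / "iptables v1.8.4 (legacy)".

# 0 when the kernel is older than 4.19 (the thread's cut-off), 1 otherwise.
# Argument: a `uname -r` style string such as 4.9.193-antix.1-amd64-smp.
kernel_needs_legacy() {
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%.*}
    minor=${minor%%[!0-9]*}        # drop suffixes like "-rc1"
    [ -n "$major" ] || major=0
    [ -n "$minor" ] || minor=0
    if [ "$major" -lt 4 ]; then
        return 0
    elif [ "$major" -eq 4 ] && [ "$minor" -lt 19 ]; then
        return 0
    fi
    return 1
}

# Print legacy / nf_tables / unknown for one `iptables --version` line.
# "unknown" covers empty output, e.g. the "Couldn't determine iptables version"
# case reported later in the thread.
iptables_backend() {
    case "$1" in
        *"(legacy)"*)    echo legacy ;;
        *"(nf_tables)"*) echo nf_tables ;;
        *)               echo unknown ;;
    esac
}

# One-line verdict for a kernel string plus an iptables version line.
advise() {
    backend=$(iptables_backend "$2")
    if kernel_needs_legacy "$1"; then
        if [ "$backend" = legacy ]; then
            echo "ok: kernel $1 is on the legacy backend; ufw should enable cleanly"
        else
            echo "switch: backend is $backend on kernel $1; set iptables and ip6tables to the -legacy alternatives, reboot, then sudo ufw enable"
        fi
    else
        echo "ok: kernel $1 is new enough for the $backend backend"
    fi
}
# Live, read-only run on the current host: sh check-backend.sh --live
if [ "${1:-}" = "--live" ]; then
    advise "$(uname -r)" "$(iptables --version 2>/dev/null || true)"
fi
```

The script only reads `uname -r` and `iptables --version`; it never runs update-alternatives itself, so it is safe to use before and after the switch to confirm which backend is active.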
                          #32223
                          Forum Admin
                          anticapitalista

                            No, because we didn’t know the fix for the default 4.9 kernel then.
                            Point release 2 will have the fix among others, such as less RAM usage when using the rox/spacefm desktop.

                            Philosophers have interpreted the world in many ways; the point is to change it.

                            antiX with runit - leaner and meaner.

                            #32240
                            Member
                            ModdIt

                              For new users a visit to Gibson's ShieldsUP might be educational. You can check ranges of ports.
                              Port 51413 gives no answer to scanning on my machines. UFW OK but with newer kernel.

                              #32937
                              Member
                              AntixDingo

                                I want to double-check that I’m squared here. The 4.9.x kernels should use the iptables-legacy backend for firewall functionality. Netfilter’s push for nftables is not recommended at this time?

                                Few things as strong as a well-timed idea.

                                #32938
                                Member
                                AntixDingo

                                  Whoever is maintaining the Sid repos deserves a beer.

                                  After using ‘update-alternatives --set’ and rebooting I see:
                                  ERROR: Couldn’t determine iptables version

                                  ‘sudo /usr/share/ufw/check-requirements’ passes all tests. v.1.8.4 (legacy) iptables.

                                  After the /usr/share/ufw script, lsmod |grep is a patchwork of nf_table and x_table symbols.

                                  I like the kernel mitigation code for Spectre/Meltdown/Zombieload/Forethought as is.

                                  Could somebody with working update-alternatives for ufw ‘lsmod |grep ip_ > file’ and post in this thread? Tracking down kernel modules and symbols there would be more possible with a working model or two. If you run 4.9.212, even better. But I’m not picky.

                                  Few things as strong as a well-timed idea.
