(g)ufw and default 4.9 kernel

  • This topic has 15 replies, 9 voices, and was last updated Feb 21-9:47 am by caprea.
  • #31474
    Forum Admin
    anticapitalistaanticapitalista

    Running with default antiX-19 series, running sudo ufw enable gives an error.
    Previously, we suggested upgrading to a 4.19 or later kernel.

    However, it may not be necessary. Instead just switch to using legacy iptables.
    To do this, in a terminal type each line separately.

    sudo update-alternatives --set iptables /usr/sbin/iptables-legacy
    sudo update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy

    Could someone confirm this actually does do the job.

    Also, for those of you with connmann wifi issues, try the above. It *might* work to get you connected.


    Philosophers have interpreted the world in many ways; the point is to change it.

    antiX with runit - leaner and meaner.

    #31475
    Member
    caprea

    Everything's fine here with 4.9.193-antix.1-amd64-smp

    System:
      Host: antix1 Kernel: 4.9.193-antix.1-amd64-smp x86_64 bits: 64 
      compiler: gcc v: 8.3.0 
      parameters: BOOT_IMAGE=/boot/vmlinuz-4.9.193-antix.1-amd64-smp 
      root=UUID=c3eb5f71-f8ea-46f1-9831-fbcdef1e77b6 ro vga=791 quiet 2 
      Desktop: IceWM 1.6.3+git20191202 dm: SLiM 1.3.6 
      Distro: antiX-19_x64-full Marielle Franco 16 October 2019 
      base: Debian GNU/Linux 10 (buster) 
    
    $ sudo ufw enable
    Firewall is active and enabled on system startup
    $ sudo ufw status
    Status: active

    Thanks!

    #31485
    Member
    VW

    Yes, but the problem used to show up again after every reboot.

    “These are the times that try men's souls" - Thomas Paine

    #31488
    Member
    caprea

    Hmm, not here. antiX-19-runit_386-base for example, right after boot.

    $ sudo ufw status
    [sudo] Passwort für helga: 
    Status: active
    helga@antix1:~
    $ sudo ufw enable
    Firewall is active and enabled on system startup
    helga@antix1:~
    $ inxi -zv7
    System:
      Host: antix1 Kernel: 4.9.200-antix.1-486-smp i686 bits: 32 compiler: gcc 
      v: 8.3.0 Desktop: IceWM 1.6.3+git20191202 dm: SLiM 1.3.6 
      Distro: antiX-19-runit_386-base Marielle Franco 9 December 2019 
      base: Debian GNU/Linux 10 (buster) 
    
    #31529
    Member
    dr-kart

    Kernel: 4.9.200-antix.1-686-smp-pae i686 bits: 32 compiler: gcc v: 8.3.0 
     Desktop: IceWM 1.6.3+git20191202 dm: SLiM 1.3.6 Distro: antiX-19_386-base Marielle Franco 16 October 2019 

    #ufw status:

    Status: active
    
    To                         Action      From
    --                         ------      ----
    51413                      ALLOW       Anywhere                  
    51413 (v6)                 ALLOW       Anywhere (v6)

    #31533
    Member
    VW

    So what is holding port 51413 open to the world?

    On checking it is probably bit torrent. Are you downloading something?

    If not, you had best start by reading this.

    Idling BitTorrent Attracts Malicious Visitors

    Of course, that particular report is two years old and may have been fixed.


    “These are the times that try men's souls" - Thomas Paine
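The rule dr-kart posted above allows port 51413 from "Anywhere" in both address families, which is what VW is pointing out. As an added example (not code from this thread or from the ufw project), the shell function below reads text in the format `ufw status` prints and lists every ALLOW rule whose From column is Anywhere, so the world-reachable ports can be reviewed at a glance. The sample status text is constructed for the example; the extra `22 ... 192.168.1.0/24` line is made up to show a rule that is correctly left out.

```shell
#!/bin/sh
# Added example: list the ALLOW rules in `ufw status` output whose source is
# Anywhere (IPv4 or IPv6). Function and variable names here are the example's own.

# Constructed sample in the layout `ufw status` uses: "To", "Action", "From".
# The 51413 lines mirror the thread; the 22 line is invented to show exclusion.
SAMPLE_STATUS='Status: active

To                         Action      From
--                         ------      ----
51413                      ALLOW       Anywhere                  
22                         ALLOW       192.168.1.0/24
51413 (v6)                 ALLOW       Anywhere (v6)'

# Print the "To" column of each rule that is ALLOW and whose From column starts
# with "Anywhere". Handles the "ALLOW IN"/"ALLOW OUT" forms of `ufw status verbose`
# and To values that contain a space, such as "51413 (v6)".
world_open_allow_rules() {
    printf '%s\n' "$1" | awk '
        {
            # Locate the action keyword; header, separator and Status lines have none.
            a = 0
            for (i = 1; i <= NF; i++)
                if ($i ~ /^(ALLOW|DENY|REJECT|LIMIT)$/) { a = i; break }
            if (!a) next

            # Everything before the action is the To column.
            to = $1
            for (i = 2; i < a; i++) to = to " " $i

            # Skip an optional direction word, then the rest is the From column.
            f = a + 1
            if ($f ~ /^(IN|OUT|FWD)$/) f++
            from = $f
            for (i = f + 1; i <= NF; i++) from = from " " $i

            if ($a == "ALLOW" && from ~ /^Anywhere/) print to
        }'
}

# Stand-alone use: run against the live firewall when ufw is present and we
# are root, otherwise against the constructed sample.
if [ "$(id -u)" = 0 ] && command -v ufw >/dev/null 2>&1; then
    world_open_allow_rules "$(ufw status 2>/dev/null || true)"
else
    world_open_allow_rules "$SAMPLE_STATUS"
fi
```

The function is deliberately keyed on the action keyword rather than fixed column offsets, so it still works when ufw widens a column for a long To value.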

    #31544
    Member
    dr-kart

    That’s interesting, @VW
    I just applied gufw’s transmission rules here. Never thought it might be an issue.

    #31908
    Member
    christophe

    It’s working on 32-bit 4.9.200-antix.1-486-smp (antiX core frugal).
    Many thanks!

    #32212
    Member
    mikey777

    However, it may not be necessary. Instead just switch to using legacy iptables.

    # update-alternatives --set iptables /usr/sbin/iptables-legacy
    # update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy

    Which file are these lines added to – is it the /etc/ufw/ufw.conf ?
    I’ll post back to say if it removed the ufw errors and associated inability for my browser to connect online, when using kernels earlier than 4.19.

    PS. I note that some forum members report that this problem is absent from their setups, with kernels earlier than 4.19, e.g. 4.9. It may be that this problem affects only certain hardware for kernel 4.9.

    #32219
    Member
    mikey777

    @anticapitalista
    Apologies for my dumb comment in the last post – these two lines should be typed in the terminal, not in a file!
    Sorry about that.

    Good news!
    Following your advice with these two lines of code, changing the iptables to a legacy version, my browser is no longer blocked when the firewall is enabled, when using either kernel 4.4 or 4.9.

    Many thanks for this fix – much appreciated !

    #32222
    Member
    PPC

    @anticapitalista
    When I tried this I made some kind of copy/paste error and ended up losing all internet access! All is well now and ufw is working now.
    But, to avoid future problems here’s what I did:

    1- open the terminal and paste these lines (one at a time, press enter after each line):

    sudo update-alternatives --set iptables /usr/sbin/iptables-legacy
    sudo update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy

    2- reboot

    3- open the terminal and turn on the firewall:

    sudo ufw enable

    Done!

    anti: there are some bad antiX reviews on-line because of this firewall “bug”- is this already implemented on the current point release?

    P.

    #32223
    Forum Admin
    anticapitalista
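PPC's copy/paste mishap above shows why it is worth confirming what `update-alternatives` actually selected before enabling ufw. As an added example (not code from this thread or from antiX), the script below parses the output of `update-alternatives --query iptables` to report whether the legacy or nft backend is in use, and checks whether a kernel release string predates 4.19, the version the thread gives as the point from which ufw works without the switch. The function names and the sample query text are the example's own; the query text follows the format the real `update-alternatives --query` prints.

```shell
#!/bin/sh
# Added example: confirm which iptables backend update-alternatives points at
# and whether the running kernel is older than 4.19. Names are the example's own.

# Constructed sample in the format `update-alternatives --query iptables` prints,
# for a system where the legacy backend has been selected manually.
SAMPLE_QUERY='Name: iptables
Link: /usr/sbin/iptables
Slaves:
 iptables-restore /usr/sbin/iptables-restore
 iptables-save /usr/sbin/iptables-save
Status: manual
Best: /usr/sbin/iptables-nft
Value: /usr/sbin/iptables-legacy

Alternative: /usr/sbin/iptables-legacy
Priority: 10
Slaves:
 iptables-restore /usr/sbin/iptables-legacy-restore
 iptables-save /usr/sbin/iptables-legacy-save

Alternative: /usr/sbin/iptables-nft
Priority: 20
Slaves:
 iptables-restore /usr/sbin/iptables-nft-restore
 iptables-save /usr/sbin/iptables-nft-save'

# Print "legacy", "nft" or "unknown" for the backend the "Value:" line names.
# $1 is text in `update-alternatives --query` format.
iptables_backend_from_query() {
    value=$(printf '%s\n' "$1" | sed -n 's/^Value: //p')
    case "$value" in
        */iptables-legacy) echo legacy ;;
        */iptables-nft)    echo nft ;;
        *)                 echo unknown ;;
    esac
}

# Return success when a kernel release string such as "4.9.193-antix.1-amd64-smp"
# is older than 4.19; the comparison uses only the first two numeric components.
kernel_older_than_4_19() {
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%.*}
    minor=${minor%%-*}
    [ "$major" -lt 4 ] || { [ "$major" -eq 4 ] && [ "$minor" -lt 19 ]; }
}

# Stand-alone use: query the live alternatives when the tool exists, otherwise
# fall back to the constructed sample, then report on the running kernel.
if command -v update-alternatives >/dev/null 2>&1; then
    live_query=$(update-alternatives --query iptables 2>/dev/null || true)
    echo "iptables backend: $(iptables_backend_from_query "$live_query")"
else
    echo "iptables backend (sample): $(iptables_backend_from_query "$SAMPLE_QUERY")"
fi
if kernel_older_than_4_19 "$(uname -r)"; then
    echo "kernel $(uname -r) predates 4.19: ufw needs the legacy backend here"
else
    echo "kernel $(uname -r) is 4.19 or newer"
fi
```

If the backend prints as `nft` on a 4.9 kernel, the two `update-alternatives --set` commands from the first post have not taken effect and `ufw enable` can be expected to fail as described in the thread.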

    No, because we didn’t know the fix for the default 4.9 kernel then.
    Point release 2 will have the fix among others such as less RAM usage when using rox/spacefm desktop

    Philosophers have interpreted the world in many ways; the point is to change it.

    antiX with runit - leaner and meaner.

    #32240
    Member
    ModdIt

    For new users a visit to Gibson Shields UP might be educational. You can check ranges of ports.
    port 51413 gives no answer to scanning on my machines. UFW OK but with newer Kernel.

    #32937
    Member
    AntixDingo

    I want to double-check that I’m squared here. The 4.9.x kernels should use the iptables-legacy backend for firewall functionality. Netfilter’s push for nftables is not recommended at this time?

    Few things as strong as a well-timed idea.

    #32938
    Member
    AntixDingo

    Whoever is maintaining the Sid repos deserves a beer.

    After using ‘update-alternatives --set’ and rebooting I see:
    ERROR: Couldn’t determine iptables version

    ‘sudo /usr/share/ufw/check-requirements’ passes all tests. v.1.8.4 (legacy) iptables.

    after the /usr/share/ufw script, lsmod |grep is a patchwork of nf_table and x_table symbols.

    I like the kernel mitigation code for Spectre/Meltdown/Zombieload/Forethought as is.

    Could somebody with working update-alternatives for ufw ‘lsmod |grep ip_ > file’ and post in this thread? Tracking down kernel modules and symbols there would be more possible with a working model or two. If you run 4.9.212, even better. But I’m not picky.

    Few things as strong as a well-timed idea.
