-------- Forwarded Message --------
Subject: Re: firehol doesn't start after upgrade to trixie
Date: Sun, 7 Dec 2025 17:30:04 +0000 (GMT)
From: Edmund H. Ramm <[email protected]>
To: [email protected]

Hello Jerome,

Jerome BENOIT <[email protected]> writes:
>> [...]
>>> Can you send a diff(1) file of your changes ?
>>
>> /usr/libexec/firehol/firehol:
>>
>> 263,266d262
>> < IPTABLES_CMD=/usr/sbin/iptables
>> < IPTABLES_SAVE_CMD=/usr/sbin/iptables-save
>> < IPTABLES_RESTORE_CMD=/usr/sbin/iptables-restore
>> <
>>
>> I inserted the above right at the start of the "GLOBAL" section.
>
> Very bad idea because those changes may not be backed up and they may disappear at the next upgrade.
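Review bot: the diff is inverted: `263,266d262` with `<` lines says the three IPTABLES_*_CMD assignments exist only in the first file, i.e. it was produced as `diff modified original`, so feeding it to patch(1) would remove the insertion instead of making it; regenerate it as `diff -u original modified`. The hardcoded `/usr/sbin/iptables*` paths also silently replace whatever the packaged script resolves at runtime, and since `/usr/libexec/firehol/firehol` is a package-owned file the edit will not survive the next upgrade, as the reply already points out.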
Of course. That's not supposed to be a permanent solution, only a hack to get firehol working again.
> The variables are actually set in /usr/lib/firehol/install.config. They are set via a which. This choice allows to overcome the programmed disappearance of the /sbin folder in favour of the /usr/sbin folder. Whatever. Here are the concerned lines.
>
> IPTABLES_CMD="`which iptables-legacy`"
> IPTABLES_RESTORE_CMD="`which iptables-legacy-restore`"
> IPTABLES_SAVE_CMD="`which iptables-legacy-save`"
>
> The iptables-legacy[,-restore,-save] are links to xtables-legacy-multi on my bookworm box and in Sid.
Also on my system:

/root # ll /usr/sbin/iptables-legacy
lrwxrwxrwx 1 root root 20 Nov 20 2024 /usr/sbin/iptables-legacy -> xtables-legacy-multi
> On the other hand, the iptables[,-restore,-save] are alternatives (see update-alternatives(1)). The Firehol suite works only with the legacy stuff.
It is the opposite here: firehol now works fine only with the non-legacy iptables commands! The commands containing the string "legacy" in their respective file names were installed here during the upgrade from bookworm to trixie I performed on 1 December. That's why they have a newer file date than the non-legacy iptables commands.
> At this stage, I suspect some mess-up on your side (I know by experience it can happen very quickly). In particular your xtables-legacy-multi seems to be a link (as the star attached to it in your output of "ls -alF /usr/sbin/iptables*" suggests).
Yes, it looks like a mess wanting to be cleaned up. But I plead not guilty! I installed this system in December 2020 and never had to look at any iptables command until the recent upgrade to trixie.
> Can you double check that your iptables-legacy[,-restore,-save] are really the expected ones?
How would I know they are the expected commands? Invoking them with the command line switches in /usr/libexec/firehol/firehol I get

/usr/libexec/firehol # iptables-legacy -wnxvL
iptables v1.8.11 (legacy): wait seconds not numeric
Try `iptables -h' or 'iptables --help' for more information.
/usr/libexec/firehol # iptables-legacy -w 10 -nxvL
modprobe: FATAL: Module ip_tables not found in directory /lib/modules/6.18.0
iptables v1.8.11 (legacy): can't initialize iptables table `filter': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.

I've installed the latest kernel

Linux dj6ux 6.18.0 #1 SMP PREEMPT_DYNAMIC Wed Dec 3 22:45:03 GMT 2025 x86_64 GNU/Linux

with no ip_tables module in its sources, nor in 6.17.5, on which firehol ran flawlessly under bookworm. To me it looks as if iptables-legacy is checking for an obsolete, no longer existing module.
> PS: please let us keep sharing the issue on bugs.debian.org.
You are welcome to upload the relevant details to the Debian bug report site. I don't know what's relevant and what isn't.

Best regards,
Eddi ._._.
--
Too people looked at each other, fleetingly in the final astonishment. -babelfish
e-mail: dj6ux AT posteo DOT de
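The thread turns on two separate questions: what `which iptables-legacy` in install.config actually resolves to, and whether the running kernel still provides the legacy ip_tables table that iptables-legacy fails to find above. The following diagnostic script is an added example, not part of the thread or of firehol; it assumes Debian's /lib/modules/<release> and /boot/config-<release> layout, and the CONFIG_IP_NF_IPTABLES_LEGACY name it looks for is an assumption about recent kernels.

```shell
#!/bin/sh
# Added diagnostic for this thread (not firehol's code): install.config takes
# `which iptables-legacy` as proof the legacy backend works, but the errors
# quoted above show the kernel side matters too.

# What `which` hands firehol for each front-end, and what it finally links to.
report_iptables_frontends() {
    for name in iptables iptables-legacy iptables-nft; do
        if path=$(command -v "$name" 2>/dev/null); then
            echo "$name: $path -> $(readlink -f "$path")"
        else
            echo "$name: not installed"
        fi
    done
    # On Debian plain `iptables` is an alternative; show which backend it selects.
    if command -v update-alternatives >/dev/null 2>&1; then
        update-alternatives --query iptables 2>/dev/null | grep '^Value:'
    fi
    return 0
}

# kernel_has_ip_tables /lib/modules/<release> /boot/config-<release>
# Prints builtin, module or absent (exit status 1); the config file is optional.
kernel_has_ip_tables() {
    moddir=$1 config=$2
    if [ -r "$config" ]; then
        # Assumption: kernels from 6.9 on gate the legacy table behind
        # CONFIG_IP_NF_IPTABLES_LEGACY; older ones use CONFIG_IP_NF_IPTABLES.
        if grep -q 'CONFIG_IP_NF_IPTABLES_LEGACY' "$config"; then
            key=CONFIG_IP_NF_IPTABLES_LEGACY
        else
            key=CONFIG_IP_NF_IPTABLES
        fi
        case "$(grep "^$key=" "$config")" in
            "$key=y") echo builtin; return 0 ;;
            "$key=m") ;;                      # expect the module file below
            *)        echo absent; return 1 ;;
        esac
    fi
    if [ -n "$(find "$moddir" -name 'ip_tables.ko*' 2>/dev/null)" ]; then
        echo module; return 0
    fi
    echo absent
    return 1
}

release=$(uname -r)
report_iptables_frontends
state=$(kernel_has_ip_tables "/lib/modules/$release" "/boot/config-$release") || true
echo "legacy ip_tables support on $release: $state"
```

Run it as root on the affected host; "absent" together with a front-end list where iptables-legacy resolves is exactly the combination that produces the "Table does not exist" error quoted above.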