Bug#993322: firehol: Firehol delays system startup

2021-08-31 Thread David Jarvie
On Tue, 31 Aug 2021 11:55:02 +0200 Jerome BENOIT  wrote:
> > > Is your configuration waiting for any iface (see WAIT_FOR_IFACE (/etc/default/firehol)) ?
> > 
> > Yes, it waits for my Ethernet interface:
> > 
> > WAIT_FOR_IFACE="enp2s0"
> >
> 
> This is consistent with the log file you sent.
> 
> If you do not really need to wait for the IFACE, try to empty the list.
> 
> On my laptop box which is configured only for the unique Wifi IFACE,
> I manage firehol with a simple ifupdown script (interfaces(1))
> so that I can empty the above list.
> 
> Please let us know if this can fix your issue.

I've removed the WAIT_FOR_IFACE statement from /etc/default/firehol, and set up 
a script /etc/network/if-up.d/firehol to execute a 'firehol restart' command. 
This has eliminated the boot process delay, and Firehol initialises correctly.

Thank you.
David.
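The ifupdown hook David describes, written out as an added example (it is not the script from the report nor anything shipped by the firehol package): it assumes the path /etc/network/if-up.d/firehol he mentions and the interface name enp2s0 from his configuration, and it is meant to pair with an emptied WAIT_FOR_IFACE in /etc/default/firehol.

```shell
#!/bin/sh
# /etc/network/if-up.d/firehol  (assumed path, as in the thread)
#
# ifupdown runs every executable in if-up.d with IFACE and MODE exported.
# With WAIT_FOR_IFACE emptied in /etc/default/firehol, the boot no longer
# blocks on the interface; this hook brings the firewall up once the real
# interface is configured instead.
FIREHOL_IFACE="${FIREHOL_IFACE:-enp2s0}"   # assumed: the interface from the report

# Decide whether this invocation should reload FireHOL.
# Returns 0 only for MODE=start on the watched interface, so that "lo",
# usb0 or the "stop" phase do not trigger a needless restart.
firehol_should_restart() {
    iface="$1"
    mode="$2"
    [ "$mode" = "start" ] || return 1
    [ "$iface" = "$FIREHOL_IFACE" ] || return 1
    return 0
}

# Entry point used when ifupdown calls the script. Does nothing when not
# run by ifupdown (IFACE unset) or when firehol is not installed, so the
# hook can never leave the system half-configured.
firehol_hook_main() {
    [ -n "${IFACE:-}" ] || return 0
    firehol_should_restart "$IFACE" "${MODE:-}" || return 0
    command -v firehol >/dev/null 2>&1 || return 0
    # Leave a trace in the journal so the restart can be correlated with
    # the "Starting Firehol ..." lines at boot.
    logger -t firehol-ifup "restarting FireHOL after $IFACE came up"
    firehol restart
}

firehol_hook_main
```

The file must be executable and its name must contain only letters, digits, hyphens and underscores, otherwise run-parts skips it silently.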



Bug#993322: firehol: Firehol delays system startup

2021-08-31 Thread Jerome BENOIT

Hi David, thanks for your answers.

On 31/08/2021 11:02, David Jarvie wrote:
> On Tue, 31 Aug 2021 08:53:55 +0200 Jerome BENOIT  wrote:
> > Did the same happen with your previous firehol package ?
> 
> I didn't have this issue with Firehol on my previous system. That system was
> quite old - Debian 8 (Jessie). It has only happened since installing Bullseye.

A big step of 3.

Firehol may have gained IPv6 support and some minor changes since then.
But most importantly, Firehol did stick to iptables legacy tools.
Meanwhile, systemd stuff reached Debian.

What I mean is that you may want to update your configuration files
regarding FireHOL.

> > Is your configuration waiting for any iface (see WAIT_FOR_IFACE (/etc/default/firehol)) ?
> 
> Yes, it waits for my Ethernet interface:
> 
> WAIT_FOR_IFACE="enp2s0"

This is consistent with the log file you sent.

If you do not really need to wait for the IFACE, try to empty the list.

On my laptop box which is configured only for the unique Wifi IFACE,
I manage firehol with a simple ifupdown script (interfaces(1))
so that I can empty the above list.

Please let us know if this can fix your issue.

Best,
Jerome
 
 


--
Jerome BENOIT | calculus+at-rezozer^dot*net
https://qa.debian.org/developer.php?login=calcu...@rezozer.net
AE28 AE15 710D FF1D 87E5  A762 3F92 19A6 7F36 C68B





Bug#993322: firehol: Firehol delays system startup

2021-08-31 Thread David Jarvie
On Tue, 31 Aug 2021 08:53:55 +0200 Jerome BENOIT  wrote:
> Did the same happen with your previous firehol package ?

I didn't have this issue with Firehol on my previous system. That system was 
quite old - Debian 8 (Jessie). It has only happened since installing Bullseye.

> Is your configuration waiting for any iface (see WAIT_FOR_IFACE (/etc/default/firehol)) ?

Yes, it waits for my Ethernet interface:

WAIT_FOR_IFACE="enp2s0"



Bug#993322: firehol: Firehol delays system startup

2021-08-31 Thread Jerome BENOIT

Hello David, thanks for the report.

We may need more to see what is happening.

Did the same happen with your previous firehol package ?

Is your configuration waiting for any iface (see WAIT_FOR_IFACE (/etc/default/firehol)) ?

Best wishes,
Jerome

On 30/08/2021 21:56, David Jarvie wrote:
> Package: firehol
> Version: 3.1.7+ds-2
> Severity: normal
> 
> Dear Maintainer,
> 
> At each system boot, Firehol takes a full minute to initialise, and makes the
> boot process hang for some of that time.
> 
> Looking at the system log (attached), it isn't obvious why Firehol takes just
> over 1 minute to complete, or why nothing seems to happen between 19:49:40 and
> 19:50:08, during which a console message is displayed saying that the boot
> process is waiting for Firehol to finish.
> 
> The command 'firehol restart' takes very little time to complete once the
> system is up and running. This indicates that something is wrong at boot time,
> and that Firehol is presumably waiting for something else to complete.
> 
> I would have expected Firehol to initialise quickly during boot, and not to
> hang the boot process.
> 
> I attach the journalctl output, from Firehol start to Firehol completion:
> 
> -- System Information:
> Debian Release: 11.0
>   APT prefers stable-security
>   APT policy: (500, 'stable-security'), (500, 'stable')
> Architecture: amd64 (x86_64)
> 
> Kernel: Linux 5.10.0-8-amd64 (SMP w/4 CPU threads)
> Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
> Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en
> Shell: /bin/sh linked to /usr/bin/dash
> Init: systemd (via /run/systemd/system)
> LSM: AppArmor: enabled
> 
> Versions of packages firehol depends on:
> ii  firehol-common       3.1.7+ds-2
> ii  init-system-helpers  1.60
> ii  lsb-base             11.1.0
> 
> Versions of packages firehol recommends:
> ii  fireqos  3.1.7+ds-2
> 
> Versions of packages firehol suggests:
> ii  firehol-doc    3.1.7+ds-2
> pn  firehol-tools  
> pn  ulogd2         
> 
> -- Configuration Files:
> /etc/default/firehol changed:
> START_FIREHOL=YES
> WAIT_FOR_IFACE="enp2s0"
> FIREHOL_ESTABLISHED_ACTIVATION_ACCEPT=0
> 
> /etc/firehol/firehol.conf changed:
> version 6
> stewjar=192.168.178.100
> local="192.168.178.101 192.168.178.102 192.168.178.103"
> m2885fw=192.168.178.90
> interface4 enp2s0 ethernet
>     # The default policy is DROP. You can be more polite with REJECT.
>     # Prefer to be polite on your own clients to prevent timeouts.
>     policy drop
>     # Protect from the internet.
>     protection strong
>     # The following means that this machine can REQUEST anything via enp2s0.
>     client all accept
>     # Specific services that this machine needs to request via enp2s0.
>     client multicast accept
>     client dhcp accept
>     # Services that this machine offers to local network.
>     server ping accept src "$local"
>     server ssh accept src "$local"
>     server cups accept src "$local"
>     # Samsung M2885FW printer (needs both client and server)
>     # The script 'scanner-enable' must be run after Firehol, to fix
>     # iptables entries to allow SNMP to work properly.
>     client snmp accept dst $m2885fw
>     server snmp accept src $m2885fw
>     server samba accept
>     # The following enp2s0 server ports are not known by FireHOL:
>     #  tcp/45485 tcp/49074 tcp/7741 udp/32768 udp/32769 udp/517 udp/518 udp/5353 udp/7741 udp/972
>     # TODO: If you need any of them, you should define new services.
>     #   (see Adding Services at the web site - http://firehol.sf.net).
> interface usb0 usb
>     policy accept





Bug#993322: firehol: Firehol delays system startup

2021-08-30 Thread David Jarvie
Package: firehol
Version: 3.1.7+ds-2
Severity: normal

Dear Maintainer,

At each system boot, Firehol takes a full minute to initialise, and makes the
boot process hang for some of that time.

Looking at the system log (attached), it isn't obvious why Firehol takes just
over 1 minute to complete, or why nothing seems to happen between 19:49:40 and
19:50:08, during which a console message is displayed saying that the boot
process is waiting for Firehol to finish.

The command 'firehol restart' takes very little time to complete once the
system is up and running. This indicates that something is wrong at boot time,
and that Firehol is presumably waiting for something else to complete.

I would have expected Firehol to initialise quickly during boot, and not to
hang the boot process.


I attach the journalctl output, from Firehol start to Firehol completion:


-- System Information:
Debian Release: 11.0
  APT prefers stable-security
  APT policy: (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-8-amd64 (SMP w/4 CPU threads)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8),
LANGUAGE=en_GB:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages firehol depends on:
ii  firehol-common   3.1.7+ds-2
ii  init-system-helpers  1.60
ii  lsb-base 11.1.0

Versions of packages firehol recommends:
ii  fireqos  3.1.7+ds-2

Versions of packages firehol suggests:
ii  firehol-doc3.1.7+ds-2
pn  firehol-tools  
pn  ulogd2 

-- Configuration Files:
/etc/default/firehol changed:
START_FIREHOL=YES
WAIT_FOR_IFACE="enp2s0"
FIREHOL_ESTABLISHED_ACTIVATION_ACCEPT=0

/etc/firehol/firehol.conf changed:
version 6
stewjar=192.168.178.100
local="192.168.178.101 192.168.178.102 192.168.178.103"
m2885fw=192.168.178.90
interface4 enp2s0 ethernet
    # The default policy is DROP. You can be more polite with REJECT.
    # Prefer to be polite on your own clients to prevent timeouts.
    policy drop
    # Protect from the internet.
    protection strong
    # The following means that this machine can REQUEST anything via enp2s0.
    client all accept
    # Specific services that this machine needs to request via enp2s0.
    client multicast accept
    client dhcp accept
    # Services that this machine offers to local network.
    server ping accept src "$local"
    server ssh accept src "$local"
    server cups accept src "$local"
    # Samsung M2885FW printer (needs both client and server)
    # The script 'scanner-enable' must be run after Firehol, to fix
    # iptables entries to allow SNMP to work properly.
    client snmp accept dst $m2885fw
    server snmp accept src $m2885fw
    server samba accept
    # The following enp2s0 server ports are not known by FireHOL:
    #  tcp/45485 tcp/49074 tcp/7741 udp/32768 udp/32769 udp/517 udp/518 udp/5353 udp/7741 udp/972
    # TODO: If you need any of them, you should define new services.
    #   (see Adding Services at the web site - http://firehol.sf.net).
interface usb0 usb
    policy accept

Aug 30 19:49:07 desktop systemd[1]: Starting Set console font and keymap...
Aug 30 19:49:07 desktop systemd[1]: Starting Firehol stateful packet filtering firewall for humans...
Aug 30 19:49:07 desktop systemd[1]: Starting Tell Plymouth To Write Out Runtime Data...
Aug 30 19:49:07 desktop systemd[1]: Condition check resulted in Store a System Token in an EFI Variable being skipped.
Aug 30 19:49:07 desktop systemd[1]: Condition check resulted in Commit a transient machine-id on disk being skipped.
Aug 30 19:49:07 desktop systemd[1]: Received SIGRTMIN+20 from PID 174 (plymouthd).
Aug 30 19:49:07 desktop systemd[1]: Finished Tell Plymouth To Write Out Runtime Data.
Aug 30 19:49:07 desktop systemd[1]: Finished Set console font and keymap.
Aug 30 19:49:07 desktop systemd[1]: Finished Flush Journal to Persistent Storage.
Aug 30 19:49:07 desktop systemd[1]: Starting Create Volatile Files and Directories...
Aug 30 19:49:07 desktop systemd[1]: Condition check resulted in Dispatch Password Requests to Console Directory Watch being skipped.
Aug 30 19:49:07 desktop systemd[1]: Condition check resulted in Set Up Additional Binary Formats being skipped.
Aug 30 19:49:07 desktop systemd[1]: Condition check resulted in Store a System Token in an EFI Variable being skipped.
Aug 30 19:49:07 desktop systemd[1]: Condition check resulted in Rebuild Hardware Database being skipped.
Aug 30 19:49:07 desktop systemd[1]: Condition check resulted in Commit a transient machine-id on disk being skipped.
Aug 30 19:49:07 desktop systemd[1]: Condition check resulted in Platform Persistent Storage Archival being skipped.
Aug 30 19:49:08 desktop systemd[1]: Finished Create Volatile Files and Directories.
Aug 30