Re: [Server-devel] [XSCE] Re: iptables issue on fedora 21

2015-03-30 Thread Tim Moody
I think so, but I'd rather have Jerry's opinion.

 

From: xsce-de...@googlegroups.com [mailto:xsce-de...@googlegroups.com] On 
Behalf Of Anish Mangal
Sent: Monday, March 30, 2015 2:20 PM
To: xsce-devel
Cc: server-devel
Subject: Re: [XSCE] Re: iptables issue on fedora 21

 

So it should be fixed then, right?

 

On Mon, Mar 30, 2015 at 11:39 PM, Tim Moody <t...@timmoody.com> wrote:

sounds right to me.  Here's mine (some commits before the current master)

 

[root@xsce-devel ~]# cat /usr/lib/systemd/system/iptables.service
[Unit]
Description=IPv4 firewall with iptables
After=syslog.target
ConditionPathExists=/etc/sysconfig/iptables

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/libexec/iptables/iptables.init start
ExecStop=/usr/libexec/iptables/iptables.init stop
Environment=BOOTUP=serial
Environment=CONSOLETYPE=serial
StandardOutput=syslog
StandardError=syslog

[Install]
WantedBy=basic.target

 

From: xsce-de...@googlegroups.com [mailto:xsce-de...@googlegroups.com] On 
Behalf Of Anish Mangal
Sent: Monday, March 30, 2015 2:03 PM
To: xsce-devel
Cc: server-devel
Subject: Re: [XSCE] Re: iptables issue on fedora 21

 

Okay, I just had a chat about this first on #fedora-server and then on #systemd 

They think in iptables.service it should be Before=network.target instead of 
After.. changing that works for me (although would need wiser minds to comment 
on its correctness).

anyway .. IRC log attached below..

 Hi, I am facing an issue with systemd/iptables on a fedora 21 
setup... asked on #fedora without much luck, so asking here... 
 so, iptables is enabled but doesn't start .. relevant journal log --> 
http://fpaste.org/204855/42773649/
 the network is setup such that eth is the WAN and hostapd is running 
on the wifi functioning as the LAN
 firewall is disabled 
 who the heck came up with that? iptables does not depend on network.
 http://fpaste.org/204842/35817142/
 is the actual iptables^^
 va, ah! so removing that should fix it then!?
 (i didn't edit it myself, but this is a f21 setup, on which ansible 
does some tweaks etc.)
 is that iptables.init script a regular Fedora thing?
 if anything, iptables ought to have a 
Before=network{.service,target,whateveR}
 grawity, one moment, i can check that (i have a 'regular' f21 machine 
with me as well)
 hmm i don't have iptables installed on my regular machine (wtf) 
 va, ok
 grawity, i'll install iptables in a clean vm to see what is happening
 okay, so hostapd is After=network.target .. i'd want iptables to 
come into play after that I guess
 va, this is the iptables.service file --> 
http://fpaste.org/204870/73779914/ you reckon i should s/After/Before there?
 (also see the last comment abt hostapd)
 Like I said. Before=network
 you want to have the rules loaded BEFORE all evil can get through your 
network doors
 va, will give it a try .. fwiw, this is probably not standard f21 .. 
but someone's error 
https://github.com/XSCE/xsce/blob/8f5f875db10cb181f09a62670601c7da9f6fe37a/roles/network/templates/gateway/iptables.service
 it's always _someone's_ error
 :)
 va, okay, it worked I think! (will test more thoroughly for other 
stuff)
 thx!

 

On Mon, Mar 30, 2015 at 11:28 PM, Tim Moody <t...@timmoody.com> wrote:

looks like a cross dependency between the systemd unit files:

 

iptables depends on network and network depends on iptables.

 

Waiting for Jerry to weigh in.

 

From: xsce-de...@googlegroups.com [mailto:xsce-de...@googlegroups.com] On 
Behalf Of Anish Mangal
Sent: Monday, March 30, 2015 1:34 PM
To: xsce-devel; server-devel
Subject: [XSCE] Re: iptables issue on fedora 21

 

Some more messages from the journal from around that time suggest some kind of 
loop

*  Mar 30 22:55:17 schoolserver.lan systemd[1]: Found ordering cycle on 
network.service/start

*  Mar 30 22:55:17 schoolserver.lan systemd[1]: Found dependency on 
iptables.service/start

*  Mar 30 22:55:17 schoolserver.lan systemd[1]: Found dependency on 
network.target/start

*  Mar 30 22:55:17 schoolserver.lan systemd[1]: Found dependency on 
network.service/start

*  Mar 30 22:55:17 schoolserver.lan systemd[1]: Breaking ordering cycle by 
deleting job iptables.service/start

*  Mar 30 22:55:17 schoolserver.lan systemd[1]: Job iptables.service/start 
deleted to break ordering cycle starting with network.service/start

 

 

On Mon, Mar 30, 2015 at 10:42 PM, Anish Mangal <anis...@umich.edu> wrote:

Hi,

So I have an XSCE setup on a NUC originally in appliance mode, and now I am 
using hostapd for the wifi network to function as lan. After I setup hostapd 
(config file and enabling the service) I ran ./runansible again, and everything 
seems to work except iptables, which goes dead. Relevant messages below

[root@schoolserver anish]# journalctl -xb|grep iptables
Mar 30 22:34:

Re: [Server-devel] [XSCE] Re: iptables issue on fedora 21

2015-03-30 Thread Tim Moody
sounds right to me.  Here's mine (some commits before the current master)

 

[root@xsce-devel ~]# cat /usr/lib/systemd/system/iptables.service
[Unit]
Description=IPv4 firewall with iptables
After=syslog.target
ConditionPathExists=/etc/sysconfig/iptables

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/libexec/iptables/iptables.init start
ExecStop=/usr/libexec/iptables/iptables.init stop
Environment=BOOTUP=serial
Environment=CONSOLETYPE=serial
StandardOutput=syslog
StandardError=syslog

[Install]
WantedBy=basic.target

 

From: xsce-de...@googlegroups.com [mailto:xsce-de...@googlegroups.com] On 
Behalf Of Anish Mangal
Sent: Monday, March 30, 2015 2:03 PM
To: xsce-devel
Cc: server-devel
Subject: Re: [XSCE] Re: iptables issue on fedora 21

 

Okay, I just had a chat about this first on #fedora-server and then on #systemd 

They think in iptables.service it should be Before=network.target instead of 
After.. changing that works for me (although would need wiser minds to comment 
on its correctness).

anyway .. IRC log attached below..

 Hi, I am facing an issue with systemd/iptables on a fedora 21 
setup... asked on #fedora without much luck, so asking here... 
 so, iptables is enabled but doesn't start .. relevant journal log --> 
http://fpaste.org/204855/42773649/
 the network is setup such that eth is the WAN and hostapd is running 
on the wifi functioning as the LAN
 firewall is disabled 
 who the heck came up with that? iptables does not depend on network.
 http://fpaste.org/204842/35817142/
 is the actual iptables^^
 va, ah! so removing that should fix it then!?
 (i didn't edit it myself, but this is a f21 setup, on which ansible 
does some tweaks etc.)
 is that iptables.init script a regular Fedora thing?
 if anything, iptables ought to have a 
Before=network{.service,target,whateveR}
 grawity, one moment, i can check that (i have a 'regular' f21 machine 
with me as well)
 hmm i don't have iptables installed on my regular machine (wtf) 
 va, ok
 grawity, i'll install iptables in a clean vm to see what is happening
 okay, so hostapd is After=network.target .. i'd want iptables to 
come into play after that I guess
 va, this is the iptables.service file --> 
http://fpaste.org/204870/73779914/ you reckon i should s/After/Before there?
 (also see the last comment abt hostapd)
 Like I said. Before=network
 you want to have the rules loaded BEFORE all evil can get through your 
network doors
 va, will give it a try .. fwiw, this is probably not standard f21 .. 
but someone's error 
https://github.com/XSCE/xsce/blob/8f5f875db10cb181f09a62670601c7da9f6fe37a/roles/network/templates/gateway/iptables.service
 it's always _someone's_ error
 :)
 va, okay, it worked I think! (will test more thoroughly for other 
stuff)
 thx!



 

On Mon, Mar 30, 2015 at 11:28 PM, Tim Moody <t...@timmoody.com> wrote:

looks like a cross dependency between the systemd unit files:

 

iptables depends on network and network depends on iptables.

 

Waiting for Jerry to weigh in.

 

From: xsce-de...@googlegroups.com [mailto:xsce-de...@googlegroups.com] On 
Behalf Of Anish Mangal
Sent: Monday, March 30, 2015 1:34 PM
To: xsce-devel; server-devel
Subject: [XSCE] Re: iptables issue on fedora 21

 

Some more messages from the journal from around that time suggest some kind of 
loop

*  Mar 30 22:55:17 schoolserver.lan systemd[1]: Found ordering cycle on 
network.service/start

*  Mar 30 22:55:17 schoolserver.lan systemd[1]: Found dependency on 
iptables.service/start

*  Mar 30 22:55:17 schoolserver.lan systemd[1]: Found dependency on 
network.target/start

*  Mar 30 22:55:17 schoolserver.lan systemd[1]: Found dependency on 
network.service/start

*  Mar 30 22:55:17 schoolserver.lan systemd[1]: Breaking ordering cycle by 
deleting job iptables.service/start

*  Mar 30 22:55:17 schoolserver.lan systemd[1]: Job iptables.service/start 
deleted to break ordering cycle starting with network.service/start

 

 

On Mon, Mar 30, 2015 at 10:42 PM, Anish Mangal <anis...@umich.edu> wrote:

Hi,

So I have an XSCE setup on a NUC originally in appliance mode, and now I am 
using hostapd for the wifi network to function as lan. After I setup hostapd 
(config file and enabling the service) I ran ./runansible again, and everything 
seems to work except iptables, which goes dead. Relevant messages below

[root@schoolserver anish]# journalctl -xb|grep iptables
Mar 30 22:34:22 schoolserver.lan systemd[1]: Found dependency on 
iptables.service/start
Mar 30 22:34:22 schoolserver.lan systemd[1]: Breaking ordering cycle by 
deleting job iptables.service/start
Mar 30 22:34:22 schoolserver.lan systemd[1]: Job iptables.service/start deleted 
to break ordering cycle starting with network.service/start
Mar 30 22:34:21 schoolserver.lan systemd[1]: Configuration file 
/etc/systemd/system/iptables.service is marked executable. Please remove 
execu

Re: [Server-devel] [XSCE] Re: iptables issue on fedora 21

2015-03-30 Thread Tim Moody
looks like a cross dependency between the systemd unit files:

 

iptables depends on network and network depends on iptables.

 

Waiting for Jerry to weigh in.

 

From: xsce-de...@googlegroups.com [mailto:xsce-de...@googlegroups.com] On 
Behalf Of Anish Mangal
Sent: Monday, March 30, 2015 1:34 PM
To: xsce-devel; server-devel
Subject: [XSCE] Re: iptables issue on fedora 21

 

Some more messages from the journal from around that time suggest some kind of 
loop

*  Mar 30 22:55:17 schoolserver.lan systemd[1]: Found ordering cycle on 
network.service/start

*  Mar 30 22:55:17 schoolserver.lan systemd[1]: Found dependency on 
iptables.service/start

*  Mar 30 22:55:17 schoolserver.lan systemd[1]: Found dependency on 
network.target/start

*  Mar 30 22:55:17 schoolserver.lan systemd[1]: Found dependency on 
network.service/start

*  Mar 30 22:55:17 schoolserver.lan systemd[1]: Breaking ordering cycle by 
deleting job iptables.service/start

*  Mar 30 22:55:17 schoolserver.lan systemd[1]: Job iptables.service/start 
deleted to break ordering cycle starting with network.service/start

 

 

On Mon, Mar 30, 2015 at 10:42 PM, Anish Mangal <anis...@umich.edu> wrote:

Hi,

So I have an XSCE setup on a NUC originally in appliance mode, and now I am 
using hostapd for the wifi network to function as lan. After I setup hostapd 
(config file and enabling the service) I ran ./runansible again, and everything 
seems to work except iptables, which goes dead. Relevant messages below

[root@schoolserver anish]# journalctl -xb|grep iptables
Mar 30 22:34:22 schoolserver.lan systemd[1]: Found dependency on 
iptables.service/start
Mar 30 22:34:22 schoolserver.lan systemd[1]: Breaking ordering cycle by 
deleting job iptables.service/start
Mar 30 22:34:22 schoolserver.lan systemd[1]: Job iptables.service/start deleted 
to break ordering cycle starting with network.service/start
Mar 30 22:34:21 schoolserver.lan systemd[1]: Configuration file 
/etc/systemd/system/iptables.service is marked executable. Please remove 
executable permission bits. Proceeding anyway.

[root@schoolserver anish]# systemctl status iptables.service
● iptables.service - IPv4 firewall with iptables
   Loaded: loaded (/etc/systemd/system/iptables.service; enabled)
   Active: inactive (dead)


/etc/xsce/xsce.ini --> http://fpaste.org/204840/

If I start iptables manually, it works, but not automatically.

Any pointers would be helpful. 

Best,

Anish





___
Server-devel mailing list
Server-devel@lists.laptop.org
http://lists.laptop.org/listinfo/server-devel
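
Added example, not part of the thread or of the XSCE code: a small ordering-cycle check showing why After=network.target in iptables.service makes systemd drop the firewall job at boot, while Before=network.target does not. The unit texts are constructed; the network.service ordering lines are an assumption inferred from the cycle reported in the journal above, and the function names are hypothetical.

```python
import re

# Constructed unit files mirroring the cycle in the thread's journal. The
# network.service ordering lines are an assumption inferred from that journal.
BASE = {
    "network.service": "[Unit]\nAfter=iptables.service\nBefore=network.target\n",
    "network.target": "[Unit]\n",
}
BROKEN = {**BASE, "iptables.service": "[Unit]\nAfter=syslog.target network.target\n"}
FIXED = {**BASE, "iptables.service": "[Unit]\nAfter=syslog.target\nBefore=network.target\n"}

# Journal line as posted in the thread, joined onto one line.
JOURNAL = ("Mar 30 22:34:22 schoolserver.lan systemd[1]: Job iptables.service/start "
           "deleted to break ordering cycle starting with network.service/start\n")

def ordering_edges(units):
    """Return {unit: set of units it must start after} from After=/Before= lines."""
    after = {name: set() for name in units}
    for name, text in units.items():
        for key, value in re.findall(r"^(After|Before)=(.*)$", text, re.M):
            for other in value.split():
                if key == "After":
                    after[name].add(other)
                else:  # Before=other means `other` starts after `name`
                    after.setdefault(other, set()).add(name)
    return after

def find_cycle(after, start):
    """Depth-first search for an ordering cycle through `start`; None if absent."""
    stack, seen = [(start, [start])], set()
    while stack:
        node, path = stack.pop()
        for dep in sorted(after.get(node, ())):
            if dep == start:
                return path + [start]
            if dep not in seen:
                seen.add(dep)
                stack.append((dep, path + [dep]))
    return None

def dropped_jobs(journal):
    """Units whose start job systemd deleted to break an ordering cycle."""
    return re.findall(r"Job (\S+)/start deleted to break ordering cycle", journal)

if __name__ == "__main__":
    for label, units in (("After=network.target", BROKEN), ("Before=network.target", FIXED)):
        print(label, "->", find_cycle(ordering_edges(units), "iptables.service"))
    print("dropped at boot:", dropped_jobs(JOURNAL))
```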