Bug#948681: [Pkg-utopia-maintainers] Bug#948681: firewalld: Nukes the existing network system without warning

2020-01-11 Thread Michael Biebl
Control: tags -1 moreinfo unreproducible

Am 11.01.20 um 21:42 schrieb Brad Rigby:
> Source: firewalld
> Severity: normal
> 
> Dear Maintainer,
> 
> The debian wiki notes that debian is moving from iptables to nftables, and 
> the nftables page suggests installing this package.  So I did.  
> Unfortunately, I did so via an ssh connection, as the computer in question is 
> a headless router.  As soon as aptitude quit I was booted from the system.  I 
> therefore needed to find a keyboard and monitor, and cables, to hook up to 
> this somewhat antiquated system in order to fix the problem.
> 
> Please give a warning somewhere that before installing, a person should have 
> physical access to the machine.  Even better would be a debconf wrapper to 
> allow configuration before the default completely nukes everything.

It doesn't nuke everything.
Installing firewalld will install a firewall with a default policy.
The default policy is to allow SSH for the public zone which is what you
should get after installation.

Fwiw, installing firewalld (which version are you using btw) in buster
via SSH works fine for me without interruptions:

> root@debian:~# iptables -L -n
> Chain INPUT (policy ACCEPT)
> target     prot opt source               destination
> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
> INPUT_direct  all  --  0.0.0.0/0            0.0.0.0/0
> INPUT_ZONES_SOURCE  all  --  0.0.0.0/0            0.0.0.0/0
> INPUT_ZONES  all  --  0.0.0.0/0            0.0.0.0/0
> DROP       all  --  0.0.0.0/0            0.0.0.0/0            ctstate INVALID
> REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
> 
> Chain FORWARD (policy ACCEPT)
> target     prot opt source               destination
> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
> FORWARD_direct  all  --  0.0.0.0/0            0.0.0.0/0
> FORWARD_IN_ZONES_SOURCE  all  --  0.0.0.0/0            0.0.0.0/0
> FORWARD_IN_ZONES  all  --  0.0.0.0/0            0.0.0.0/0
> FORWARD_OUT_ZONES_SOURCE  all  --  0.0.0.0/0            0.0.0.0/0
> FORWARD_OUT_ZONES  all  --  0.0.0.0/0            0.0.0.0/0
> DROP       all  --  0.0.0.0/0            0.0.0.0/0            ctstate INVALID
> REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
> 
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
> OUTPUT_direct  all  --  0.0.0.0/0            0.0.0.0/0
> 
> Chain INPUT_direct (1 references)
> target     prot opt source               destination
> 
> Chain INPUT_ZONES_SOURCE (1 references)
> target     prot opt source               destination
> 
> Chain INPUT_ZONES (1 references)
> target     prot opt source               destination
> IN_public  all  --  0.0.0.0/0            0.0.0.0/0           [goto]
> 
> Chain FORWARD_direct (1 references)
> target     prot opt source               destination
> 
> Chain FORWARD_IN_ZONES_SOURCE (1 references)
> target     prot opt source               destination
> 
> Chain FORWARD_IN_ZONES (1 references)
> target     prot opt source               destination
> FWDI_public  all  --  0.0.0.0/0            0.0.0.0/0           [goto]
> 
> Chain FORWARD_OUT_ZONES_SOURCE (1 references)
> target     prot opt source               destination
> 
> Chain FORWARD_OUT_ZONES (1 references)
> target     prot opt source               destination
> FWDO_public  all  --  0.0.0.0/0            0.0.0.0/0           [goto]
> 
> Chain OUTPUT_direct (1 references)
> target     prot opt source               destination
> 
> Chain IN_public (1 references)
> target     prot opt source               destination
> IN_public_log  all  --  0.0.0.0/0            0.0.0.0/0
> IN_public_deny  all  --  0.0.0.0/0            0.0.0.0/0
> IN_public_allow  all  --  0.0.0.0/0            0.0.0.0/0
> ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
> 
> Chain IN_public_log (1 references)
> target     prot opt source               destination
> 
> Chain IN_public_deny (1 references)
> target     prot opt source               destination
> 
> Chain IN_public_allow (1 references)
> target     prot opt source               destination
> ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22 ctstate NEW,UNTRACKED
> 
> Chain FWDI_public (1 references)
> target     prot opt source               destination
> FWDI_public_log  all  --  0.0.0.0/0            0.0.0.0/0
> FWDI_public_deny  all  --  0.0.0.0/0            0.0.0.0/0
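The maintainer's point above is that the default ruleset still reaches ACCEPT for a fresh TCP/22 connection via INPUT -> INPUT_ZONES -> IN_public -> IN_public_allow, and the lockout case is the same listing with that last rule missing. As an added example (not code from the bug thread or from firewalld), this parses an `iptables -L -n` listing and walks it the way the kernel would, so the verdict for new SSH traffic can be checked from the active ruleset before an SSH session is closed; it assumes 0.0.0.0/0 addresses and ignores interface matches, which `-L -n` does not display.

```python
# Added example (not firewalld's code): walk an `iptables -L -n` listing as the
# kernel would and report the verdict for a new inbound TCP/22 packet. SAMPLE is
# constructed from the listing quoted above, minus the loopback ACCEPT rule.
import re
SAMPLE = """\
Chain INPUT (policy ACCEPT)
ACCEPT     all  --  0.0.0.0/0  0.0.0.0/0  ctstate RELATED,ESTABLISHED
INPUT_ZONES  all  --  0.0.0.0/0  0.0.0.0/0
REJECT     all  --  0.0.0.0/0  0.0.0.0/0  reject-with icmp-host-prohibited
Chain INPUT_ZONES (1 references)
IN_public  all  --  0.0.0.0/0  0.0.0.0/0  [goto]
Chain IN_public (1 references)
IN_public_allow  all  --  0.0.0.0/0  0.0.0.0/0
Chain IN_public_allow (1 references)
ACCEPT     tcp  --  0.0.0.0/0  0.0.0.0/0  tcp dpt:22 ctstate NEW,UNTRACKED
"""
SSH = {"proto": "tcp", "dport": 22, "ctstate": "NEW"}  # a fresh SSH SYN

def parse_listing(text):
    # Returns ({chain: [(target, prot, match tokens)]}, {chain: policy or None}).
    chains, policies, cur = {}, {}, None
    for line in text.splitlines():
        m = re.match(r"Chain (\S+) \((?:policy (\w+)|\d+ references)\)", line)
        if m:
            cur, chains[m[1]], policies[m[1]] = m[1], [], m[2]
        elif cur and (t := line.split()) and t[0] != "target":  # skip header
            chains[cur].append((t[0], t[1], t[5:]))  # target, prot, matches
    return chains, policies

def rule_matches(prot, extra, pkt):
    # Honour protocol, "dpt:N" and "ctstate A,B"; other match tokens are ignored.
    ok = prot in ("all", pkt["proto"])
    for i, tok in enumerate(extra):
        ok &= not tok.startswith("dpt:") or int(tok[4:]) == pkt["dport"]
        ok &= tok != "ctstate" or pkt["ctstate"] in extra[i + 1].split(",")
    return ok

def walk(chains, name, pkt):
    # Rules are tried in order; None means the chain returned without a verdict.
    for target, prot, extra in chains.get(name, []):
        if not rule_matches(prot, extra, pkt):
            continue
        if target in ("ACCEPT", "DROP", "REJECT"):
            return target
        if target in chains:
            verdict = walk(chains, target, pkt)
            if verdict or "[goto]" in extra:  # goto never falls back to this chain
                return verdict
    return None

def ssh_verdict(text, pkt=SSH):
    # Verdict for pkt entering INPUT, falling back to the built-in chain policy.
    chains, policies = parse_listing(text)
    return walk(chains, "INPUT", pkt) or policies["INPUT"]
```

Feeding it the real `iptables -L -n` output would require `-v` style parsing to account for interface-bound rules such as the loopback ACCEPT, which is why that rule is left out of the constructed sample.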

Bug#948681: firewalld: Nukes the existing network system without warning

2020-01-11 Thread Brad Rigby
Source: firewalld
Severity: normal

Dear Maintainer,

The debian wiki notes that debian is moving from iptables to nftables, and the 
nftables page suggests installing this package.  So I did.  Unfortunately, I 
did so via an ssh connection, as the computer in question is a headless router. 
 As soon as aptitude quit I was booted from the system.  I therefore needed to 
find a keyboard and monitor, and cables, to hook up to this somewhat antiquated 
system in order to fix the problem.

Please give a warning somewhere that before installing, a person should have 
physical access to the machine.  Even better would be a debconf wrapper to 
allow configuration before the default completely nukes everything.



- System Information:
Debian Release: 10.2
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 4.19.0-6-686-pae (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled