arno-iptables-firewall / aif

GNU General Public License v2.0

aif 2.03 doesn't start on debian buster #85

Open uklatt opened 1 year ago

uklatt commented 1 year ago

Hello,

I want to use aif on a debian buster vm. I got the following status:

● arno-iptables-firewall.service - Arno's Iptables Firewall
   Loaded: loaded (/lib/systemd/system/arno-iptables-firewall.service; enabled; vendor preset: enabled)
   Active: failed (Result: exit-code) since Fri 2022-08-19 18:45:45 CEST; 37s ago
     Docs: man:arno-iptables-firewall(8)
           http://rocky.eld.leidenuniv.nl/
  Process: 329 ExecStart=/usr/sbin/arno-iptables-firewall start (code=exited, status=2)
 Main PID: 329 (code=exited, status=2)

Aug 19 18:45:45 sun-watch.net systemd[1]: Starting Arno's Iptables Firewall...
Aug 19 18:45:45 sun-watch.net arno-iptables-firewall[329]: Arno's Iptables Firewall Script v2.0.3
Aug 19 18:45:45 sun-watch.net arno-iptables-firewall[329]: -------------------------------------------------------------------------------
Aug 19 18:45:45 sun-watch.net arno-iptables-firewall[329]: /usr/sbin/arno-iptables-firewall: 36: /usr/share/arno-iptables-firewall/environment: Cannot fork
Aug 19 18:45:45 sun-watch.net systemd[1]: arno-iptables-firewall.service: Main process exited, code=exited, status=2/INVALIDARGUMENT
Aug 19 18:45:45 sun-watch.net systemd[1]: arno-iptables-firewall.service: Failed with result 'exit-code'.
Aug 19 18:45:45 sun-watch.net systemd[1]: Failed to start Arno's Iptables Firewall.

My config:

EXT_IF="venet0"
EXT_IF_DHCP_IP=0
OPEN_TCP="80 443 22 25 3000:3100 2000:2100"
OPEN_UDP="161"
INT_IF=""
NAT=0
INTERNAL_NET=""
NAT_INTERNAL_NET=""
OPEN_ICMP=0

What could cause this?

Uwe

abelbeck commented 1 year ago

Are you running AIF within an OpenVZ container?

Is there an unusually low process limit (be it systemwide, or a ulimit, or a cgroup limit, etc) or an unusually high number of running processes?

Does it act any differently when you manually try to start the arno-iptables-firewall.service?
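A way to check the limits asked about above, added here as an example and not code from the AIF project or from the commenters. It assumes the OpenVZ /proc/user_beancounters layout (uid, resource, held, maxheld, barrier, limit, failcnt) and the usual cgroup pids.max locations, and parses a constructed sample of that table so it can be tried offline:

```shell
#!/bin/sh
# Added diagnostic for a "Cannot fork" at service start; not part of AIF.
# Assumes the OpenVZ /proc/user_beancounters layout (columns: uid resource
# held maxheld barrier limit failcnt) and the usual cgroup pids.max paths.

# Constructed sample of /proc/user_beancounters, used for offline testing.
SAMPLE_UBC='Version: 2.5
       uid  resource           held    maxheld    barrier      limit  failcnt
      101:  kmemsize        1234567    2345678   67108864   75497472        0
            numproc              65         65         65         65       17
            numfile            1024       2048       8192       8192        0'

# Print "resource failcnt" for every counter whose failcnt is non-zero.
# Reads the table on stdin, so it works on the real file or on the sample.
ubc_failures() {
    awk 'NR > 2 {
        # Only the first data row carries the "uid:" column, so index from the end.
        n = NF; fail = $n; res = $(n - 5)
        if (fail + 0 > 0) print res, fail
    }'
}

# Show the process limits in effect for the calling context (what systemd
# sees can differ from an interactive shell, which matches the report above).
process_limits() {
    echo "ulimit -u: $(ulimit -u 2>/dev/null || echo unknown)"
    cg=$(awk -F: '$2 == "pids" { print $3 }' /proc/self/cgroup 2>/dev/null || true)
    for f in /sys/fs/cgroup/pids.max "/sys/fs/cgroup/pids${cg}/pids.max"; do
        if [ -r "$f" ]; then echo "$f: $(cat "$f")"; fi
    done
    echo "running processes: $(ls -d /proc/[0-9]* 2>/dev/null | wc -l)"
}

main() {
    process_limits
    if [ -r /proc/user_beancounters ]; then
        echo "OpenVZ counters with failures (resource failcnt):"
        ubc_failures < /proc/user_beancounters
    else
        echo "no /proc/user_beancounters: not an OpenVZ container (or not exposed)"
    fi
}

main
```

A non-zero numproc failcnt means the container hit its process ceiling, which is exactly what a fork failure at boot looks like when many services start at once.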

uklatt commented 1 year ago

Hello abelbeck,

I don't really know. But it could be because there are some vz.... kernel modules present. When I start it manually with arno-iptables-firewall start, it works!

How can I start it with the systemd script?

Uwe

uklatt commented 1 year ago

This problem is still not solved. Any ideas?

68420948 commented 8 months ago

From my experience arno-iptables-firewall does not work (properly) in a containerized environment.

uklatt commented 8 months ago

> From my experience arno-iptables-firewall does not work (properly) in a containerized environment.

OK, thanks