Virtualmin installer installs broken firewalld on systems with monolithic kernel.

Firewalld has/had a bug that means it is broken on systems with a non-modular kernel or with certain modules built in to the kernel. This affects, for example, VPSs from a number of providers (including rimuhosting.com, linode.com and ovh.com among others.)

There is an upstream bug report at https://github.com/firewalld/firewalld/issues/430

This was fixed in https://github.com/firewalld/firewalld/commit/88e76ddfed6fe348975bfea900... which appears in firewalld 0.8.

Most distros' current releases include a buggy version of firewalld, not yet version 0.8 or higher. This affects at least Debian 9, Debian 10 and CentOS 7, and likely current Ubuntu releases as well.

Although the actual bug belongs elsewhere (in firewalld), I would argue it is not ideal for the virtualmin GPL installer to load a firewall that doesn't work.

A symptom of the problem is that after virtualmin has been installed, fail2ban doesn't work. fail2ban does its job and calls firewalld to block problem IP addresses, but firewalld silently does nothing and the addresses are not banned.

The easiest solution to this is to just remove firewalld after a virtualmin install. (I have a workaround for the version of firewalld installed in Debian 10, but it does not work for the version installed in Debian 9). After removing firewalld, fail2ban (and webmin) work fine using iptables.

It is somewhat difficult for me to automate the removal of firewalld once the virtualmin GPL install script has run; it would be better if the script did not load it in the first place.

Thanks, Alex

Status: Active

Comments

Submitted by Joe on Tue, 02/18/2020 - 17:50 Pro Licensee

Thanks for the heads up. I'll look into this bug and whether there's anything we can do about it (without upgrading firewalld or whatever).

In the short term, you could do a custom installation, which is probably easier/cleaner than doing what you're doing now.

e.g., you could do something like this:

Enable our repos:

# /bin/sh install.sh --setup

Install Postfix (needed for weird dependency issues)

# yum install postfix

For SCL:

# yum-config-manager --enable extras

# yum install centos-release-scl

Newer PHP:

# yum groupinstall 'Software Collections PHP 7.2 Environment'

Our package groups (could also be LEMP or Minimal stacks):

# yum groupinstall 'Virtualmin LAMP Stack' 'Virtualmin Core'

Configure the bits you want:

# virtualmin config-system --include <list of plugins>

(I don't remember why postfix is special here, as it's depended on by the stack packages, but there was some sort of dependency issue I needed to work around...maybe not needed now.)

This allows you to only setup the bits you want, and can exclude firewalld, fail2ban, etc. You can see a list of the plugins with virtualmin config-system --list-plugins. You could also make your own bundle. It's just a Perl module, and can be installed from a separate package, as long as it's a sub-module of Virtualmin::Config. See here for an example: https://github.com/virtualmin/Virtualmin-Config/blob/master/lib/Virtualm... ), and could be called with virtualmin config-system --bundle <your bundle name>

The new installer (well, not so new now, since it's been around for a few years) was to suit your use case, where you wanted something custom without having to do anything weird after installation, or make your own version of the installer.

@rimuhosting: Can you please share your Debian 10 firewalld fix? Thank you.

The "Fix" for Debian 10 is basically a workaround which creates fake module information, which seems to work for the version of firewalld in Debian 10 but not in Debian 9.

# Workaround for firewalld 2020-01-31
# From https://www.getpagespeed.com/server-setup/fix-firewalld-in-centos-7
# This is a problem with firewalld versions in CentOS 8, CentOS 7 potentially, and Buster (e.g. if virtualmin is installed which pulls in
# Firewalld on Debian).  Should be harmless on other systems.  Modified to not run if the user is using a modular kernel under pvgrub,
# or in any other case where the kernel module dir exists already.
#
# Fix for this will likely be in firewalld 0.8
#
# Note: the heredoc below is unquoted, so anything that must be evaluated at boot rather than when this
# snippet is pasted is escaped with a backslash. That includes \$(uname -r): left unescaped, the generated
# script would hard-code the kernel release that happened to be running when the snippet was installed.

cat << EOF > /usr/local/sbin/rebuild-builtin-modules
#!/bin/bash
# script for creating builtin modules file for the kernel that is currently running
MODULES_DIR=/lib/modules/\$(uname -r)
# Only run if the directory doesn't exist yet; mkdir fails if it does
# (e.g. a modular kernel under pvgrub), and then nothing is touched.
mkdir -p /lib/modules
if mkdir "\${MODULES_DIR}" ; then
  /usr/bin/truncate --size=0 "\${MODULES_DIR}/modules.builtin"
  /usr/bin/truncate --size=0 "\${MODULES_DIR}/modules.order"
  # /sys/module has one directory per module the kernel knows about; declare each as built in.
  for i in /sys/module/*; do echo "kernel/\${i##*/}.ko"; done >> "\${MODULES_DIR}/modules.builtin"
  depmod -a
fi
EOF

cat << EOF > /etc/systemd/system/rebuild-builtin-modules.service
[Unit]
Description=Rebuild built-in modules list for loaded kernel
Before=firewalld.service

[Service]
Type=oneshot
ExecStart=/usr/local/sbin/rebuild-builtin-modules

[Install]
WantedBy=multi-user.target
EOF

chmod 0644 /etc/systemd/system/rebuild-builtin-modules.service
chmod 0755 /usr/local/sbin/rebuild-builtin-modules
chown root:root /etc/systemd/system/rebuild-builtin-modules.service
chown root:root /usr/local/sbin/rebuild-builtin-modules
systemctl enable rebuild-builtin-modules.service

# END Workaround for firewalld 2019-12-12
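An added example, not part of the issue report, the posted workaround or Virtualmin's own code: a pre-flight check for the condition described in the opening post and addressed by the workaround above. It tests whether the module tree for the running kernel is missing, and whether netfilter modules that are live in /sys/module are absent from modules.builtin, which is the state in which pre-0.8 firewalld silently does nothing. The list of modules it looks for is an assumption about what matters to firewalld, not taken from its source; every function takes a root directory so it can be run against a constructed tree (the make_fake_root helper builds one) as well as against "/".

```shell
#!/bin/sh
# Added example (not from the issue or the posted workaround): pre-flight check for
# the firewalld / monolithic-kernel problem. Functions take ROOT so they can be
# pointed at a constructed tree for testing; pass "/" for the live system.

# Assumed set of netfilter modules whose declaration matters to firewalld.
NETFILTER_MODULES="nf_tables nf_conntrack ip_tables ip6_tables ebtables ip_set"

# builtin_module_list ROOT
# Print the kernel/<name>.ko lines the workaround generates, from ROOT/sys/module.
builtin_module_list() {
    bml_root=$1
    for bml_dir in "$bml_root"/sys/module/*; do
        [ -d "$bml_dir" ] || continue
        echo "kernel/${bml_dir##*/}.ko"
    done
}

# missing_netfilter_modules ROOT RELEASE
# Print modules from NETFILTER_MODULES that are live in ROOT/sys/module but not
# declared in ROOT/lib/modules/RELEASE/modules.builtin. Exit 0 if none is missing.
missing_netfilter_modules() {
    mnm_builtin="$1/lib/modules/$2/modules.builtin"
    mnm_status=0
    for mnm_mod in $NETFILTER_MODULES; do
        [ -d "$1/sys/module/$mnm_mod" ] || continue
        if ! { [ -f "$mnm_builtin" ] && grep -qxF "kernel/$mnm_mod.ko" "$mnm_builtin"; }; then
            echo "$mnm_mod"
            mnm_status=1
        fi
    done
    return $mnm_status
}

# firewalld_affected ROOT RELEASE
# Exit 0 (and say why) if the system looks affected, 1 if the metadata is consistent.
firewalld_affected() {
    if [ ! -d "$1/lib/modules/$2" ]; then
        echo "affected: no module tree at $1/lib/modules/$2"
        return 0
    fi
    if fa_missing=$(missing_netfilter_modules "$1" "$2"); then
        return 1
    fi
    echo "affected: built in but undeclared: $(echo "$fa_missing" | tr '\n' ' ')"
    return 0
}

# apply_builtin_list ROOT RELEASE
# What the workaround does, minus depmod: create the tree and write the built-in
# list. Refuses to touch a tree that already exists (same guard as the workaround).
apply_builtin_list() {
    abl_dir="$1/lib/modules/$2"
    mkdir -p "$1/lib/modules"
    mkdir "$abl_dir" 2>/dev/null || return 1
    : > "$abl_dir/modules.order"
    builtin_module_list "$1" > "$abl_dir/modules.builtin"
}

# make_fake_root DIR RELEASE [with-tree]
# Constructed sample layout for testing: a kernel with netfilter built in and,
# with "with-tree", a module tree whose modules.builtin omits the netfilter entries.
make_fake_root() {
    for mfr_mod in nf_tables nf_conntrack ext4; do
        mkdir -p "$1/sys/module/$mfr_mod"
    done
    if [ "${3:-}" = "with-tree" ]; then
        mkdir -p "$1/lib/modules/$2"
        printf 'kernel/ext4.ko\n' > "$1/lib/modules/$2/modules.builtin"
    fi
}

# Live usage:  sh check-firewalld-modules.sh --live
if [ "${1:-}" = "--live" ]; then
    if firewalld_affected / "$(uname -r)"; then
        echo "firewalld is likely to fail here; apply the workaround or remove firewalld"
    else
        echo "module metadata looks consistent; firewalld should work"
    fi
fi
```

Run it with --live before installing Virtualmin on a VPS to learn whether the installer's firewalld will actually enforce fail2ban's bans; the "affected" output names the netfilter modules the kernel has built in but never declared, which is exactly the gap the fake modules.builtin closes.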