Received: from out.smtp-auth.no-ip.com (smtp-auth.no-ip.com [8.23.224.60]) by nld3-dev1.alpinelinux.org (Postfix) with ESMTPS id 95131780790 for <~alpine/devel@lists.alpinelinux.org>; Sun, 28 Aug 2022 19:37:11 +0000 (UTC) X-No-IP: flyn.org@noip-smtp X-Report-Spam-To: abuse@no-ip.com Received: from www.flyn.org (unknown [137.26.240.243]) (Authenticated sender: flyn.org@noip-smtp) by smtp-auth.no-ip.com (Postfix) with ESMTPA id 4MG3jy1Nx5z7sTR for <~alpine/devel@lists.alpinelinux.org>; Sun, 28 Aug 2022 19:37:10 +0000 (UTC) Received: by www.flyn.org (Postfix, from userid 1001) id 577D11EE00A7; Sun, 28 Aug 2022 14:37:09 -0500 (CDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=flyn.org; s=mail; t=1661715429; bh=VMWfSM5pyzSQppnqEWnJ53MfbUnuZiYQ/pmQ0r00yGw=; h=Date:From:To:Subject; b=hlpr2sp3YLQ/++pHss9RLuRNYO1ctUyiYXYEtCcU5Ul8UsTDmglc4C+HsaEphoSil pdI5krzpo2/Vkv41zMEq2U/7uDkIqPkoyHuLsNQv78Iw/ERa0F+Ut+aGLRXESZlgFM tIuR7wo7N3BPaHBRvtr7kYj7+KNV4/hoeANGuKSE/9Us3SK2+FM/gMJfyM2UKgelYl Z/7r6PaYIAkZpsnicE6epgERpIK8TSfKdXdsUWCYczY4rgRgVCOVdh7aBofx6IpC3H fnU9HftMxEx018aGFloK0Kr4EjrWE411bfzfMYFtp/oJxTwxx91E65daCu/bR1ZB+0 9yheeCle7O3Vt/t8MG9yWlzJzobrFx95gX8vooMfKDtDIeFQxb95AK3dk1YFKKSPAr 8jKNWpyt5F6wmbKuKWQ03//VOvZoMpbdDNOHuElS81wacWWW8a0jbBB3GqjYyO+i8S ymyt4+5TurnnfuiC+o3fdrPvTcJvpbQPcYYcJsbbHVCM6KCyWQd Received: from imp.flyn.org (guardian.flyn.org [137.26.240.242]) by www.flyn.org (Postfix) with ESMTPSA id 3C1A21EE0040 for <~alpine/devel@lists.alpinelinux.org>; Sun, 28 Aug 2022 14:37:09 -0500 (CDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=flyn.org; s=mail; t=1661715429; bh=VMWfSM5pyzSQppnqEWnJ53MfbUnuZiYQ/pmQ0r00yGw=; h=Date:From:To:Subject; b=hlpr2sp3YLQ/++pHss9RLuRNYO1ctUyiYXYEtCcU5Ul8UsTDmglc4C+HsaEphoSil pdI5krzpo2/Vkv41zMEq2U/7uDkIqPkoyHuLsNQv78Iw/ERa0F+Ut+aGLRXESZlgFM tIuR7wo7N3BPaHBRvtr7kYj7+KNV4/hoeANGuKSE/9Us3SK2+FM/gMJfyM2UKgelYl Z/7r6PaYIAkZpsnicE6epgERpIK8TSfKdXdsUWCYczY4rgRgVCOVdh7aBofx6IpC3H fnU9HftMxEx018aGFloK0Kr4EjrWE411bfzfMYFtp/oJxTwxx91E65daCu/bR1ZB+0 9yheeCle7O3Vt/t8MG9yWlzJzobrFx95gX8vooMfKDtDIeFQxb95AK3dk1YFKKSPAr 8jKNWpyt5F6wmbKuKWQ03//VOvZoMpbdDNOHuElS81wacWWW8a0jbBB3GqjYyO+i8S ymyt4+5TurnnfuiC+o3fdrPvTcJvpbQPcYYcJsbbHVCM6KCyWQd Received: by imp.flyn.org (Postfix, from userid 1101) id E574A639491; Sun, 28 Aug 2022 14:37:03 -0500 (CDT) Date: Sun, 28 Aug 2022 14:37:03 -0500 From: "W. Michael Petullo" To: ~alpine/devel@lists.alpinelinux.org Subject: Strange behavior in "awall activate -f" Message-ID: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline X-Bogosity: Unsure, tests=bogofilter, spamicity=0.520000, version=1.2.5 X-Virus-Scanned: clamav-milter 0.104.2 at herald.flyn.org X-Virus-Status: Clean I find that "awall activate -f" fails on a fresh install unless I run "awall activate" at least once in interactive mode first. The failure message is: host:~# (Deploy firewall rules ...) host:~# awall activate -f Warning: firewall not enabled for inet6 Warning: firewall not enabled for inet awall: Firewall not enabled in kernel It turns out this is because the ip_tables and ip6_tables kernel modules are not loaded. It seems "awall activate" will load the required modules. Indeed, the first "awall activate" is quite chatty about doing this and a number of other things: Warning: firewall not enabled for inet6 Warning: firewall not enabled for inet Firewall is not active Press RETURN to perform initial configuration and activation: * rc-update: ip6tables already installed in runlevel `default'; skipping * Caching service dependencies ... [ ok ] * Loading ip6tables state and starting firewall ... [ ok ] * Enabling forwarding ... [ ok ] * rc-update: iptables already installed in runlevel `default'; skipping * Caching service dependencies ... [ ok ] * Loading iptables state and starting firewall ... [ ok ] * Enabling forwarding ... [ ok ] If I do start a new system, load ip_tables and ip6_tables, and run "awall activate -f", then awall runs without error. However, I do not see evidence of the other configuration going on, as with the output from "awall activate" above. My questions: Should "awall activate -f" be changed to load the kernel modules, as interactive mode does? Is there a reason for the inconsistency? Does running "awall activate -f" after manually loading the modules perform all the steps to activate the firewall for the first time? Put another way, does "awall activate -f" do everything "awall activate" does, albeit in a much less verbose mode? Having a fully-automated install motivates my questions. -- Mike :wq