
Re: F96-CE_1 with 6.0.12-FP Kernel Stable Release

Posted: Sat Feb 25, 2023 5:35 pm
by rockedge

@Overdrive5 All fixes welcome!

You can present it right here on this topic.


Re: F96-CE_1 with 6.0.12-FP Kernel Stable Release

Posted: Sat Feb 25, 2023 5:58 pm
by Overdrive5

The issue is the way the current script is set, it renders the firewall disabled if you make any changes and then click "Apply".

What I discovered is the current script changes /etc/init.d/rc.firewall permissions to 644 so it cannot be started.

I traced it down to this revision: https://github.com/dimkr/woof-CE/commit ... a9f2cba242

Here is the original code starting on line 1435:

Code:

if [ -f "$TMPFW" ];then
	[ $state = 1 -a "$1" != "enable" ] && /etc/init.d/rc.firewall stop && sleep 1
	echo "copying firewall"
	cp -af "$TMPFW" /etc/init.d/rc.firewall
	[ "$MAIN" = "false" ] && chmod 644 /etc/init.d/rc.firewall || chmod 755 /etc/init.d/rc.firewall # https://github.com/dimkr/woof-CE/commit/80f2b4489295179847cb4fb270f463a9f2cba242
	rm -f "$TMPFW"
else
	echo "Something went wrong"
	exit
fi

[ "$1" = "enable" -o "$MAIN" = "false" ] && exit

I believe the revision's intent was to not enable the firewall if the user pressed "Cancel" when no firewall was already present/working.

Here is what I propose as a more effective solution:

Code:

if [ -f "$TMPFW" ];then
	[ $state = 1 -a "$1" != "enable" ] && /etc/init.d/rc.firewall stop && sleep 1
	echo "copying firewall"
	cp -af "$TMPFW" /etc/init.d/rc.firewall
	chmod 755 /etc/init.d/rc.firewall
	rm -f "$TMPFW"
else
	echo "Something went wrong"
	exit
fi

[ "$MAIN" = "false" ] && exit

My testing shows when "Cancel" is pressed, the original firewall state is preserved and when "Apply" is pressed the new settings are applied and the firewall is restarted.

If you wish, I can make a formal PR on github.

Hope this helps!


Re: F96-CE_1 with 6.0.12-FP Kernel Stable Release

Posted: Sat Feb 25, 2023 6:15 pm
by rockedge

Yes please make the pull request!


Re: F96-CE_1 with 6.0.12-FP Kernel Stable Release

Posted: Sat Feb 25, 2023 6:21 pm
by dimkr

@Overdrive5 This commit is in my woof-CE fork and wasn't merged into upstream woof-CE. It was an attempt to fix https://github.com/puppylinux-woof-CE/w ... ssues/2883, but it wasn't merged because it doesn't work.

The right file to patch is https://github.com/puppylinux-woof-CE/w ... irewall_ng, and it doesn't have that chmod 644.

EDIT: I see the woof-CE commit used to build F96-CE_1 is https://github.com/puppylinux-woof-CE/w ... ab947a7b03, which doesn't have this change either (again, because it was never merged). Maybe @radky applied that change manually? Now I wonder if F96-CE has more changes like this, which were not merged for a reason.


Re: F96-CE_1 with 6.0.12-FP Kernel Stable Release

Posted: Sat Feb 25, 2023 6:35 pm
by Overdrive5
dimkr wrote: Sat Feb 25, 2023 6:21 pm

@Overdrive5 This commit is in my woof-CE fork and wasn't merged into upstream woof-CE. It was an attempt to fix https://github.com/puppylinux-woof-CE/w ... ssues/2883, but it wasn't merged because it doesn't work.

The right file to patch is https://github.com/puppylinux-woof-CE/w ... irewall_ng, and it doesn't have that chmod 644.

Ahh!! OK!

I just went full circle on that. And was coming back here to get guidance with which repository to work on.
Thanks for the input!
OK Will do. I'll have it up shortly.


Re: F96-CE_1 with 6.0.12-FP Kernel Stable Release

Posted: Sat Feb 25, 2023 6:38 pm
by dimkr

Apply your changes in a fork of https://github.com/puppylinux-woof-CE/woof-CE, and submit a pull request to https://github.com/puppylinux-woof-CE/woof-CE, but not dimkr/woof-CE. That's where I do my development and test possibly dangerous/experimental things.

If unsure how to do this and how to test the changes, see these two:

https://github.com/puppylinux-woof-CE/w ... ibutor-101
https://github.com/puppylinux-woof-CE/w ... -on-GitHub


Re: F96-CE_1 with 6.0.12-FP Kernel Stable Release

Posted: Sat Feb 25, 2023 6:39 pm
by Overdrive5

OK, Got it.


Re: F96-CE_1 with 6.0.12-FP Kernel Stable Release

Posted: Sat Feb 25, 2023 6:47 pm
by Overdrive5

OK, PR posted. This is only the 3rd PR I have ever done and I still am not sure I am doing it right. Let me know either way if I need to change anything with it.


Re: F96-CE_1 with 6.0.12-FP Kernel Stable Release

Posted: Sun Feb 26, 2023 8:46 am
by greengeek

Trialling F96 version from the new webpage link.
Very nice. Will give this a good test.


Re: F96-CE_1 with 6.0.12-FP Kernel Stable Release

Posted: Mon Feb 27, 2023 6:39 am
by dimkr

I need help testing https://github.com/puppylinux-woof-CE/woof-CE/pull/3954, which should fix multiple issues with firewall_ng (inability to stop the firewall, inability to re-apply the settings, and disabled firewall that returns after reboot).

To apply this change to a running Puppy:

curl https://raw.githubusercontent.com/dimkr/woof-CE/bugfix/firewall-disable/woof-code/rootfs-packages/firewall_ng/usr/sbin/firewall_ng > /usr/sbin/firewall_ng
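
Added example (not part of the post above or of woof-CE): with `curl URL > file` the shell truncates the target before curl writes anything, and without `-f` an HTTP error page is written in place of the script. The sketch below stages the download, syntax-checks it, keeps a backup and swaps it in with a rename; it assumes the file is a shell script, and `install_staged`, `interp_of` and the sample files are hypothetical names.

```shell
#!/bin/sh
# Added example, not woof-CE code. On a running Puppy, with URL set to the
# raw.githubusercontent.com link from the post:
#   curl -fsSL -o /tmp/firewall_ng.new "$URL" &&
#       install_staged /tmp/firewall_ng.new /usr/sbin/firewall_ng

# Interpreter to syntax-check with: bash if the shebang names it, else sh.
interp_of() {
    case "$(head -n 1 "$1")" in
        '#!'*bash*) echo bash ;;
        *) echo sh ;;
    esac
}

# Validate a downloaded candidate, keep a backup, then replace the target by rename.
install_staged() {  # $1 = candidate file, $2 = installed path
    new=$1; dst=$2
    [ -s "$new" ] || { echo "rejected: empty file" >&2; return 1; }
    "$(interp_of "$new")" -n "$new" 2>/dev/null ||
        { echo "rejected: does not parse" >&2; return 1; }
    if [ -e "$dst" ]; then
        cp -p "$dst" "$dst.bak" || return 1      # previous version kept for rollback
    fi
    tmp="$dst.new.$$"
    # 755 so the installed tool stays executable; mv within one directory is a rename.
    cp "$new" "$tmp" && chmod 755 "$tmp" && mv -f "$tmp" "$dst"
}

# Demo on constructed files in a scratch directory (nothing under /usr is touched).
demo() {
    d=$(mktemp -d) || return 1
    printf '#!/bin/sh\necho old\n' > "$d/firewall_ng"      # constructed installed copy
    printf '#!/bin/sh\necho new\n' > "$d/good"             # constructed good download
    printf '#!/bin/sh\necho "cut off\n' > "$d/truncated"   # constructed partial download
    install_staged "$d/truncated" "$d/firewall_ng" 2>/dev/null ||
        echo "truncated download refused, installed copy untouched"
    install_staged "$d/good" "$d/firewall_ng" && sh "$d/firewall_ng"
    rm -rf "$d"
}
demo
```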


Re: F96-CE_1 with 6.0.12-FP Kernel Stable Release

Posted: Tue Feb 28, 2023 2:58 am
by radky
dimkr wrote: Mon Feb 27, 2023 6:39 am

I need help testing https://github.com/puppylinux-woof-CE/woof-CE/pull/3954, which should fix multiple issues with firewall_ng (inability to stop the firewall, inability to re-apply the settings, and disabled firewall that returns after reboot).

To apply this change to a running Puppy:

curl https://raw.githubusercontent.com/dimkr/woof-CE/bugfix/firewall-disable/woof-code/rootfs-packages/firewall_ng/usr/sbin/firewall_ng > /usr/sbin/firewall_ng

@dimkr

Testing https://github.com/puppylinux-woof-CE/woof-CE/pull/3954, I see the following:

Stopped the firewall (red icon) -> saved changes to drive -> rebooted -> firewall automatically on again (green icon), confirmed by iptables -L -n

Repeated the above -> same result -> firewall OFF status did not survive rebooting (automatically restarted after rebooting)

Maybe other forum members will also test to confirm.


Re: F96-CE_1 with 6.0.12-FP Kernel Stable Release

Posted: Tue Feb 28, 2023 5:56 am
by Overdrive5
dimkr wrote: Mon Feb 27, 2023 6:39 am

I need help testing https://github.com/puppylinux-woof-CE/woof-CE/pull/3954, which should fix multiple issues with firewall_ng (inability to stop the firewall, inability to re-apply the settings, and disabled firewall that returns after reboot).

To apply this change to a running Puppy:

curl https://raw.githubusercontent.com/dimkr/woof-CE/bugfix/firewall-disable/woof-code/rootfs-packages/firewall_ng/usr/sbin/firewall_ng > /usr/sbin/firewall_ng

Hi, I tried this new version after backing up the other version we hashed out on github and Accept/Cancel and Disable functions all now seem to work correctly.

However I lost my connectivity to my NAS.

/etc/init.d/rc.firewall now has a different Samba Client string:
New String:

Code:

# allow netbios name resolution for Samba client
$IPT -A udp_inbound -p UDP -s 1.1.1.1/24 --source-port 137 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT || $IPT -A udp_inbound -p UDP -s 1.1.1.1/24 --source-port 137 -m state --state NEW,ESTABLISHED -j ACCEPT

$IPT -A udp_inbound -p UDP -s 1.1.1.1/24 --source-port 138 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT || $IPT -A udp_inbound -p UDP -s 1.1.1.1/24 --source-port 138 -m state --state NEW,ESTABLISHED -j ACCEPT

$IPT -A tcp_inbound -p TCP -s 1.1.1.1/24 --source-port 139 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT || $IPT -A tcp_inbound -p TCP -s 1.1.1.1/24 --source-port 139 -m state --state NEW,ESTABLISHED -j ACCEPT

$IPT -A tcp_inbound -p TCP -s 1.1.1.1/24 --source-port 445 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT || $IPT -A tcp_inbound -p TCP -s 1.1.1.1/24 --source-port 445 -m state --state NEW,ESTABLISHED -j ACCEPT

Old String:

Code:

# allow netbios name resolution for Samba client
$IPT -A udp_inbound -p UDP -s 1.1.1.1/24 --source-port 137 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPT -A udp_inbound -p UDP -s 1.1.1.1/24 --source-port 138 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPT -A tcp_inbound -p TCP -s 1.1.1.1/24 --source-port 139 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPT -A tcp_inbound -p TCP -s 1.1.1.1/24 --source-port 445 -m state --state NEW,ESTABLISHED -j ACCEPT

Not sure what else has changed though. When I use the backed up version, samba client connectivity is restored.

Any ideas?


Re: F96-CE_1 with 6.0.12-FP Kernel Stable Release

Posted: Tue Feb 28, 2023 9:04 am
by dimkr

@Overdrive5 This change was requested by @radky because some kernel was built with CONFIG_NETFILTER_XT_MATCH_STATE=n. This change makes the firewall try ctstate and fall back to state if unsupported. AFAIK the two should be perfectly equivalent.
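
Added example (not dimkr's code and not taken from woof-CE): the ctstate-then-state fallback described above can also be decided once, by probing a scratch chain before any rule is added, so a kernel with neither match is reported up front. `IPT` mirrors the `$IPT` variable in rc.firewall; `fake_ipt`, `FAKE_MISSING`, `pick_state_match`, `samba_client_rules` and the 192.168.1.0/24 network are constructed for the example so that it runs without root.

```shell
#!/bin/sh
# Added example, not woof-CE code.

# Constructed stand-in for iptables: fails if the rule uses a match module listed
# in FAKE_MISSING, otherwise prints the rule it would have added.
fake_ipt() {
    for a in "$@"; do
        case " $FAKE_MISSING " in *" $a "*) return 2 ;; esac
    done
    printf '%s\n' "$*"
}

# Probe a scratch chain once and remember which connection-state match works.
# Sets STATE_MATCH; returns non-zero when neither conntrack nor state is usable.
pick_state_match() {
    probe="fwprobe$$"
    STATE_MATCH=""
    $IPT -N "$probe" >/dev/null 2>&1 || return 1
    if $IPT -A "$probe" -m conntrack --ctstate ESTABLISHED -j RETURN >/dev/null 2>&1; then
        STATE_MATCH="-m conntrack --ctstate"
    elif $IPT -A "$probe" -m state --state ESTABLISHED -j RETURN >/dev/null 2>&1; then
        STATE_MATCH="-m state --state"
    fi
    $IPT -F "$probe" >/dev/null 2>&1     # always remove the scratch chain
    $IPT -X "$probe" >/dev/null 2>&1
    [ -n "$STATE_MATCH" ]
}

# The four Samba client rules from the thread, written once with the chosen match.
samba_client_rules() {  # $1 = LAN in CIDR form
    for spec in "udp_inbound UDP 137" "udp_inbound UDP 138" \
                "tcp_inbound TCP 139" "tcp_inbound TCP 445"; do
        set -- "$1" $spec                # $2 = chain, $3 = protocol, $4 = source port
        $IPT -A "$2" -p "$3" -s "$1" --source-port "$4" \
            $STATE_MATCH NEW,ESTABLISHED -j ACCEPT || return 1
    done
}

# Demo: constructed case of a kernel built with CONFIG_NETFILTER_XT_MATCH_STATE=n.
IPT=fake_ipt
FAKE_MISSING="state"
if pick_state_match; then
    samba_client_rules 192.168.1.0/24
else
    echo "neither conntrack nor state match available; refusing to load rules" >&2
fi
```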


Re: F96-CE_1 with 6.0.12-FP Kernel Stable Release

Posted: Tue Feb 28, 2023 12:34 pm
by MochiMoppel

@rockedge
Is ImageMagick properly installed?
I assumed so as there are quite a lot of related files

Code:

/usr/share/ImageMagick-6
/usr/share/bug/imagemagick-6-common
/usr/share/bug/libmagick++-6.q16-8
/usr/share/bug/libmagickcore-6.q16-6
/usr/share/bug/libmagickwand-6.q16-6
/usr/share/doc/imagemagick-6-common
/usr/share/doc/libmagick++-6.q16-8
/usr/share/doc/libmagickcore-6.q16-6
/usr/share/doc/libmagickwand-6.q16-6
/usr/share/cups/ppdc/imagemagick.defs
/usr/lib/x86_64-linux-gnu/ImageMagick-6.9.10
/usr/lib/x86_64-linux-gnu/ImageMagick-6.9.10/modules-Q16/coders/magick.la
/usr/lib/x86_64-linux-gnu/ImageMagick-6.9.10/modules-Q16/coders/magick.so
/usr/lib/x86_64-linux-gnu/libMagick++-6.Q16.so.8
/usr/lib/x86_64-linux-gnu/libMagick++-6.Q16.so.8.0.0
/usr/lib/x86_64-linux-gnu/libMagickCore-6.Q16.so.6
/usr/lib/x86_64-linux-gnu/libMagickCore-6.Q16.so.6.0.0
/usr/lib/x86_64-linux-gnu/libMagickWand-6.Q16.so.6
/usr/lib/x86_64-linux-gnu/libMagickWand-6.Q16.so.6.0.0

What I can't find are the program files, e.g. convert


Re: F96-CE_1 with 6.0.12-FP Kernel Stable Release

Posted: Tue Feb 28, 2023 1:17 pm
by rockedge
MochiMoppel wrote:

What I can't find are the program files, e.g. convert

We'll take a look at the ImageMagick installation and if at this time only parts that are dependencies of other packages are installed or if it's a faulty setup, it will be addressed.


Re: F96-CE_1 with 6.0.12-FP Kernel Stable Release

Posted: Tue Feb 28, 2023 1:42 pm
by dimkr
Overdrive5 wrote: Tue Feb 28, 2023 5:56 am

Any ideas?

What does /etc/init.d/rc.firewall stop;/etc/init.d/rc.firewall start say when you run it in the terminal?


Re: F96-CE_1 with 6.0.12-FP Kernel Stable Release

Posted: Tue Feb 28, 2023 7:54 pm
by Overdrive5
dimkr wrote: Tue Feb 28, 2023 1:42 pm
Overdrive5 wrote: Tue Feb 28, 2023 5:56 am

Any ideas?

What does /etc/init.d/rc.firewall stop;/etc/init.d/rc.firewall start say when you run it in the terminal?

Here ya go..

Code:

# /etc/init.d/rc.firewall stop;/etc/init.d/rc.firewall start
Loading kernel modules ...
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.secure_redirects = 1
net.ipv4.conf.all.log_martians = 1
Flushing Tables ...
ip6tables v1.8.4 (legacy): can't initialize ip6tables table `filter': Address family not supported by protocol
Perhaps ip6tables or your kernel needs to be upgraded.
ip6tables v1.8.4 (legacy): can't initialize ip6tables table `filter': Address family not supported by protocol
Perhaps ip6tables or your kernel needs to be upgraded.
ip6tables v1.8.4 (legacy): can't initialize ip6tables table `filter': Address family not supported by protocol
Perhaps ip6tables or your kernel needs to be upgraded.
ip6tables v1.8.4 (legacy): can't initialize ip6tables table `nat': Address family not supported by protocol
Perhaps ip6tables or your kernel needs to be upgraded.
ip6tables v1.8.4 (legacy): can't initialize ip6tables table `nat': Address family not supported by protocol
Perhaps ip6tables or your kernel needs to be upgraded.
ip6tables v1.8.4 (legacy): can't initialize ip6tables table `nat': Address family not supported by protocol
Perhaps ip6tables or your kernel needs to be upgraded.
ip6tables v1.8.4 (legacy): can't initialize ip6tables table `mangle': Address family not supported by protocol
Perhaps ip6tables or your kernel needs to be upgraded.
ip6tables v1.8.4 (legacy): can't initialize ip6tables table `mangle': Address family not supported by protocol
Perhaps ip6tables or your kernel needs to be upgraded.
ip6tables v1.8.4 (legacy): can't initialize ip6tables table `filter': Address family not supported by protocol
Perhaps ip6tables or your kernel needs to be upgraded.
ip6tables v1.8.4 (legacy): can't initialize ip6tables table `nat': Address family not supported by protocol
Perhaps ip6tables or your kernel needs to be upgraded.
ip6tables v1.8.4 (legacy): can't initialize ip6tables table `mangle': Address family not supported by protocol
Perhaps ip6tables or your kernel needs to be upgraded.
ip6tables v1.8.4 (legacy): can't initialize ip6tables table `filter': Address family not supported by protocol
Perhaps ip6tables or your kernel needs to be upgraded.
ip6tables v1.8.4 (legacy): can't initialize ip6tables table `nat': Address family not supported by protocol
Perhaps ip6tables or your kernel needs to be upgraded.
ip6tables v1.8.4 (legacy): can't initialize ip6tables table `mangle': Address family not supported by protocol
Perhaps ip6tables or your kernel needs to be upgraded.
Firewall completely flushed!  Now running with no firewall.
Loading kernel modules ...
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.secure_redirects = 1
net.ipv4.conf.all.log_martians = 1
Flushing Tables ...
ip6tables v1.8.4 (legacy): can't initialize ip6tables table `filter': Address family not supported by protocol
Perhaps ip6tables or your kernel needs to be upgraded.
ip6tables v1.8.4 (legacy): can't initialize ip6tables table `filter': Address family not supported by protocol
Perhaps ip6tables or your kernel needs to be upgraded.
ip6tables v1.8.4 (legacy): can't initialize ip6tables table `filter': Address family not supported by protocol
Perhaps ip6tables or your kernel needs to be upgraded.
ip6tables v1.8.4 (legacy): can't initialize ip6tables table `nat': Address family not supported by protocol
Perhaps ip6tables or your kernel needs to be upgraded.
ip6tables v1.8.4 (legacy): can't initialize ip6tables table `nat': Address family not supported by protocol
Perhaps ip6tables or your kernel needs to be upgraded.
ip6tables v1.8.4 (legacy): can't initialize ip6tables table `nat': Address family not supported by protocol
Perhaps ip6tables or your kernel needs to be upgraded.
ip6tables v1.8.4 (legacy): can't initialize ip6tables table `mangle': Address family not supported by protocol
Perhaps ip6tables or your kernel needs to be upgraded.
ip6tables v1.8.4 (legacy): can't initialize ip6tables table `mangle': Address family not supported by protocol
Perhaps ip6tables or your kernel needs to be upgraded.
ip6tables v1.8.4 (legacy): can't initialize ip6tables table `filter': Address family not supported by protocol
Perhaps ip6tables or your kernel needs to be upgraded.
ip6tables v1.8.4 (legacy): can't initialize ip6tables table `nat': Address family not supported by protocol
Perhaps ip6tables or your kernel needs to be upgraded.
ip6tables v1.8.4 (legacy): can't initialize ip6tables table `mangle': Address family not supported by protocol
Perhaps ip6tables or your kernel needs to be upgraded.
ip6tables v1.8.4 (legacy): can't initialize ip6tables table `filter': Address family not supported by protocol
Perhaps ip6tables or your kernel needs to be upgraded.
ip6tables v1.8.4 (legacy): can't initialize ip6tables table `nat': Address family not supported by protocol
Perhaps ip6tables or your kernel needs to be upgraded.
ip6tables v1.8.4 (legacy): can't initialize ip6tables table `mangle': Address family not supported by protocol
Perhaps ip6tables or your kernel needs to be upgraded.
ip6tables v1.8.4 (legacy): can't initialize ip6tables table `filter': Address family not supported by protocol
Perhaps ip6tables or your kernel needs to be upgraded.
ip6tables v1.8.4 (legacy): can't initialize ip6tables table `filter': Address family not supported by protocol
Perhaps ip6tables or your kernel needs to be upgraded.
ip6tables v1.8.4 (legacy): can't initialize ip6tables table `filter': Address family not supported by protocol
Perhaps ip6tables or your kernel needs to be upgraded.
Create and populate custom rule chains ...
ip6tables v1.8.4 (legacy): can't initialize ip6tables table `filter': Address family not supported by protocol
Perhaps ip6tables or your kernel needs to be upgraded.
ip6tables v1.8.4 (legacy): can't initialize ip6tables table `filter': Address family not supported by protocol
Perhaps ip6tables or your kernel needs to be upgraded.
ip6tables v1.8.4 (legacy): can't initialize ip6tables table `filter': Address family not supported by protocol
Perhaps ip6tables or your kernel needs to be upgraded.
ip6tables v1.8.4 (legacy): can't initialize ip6tables table `filter': Address family not supported by protocol
Perhaps ip6tables or your kernel needs to be upgraded.
Could not open socket to kernel: Address family not supported by protocol
ip6tables v1.8.4 (legacy): can't initialize ip6tables table `filter': Address family not supported by protocol
Perhaps ip6tables or your kernel needs to be upgraded.
ip6tables v1.8.4 (legacy): can't initialize ip6tables table `filter': Address family not supported by protocol
Perhaps ip6tables or your kernel needs to be upgraded.
Could not open socket to kernel: Address family not supported by protocol
Could not open socket to kernel: Address family not supported by protocol
Could not open socket to kernel: Address family not supported by protocol
Could not open socket to kernel: Address family not supported by protocol
Could not open socket to kernel: Address family not supported by protocol
Could not open socket to kernel: Address family not supported by protocol
Could not open socket to kernel: Address family not supported by protocol
ip6tables v1.8.4 (legacy): can't initialize ip6tables table `filter': Address family not supported by protocol
Perhaps ip6tables or your kernel needs to be upgraded.
Could not open socket to kernel: Address family not supported by protocol
Could not open socket to kernel: Address family not supported by protocol
Could not open socket to kernel: Address family not supported by protocol
ip6tables v1.8.4 (legacy): can't initialize ip6tables table `filter': Address family not supported by protocol
Perhaps ip6tables or your kernel needs to be upgraded.
ip6tables v1.8.4 (legacy): can't initialize ip6tables table `filter': Address family not supported by protocol
Perhaps ip6tables or your kernel needs to be upgraded.
ip6tables v1.8.4 (legacy): can't initialize ip6tables table `filter': Address family not supported by protocol
Perhaps ip6tables or your kernel needs to be upgraded.
Process INPUT chain ...
ip6tables v1.8.4 (legacy): can't initialize ip6tables table `filter': Address family not supported by protocol
Perhaps ip6tables or your kernel needs to be upgraded.
ip6tables v1.8.4 (legacy): can't initialize ip6tables table `filter': Address family not supported by protocol
Perhaps ip6tables or your kernel needs to be upgraded.
Could not open socket to kernel: Address family not supported by protocol
ip6tables v1.8.4 (legacy): can't initialize ip6tables table `filter': Address family not supported by protocol
Perhaps ip6tables or your kernel needs to be upgraded.
ip6tables v1.8.4 (legacy): can't initialize ip6tables table `filter': Address family not supported by protocol
Perhaps ip6tables or your kernel needs to be upgraded.
Could not open socket to kernel: Address family not supported by protocol
Process FORWARD chain ...
Process OUTPUT chain ...
Could not open socket to kernel: Address family not supported by protocol
ip6tables v1.8.4 (legacy): can't initialize ip6tables table `filter': Address family not supported by protocol
Perhaps ip6tables or your kernel needs to be upgraded.
ip6tables v1.8.4 (legacy): can't initialize ip6tables table `filter': Address family not supported by protocol
Perhaps ip6tables or your kernel needs to be upgraded.
ip6tables v1.8.4 (legacy): can't initialize ip6tables table `filter': Address family not supported by protocol
Perhaps ip6tables or your kernel needs to be upgraded.
Load rules for nat table ...
Load rules for mangle table ...
# 

I can get rid of a lot of the ipv6 errors if I modprobe ipv6. Still not sure if I need ipv6 at the moment though.


Re: F96-CE_1 with 6.0.12-FP Kernel Stable Release

Posted: Tue Feb 28, 2023 7:58 pm
by Overdrive5

Here is the same thing with ipv6 loaded:

Code:

# modprobe ipv6
# /etc/init.d/rc.firewall stop;/etc/init.d/rc.firewall start
Loading kernel modules ...
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.secure_redirects = 1
net.ipv4.conf.all.log_martians = 1
Flushing Tables ...
ip6tables v1.8.4 (legacy): can't initialize ip6tables table `nat': Table does not exist (do you need to insmod?)
Perhaps ip6tables or your kernel needs to be upgraded.
ip6tables v1.8.4 (legacy): can't initialize ip6tables table `nat': Table does not exist (do you need to insmod?)
Perhaps ip6tables or your kernel needs to be upgraded.
ip6tables v1.8.4 (legacy): can't initialize ip6tables table `nat': Table does not exist (do you need to insmod?)
Perhaps ip6tables or your kernel needs to be upgraded.
ip6tables v1.8.4 (legacy): can't initialize ip6tables table `nat': Table does not exist (do you need to insmod?)
Perhaps ip6tables or your kernel needs to be upgraded.
ip6tables v1.8.4 (legacy): can't initialize ip6tables table `nat': Table does not exist (do you need to insmod?)
Perhaps ip6tables or your kernel needs to be upgraded.
Firewall completely flushed!  Now running with no firewall.
Loading kernel modules ...
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.secure_redirects = 1
net.ipv4.conf.all.log_martians = 1
Flushing Tables ...
ip6tables v1.8.4 (legacy): can't initialize ip6tables table `nat': Table does not exist (do you need to insmod?)
Perhaps ip6tables or your kernel needs to be upgraded.
ip6tables v1.8.4 (legacy): can't initialize ip6tables table `nat': Table does not exist (do you need to insmod?)
Perhaps ip6tables or your kernel needs to be upgraded.
ip6tables v1.8.4 (legacy): can't initialize ip6tables table `nat': Table does not exist (do you need to insmod?)
Perhaps ip6tables or your kernel needs to be upgraded.
ip6tables v1.8.4 (legacy): can't initialize ip6tables table `nat': Table does not exist (do you need to insmod?)
Perhaps ip6tables or your kernel needs to be upgraded.
ip6tables v1.8.4 (legacy): can't initialize ip6tables table `nat': Table does not exist (do you need to insmod?)
Perhaps ip6tables or your kernel needs to be upgraded.
Create and populate custom rule chains ...
Process INPUT chain ...
Process FORWARD chain ...
Process OUTPUT chain ...
Load rules for nat table ...
Load rules for mangle table ...
# 

Re: F96-CE_1 with 6.0.12-FP Kernel Stable Release

Posted: Tue Feb 28, 2023 8:19 pm
by radky
Overdrive5 wrote: Tue Feb 28, 2023 7:54 pm

I can get rid of a lot of the ipv6 errors if I modprobe ipv6. Still not sure if I need ipv6 at the moment though.

Overdrive5

In the upcoming F96-CE_2, the 6.0.12 kernel is updated to support ipv6 (no errors for ip6tables)


Re: F96-CE_1 with 6.0.12-FP Kernel Stable Release

Posted: Tue Feb 28, 2023 10:29 pm
by Overdrive5
radky wrote: Tue Feb 28, 2023 8:19 pm
Overdrive5 wrote: Tue Feb 28, 2023 7:54 pm

I can get rid of a lot of the ipv6 errors if I modprobe ipv6. Still not sure if I need ipv6 at the moment though.

Overdrive5

In the upcoming F96-CE_2, the 6.0.12 kernel is updated to support ipv6 (no errors for ip6tables)

OK, Understood.

Still trying to figure out if I need ipv6 for the house.

Well.. maybe sometime in the future.


Re: F96-CE_1 with 6.0.12-FP Kernel Stable Release

Posted: Tue Feb 28, 2023 10:39 pm
by Overdrive5
dimkr wrote: Tue Feb 28, 2023 1:42 pm
Overdrive5 wrote: Tue Feb 28, 2023 5:56 am

Any ideas?

What does /etc/init.d/rc.firewall stop;/etc/init.d/rc.firewall start say when you run it in the terminal?

Standby, I ran this test with the version that we hashed out that *does* connect to samba. I'll rerun it with the new version in a sec.


Re: F96-CE_1 with 6.0.12-FP Kernel Stable Release

Posted: Tue Feb 28, 2023 10:42 pm
by Overdrive5

Code:

# /etc/init.d/rc.firewall stop;/etc/init.d/rc.firewall start
Loading kernel modules ...
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.secure_redirects = 1
net.ipv4.conf.all.log_martians = 1
Flushing Tables ...
ip6tables v1.8.4 (legacy): can't initialize ip6tables table `nat': Table does not exist (do you need to insmod?)
Perhaps ip6tables or your kernel needs to be upgraded.
ip6tables v1.8.4 (legacy): can't initialize ip6tables table `nat': Table does not exist (do you need to insmod?)
Perhaps ip6tables or your kernel needs to be upgraded.
ip6tables v1.8.4 (legacy): can't initialize ip6tables table `nat': Table does not exist (do you need to insmod?)
Perhaps ip6tables or your kernel needs to be upgraded.
ip6tables v1.8.4 (legacy): can't initialize ip6tables table `nat': Table does not exist (do you need to insmod?)
Perhaps ip6tables or your kernel needs to be upgraded.
ip6tables v1.8.4 (legacy): can't initialize ip6tables table `nat': Table does not exist (do you need to insmod?)
Perhaps ip6tables or your kernel needs to be upgraded.
Firewall completely flushed!  Now running with no firewall.
Loading kernel modules ...
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.secure_redirects = 1
net.ipv4.conf.all.log_martians = 1
Flushing Tables ...
ip6tables v1.8.4 (legacy): can't initialize ip6tables table `nat': Table does not exist (do you need to insmod?)
Perhaps ip6tables or your kernel needs to be upgraded.
ip6tables v1.8.4 (legacy): can't initialize ip6tables table `nat': Table does not exist (do you need to insmod?)
Perhaps ip6tables or your kernel needs to be upgraded.
ip6tables v1.8.4 (legacy): can't initialize ip6tables table `nat': Table does not exist (do you need to insmod?)
Perhaps ip6tables or your kernel needs to be upgraded.
ip6tables v1.8.4 (legacy): can't initialize ip6tables table `nat': Table does not exist (do you need to insmod?)
Perhaps ip6tables or your kernel needs to be upgraded.
ip6tables v1.8.4 (legacy): can't initialize ip6tables table `nat': Table does not exist (do you need to insmod?)
Perhaps ip6tables or your kernel needs to be upgraded.
Create and populate custom rule chains ...
Process INPUT chain ...
Process FORWARD chain ...
Process OUTPUT chain ...
Load rules for nat table ...
Load rules for mangle table ...
# 

This is with ipv6 still loaded.


Re: F96-CE_1 with 6.0.12-FP Kernel Stable Release

Posted: Wed Mar 01, 2023 7:24 am
by dimkr

The kernel needs to be rebuilt with CONFIG_IP6_NF_NAT=y to silence these errors. IPv6 support is important, because most devices (and OSs) these days support IPv6 and it's enabled by default. If you have a working firewall that only supports IPv4, you're exposed to threats from other devices that speak IPv6.

(Until https://github.com/puppylinux-woof-CE/woof-CE/pull/2892 (every Puppy built a year+ ago), Puppy's firewall had no IPv6 support, leaving computers fully exposed to other computers in the LAN if the attacker uses IPv6 and not IPv4.)
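
Added example (not part of dimkr's post or of woof-CE): a check for the situation described above, where the IPv4 INPUT chain is filtered while the machine also has IPv6 addresses and nothing filters them. It reads saved `iptables -S` / `ip6tables -S` output plus a copy of `/proc/net/if_inet6`; the function names, the sample dumps and the "policy ACCEPT with no INPUT rules means unfiltered" heuristic are assumptions of the example.

```shell
#!/bin/sh
# Added example, not woof-CE code. Live inputs:
#   iptables -S > v4.txt; ip6tables -S > v6.txt 2>/dev/null
#   cp /proc/net/if_inet6 if6.txt 2>/dev/null   # absent when the ipv6 module is not loaded

# Print "<policy> <rule count>" for the INPUT chain of an `iptables -S` dump.
input_summary() {
    [ -s "$1" ] || { echo "NONE 0"; return; }    # empty dump: ip6tables could not list
    awk '$1 == "-P" && $2 == "INPUT" { policy = $3 }
         $1 == "-A" && $2 == "INPUT" { rules++ }
         END { printf "%s %d\n", (policy == "" ? "NONE" : policy), rules }' "$1"
}

# Heuristic: INPUT is unfiltered when its policy is ACCEPT (or unknown) with no rules.
unfiltered() {
    case "$(input_summary "$1")" in
        "ACCEPT 0"|"NONE 0") return 0 ;;
        *) return 1 ;;
    esac
}

# Count IPv6 addresses on non-loopback interfaces.
# /proc/net/if_inet6 columns: address ifindex prefixlen scope flags device
v6_addr_count() {
    [ -f "$1" ] || { echo 0; return; }
    awk 'NF >= 6 && $6 != "lo" { n++ } END { print n + 0 }' "$1"
}

# Verdict: no-ipv6 (nothing to reach), ok (IPv6 filtered), open (no firewall on
# either family), gap (IPv4 filtered, IPv6 reachable and unfiltered).
ipv6_verdict() {  # $1 = v4 dump, $2 = v6 dump, $3 = if_inet6 copy
    if [ "$(v6_addr_count "$3")" -eq 0 ]; then echo no-ipv6
    elif ! unfiltered "$2"; then echo ok
    elif unfiltered "$1"; then echo open
    else echo gap
    fi
}

# Constructed sample data; chain names follow the rc.firewall rules quoted in the thread.
make_samples() {  # $1 = directory to write into
    cat > "$1/v4.txt" <<'EOF'
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
-N tcp_inbound
-N udp_inbound
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -j tcp_inbound
-A INPUT -p udp -j udp_inbound
-A udp_inbound -s 192.168.1.0/24 -p udp -m udp --sport 137 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
EOF
    cat > "$1/v6_open.txt" <<'EOF'
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
EOF
    cat > "$1/if6.txt" <<'EOF'
00000000000000000000000000000001 01 80 10 80       lo
fe80000000000000021122fffe334455 02 40 20 80     eth0
EOF
}

demo() {
    d=$(mktemp -d) || return 1
    make_samples "$d"
    echo "IPv4 INPUT: $(input_summary "$d/v4.txt")"
    echo "IPv6 INPUT: $(input_summary "$d/v6_open.txt")"
    echo "verdict:    $(ipv6_verdict "$d/v4.txt" "$d/v6_open.txt" "$d/if6.txt")"
    rm -rf "$d"
}
demo
```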


Re: F96-CE_1 with 6.0.12-FP Kernel Stable Release

Posted: Wed Mar 01, 2023 3:22 pm
by radky
dimkr wrote: Wed Mar 01, 2023 7:24 am

The kernel needs to be rebuilt with CONFIG_IP6_NF_NAT=y to silence these errors. ...

This config is included in the updated kernel 6.0.12 of the upcoming F96-CE_2.


Re: F96-CE_1 with 6.0.12-FP Kernel Stable Release

Posted: Thu Mar 02, 2023 2:39 pm
by radky
MochiMoppel wrote: Tue Feb 28, 2023 12:34 pm

@rockedge
Is ImageMagick properly installed?
...
What I can't find are the program files, e.g. convert

@MochiMoppel

F96-CE does not have a full install of ImageMagick, only a few imagemagick libs which are dependencies of Inkscape.

Thanks for the question.


Re: F96-CE_1 with 6.0.12-FP Kernel Stable Release

Posted: Fri Mar 03, 2023 6:15 am
by Geek3579
radky wrote: Thu Mar 02, 2023 2:39 pm
MochiMoppel wrote: Tue Feb 28, 2023 12:34 pm

@rockedge
Is ImageMagick properly installed?
...
What I can't find are the program files, e.g. convert

@MochiMoppel

F96-CE does not have a full install of ImageMagick, only a few imagemagick libs which are dependencies of Inkscape.

Thanks for the question.

I have not tried IM in FP-96, but in Fossapup64-95 I have had to add graphicsmagick-imagemagick-compat from the Package Manager.

While this runs MOST commands, it will not run Fred's IM scripts, which are brilliant, BTW ! For such scripts I use dpupbuster64 OS.

If I want to stay using Fossapup64-95 I run a base version of debdogbullseye in a VM such as QEMU. A bit of a workaround, but the debiandog is quite lite and runs almost as fast as the host OS in processing IM commands. All files transferred to and from the VM using pureftpd (host) and gftp (VM).


Re: F96-CE_1 with 6.0.12-FP Kernel Stable Release

Posted: Fri Mar 03, 2023 10:45 am
by Overdrive5
dimkr wrote: Tue Feb 28, 2023 1:42 pm
Overdrive5 wrote: Tue Feb 28, 2023 5:56 am

Any ideas?

What does /etc/init.d/rc.firewall stop;/etc/init.d/rc.firewall start say when you run it in the terminal?

New Problem,

Tried setting up cups for my wifi printer and it refused to print until I reverted back to the original firewall_ng (with or without my original mods).

Had cups and samba client active on all three versions.

Update: Just observed CE_2 is out. I'll give that a shot.


Re: F96-CE_1 with 6.0.12-FP Kernel Stable Release

Posted: Sat Mar 11, 2023 6:54 pm
by CatPup

Overall it's an awesome improvement on FossaPup 9.5, which felt somewhat clunky to use.

Two things to improve for later versions:

- Nvidia drivers install in Quickpet should be brought back, as I found it very messy to install the drivers provided by Nvidia, where it required some modprobe tampering in the Xorg setup to replace the Nouveau driver.

- Some of the "portable" web browsers linked in Quickpet are just not working out of the box. Bringing back the Quickpet-based installs could help, even if I understand it seems hard to update to the more recent versions of these browsers.