Need help on firewalld

I have adjusted my firewalld. After the last update, a pacnew file was added and I merged them. Now firewalld no longer works as desired.
Is someone able to help me to fix this?

➜  sudo systemctl status firewalld
[sudo] Passwort für swh: 
● firewalld.service - firewalld - dynamic firewall daemon
     Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; preset: disabled)
     Active: active (running) since Fri 2024-07-19 14:13:22 CEST; 2min 35s ago
 Invocation: 624f52867fac45ddb43356f76603a30f
       Docs: man:firewalld(1)
   Main PID: 792 (firewalld)
      Tasks: 2 (limit: 18940)
     Memory: 61.9M (peak: 61.9M)
        CPU: 267ms
     CGroup: /system.slice/firewalld.service
             └─792 /usr/bin/python /usr/bin/firewalld --nofork --nopid

Jul 19 14:13:22 ryzen systemd[1]: Starting firewalld - dynamic firewall daemon...
Jul 19 14:13:22 ryzen systemd[1]: Started firewalld - dynamic firewall daemon.
Jul 19 14:13:25 ryzen firewalld[792]: ERROR: 'python-nftables' failed: internal:0:0-0: Error: Could not process rule: Datei o>
                                      
                                      internal:0:0-0: Error: Could not process rule: Datei oder Verzeichnis nicht gefunden
                                      
                                      internal:0:0-0: Error: Could not process rule: Datei oder Verzeichnis nicht gefunden
                                      
                                      internal:0:0-0: Error: Could not process rule: Datei oder Verzeichnis nicht gefunden
                                      
                                      
                                      JSON blob:
                                      {"nftables": [{"metainfo": {"json_schema_version": 1}}, {"add": {"rule": {"family": "in>
Jul 19 14:13:25 ryzen firewalld[792]: ERROR: COMMAND_FAILED: 'python-nftables' failed: internal:0:0-0: Error: Could not proce>
                                      
                                      internal:0:0-0: Error: Could not process rule: Datei oder Verzeichnis nicht gefunden
                                      
                                      internal:0:0-0: Error: Could not process rule: Datei oder Verzeichnis nicht gefunden
                                      
                                      internal:0:0-0: Error: Could not process rule: Datei oder Verzeichnis nicht gefunden
                                      
                                      
                                      JSON blob:
                                      {"nftables": [{"metainfo": {"json_schema_version": 1}}, {"add": {"rule": {"family": "in>

I don’t understand the internal error. I don’t know what it means.
As soon as I check ‘activate shields’ in the applet in the systray, all internet access is blocked with an error message.

Datei oder Verzeichnis nicht gefunden means File or directory not found.
Somehow I must have messed something up badly.


Last time I merged a file, some merge artifacts were added: special characters, things like ^^^^^merge, and other lines that were added during the merge. This was with my mirrorlist; after I removed those I had a working mirrorlist again. I’m guessing this could be the case for your firewall configuration file as well.


This is my firewalld.conf

# firewalld config file

# default zone
# The default zone used if an empty zone string is used.
# Default: public
DefaultZone=public

# Clean up on exit
# If set to no or false the firewall configuration will not get cleaned up
# on exit or stop of firewalld.
# Default: yes
CleanupOnExit=yes

# Clean up kernel modules on exit
# If set to yes or true the firewall related kernel modules will be
# unloaded on exit or stop of firewalld. This might attempt to unload
# modules not originally loaded by firewalld.
# Default: no
CleanupModulesOnExit=no

# Lockdown
# If set to enabled, firewall changes with the D-Bus interface will be limited
# to applications that are listed in the lockdown whitelist.
# The lockdown whitelist file is lockdown-whitelist.xml
# Default: no
Lockdown=no

# IPv6_rpfilter
# Performs a reverse path filter test on a packet for IPv6. If a reply to the
# packet would be sent via the same interface that the packet arrived on, the
# packet will match and be accepted, otherwise dropped.
# The rp_filter for IPv4 is controlled using sysctl.
# Note: This feature has a performance impact. See man page FIREWALLD.CONF(5)
# for details.
# Default: yes
IPv6_rpfilter=yes

# IndividualCalls
# Do not use combined -restore calls, but individual calls. This increases the
# time that is needed to apply changes and to start the daemon, but is good for
# debugging.
# Default: no
IndividualCalls=no

# LogDenied
# Add logging rules right before reject and drop rules in the INPUT, FORWARD
# and OUTPUT chains for the default rules and also final reject and drop rules
# in zones. Possible values are: all, unicast, broadcast, multicast and off.
# Default: off
LogDenied=off

# FirewallBackend
# Selects the firewall backend implementation.
# Choices are:
#	- nftables (default)
#	- iptables (iptables, ip6tables, ebtables and ipset)
# Note: The iptables backend is deprecated. It will be removed in a future
# release.
FirewallBackend=nftables

# FlushAllOnReload
# Flush all runtime rules on a reload. In previous releases some runtime
# configuration was retained during a reload, namely; interface to zone
# assignment, and direct rules. This was confusing to users. To get the old
# behavior set this to "no".
# Default: yes
FlushAllOnReload=yes

# ReloadPolicy
# Policy during reload. By default all traffic except for established
# connections is dropped while the rules are updated. Set to "DROP", "REJECT"
# or "ACCEPT". Alternatively, specify it per table, like
# "OUTPUT:ACCEPT,INPUT:DROP,FORWARD:REJECT".
# Default: ReloadPolicy=INPUT:DROP,FORWARD:DROP,OUTPUT:DROP
ReloadPolicy=INPUT:DROP,FORWARD:DROP,OUTPUT:DROP

# RFC3964_IPv4
# As per RFC 3964, filter IPv6 traffic with 6to4 destination addresses that
# correspond to IPv4 addresses that should not be routed over the public
# internet.
# Defaults to "yes".
RFC3964_IPv4=yes

# NftablesFlowtable
# This may improve forwarded traffic throughput by enabling nftables flowtable.
# It is a software fastpath and avoids calling nftables rule evaluation for
# data packets. This only works for TCP and UDP traffic.
# The value is a space separated list of interfaces.
# Example value "eth0 eth1".
# Defaults to "off".
NftablesFlowtable=off

# NftablesCounters
# If set to yes, add a counter to every nftables rule. This is useful for
# debugging and comes with a small performance cost.
# Defaults to "no".
NftablesCounters=no

It seems OK

This is the error when I activate firewalld via the firewalld applet in the systray

COMMAND_FAILED: 'python-nftables' failed: internal:0:0-0: Error: Could not process rule: Datei oder Verzeichnis nicht gefunden

internal:0:0-0: Error: Could not process rule: Datei oder Verzeichnis nicht gefunden

internal:0:0-0: Error: Could not process rule: Datei oder Verzeichnis nicht gefunden

internal:0:0-0: Error: Could not process rule: Datei oder Verzeichnis nicht gefunden

internal:0:0-0: Error: Could not process rule: Datei oder Verzeichnis nicht gefunden

internal:0:0-0: Error: Could not process rule: Datei oder Verzeichnis nicht gefunden

internal:0:0-0: Error: Could not process rule: Datei oder Verzeichnis nicht gefunden

internal:0:0-0: Error: Could not process rule: Datei oder Verzeichnis nicht gefunden

internal:0:0-0: Error: Could not process rule: Datei oder Verzeichnis nicht gefunden

internal:0:0-0: Error: Could not process rule: Datei oder Verzeichnis nicht gefunden

internal:0:0-0: Error: Could not process rule: Datei oder Verzeichnis nicht gefunden

internal:0:0-0: Error: Could not process rule: Datei oder Verzeichnis nicht gefunden

internal:0:0-0: Error: Could not process rule: Datei oder Verzeichnis nicht gefunden

internal:0:0-0: Error: Could not process rule: Datei oder Verzeichnis nicht gefunden

internal:0:0-0: Error: Could not process rule: Datei oder Verzeichnis nicht gefunden

internal:0:0-0: Error: Could not process rule: Datei oder

As soon as I activate it, my default zone is set to block

Here’s mine as a comparison.

# firewalld config file

# default zone
# The default zone used if an empty zone string is used.
# Default: public
DefaultZone=public

# Clean up on exit
# If set to no or false the firewall configuration will not get cleaned up
# on exit or stop of firewalld.
# Default: yes
CleanupOnExit=yes

# Clean up kernel modules on exit
# If set to yes or true the firewall related kernel modules will be
# unloaded on exit or stop of firewalld. This might attempt to unload
# modules not originally loaded by firewalld.
# Default: no
CleanupModulesOnExit=no

# IPv6_rpfilter
# Performs reverse path filtering (RPF) on IPv6 packets as per RFC 3704.
# Possible values:
#   - strict: Performs "strict" filtering as per RFC 3704. This check
#             verifies that the in ingress interface is the same interface
#             that would be used to send a packet reply to the source. That
#             is, ingress == egress.      
#   - loose: Performs "loose" filtering as per RFC 3704. This check only
#            verifies that there is a route back to the source through any
#            interface; even if it's not the same one on which the packet
#            arrived.
#   - strict-forward: This is almost identical to "strict", but does not perform
#                     RPF for packets targeted to the host (INPUT).
#   - loose-forward: This is almost identical to "loose", but does not perform
#                    RPF for packets targeted to the host (INPUT).
#   - no: RPF is completely disabled.
#
# The rp_filter for IPv4 is controlled using sysctl.
# Note: This feature has a performance impact. See man page FIREWALLD.CONF(5)
# for details.
# Default: strict
IPv6_rpfilter=strict

# IndividualCalls
# Do not use combined -restore calls, but individual calls. This increases the
# time that is needed to apply changes and to start the daemon, but is good for
# debugging.
# Default: no
IndividualCalls=no

# LogDenied
# Add logging rules right before reject and drop rules in the INPUT, FORWARD
# and OUTPUT chains for the default rules and also final reject and drop rules
# in zones. Possible values are: all, unicast, broadcast, multicast and off.
# Default: off
LogDenied=off

# FirewallBackend
# Selects the firewall backend implementation.
# Choices are:
#	- nftables (default)
#	- iptables (iptables, ip6tables, ebtables and ipset)
# Note: The iptables backend is deprecated. It will be removed in a future
# release.
FirewallBackend=nftables

# FlushAllOnReload
# Flush all runtime rules on a reload. In previous releases some runtime
# configuration was retained during a reload, namely; interface to zone
# assignment, and direct rules. This was confusing to users. To get the old
# behavior set this to "no".
# Default: yes
FlushAllOnReload=yes

# ReloadPolicy
# Policy during reload. By default all traffic except for established
# connections is dropped while the rules are updated. Set to "DROP", "REJECT"
# or "ACCEPT". Alternatively, specify it per table, like
# "OUTPUT:ACCEPT,INPUT:DROP,FORWARD:REJECT".
# Default: ReloadPolicy=INPUT:DROP,FORWARD:DROP,OUTPUT:DROP
ReloadPolicy=INPUT:DROP,FORWARD:DROP,OUTPUT:DROP

# RFC3964_IPv4
# As per RFC 3964, filter IPv6 traffic with 6to4 destination addresses that
# correspond to IPv4 addresses that should not be routed over the public
# internet.
# Defaults to "yes".
RFC3964_IPv4=yes

# NftablesFlowtable
# This may improve forwarded traffic throughput by enabling nftables flowtable.
# It is a software fastpath and avoids calling nftables rule evaluation for
# data packets. This only works for TCP and UDP traffic.
# The value is a space separated list of interfaces.
# Example value "eth0 eth1".
# Defaults to "off".
NftablesFlowtable=off

# NftablesCounters
# If set to yes, add a counter to every nftables rule. This is useful for
# debugging and comes with a small performance cost.
# Defaults to "no".
NftablesCounters=no

# NftablesTableOwner
# If set to yes, the generated nftables rule set will be owned exclusively by
# firewalld. This prevents other entities from mistakenly (or maliciously)
# modifying firewalld's rule set. If you intentionally modify firewalld's
# rules, then you will have to set this to "no".
# Defaults to "yes".
NftablesTableOwner=yes

I see some lines are different, try backing up your current firewalld.conf file and replacing it with mine to see what happens?

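As an added example (not posted by anyone in this thread), here is a small shell script that does the two checks suggested above by hand: it looks for merge residue in a hand-merged firewalld.conf (conflict markers, lines that are no longer KEY=value), and it compares the settings of two config files key by key, which is what swapping in someone else's file does implicitly. The file paths and the two sample files are constructed for the demo; on a real system point the functions at /etc/firewalld/firewalld.conf and the firewalld.conf.pacnew pacman left next to it.

```shell
#!/bin/sh
# Added example, not from the thread: sanity-check a hand-merged
# /etc/firewalld/firewalld.conf against the pristine .pacnew pacman left
# beside it. Paths and the sample contents below are constructed for the
# demo; on a real system point the functions at the two real files.

# conf_lint FILE
# Flag every line that is neither a comment, a blank line nor KEY=value,
# i.e. the residue a bad three-way merge leaves behind (conflict markers
# such as <<<<<<< / ======= / >>>>>>>, or a setting whose "=" got lost).
# Returns 1 if anything was flagged.
conf_lint() {
    local file=$1 bad=0 n=0 line
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case $line in
            ''|'#'*) ;;                                   # blank or comment: fine
            '<<<<<<<'*|'======='*|'>>>>>>>'*|'|||||||'*)
                printf '%s:%d: merge marker: %s\n' "$file" "$n" "$line"; bad=1 ;;
            [A-Za-z_]*=*) ;;                              # KEY=value: fine
            *)  printf '%s:%d: not a setting: %s\n' "$file" "$n" "$line"; bad=1 ;;
        esac
    done < "$file"
    return "$bad"
}

# conf_settings FILE
# Print the effective settings as KEY=VALUE, one per line, sorted.
# Comments, blanks and junk lines are dropped; if a key appears twice
# (typical after a sloppy merge) the last occurrence wins here.
conf_settings() {
    sed -n -e 's/[[:space:]]*$//' \
           -e 's/^[[:space:]]*\([A-Za-z_][A-Za-z0-9_]*\)[[:space:]]*=[[:space:]]*/\1=/p' "$1" \
    | awk -F= '{ k = $1; v[k] = substr($0, length(k) + 2) }
               END { for (k in v) print k "=" v[k] }' \
    | sort
}

# conf_diff FILE_A FILE_B
# Print "KEY value_in_A value_in_B" for every setting that differs or is
# present in only one of the files ("(unset)" marks the missing side).
conf_diff() {
    local sa sb
    sa=$(mktemp); sb=$(mktemp)
    conf_settings "$1" > "$sa"
    conf_settings "$2" > "$sb"
    awk -F= '
        { k = $1; v = substr($0, length(k) + 2) }
        FILENAME == ARGV[1] { a[k] = v; next }
        { b[k] = v }
        END {
            for (k in a) if (!(k in b)) print k, a[k], "(unset)"
            for (k in b) if (!(k in a)) print k, "(unset)", b[k]
            for (k in a) if ((k in b) && a[k] != b[k]) print k, a[k], b[k]
        }' "$sa" "$sb" | sort
    rm -f "$sa" "$sb"
}

# --- constructed sample input: a botched merge and the pristine .pacnew ---
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
MERGED=$work/firewalld.conf
PACNEW=$work/firewalld.conf.pacnew

cat > "$MERGED" <<'EOF'
# firewalld config file
DefaultZone=public
IPv6_rpfilter=yes
FirewallBackend=nftables
>>>>>>> firewalld.conf.pacnew
ReloadPolicy=INPUT:DROP,FORWARD:DROP,OUTPUT:DROP
NftablesCounters no
EOF

cat > "$PACNEW" <<'EOF'
# firewalld config file
DefaultZone=public
IPv6_rpfilter=strict
FirewallBackend=nftables
ReloadPolicy=INPUT:DROP,FORWARD:DROP,OUTPUT:DROP
NftablesCounters=no
NftablesTableOwner=yes
EOF

echo "== lint merged file =="
conf_lint "$MERGED" || echo "fix the lines above before restarting firewalld"
echo "== settings that differ (merged vs pacnew) =="
conf_diff "$MERGED" "$PACNEW"
```

On a real box, run `conf_lint` on the merged file and fix what it flags before restarting firewalld; the diff then shows which keys the merge kept at their old value (here `IPv6_rpfilter yes strict`) and which keys the new package version introduced and the merge dropped (the `(unset)` rows). The ‘python-nftables’ in the log lines is firewalld’s name for the nftables Python binding, which on Arch is shipped inside the nftables package rather than as a package of its own, so `pacman -Qs python-nftables` finding nothing is expected.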

When I check in the repos, python-nftables doesn’t seem to exist?


You are right. Just checked. How do I remove that?

The same behaviour as mine, except that firewalld does not set itself to block. As soon as I set ‘activate shields’, I only have a limited connection. So I have to restart my computer every time I switch it on or off.

A catastrophe. Something is completely messed up

Is that package installed on your system?


No

➜  pactree python-nftables     
error: package 'python-nftables' not found

✗  pacman -Qs python-nftables

Could it be this problem?

If so, the nftables package in Arch Linux has been fixed, and should be reaching the mirrors.


Thank you @r0ckhopper . It seems to be the same issue as mine. I have to wait until the update reaches extra.

I’ll report later whether it’s fixed on my side.


I would be curious to know what causes the issues because I have nftables 1:1.1.0-1 and firewalld 2.2.0-1 on my system and I’m not experiencing issues with firewalld. Did I miss something in that issue?


It seems good.
But how do I set my default zone to public instead of block?

> block

I think you have to run this.
sudo firewall-cmd --set-default-zone=public


Thanks. I used your firewalld.conf, and the default zone is defined as public there. I’ll try the command.


I think I have misunderstood the principle. As soon as firewalld is active, it is set to public. But when I set ‘activate shields’ it automatically sets to block. I hope my English conveys what I wanted to express.

What is “activate shields”? Why do you need to set your default zone to block? Is your system directly accessible from the internet, by which I mean do you have port forwarding enabled on your ISP router, forwarding to ports on your PC? The public zone for home use should be just fine, because only the ssh port is open by default in the public zone?


I use ufw so wouldn’t know!

I was searching for a python-nftables Arch package (had it been renamed or dropped to the AUR), when I found the nftables package and the very recent commit.


In the systray is the display of the firewall applet, where I can select whether I want to ‘activate shields’ or not.
As soon as I activate this, firewalld automatically sets the default zone to block.

I must have misunderstood this

I don’t use the firewall GUI, I just use firewall-cmd when I do need to configure something. But setting the default zone to “block” seems unnecessary for a home computer which isn’t directly accessible from the internet. Someone will probably disagree with me, but it’s up to you what you want to do.
