Your message dated Mon, 8 Dec 2025 17:15:36 +0100
with message-id <[email protected]>
and subject line Re: Bug#1121939: firehol doesn't start after upgrade to trixie
has caused the Debian Bug report #1121939,
regarding firehol doesn't start after upgrade to trixie
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1121939: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1121939
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: firehol
Version: 3.1.8+ds-1
Severity: important
Dear Maintainer,
*** Reporter, please consider answering these questions, where appropriate ***
* What led up to the situation?
A distribution upgrade from bookworm to trixie.
* What exactly did you do (or not do) that was effective (or
ineffective)?
I looked at several config files but couldn't find anything wrong. I
contacted Jerome, and he suggested submitting this bug report.
* What was the outcome of this action?
Remains to be seen, this is only the first submission of a bug report. I
searched the web first but seem to be the only one with this issue.
* What outcome did you expect instead?
I hope my problem can be solved.
*** End of the template - remove these template lines ***
-- System Information:
Debian Release: 13.2
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 6.18.0 (SMP w/8 CPU threads; PREEMPT)
Locale: LANG=C, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en
Shell: /bin/sh linked to /usr/bin/dash
Init: sysvinit (via /sbin/init)
Versions of packages firehol depends on:
ii firehol-common 3.1.8+ds-1
ii init-system-helpers 1.69~deb13u1
Versions of packages firehol recommends:
ii fireqos 3.1.8+ds-1
Versions of packages firehol suggests:
ii firehol-doc 3.1.8+ds-1
ii firehol-tools 3.1.8+ds-1
pn ulogd2 <none>
-- Configuration Files:
/etc/default/firehol changed:
START_FIREHOL=YES
WAIT_FOR_IFACE=""
FIREHOL_ESTABLISHED_ACTIVATION_ACCEPT=0
/etc/firehol/firehol.conf changed:
version 6
interface4 eth0 ethernet
protection strong
policy drop
client all accept
server smtp accept src 192.168.1.1
server syslog accept src 192.168.1.1
server all reject src 192.168.1.1 dst 224.0.0.1
server all reject dst 192.168.1.255
server all reject dst 255.255.255.255
server all reject dst 224.0.0.251
server ssh accept src 192.168.1.20
server ssh accept src 192.168.1.130
server ssh accept src 192.168.1.132
server syslog accept src 192.168.1.131
server all accept src 192.168.1.150
interface4 ipsec+ ipsec
protection strong
policy drop
client all accept
server custom discard udp/9 default accept src 44.148.129.34
interface4 vti+ vti
protection strong
policy drop
client all accept
interface4 tun+ tuntap
protection strong
policy drop
client all accept
interface4 sl0 slip0
client all accept
server all accept src 44.0.0.0/8
/etc/init.d/firehol changed:
PATH=/bin:/usr/bin:/sbin:/usr/sbin
NAME=firehol
DESC="firewall"
SCRIPTNAME=/etc/init.d/$NAME
test -x /usr/sbin/firehol || exit 0
START_FIREHOL=NO
export START_FIREHOL
[ -r /etc/default/firehol ] && set -a && . /etc/default/firehol
. /lib/init/vars.sh
. /lib/lsb/init-functions
VERBOSE=yes
case "$START_FIREHOL" in
NO|no)
START_FIREHOL=NO
;;
AUTO|auto)
START_FIREHOL=AUTO
;;
*)
START_FIREHOL=YES
;;
esac
do_metastart () {
# return
# 0 000 if firewall has been handled
# 1 001 if firewall could not be activated
# 2 010 if firewall is delegated to a third-party
# 4 100 if FireHOL is disabled via /etc/default/firehol
[ "$START_FIREHOL" = "NO" ] && return 4
[ "$START_FIREHOL" = "AUTO" ] && return 2
/usr/sbin/firehol start "$@" > /dev/null 2>&1 || return 1
}
do_start () {
# return
# 0 000 if firewall has been handled
# 1 001 if firewall could not be activated
# 4 100 if FireHOL is disabled via /etc/default/firehol
[ "$START_FIREHOL" = "NO" ] && return 4
/usr/sbin/firehol start "$@" > /dev/null 2>&1 || return 1
}
do_metastop () {
# return
# 0 000 if firewall has been cleaned up properly
# 1 001 if firewall could not be cleaned up properly
# 2 010 if firewall is delegated to a third-party
[ "$START_FIREHOL" = "AUTO" ] && return 2
/usr/sbin/firehol stop > /dev/null 2>&1 || return 1
}
do_stop () {
# return
# 0 000 if firewall has been cleaned up properly
# 1 001 otherwise
/usr/sbin/firehol stop > /dev/null 2>&1 || return 1
}
do_condrestart () {
# return
# 0 000 if firewall has been handled
# 1 001 if firewall could not be activated
# 4 100 if FireHOL is disabled via /etc/default/firehol
[ "$START_FIREHOL" = "NO" ] && return 4
/usr/sbin/firehol condrestart "$@" > /dev/null 2>&1 || return 1
}
COMMAND="$1"
[ "$COMMAND" ] && shift
case "$COMMAND" in
start)
[ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$NAME"
do_metastart "$@"
case "$?" in
0) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
1) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
2) [ "$VERBOSE" != no ] && { log_progress_msg "delegated to a third-party" ; log_end_msg 0 ; } ;;
4) [ "$VERBOSE" != no ] && { log_progress_msg "disabled, see /etc/default/firehol" ; log_end_msg 255 ; } ;;
esac
;;
stop)
[ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME"
do_metastop
case "$?" in
0) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
1) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
2) [ "$VERBOSE" != no ] && { log_progress_msg "delegated to a third-party" ; log_end_msg 0 ; } ;;
esac
;;
condrestart)
log_daemon_msg "Conditionally restarting $DESC" "$NAME"
do_condrestart "$@"
case "$?" in
0) log_end_msg 0 ;;
1) log_end_msg 1 ; exit 1 ;;
4) log_progress_msg "disabled, see /etc/default/firehol" ; log_end_msg 255 ; ;;
esac
;;
restart)
log_daemon_msg "Restarting $DESC" "$NAME"
do_metastart "$@"
case "$?" in
0) log_end_msg 0 ;;
1) log_end_msg 1 ;;
2) log_progress_msg "delegated to a third-party" ; log_end_msg 0 ; ;;
4) log_progress_msg "disabled, see /etc/default/firehol" ; log_end_msg 255 ; ;;
esac
;;
force-reload)
log_daemon_msg "Restarting $DESC" "$NAME"
do_start "$@"
case "$?" in
0) log_end_msg 0 ;;
1) log_end_msg 1 ; exit 1 ;;
4) log_progress_msg "disabled, see /etc/default/firehol" ; log_end_msg 255 ; ;;
esac
;;
force-start)
[ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$NAME"
do_start "$@"
case "$?" in
0) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
1) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
4) [ "$VERBOSE" != no ] && { log_progress_msg "disabled, see /etc/default/firehol" ; log_end_msg 255 ; } ;;
esac
;;
force-stop)
[ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME"
do_stop
case "$?" in
0) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
1) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
esac
;;
status)
case "$START_FIREHOL" in
NO)
log_warning_msg "$DESC $NAME disabled via /etc/default/firehol"
exit 0
;;
AUTO)
log_success_msg "$DESC $NAME delegated via /etc/default/firehol"
exit 4
;;
YES)
log_success_msg "$DESC $NAME enabled via /etc/default/firehol"
exit 4
;;
*)
log_success_msg "$DESC $NAME confused by /etc/default/firehol"
exit 4
;;
esac
;;
*)
echo "Usage: $SCRIPTNAME {start|stop|condrestart|restart|force-reload|force-start|force-stop|status|helpme|wizard} [<args>]" >&2
exit 3
;;
esac
:
-- no debconf information
--- End Message ---
--- Begin Message ---
Hi Again, thanks for your feedback,
On 08/12/2025 16:10, Edmund H. Ramm wrote:
Hi Jerome,
Jerome BENOIT <[email protected]> writes:
[..]
Firehol actually works only with the legacy method.
Support for the nf method may require a full recoding.
I had this discussion in mind (philwhineray comment in particular)
https://github.com/firehol/firehol/issues/352
Here are other relevant posts:
https://github.com/firehol/firehol/issues/14
https://github.com/firehol/firehol/issues/48
That is not true. When I set up this system here in 2020, the only
netfilter programs the Debian installer installed were the non-legacy versions.
And all my kernels (All compiled by me; the standard Debian kernel is
unusable for me as it lacks many features I need.) never had
"Legacy netfilter tables" built in.
Prior to trixie Firehol worked fine and trouble free with "only"
nf-filtering enabled in the kernel and the then only present non-legacy
netfilter programs. When I, after firehol stopped working after the upgrade
to trixie, "hacked" /usr/libexec/firehol/firehol to use the non-legacy
netfilter commands, firehol worked o.k. again here!
The upgrade to trixie installed, among many other things, the "legacy"
versions of the netfilter programs and a new firehol version. And firehol
stopped working, because it now calls the netfilter-legacy programs, which
in turn need "Legacy netfiltering" enabled in the kernel.
So: Using "which netfilter" instead of "which netfilter-legacy" etc. in the
firehol install script should make firehol work without the ip_filter module
the netfilter-legacy version looks for. Provided the non-legacy netfilter
programs are installed.
Actually it appears that your issue is an old one:
https://github.com/firehol/firehol/issues/422
[...]
I will see first if ip_tables.ko can still be present in the linux-image
packages.
[...]
It is, in the Debian kernel. The Debian kernel is of no use to me. But
that's the reason I'm the first one to experience problems. Most others seem
to be satisfied with the standard Debian kernel.
Very good to know. So I am closing the bugreport.
Yours sincerely,
Eddi ._._.
--
Jerome BENOIT | calculus+at-rezozer^dot*net
https://qa.debian.org/[email protected]
AE28 AE15 710D FF1D 87E5 A762 3F92 19A6 7F36 C68B
--- End Message ---
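
The failure discussed in this thread (the legacy netfilter programs being called on a kernel without legacy netfilter tables, while the non-legacy programs work) can be confirmed with a short probe. This is an added example, not part of the original messages and not FireHOL or Debian code; the function names are hypothetical, and it assumes the Debian command names iptables-legacy and iptables-nft and the usual "can't initialize iptables table" error text.

```sh
#!/bin/sh
# Added example, not FireHOL or Debian code. Function names are hypothetical.

# Map one probe result (exit status, captured stderr) to a short verdict.
classify_probe() {
    if [ "$1" -eq 0 ]; then
        echo usable
        return 0
    fi
    case "$2" in
        *"can't initialize iptables table"*) echo no-kernel-support ;;
        *"Permission denied"*)               echo need-root ;;
        *)                                   echo error ;;
    esac
}

# Run "<command> -S" (a read-only rule listing) and classify the outcome.
probe_backend() {
    if ! command -v "$1" >/dev/null 2>&1; then
        echo not-installed
        return 0
    fi
    probe_status=0
    probe_err=$("$1" -S 2>&1 >/dev/null) || probe_status=$?
    classify_probe "$probe_status" "$probe_err"
}

# Probe both variants. Assumed defaults: Debian's iptables-legacy/iptables-nft.
# Returns 0 if the legacy tools work, 2 if the legacy tools lack kernel
# support but the nf_tables tools work (the situation reported in this
# thread), 1 for anything else.
diagnose() {
    legacy=$(probe_backend "${1:-iptables-legacy}")
    nft=$(probe_backend "${2:-iptables-nft}")
    echo "legacy=$legacy nft=$nft"
    case "$legacy/$nft" in
        usable/*)                 return 0 ;;
        no-kernel-support/usable) return 2 ;;
        *)                        return 1 ;;
    esac
}

# Run as root with --run to check the local host.
if [ "${1:-}" = "--run" ]; then
    diagnose || exit $?
fi
```

Because the init script above sends all firehol output to /dev/null, a probe like this, run after an upgrade, shows why the firewall did not come up before the host is left unfiltered.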