use the upstream signature http://mdcc.cx/pub/uruk/uruk-20180528.tar.xz.asc in debian/watch
(pgpsigurlmangle, with the key in debian/upstream/signing-key.asc), so uscan verifies the tarball it fetches


this issue might have been (partly) fixed in 20160219-2; see also zebraika log.pod


on systems with "a lot" of IP addresses/network interfaces, systemd considers uruk
failed after boot: every interface coming up runs the if-up.d hook, the hook
restarts the unit, and more than StartLimitBurst restarts within the start-limit
interval trip systemd's start rate limiting.  observed at e.g. system 'poncelet',
running Debian jessie w/ uruk 20160219-1.

Nov 13 12:19:42 poncelet systemd[1]: Starting Uruk firewall service...
Nov 13 12:19:42 poncelet systemd[1]: Started Uruk firewall service.
Nov 13 12:19:42 poncelet systemd[1]: Stopping Uruk firewall service...

Nov 13 12:19:42 poncelet systemd[1]: Started Uruk firewall service.
Nov 13 12:19:42 poncelet systemd[1]: Stopping Uruk firewall service...
Nov 13 12:19:42 poncelet systemd[1]: Starting Uruk firewall service...

etc etc

/etc/network/if-up.d/uruk calls "invoke-rc.d uruk force-reload", which ends up calling "systemctl restart uruk"

we observe (the loop is zsh syntax):

service uruk status
green
repeat 20; do sleep 0.001; systemctl restart uruk; done
red
systemctl restart uruk
service uruk status
green

i.e. more than StartLimitBurst (5, see below) restarts within the start-limit
interval (10s by default) put the unit into failed state; a later restart, once
that interval has elapsed, brings it back.


when DHCP assigns a different IP address to a network interface (e.g. on lease renewal),
ifupdown is _not_ notified and no if-up.d hook runs.  The uruk ifupdown hook claims to
deal with dynamic networking, but for that very reason it cannot.

Cranking up the limits (StartLimitBurst, StartLimitInterval) in /lib/systemd/system/uruk.service
won't really help; it will break again on a system which has even more NICs.

the unit has no ExecReload=, so force-reload has nothing to fall back on but a full
restart, and every restart counts toward the start limit.  do we really want to keep this:

# systemctl -p CanReload show uruk
CanReload=no

?

the best solution very likely is: get rid of /etc/network/if-up.d/uruk .  however, this
needs a _lot_ of testing. e.g. on poncelet we've observed that systemd considers uruk "ok"
after boot while no iptables rules have been loaded at all...


test on okutank, and hand it back in a clean state afterwards.


root@okutank:~# grep -i uruk /var/log/syslog | grep systemd
Dec  4 14:33:06 okutank systemd[1]: Stopped Uruk firewall service.
Dec  4 14:33:23 okutank systemd[1]: Starting Uruk firewall service...
Dec  4 14:33:23 okutank systemd[1]: Started Uruk firewall service.
Dec  4 14:33:23 okutank systemd[1]: Stopped Uruk firewall service.
Dec  4 14:33:23 okutank systemd[1]: Stopping Uruk firewall service...
Dec  4 14:33:23 okutank systemd[1]: Starting Uruk firewall service...
Dec  4 14:33:23 okutank systemd[1]: Started Uruk firewall service.
Dec  4 14:33:25 okutank systemd[1]: Stopped Uruk firewall service.
Dec  4 14:33:25 okutank systemd[1]: Stopping Uruk firewall service...
Dec  4 14:33:25 okutank systemd[1]: Starting Uruk firewall service...
Dec  4 14:33:25 okutank systemd[1]: Started Uruk firewall service.
Dec  4 14:33:25 okutank systemd[1]: Stopped Uruk firewall service.
Dec  4 14:33:25 okutank systemd[1]: Stopping Uruk firewall service...
Dec  4 14:33:25 okutank systemd[1]: Starting Uruk firewall service...
Dec  4 14:33:25 okutank systemd[1]: Started Uruk firewall service.

root@okutank:~# service uruk status
green

root@okutank:~# iptables -L -n -v | wc -l
81

root@okutank:/etc/network/if-up.d# mv uruk ~/

root@okutank:~# reboot


root@okutank:~# iptables -L -n -v | wc -l
8

so it's broken now
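The `wc -l` heuristic above works because an unloaded filter table prints exactly the eight header lines shown further down (three chain lines, three column headers, two blanks), but it is easy to misread and says nothing about policies. An added check, not part of uruk, that can run after every boot regardless of what systemctl reports: parse iptables-save output and only accept a filter table that has at least one rule or a DROP policy. Both sample rulesets are constructed for the example.

```shell
#!/bin/sh
# Is a firewall actually loaded?  Decide from iptables-save output on stdin,
# independently of what `systemctl status uruk` claims.
# Prints a one-line summary; returns 0 when the filter table has at least one
# rule or a DROP policy, 1 for the empty default-ACCEPT table.
firewall_loaded() {
    rules=0 drop=0 table=
    while IFS= read -r line; do
        case $line in
            \**) table=${line#\*} ;;            # "*filter", "*nat", ... start a table
        esac
        [ "$table" = filter ] || continue      # only the filter table decides
        case $line in
            ':INPUT DROP'*|':FORWARD DROP'*|':OUTPUT DROP'*) drop=$((drop + 1)) ;;
            '-A '*) rules=$((rules + 1)) ;;
        esac
    done
    echo "filter: $rules rules, $drop DROP policies"
    [ "$rules" -gt 0 ] || [ "$drop" -gt 0 ]
}

# Run the check on a ruleset given as text, so it can be exercised offline.
check_ruleset() {
    printf '%s\n' "$1" | firewall_loaded
}

# Constructed sample: the empty table a freshly booted host shows when nothing
# loaded rules (the same state as the 8-line `iptables -L -n -v` above).
EMPTY_RULESET='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT'

# Constructed sample: a small loaded ruleset (hand-written, not uruk's output).
# The nat table is there to show that only the filter table is counted.
LOADED_RULESET='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
COMMIT'

# On a live host, e.g. from a boot-time health check (same again with ip6tables-save):
#   iptables-save | firewall_loaded || echo "WARNING: no firewall loaded" >&2
```

A stronger variant compares the `-A` lines of `iptables-save` with /var/lib/uruk/iptables/active, which is what urukctl saves as the active ruleset; whether that file is in iptables-save format is not stated on this page, so check before relying on it.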

root@okutank:~# service uruk status
   Active: inactive (dead)

root@okutank:~# service uruk restart

root@okutank:~# service uruk status
   Active: active (exited) since Mon 2017-12-04 14:36:20 CET; 2s ago
green

root@okutank:~# mv uruk /etc/network/if-up.d/

during boot without the if-up.d thing:

Dec  4 14:35:33 okutank systemd-timesyncd[474]: Synchronized to time server 137.56.247.195:123 (ntp1.uvt.nl).


Dec  4 14:35:34 okutank systemd[1]: Started Raise network interfaces.
Dec  4 14:35:34 okutank systemd[1]: Reached target Network.

Dec  4 14:35:34 okutank systemd[1]: Starting OpenBSD Secure Shell server...

Dec  4 14:35:34 okutank systemd[1]: Reached target Network is Online.

Dec  4 14:35:34 okutank systemd[1]: Starting /etc/rc.local Compatibility...

Dec  4 14:35:35 okutank systemd[1]: Started The Apache HTTP Server.


Dec  4 14:35:35 okutank systemd[1]: Started Postfix Mail Transport Agent (instance -).
Dec  4 14:35:35 okutank systemd[1]: Starting Postfix Mail Transport Agent...
Dec  4 14:35:35 okutank systemd[1]: Started Postfix Mail Transport Agent.

Dec  4 14:35:35 okutank systemd[1]: Startup finished in 1.329s (kernel) + 2.940s (userspace) = 4.270s.

Dec  4 14:36:19 okutank systemd[1]: Starting Uruk firewall service...

Dec  4 14:36:20 okutank urukctl[1780]: Saving IPv6 uruk rules as active ruleset.
Dec  4 14:36:20 okutank kernel: [   50.115249] ip6_tables: (C) 2000-2006 Netfilter Core Team

Dec  4 14:36:20 okutank systemd[1]: Started Uruk firewall service.
Dec  4 14:36:20 okutank systemd[1]: Reached target Network (Pre).



we no longer try to support handling dynamic IPs out of the box.
early in the boot process, uruk assumes all IP addresses that will be assigned are already known,
and we load the final uruk ruleset early in boot.

if-up.d: use urukctl, not invoke-rc.d, to work around bug^wfeature^wbug in systemd
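A hook of the shape this note calls for, as an added example (not the /etc/network/if-up.d/uruk shipped by the package): the decision about which ifupdown events matter lives in a function so it can be exercised without root, and the ruleset is (re)loaded by calling urukctl directly instead of going through invoke-rc.d. The environment variables are the ones ifupdown exports to its hooks (see interfaces(5)); that `urukctl start` may safely be re-run on a host that already has rules loaded is an assumption this page does not confirm.

```shell
#!/bin/sh
# Illustrative /etc/network/if-up.d/uruk; not the hook shipped by the uruk package.
# ifupdown exports IFACE, MODE (start|stop), PHASE (pre-up|post-up|pre-down|post-down),
# ADDRFAM (inet|inet6|meta) and METHOD to every hook.  With `ifup -a` the hooks
# additionally run once with IFACE=--all ADDRFAM=meta for the whole run.

# Decide whether an ifupdown event warrants reloading the ruleset.
# Prints "reload" or "skip" so the policy can be tested without touching netfilter.
uruk_hook_action() {
    iface=$1 mode=$2 phase=$3 addrfam=$4
    [ "$mode" = start ] || { echo skip; return 0; }       # if-down.d events: leave rules alone
    [ "$phase" = post-up ] || { echo skip; return 0; }    # addresses exist only from post-up on
    case $iface in
        ''|lo|--all) echo skip; return 0 ;;               # loopback, or the meta pass of ifup -a
    esac
    case $addrfam in
        inet|inet6) echo reload ;;
        *)          echo skip ;;                          # meta, can, ipx, ...
    esac
}

# (Re)load the ruleset with urukctl itself.  Going through invoke-rc.d ends in
# `systemctl restart uruk`, and every restart counts against StartLimitBurst;
# several interfaces coming up at boot trip that limit (see above).
# Assumption: `urukctl start` may be re-run while rules are already loaded.
apply_uruk() {
    if ! command -v urukctl >/dev/null 2>&1; then
        echo "uruk if-up hook: urukctl not found, leaving ruleset untouched" >&2
        return 1
    fi
    urukctl start
}

if [ "$(uruk_hook_action "${IFACE-}" "${MODE-}" "${PHASE-}" "${ADDRFAM-}")" = reload ]; then
    apply_uruk
fi
```

The price of bypassing systemd is that systemd no longer knows the state of the firewall: the okutank session further down shows `urukctl start` loading 81 lines of rules while `service uruk status` still says inactive (dead). Check iptables itself, not the unit, and note that dropping the hook altogether, as proposed above, avoids the problem entirely.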


root@okutank:~# ls -l /var/lib/uruk/*
/var/lib/uruk/ip6tables:
total 16
-rw-r--r-- 1 root root 8101 Dec  4 14:36 active
-rw-r--r-- 1 root root    0 Dec  4 14:36 autosave
-rw-r--r-- 1 root root 7798 Feb 22  2016 inactive

/var/lib/uruk/iptables:
total 16
-rw-r--r-- 1 root root 7404 Dec  4 14:36 active
-rw-r--r-- 1 root root    0 Dec  4 14:36 autosave
-rw-r--r-- 1 root root 6289 Feb 22  2016 inactive

root@okutank:~# mv /etc/network/if-up.d/uruk ~/
root@okutank:~# reboot

root@okutank:~# iptables -L -n -v
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination


root@okutank:~# service uruk status
● uruk.service - Uruk firewall service
   Loaded: loaded (/lib/systemd/system/uruk.service; static; vendor preset: enabled)
   Active: inactive (dead)

systemctl status uruk

root@okutank:~# systemctl show uruk | wc -l
175

GuessMainPID=yes
MainPID=0

LoadState=loaded
ActiveState=inactive
SubState=dead

CanReload=no

StartLimitBurst=5
StartLimitAction=none


Mon 04 15:39 < joostvb> systemctl status foo
Mon 04 15:39 < joostvb> says
Mon 04 15:39 < joostvb> Active: inactive (dead)
Mon 04 15:39 < joostvb> how do you find out why systemd did it that way?
Mon 04 15:39 < joostvb> systemctl show foo
Mon 04 15:39 < joostvb> doesn't help

root@okutank:~# urukctl start

root@okutank:~# service uruk status
● uruk.service - Uruk firewall service
   Loaded: loaded (/lib/systemd/system/uruk.service; static; vendor preset: enabled)
   Active: inactive (dead)

root@okutank:~# iptables -L -n -v | wc -l
81

root@okutank:~# service uruk start
root@okutank:~# service uruk status
green
   Active: active (exited) since Mon 2017-12-04 15:42:39 CET; 2s ago


root@okutank:~# mv /etc/network/if-up.d/uruk ~/
root@okutank:~# reboot

root@okutank:~# service uruk status
● uruk.service - Uruk firewall service
   Loaded: loaded (/lib/systemd/system/uruk.service; static; vendor preset: enabled)
   Active: inactive (dead)

root@okutank:~# systemctl status --all

● okutank
    State: running
     Jobs: 0 queued
   Failed: 0 units

● apt-daily.service - Daily apt download activities
   Loaded: loaded (/lib/systemd/system/apt-daily.service; static; vendor preset: enabled)
   Active: inactive (dead)
     Docs: man:apt(8)

● apt-daily.timer - Daily apt download activities
   Loaded: loaded (/lib/systemd/system/apt-daily.timer; enabled; vendor preset: enabled)
   Active: active (waiting) since Mon 2017-12-04 15:52:54 CET; 1min 24s ago



root@okutank:/sbin# cp -a urukctl,bak urukctl
root@okutank:/sbin# vi urukctl


Dec  6 15:25:27 okutank urukctl[511]: running urukctl...


root@okutank:~# mv /etc/network/if-up.d/uruk ~/
root@okutank:~# reboot

Dec  6 15:27:47 okutank systemd[1]: Stopping Service for virtual machines hosted on VMware...
Dec  6 15:27:59 okutank systemd-modules-load[291]: Module 'ipv6' is builtin


root@okutank:~# grep urukctl /lib/systemd/system/uruk.service
ExecStart=/sbin/urukctl start


root@okutank:~# grep running /sbin/urukctl | tail -1
echo "running urukctl..." 1>&2

"masked" oid?

nope:


root@okutank:~# systemctl list-unit-files | grep -C2 uruk
umountroot.service                     masked
urandom.service                        static
uruk.service                           static
user@.service                          static
vgauth.service                         enabled

uruk has to belong to a target

it should probably be "enabled" rather than "static"

this does seem to work



Wed 06 15:38 <%Fruit> [Install]
Wed 06 15:38 <%Fruit> WantedBy=network-pre.target
is probably right


[Unit]
Wed 06 15:39 < joostvb> Wants=network-pre.target
Wed 06 15:39 < joostvb> Before=network-pre.target shutdown.target
is not enough on its own: it orders uruk before network-pre.target and pulls that
target in, but nothing pulls uruk itself into the boot transaction

we want network-pre.target to depend on uruk


maybe something like this works:

[Unit]
Description=Uruk firewall service
DefaultDependencies=no

[Install]
WantedBy=network-pre.target

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/sbin/urukctl start



root@okutank:/lib/systemd/system# cp -a uruk.service ~/
root@okutank:/lib/systemd/system# vi uruk.service

now:

root@okutank:~# systemctl list-unit-files | grep -C2 uruk

uruk.service                           disabled

root@okutank:~# systemctl enable uruk
Synchronizing state of uruk.service with SysV service script with /lib/systemd/systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install enable uruk


uruk.service                           enabled

restore everything:

root@okutank:/sbin# mv urukctl,bak urukctl
root@okutank:~# mv uruk /etc/network/if-up.d/uruk
root@okutank:~# mv uruk.service /lib/systemd/system/









 * debian/{postinst,postrm}: ship a symlink to /dev/null as
   /lib/systemd/system/uruk.service since the uruk init script is not
   applicable in systemd: we use ifupdown.  Fixes "uruk: Has init script in
   runlevel S but no matching service file".  Thanks fsateler@d.o.
   Closes: #796700

nb: #796700 has been closed

 # systemd #796700 - uruk: Has init script in runlevel S but no matching service file
 # "[...] the script is simply not applicable in systemd, in which case the package
 # should ship a symlink to /dev/null as /lib/systemd/system/<initscript>.service."
 # https://wiki.debian.org/Teams/pkg-systemd/rcSMigration
 if ! test -L /lib/systemd/system/uruk.service
 then
     ln -s /dev/null /lib/systemd/system/uruk.service
 fi

https://wiki.debian.org/Teams/pkg-systemd/rcSMigration :

Your service is needed to configure firewalls or network interfaces

If you need to configure firewalls, network interfaces, or anything else which
needs to happen before bringing up the first network interface, then you should
order the service as follows (eg, if you need to run before ifupdown/networkd):

 [Unit]
 Description=An early boot service
 DefaultDependencies=no
 Wants=network-pre.target
 Before=network-pre.target shutdown.target
 Conflicts=shutdown.target
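Putting the two fragments together (the uruk.service proposed above, which has an [Install] section but no ordering, and the rcSMigration recipe, which has the ordering but no [Install]), here is a complete unit as an added suggestion, not the file the uruk package ships. That `urukctl stop` exists and that re-running `urukctl start` is a safe reload are assumptions this page does not confirm.

```ini
[Unit]
Description=Uruk firewall service
# Drop the implicit sysinit/basic ordering so the unit can run before networking.
DefaultDependencies=no
# /var/lib/uruk (active/autosave rulesets) and /sbin/urukctl must be mounted.
After=local-fs.target
# Pull the passive network-pre.target in and finish before it; network
# management services order themselves after that target.
Wants=network-pre.target
Before=network-pre.target shutdown.target
# Without DefaultDependencies this is not added for us; needed to stop cleanly.
Conflicts=shutdown.target

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/sbin/urukctl start
# Assumptions: `urukctl stop` loads the inactive ruleset, and re-running
# `urukctl start` replaces the live ruleset.  With an ExecReload= present,
# CanReload becomes yes and a reload, unlike a restart, does not count
# against StartLimitBurst.
ExecStop=/sbin/urukctl stop
ExecReload=/sbin/urukctl start

[Install]
# Part of every boot, not only when something else happens to pull the
# passive network-pre.target in; ordering before networking comes from Before=.
WantedBy=sysinit.target
```

After `systemctl daemon-reload` and `systemctl enable uruk` (which only works once an [Install] section exists; a static unit cannot be enabled, as seen above), `systemctl list-dependencies --reverse uruk` should list sysinit.target among the units that pull it in, and the boot log should show "Started Uruk firewall service" before "Reached target Network (Pre)". WantedBy=network-pre.target, as tried above, also works but only as long as some other unit pulls that passive target in; network-pre.target is never started on its own.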


Lots of other ideas: drop default rule: "check if incoming traffic is targeted
at current IP": make it possible to have sane uruk rules _without_ knowing
current IP.   before any interface is up: drop all traffic, via init script or
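The first idea, as an added illustration in hand-written iptables-save syntax (not uruk's generated ruleset): rules for locally terminated traffic need not name the host's address at all. Everything that reaches the filter table's INPUT chain is already addressed to this host, or is broadcast/multicast, so "is this packet for my IP" can be written with `-m addrtype --dst-type LOCAL` instead of `-d <current address>`, and with DROP policies the ruleset can be loaded before any interface has an address, which also covers the "drop all traffic before any interface is up" idea. The SSH port is an assumption for the example.

```text
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Nothing below names an address, so this loads fine before DHCP has run.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# "Is this for me?" without knowing the current IP: only unicast traffic to one
# of this host's own addresses passes; broadcast and multicast are dropped here.
-A INPUT -m addrtype ! --dst-type LOCAL -j DROP
-A INPUT -p icmp -j ACCEPT
# Example service; the port is an assumption, not taken from this page.
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
```

`iptables-restore --test` checks such a file without touching the live tables, which is the safe way to validate a generated ruleset during boot-ordering experiments like the ones above.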

---

Check out http://wiki.debian.org/FirewallByDefault and
http://wiki.debian.org/Firewalls .

Check out https://wiki.ubuntu.com/UbuntuFirewall

https://wiki.ubuntu.com/UncomplicatedFirewall aka "ufw"

Supply a script to consume /etc/ufw/applications.d/ , e.g.:

joostvb@incagijs:~% cat /etc/ufw/applications.d/openssh-server
[OpenSSH]
title=Secure shell server, an rshd replacement
description=OpenSSH is a free implementation of the Secure Shell protocol.
ports=22/tcp


We might want to check /var/lib/uruk/iptables stuff on
purge/removal/reinstallation.  (Currently, it's kept on purge.)

Recheck http://women.alioth.debian.org/wiki/index.php/English/MaintainerScripts
.

Use doc-base for registering documentation, replace our md5sums generating
stuff with something like:
.
 while read f; do \
  exclude="$$exclude ! -path \".$$f\" "; \
 done < debian/conffiles; \
  cd debian/$(package); \
  find . -type f $$exclude ! -regex '.*/DEBIAN/.*' -printf '%P\0' | xargs -r0 md5sum > DEBIAN/md5sums;
.
This honors conffiles.  Or just call dh_md5sums...  (And we might choose to go
use debhelper for all the rest, or cdbs, while we're at it.)

