After a reboot I like to run a couple of commands just to find out if everything is fine. One of those commands is:
journalctl -b -l -x --no-pager -p 3
Most of the time everything is fine but sometimes…
[root@server andrzejl]# journalctl -b -l -x --no-pager -p 3
-- Logs begin at Sat 2015-01-17 18:31:30 CET, end at Mon 2015-02-02 00:09:14 CET. --
Feb 01 23:51:42 server.loc kernel: microcode: no support for this CPU vendor
Feb 01 23:51:42 server.loc kernel: mce: Unable to init device /dev/mcelog (rc: -5)
Feb 01 23:51:44 server.loc kernel: longhaul: Option "enable" not set. Aborting.
Feb 01 23:51:51 server.loc logger[286]: ERROR:Shorewall start failed:Firewall state not changed
Feb 01 23:51:51 server.loc systemd[1]: Failed to start Shorewall IPv4 firewall.
-- Subject: Unit shorewall.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit shorewall.service has failed.
--
-- The result is failed.
The first few messages are fine. It's not an Intel or AMD CPU, so microcode won't work and it's not gonna enable the longhaul option. However, the firewall not starting… Well, that's something to be concerned about.
Why didn’t it start…?
systemctl status -l shorewall
● shorewall.service - Shorewall IPv4 firewall
Loaded: loaded (/usr/lib/systemd/system/shorewall.service; enabled; vendor preset: disabled)
Active: failed (Result: exit-code) since nie 2015-02-01 23:51:51 CET; 11min ago
Process: 178 ExecStart=/usr/bin/shorewall $OPTIONS start $STARTOPTIONS (code=exited, status=143)
Main PID: 178 (code=exited, status=143)

lut 01 23:51:51 server.loc shorewall[178]: Starting Shorewall....
lut 01 23:51:51 server.loc shorewall[178]: ERROR: Can't determine the IP address of enp0s9: Firewall state not changed
lut 01 23:51:51 server.loc logger[286]: ERROR:Shorewall start failed:Firewall state not changed
lut 01 23:51:51 server.loc shorewall[178]: /usr/share/shorewall/lib.common: linia 113: 259 Zakończony $SHOREWALL_SHELL $script $options $@
lut 01 23:51:51 server.loc systemd[1]: shorewall.service: main process exited, code=exited, status=143/n/a
lut 01 23:51:51 server.loc systemd[1]: Failed to start Shorewall IPv4 firewall.
lut 01 23:51:52 server.loc systemd[1]: Unit shorewall.service entered failed state.
lut 01 23:51:52 server.loc systemd[1]: shorewall.service failed.
It didn’t start because it started too fast and the network was not connected at that point.
How to delay it?
Edit this file:
/usr/lib/systemd/system/shorewall.service
#
# The Shoreline Firewall (Shorewall) Packet Filtering Firewall
#
# Copyright 2011 Jonathan Underwood <jonathan.underwood@gmail.com>
#
[Unit]
Description=Shorewall IPv4 firewall
After=network-online.target
Conflicts=iptables.service firewalld.service

[Service]
Type=oneshot
RemainAfterExit=yes
EnvironmentFile=-/etc/sysconfig/shorewall
StandardOutput=syslog
ExecStart=/usr/bin/shorewall $OPTIONS start $STARTOPTIONS
ExecStop=/usr/bin/shorewall $OPTIONS stop

[Install]
WantedBy=basic.target
So it looks like this:
#
# The Shoreline Firewall (Shorewall) Packet Filtering Firewall
#
# Copyright 2011 Jonathan Underwood <jonathan.underwood@gmail.com>
#
[Unit]
Description=Shorewall IPv4 firewall
After=network-online.target local-fs.target network.target
Conflicts=iptables.service firewalld.service

[Service]
Type=oneshot
RemainAfterExit=yes
EnvironmentFile=-/etc/sysconfig/shorewall
StandardOutput=syslog
ExecStart=/usr/bin/shorewall $OPTIONS start $STARTOPTIONS
ExecStop=/usr/bin/shorewall $OPTIONS stop

[Install]
WantedBy=basic.target
See the difference?
After=network-online.target
After=network-online.target local-fs.target network.target
Then run:
systemctl daemon-reload
systemctl restart shorewall
After the next reboot all should be fine.
This needs to be repeated after each shorewall upgrade.
Cheers.
Andrzej
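
The edit above is made under /usr/lib/systemd/system, which the package owns, so an upgrade overwrites it. As an added example (not from the original post), this script puts the same After= line in a drop-in under /etc/systemd/system, which upgrades leave alone, and reports any of the three targets that the unit files do not list; the drop-in file name 10-after-network.conf and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post.
# Targets copied from the edited After= line on this page.
TARGETS="network-online.target local-fs.target network.target"

# write_dropin ROOT
# Creates ROOT/shorewall.service.d/10-after-network.conf (file name is an
# assumption). ROOT is /etc/systemd/system on a real host. After= is a list
# setting, so the drop-in adds to the packaged unit's value.
write_dropin() {
    dir="$1/shorewall.service.d"
    mkdir -p "$dir" || return 1
    printf '[Unit]\nAfter=%s\n' "$TARGETS" > "$dir/10-after-network.conf"
}

# missing_targets FILE...
# Prints every target from TARGETS that no After= line in FILE... lists.
# Empty output means the ordering is in place.
missing_targets() {
    listed=$(sed -n 's/^After=//p' "$@" 2>/dev/null | tr -s ' ' '\n')
    for t in $TARGETS; do
        printf '%s\n' "$listed" | grep -qxF "$t" || printf '%s\n' "$t"
    done
}

# Nothing is changed unless an option is given.
case "${1:-}" in
    --install)
        write_dropin /etc/systemd/system && systemctl daemon-reload ;;
    --check)
        missing_targets /usr/lib/systemd/system/shorewall.service \
            /etc/systemd/system/shorewall.service.d/*.conf ;;
esac
```

Run it with --install as root once, then with --check after a shorewall upgrade; no output from --check means all three targets are still listed.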