# [UNSOLVABLE] arno-iptables-firewall errors out

## NP_complete

I am setting up a firewall on a single-user machine. Most conservative settings. No externally visible daemons like sshd. arno-iptables-firewall gives the following output (see below). It's asking for some elusive modules called xt_limit|ipt_limit,ip6t_limit and xt_multiport|ipt_multiport,ip6t_multiport, WHICH I CANNOT FIND. Somebody please clue me in where they might be in menuconfig. arno-firewall eventually bombs but leaves a few rules scattered around (see below).

The output from `ip6tables -L -n` ends with "POST_INPUT_DROP_CHAIN all ::/0 ::/0 state INVALID".

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

$ uname -r

3.16.5-gentoo

$ journalctl

arno-iptables-firewall[2641]: Arno's Iptables Firewall Script v2.0.1e

arno-iptables-firewall[2641]: -------------------------------------------------------------------------------

arno-iptables-firewall[2641]: Platform: Linux 3.16.5-gentoo x86_64

arno-iptables-firewall[2641]: Stopping (user) plugins...

arno-iptables-firewall[2641]: Checking/probing Iptables modules:

arno-iptables-firewall[2641]: Loaded kernel module ip_tables.

arno-iptables-firewall[2641]: Loaded kernel module ip6_tables.

arno-iptables-firewall[2641]: Loaded kernel module nf_conntrack.

arno-iptables-firewall[2641]: Loaded kernel module nf_conntrack_ipv6.

arno-iptables-firewall[2641]: Loaded kernel module nf_conntrack_ftp.

arno-iptables-firewall[2641]: Loaded kernel module xt_conntrack.

arno-iptables-firewall[2641]: WARNING: Modules "xt_limit|ipt_limit,ip6t_limit" failed to load. Assuming compiled-in-kernel.

arno-iptables-firewall[2641]: Loaded kernel module xt_state.

arno-iptables-firewall[2641]: WARNING: Modules "xt_multiport|ipt_multiport,ip6t_multiport" failed to load. Assuming compiled-in-kernel.

arno-iptables-firewall[2641]: Loaded kernel module iptable_filter.

arno-iptables-firewall[2641]: Loaded kernel module ip6table_filter.

arno-iptables-firewall[2641]: Loaded kernel module iptable_mangle.

arno-iptables-firewall[2641]: Loaded kernel module ip6table_mangle.

arno-iptables-firewall[2641]: Loaded kernel module ipt_REJECT.

arno-iptables-firewall[2641]: Loaded kernel module ip6t_REJECT.

arno-iptables-firewall[2641]: Loaded kernel module xt_LOG.

arno-iptables-firewall[2641]: Loaded kernel module xt_TCPMSS.

arno-iptables-firewall[2641]: Loaded kernel module iptable_nat.

arno-iptables-firewall[2641]: Module check done...

arno-iptables-firewall[2641]: Configuring general kernel parameters:

arno-iptables-firewall[2641]: Setting the max. amount of simultaneous connections to 16384

arno-iptables-firewall[2641]: net.nf_conntrack_max = 16384

arno-iptables-firewall[2641]: net.netfilter.nf_conntrack_udp_timeout = 60

arno-iptables-firewall[2641]: net.netfilter.nf_conntrack_acct = 1

arno-iptables-firewall[2641]: Configuring kernel parameters:

arno-iptables-firewall[2641]: Disabling send redirects

arno-iptables-firewall[2641]: net.ipv4.conf.all.send_redirects = 0

arno-iptables-firewall[2641]: net.ipv4.conf.default.send_redirects = 0

arno-iptables-firewall[2641]: net.ipv4.conf.enp4s0f2.send_redirects = 0

arno-iptables-firewall[2641]: net.ipv4.conf.lo.send_redirects = 0

arno-iptables-firewall[2641]: net.ipv4.conf.wlp3s0.send_redirects = 0

arno-iptables-firewall[2641]: Enabling protection against source routed packets

arno-iptables-firewall[2641]: net.ipv4.conf.all.accept_source_route = 0

arno-iptables-firewall[2641]: net.ipv4.conf.default.accept_source_route = 0

arno-iptables-firewall[2641]: net.ipv4.conf.enp4s0f2.accept_source_route = 0

arno-iptables-firewall[2641]: net.ipv4.conf.lo.accept_source_route = 0

arno-iptables-firewall[2641]: net.ipv4.conf.wlp3s0.accept_source_route = 0

arno-iptables-firewall[2641]: net.ipv6.conf.all.accept_source_route = 0

arno-iptables-firewall[2641]: net.ipv6.conf.default.accept_source_route = 0

arno-iptables-firewall[2641]: net.ipv6.conf.enp4s0f2.accept_source_route = 0

arno-iptables-firewall[2641]: net.ipv6.conf.lo.accept_source_route = 0

arno-iptables-firewall[2641]: net.ipv6.conf.wlp3s0.accept_source_route = 0

arno-iptables-firewall[2641]: net.ipv4.icmp_echo_ignore_broadcasts = 1

arno-iptables-firewall[2641]: net.ipv4.icmp_ignore_bogus_error_responses = 1

arno-iptables-firewall[2641]: Enabling packet forwarding

arno-iptables-firewall[2641]: net.ipv4.conf.all.forwarding = 1

arno-iptables-firewall[2641]: net.ipv4.conf.default.forwarding = 1

arno-iptables-firewall[2641]: net.ipv4.conf.enp4s0f2.forwarding = 1

arno-iptables-firewall[2641]: net.ipv4.conf.lo.forwarding = 1

arno-iptables-firewall[2641]: net.ipv4.conf.wlp3s0.forwarding = 1

arno-iptables-firewall[2641]: net.ipv6.conf.all.forwarding = 1

arno-iptables-firewall[2641]: net.ipv6.conf.default.forwarding = 1

arno-iptables-firewall[2641]: net.ipv6.conf.enp4s0f2.forwarding = 1

arno-iptables-firewall[2641]: net.ipv6.conf.lo.forwarding = 1

arno-iptables-firewall[2641]: net.ipv6.conf.wlp3s0.forwarding = 1

arno-iptables-firewall[2641]: Disabling Local IPv6 Auto-Configuration

arno-iptables-firewall[2641]: net.ipv6.conf.all.autoconf = 0

arno-iptables-firewall[2641]: net.ipv6.conf.default.autoconf = 0

arno-iptables-firewall[2641]: net.ipv6.conf.enp4s0f2.autoconf = 0

arno-iptables-firewall[2641]: net.ipv6.conf.lo.autoconf = 0

arno-iptables-firewall[2641]: net.ipv6.conf.wlp3s0.autoconf = 0

arno-iptables-firewall[2641]: net.ipv6.conf.all.accept_ra = 0

arno-iptables-firewall[2641]: net.ipv6.conf.default.accept_ra = 0

arno-iptables-firewall[2641]: net.ipv6.conf.enp4s0f2.accept_ra = 0

arno-iptables-firewall[2641]: net.ipv6.conf.lo.accept_ra = 0

arno-iptables-firewall[2641]: net.ipv6.conf.wlp3s0.accept_ra = 0

arno-iptables-firewall[2641]: Setting some kernel performance options

arno-iptables-firewall[2641]: net.ipv4.tcp_window_scaling = 1

arno-iptables-firewall[2641]: net.ipv4.tcp_timestamps = 1

arno-iptables-firewall[2641]: net.ipv4.tcp_sack = 1

arno-iptables-firewall[2641]: net.ipv4.tcp_dsack = 1

arno-iptables-firewall[2641]: net.ipv4.tcp_fack = 1

arno-iptables-firewall[2641]: net.ipv4.tcp_low_latency = 0

arno-iptables-firewall[2641]: Enabling reduction of the DoS'ing ability

arno-iptables-firewall[2641]: net.ipv4.tcp_fin_timeout = 30

arno-iptables-firewall[2641]: net.ipv4.tcp_keepalive_time = 1800

arno-iptables-firewall[2641]: net.ipv4.tcp_syn_retries = 3

arno-iptables-firewall[2641]: net.ipv4.tcp_synack_retries = 2

arno-iptables-firewall[2641]: net.ipv4.tcp_rfc1337 = 1

arno-iptables-firewall[2641]: net.ipv4.ip_local_port_range = 32768 61000

arno-iptables-firewall[2641]: Enabling SYN-flood protection via SYN-cookies

arno-iptables-firewall[2641]: net.ipv4.tcp_syncookies = 1

arno-iptables-firewall[2641]: Enabling anti-spoof with rp_filter

arno-iptables-firewall[2641]: net.ipv4.conf.all.rp_filter = 1

arno-iptables-firewall[2641]: net.ipv4.conf.default.rp_filter = 1

arno-iptables-firewall[2641]: net.ipv4.conf.enp4s0f2.rp_filter = 1

arno-iptables-firewall[2641]: net.ipv4.conf.lo.rp_filter = 1

arno-iptables-firewall[2641]: net.ipv4.conf.wlp3s0.rp_filter = 1

arno-iptables-firewall[2641]: net.ipv4.icmp_echo_ignore_all = 0

arno-iptables-firewall[2641]: Disabling the logging of martians

arno-iptables-firewall[2641]: net.ipv4.conf.all.log_martians = 0

arno-iptables-firewall[2641]: net.ipv4.conf.default.log_martians = 0

arno-iptables-firewall[2641]: net.ipv4.conf.enp4s0f2.log_martians = 0

arno-iptables-firewall[2641]: net.ipv4.conf.lo.log_martians = 0

arno-iptables-firewall[2641]: net.ipv4.conf.wlp3s0.log_martians = 0

arno-iptables-firewall[2641]: Disabling the acception of ICMP-redirect messages

arno-iptables-firewall[2641]: net.ipv4.conf.all.accept_redirects = 0

arno-iptables-firewall[2641]: net.ipv4.conf.default.accept_redirects = 0

arno-iptables-firewall[2641]: net.ipv4.conf.enp4s0f2.accept_redirects = 0

arno-iptables-firewall[2641]: net.ipv4.conf.lo.accept_redirects = 0

arno-iptables-firewall[2641]: net.ipv4.conf.wlp3s0.accept_redirects = 0

arno-iptables-firewall[2641]: net.ipv6.conf.all.accept_redirects = 0

arno-iptables-firewall[2641]: net.ipv6.conf.default.accept_redirects = 0

arno-iptables-firewall[2641]: net.ipv6.conf.enp4s0f2.accept_redirects = 0

arno-iptables-firewall[2641]: net.ipv6.conf.lo.accept_redirects = 0

arno-iptables-firewall[2641]: net.ipv6.conf.wlp3s0.accept_redirects = 0

arno-iptables-firewall[2641]: Disabling ECN (Explicit Congestion Notification)

arno-iptables-firewall[2641]: net.ipv4.tcp_ecn = 0

arno-iptables-firewall[2641]: Enabling kernel support for dynamic IPs

arno-iptables-firewall[2641]: net.ipv4.ip_dynaddr = 1

arno-iptables-firewall[2641]: Enabling PMTU discovery

arno-iptables-firewall[2641]: net.ipv4.ip_no_pmtu_disc = 0

arno-iptables-firewall[2641]: Setting default TTL=64

arno-iptables-firewall[2641]: net.ipv4.ip_default_ttl = 64

arno-iptables-firewall[2641]: Flushing route table

arno-iptables-firewall[2641]: net.ipv4.route.flush = 1

arno-iptables-firewall[2641]: net.ipv6.route.flush = 1

arno-iptables-firewall[2641]: Kernel setup done...

arno-iptables-firewall[2641]: Reinitializing firewall chains

arno-iptables-firewall[2641]: Setting all default policies to DROP while "setting up firewall rules"

arno-iptables-firewall[2641]: IPv4/IPv6 mixed mode selected

arno-iptables-firewall[2641]: /sbin/iptables -A HOST_BLOCK_DROP -m limit --limit 1/m --limit-burst 1 -j LOG --log-level info --log-prefix AIF:Blocked host(s):

arno-iptables-firewall[2641]: ERROR (1): iptables: No chain/target/match by that name.

arno-iptables-firewall[2641]: /sbin/ip6tables -A HOST_BLOCK_DROP -m limit --limit 1/m --limit-burst 1 -j LOG --log-level info --log-prefix AIF:Blocked host(s):

arno-iptables-firewall[2641]: ERROR (1): ip6tables: No chain/target/match by that name.

arno-iptables-firewall[2641]: /sbin/ip6tables -A LINK_LOCAL_DROP -m limit --limit 1/m --limit-burst 1 -j LOG --log-level info --log-prefix AIF:Dropped Link-Local:

arno-iptables-firewall[2641]: ERROR (1): ip6tables: No chain/target/match by that name.

arno-iptables-firewall[2641]: Using loglevel "info" for syslogd

arno-iptables-firewall[2641]: Setting up firewall rules:

arno-iptables-firewall[2641]: -------------------------------------------------------------------------------

arno-iptables-firewall[2641]: Enabling setting the maximum packet size via MSS

arno-iptables-firewall[2641]: Logging of stealth scans (nmap probes etc.) enabled

arno-iptables-firewall[2641]: /sbin/iptables -A VALID_CHK -p tcp --tcp-flags ALL FIN,URG,PSH -m limit --limit 3/m --limit-burst 5 -j LOG --log-level info --log-prefix AIF:Stealth XMAS scan:

arno-iptables-firewall[2641]: ERROR (1): iptables: No chain/target/match by that name.

arno-iptables-firewall[2641]: /sbin/ip6tables -A VALID_CHK -p tcp --tcp-flags ALL FIN,URG,PSH -m limit --limit 3/m --limit-burst 5 -j LOG --log-level info --log-prefix AIF:Stealth XMAS scan:

arno-iptables-firewall[2641]: ERROR (1): ip6tables: No chain/target/match by that name.

arno-iptables-firewall[2641]: /sbin/iptables -A VALID_CHK -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -m limit --limit 3/m --limit-burst 5 -j LOG --log-level info --log-prefix AIF:Stealth XMAS-PSH scan:

arno-iptables-firewall[2641]: ERROR (1): iptables: No chain/target/match by that name.

arno-iptables-firewall[2641]: /sbin/ip6tables -A VALID_CHK -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -m limit --limit 3/m --limit-burst 5 -j LOG --log-level info --log-prefix AIF:Stealth XMAS-PSH scan:

arno-iptables-firewall[2641]: ERROR (1): ip6tables: No chain/target/match by that name.

arno-iptables-firewall[2641]: /sbin/iptables -A VALID_CHK -p tcp --tcp-flags ALL ALL -m limit --limit 3/m --limit-burst 5 -j LOG --log-level info --log-prefix AIF:Stealth XMAS-ALL scan:

arno-iptables-firewall[2641]: ERROR (1): iptables: No chain/target/match by that name.

arno-iptables-firewall[2641]: /sbin/ip6tables -A VALID_CHK -p tcp --tcp-flags ALL ALL -m limit --limit 3/m --limit-burst 5 -j LOG --log-level info --log-prefix AIF:Stealth XMAS-ALL scan:

arno-iptables-firewall[2641]: ERROR (1): ip6tables: No chain/target/match by that name.

arno-iptables-firewall[2641]: /sbin/iptables -A VALID_CHK -p tcp --tcp-flags ALL FIN -m limit --limit 3/m --limit-burst 5 -j LOG --log-level info --log-prefix AIF:Stealth FIN scan:

arno-iptables-firewall[2641]: ERROR (1): iptables: No chain/target/match by that name.

arno-iptables-firewall[2641]: /sbin/ip6tables -A VALID_CHK -p tcp --tcp-flags ALL FIN -m limit --limit 3/m --limit-burst 5 -j LOG --log-level info --log-prefix AIF:Stealth FIN scan:

arno-iptables-firewall[2641]: ERROR (1): ip6tables: No chain/target/match by that name.

arno-iptables-firewall[2641]: /sbin/iptables -A VALID_CHK -p tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 3/m --limit-burst 5 -j LOG --log-level info --log-prefix AIF:Stealth SYN/RST scan:

arno-iptables-firewall[2641]: ERROR (1): iptables: No chain/target/match by that name.

arno-iptables-firewall[2641]: /sbin/ip6tables -A VALID_CHK -p tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 3/m --limit-burst 5 -j LOG --log-level info --log-prefix AIF:Stealth SYN/RST scan:

arno-iptables-firewall[2641]: ERROR (1): ip6tables: No chain/target/match by that name.

arno-iptables-firewall[2641]: /sbin/iptables -A VALID_CHK -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 3/m --limit-burst 5 -j LOG --log-level info --log-prefix AIF:Stealth SYN/FIN scan?:

arno-iptables-firewall[2641]: ERROR (1): iptables: No chain/target/match by that name.

arno-iptables-firewall[2641]: /sbin/ip6tables -A VALID_CHK -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 3/m --limit-burst 5 -j LOG --log-level info --log-prefix AIF:Stealth SYN/FIN scan?:

arno-iptables-firewall[2641]: ERROR (1): ip6tables: No chain/target/match by that name.

arno-iptables-firewall[2641]: /sbin/iptables -A VALID_CHK -p tcp --tcp-flags ALL NONE -m limit --limit 3/m --limit-burst 5 -j LOG --log-level info --log-prefix AIF:Stealth Null scan:

arno-iptables-firewall[2641]: ERROR (1): iptables: No chain/target/match by that name.

arno-iptables-firewall[2641]: /sbin/ip6tables -A VALID_CHK -p tcp --tcp-flags ALL NONE -m limit --limit 3/m --limit-burst 5 -j LOG --log-level info --log-prefix AIF:Stealth Null scan:

arno-iptables-firewall[2641]: ERROR (1): ip6tables: No chain/target/match by that name.

arno-iptables-firewall[2641]: Logging of packets with bad TCP-flags enabled

arno-iptables-firewall[2641]: /sbin/iptables -A VALID_CHK -p tcp --tcp-option 64 -m limit --limit 3/m --limit-burst 1 -j LOG --log-level info --log-prefix AIF:Bad TCP flag(64):

arno-iptables-firewall[2641]: ERROR (1): iptables: No chain/target/match by that name.

arno-iptables-firewall[2641]: /sbin/ip6tables -A VALID_CHK -p tcp --tcp-option 64 -m limit --limit 3/m --limit-burst 1 -j LOG --log-level info --log-prefix AIF:Bad TCP flag(64):

arno-iptables-firewall[2641]: ERROR (1): ip6tables: No chain/target/match by that name.

arno-iptables-firewall[2641]: /sbin/iptables -A VALID_CHK -p tcp --tcp-option 128 -m limit --limit 3/m --limit-burst 1 -j LOG --log-level info --log-prefix AIF:Bad TCP flag(128):

arno-iptables-firewall[2641]: ERROR (1): iptables: No chain/target/match by that name.

arno-iptables-firewall[2641]: /sbin/ip6tables -A VALID_CHK -p tcp --tcp-option 128 -m limit --limit 3/m --limit-burst 1 -j LOG --log-level info --log-prefix AIF:Bad TCP flag(128):

arno-iptables-firewall[2641]: ERROR (1): ip6tables: No chain/target/match by that name.

arno-iptables-firewall[2641]: Logging of INVALID TCP packets disabled

arno-iptables-firewall[2641]: Logging of INVALID UDP packets disabled

arno-iptables-firewall[2641]: Logging of INVALID ICMP packets disabled

arno-iptables-firewall[2641]: Logging of fragmented packets enabled

arno-iptables-firewall[2641]: /sbin/iptables -A VALID_CHK -f -m limit --limit 3/m --limit-burst 1 -j LOG --log-prefix AIF:Fragment packet:

arno-iptables-firewall[2641]: ERROR (1): iptables: No chain/target/match by that name.

arno-iptables-firewall[2641]: Logging of access from reserved nets disabled

arno-iptables-firewall[2641]: Reading custom rules from /etc/arno-iptables-firewall/custom-rules

arno-iptables-firewall[2641]: Checking for (user) plugins in /usr/libexec/arno-iptables-firewall/plugins...

arno-iptables-firewall[2641]: Loaded 0 plugin(s)...

arno-iptables-firewall[2641]: /sbin/iptables -A OUTPUT -f -m limit --limit 3/m -j LOG --log-level info --log-prefix AIF:Fragment packet:

arno-iptables-firewall[2641]: ERROR (1): iptables: No chain/target/match by that name.

arno-iptables-firewall[2641]: Setting up external(INET) INPUT policy

arno-iptables-firewall[2641]: Logging of ICMP flooding enabled

arno-iptables-firewall[2641]: /sbin/iptables -A EXT_ICMP_FLOOD_CHAIN -p icmp --icmp-type destination-unreachable -m limit --limit 12/hour --limit-burst 1 -j LOG --log-level info --log-prefix AIF:ICMP-unreachable flood:

arno-iptables-firewall[2641]: ERROR (1): iptables: No chain/target/match by that name.

arno-iptables-firewall[2641]: /sbin/ip6tables -A EXT_ICMP_FLOOD_CHAIN -p icmpv6 --icmpv6-type destination-unreachable -m limit --limit 12/hour --limit-burst 1 -j LOG --log-level info --log-prefix AIF:ICMP-unreachable flood:

arno-iptables-firewall[2641]: ERROR (1): ip6tables: No chain/target/match by that name.

arno-iptables-firewall[2641]: /sbin/iptables -A EXT_ICMP_FLOOD_CHAIN -p icmp --icmp-type time-exceeded -m limit --limit 12/hour --limit-burst 1 -j LOG --log-level info --log-prefix AIF:ICMP-time-exceeded fld:

arno-iptables-firewall[2641]: ERROR (1): iptables: No chain/target/match by that name.

arno-iptables-firewall[2641]: /sbin/ip6tables -A EXT_ICMP_FLOOD_CHAIN -p icmpv6 --icmpv6-type time-exceeded -m limit --limit 12/hour --limit-burst 1 -j LOG --log-level info --log-prefix AIF:ICMP-time-exceeded fld:

arno-iptables-firewall[2641]: ERROR (1): ip6tables: No chain/target/match by that name.

arno-iptables-firewall[2641]: /sbin/iptables -A EXT_ICMP_FLOOD_CHAIN -p icmp --icmp-type parameter-problem -m limit --limit 12/hour --limit-burst 1 -j LOG --log-level info --log-prefix AIF:ICMP-param-problem fld:

arno-iptables-firewall[2641]: ERROR (1): iptables: No chain/target/match by that name.

arno-iptables-firewall[2641]: /sbin/ip6tables -A EXT_ICMP_FLOOD_CHAIN -p icmpv6 --icmpv6-type parameter-problem -m limit --limit 12/hour --limit-burst 1 -j LOG --log-level info --log-prefix AIF:ICMP-param-problem fld:

arno-iptables-firewall[2641]: ERROR (1): ip6tables: No chain/target/match by that name.

arno-iptables-firewall[2641]: /sbin/iptables -A EXT_ICMP_FLOOD_CHAIN -p icmp --icmp-type echo-request -m limit --limit 12/hour --limit-burst 1 -j LOG --log-level info --log-prefix AIF:ICMP-request(ping) fld:

arno-iptables-firewall[2641]: ERROR (1): iptables: No chain/target/match by that name.

arno-iptables-firewall[2641]: /sbin/ip6tables -A EXT_ICMP_FLOOD_CHAIN -p icmpv6 --icmpv6-type echo-request -m limit --limit 12/hour --limit-burst 1 -j LOG --log-level info --log-prefix AIF:ICMP-request(ping) fld:

arno-iptables-firewall[2641]: ERROR (1): ip6tables: No chain/target/match by that name.

arno-iptables-firewall[2641]: /sbin/iptables -A EXT_ICMP_FLOOD_CHAIN -p icmp --icmp-type echo-reply -m limit --limit 12/hour --limit-burst 1 -j LOG --log-level info --log-prefix AIF:ICMP-reply(pong) flood:

arno-iptables-firewall[2641]: ERROR (1): iptables: No chain/target/match by that name.

arno-iptables-firewall[2641]: /sbin/ip6tables -A EXT_ICMP_FLOOD_CHAIN -p icmpv6 --icmpv6-type echo-reply -m limit --limit 12/hour --limit-burst 1 -j LOG --log-level info --log-prefix AIF:ICMP-reply(pong) flood:

arno-iptables-firewall[2641]: ERROR (1): ip6tables: No chain/target/match by that name.

arno-iptables-firewall[2641]: /sbin/iptables -A EXT_ICMP_FLOOD_CHAIN -p icmp --icmp-type source-quench -m limit --limit 12/hour --limit-burst 1 -j LOG --log-level info --log-prefix AIF:ICMP-source-quench fld:

arno-iptables-firewall[2641]: ERROR (1): iptables: No chain/target/match by that name.

arno-iptables-firewall[2641]: /sbin/ip6tables -A EXT_ICMP_FLOOD_CHAIN -p icmpv6 --icmpv6-type packet-too-big -m limit --limit 12/hour --limit-burst 1 -j LOG --log-level info --log-prefix AIF:ICMP-packet-too-big fld:

arno-iptables-firewall[2641]: ERROR (1): ip6tables: No chain/target/match by that name.

arno-iptables-firewall[2641]: /sbin/iptables -A EXT_ICMP_FLOOD_CHAIN -p icmp -m limit --limit 12/hour --limit-burst 1 -j LOG --log-level info --log-prefix AIF:ICMP(other) flood:

arno-iptables-firewall[2641]: ERROR (1): iptables: No chain/target/match by that name.

arno-iptables-firewall[2641]: /sbin/ip6tables -A EXT_ICMP_FLOOD_CHAIN -p icmpv6 -m limit --limit 12/hour --limit-burst 1 -j LOG --log-level info --log-prefix AIF:ICMP(other) flood:

arno-iptables-firewall[2641]: ERROR (1): ip6tables: No chain/target/match by that name.

arno-iptables-firewall[2641]: /sbin/iptables -A EXT_INPUT_CHAIN -p tcp --dport 0 -m limit --limit 6/h --limit-burst 1 -j LOG --log-level info --log-prefix AIF:Port 0 OS fingerprint:

arno-iptables-firewall[2641]: ERROR (1): iptables: No chain/target/match by that name.

arno-iptables-firewall[2641]: /sbin/ip6tables -A EXT_INPUT_CHAIN -p tcp --dport 0 -m limit --limit 6/h --limit-burst 1 -j LOG --log-level info --log-prefix AIF:Port 0 OS fingerprint:

arno-iptables-firewall[2641]: ERROR (1): ip6tables: No chain/target/match by that name.

arno-iptables-firewall[2641]: /sbin/iptables -A EXT_INPUT_CHAIN -p udp --dport 0 -m limit --limit 6/h --limit-burst 1 -j LOG --log-level info --log-prefix AIF:Port 0 OS fingerprint:

arno-iptables-firewall[2641]: ERROR (1): iptables: No chain/target/match by that name.

arno-iptables-firewall[2641]: /sbin/ip6tables -A EXT_INPUT_CHAIN -p udp --dport 0 -m limit --limit 6/h --limit-burst 1 -j LOG --log-level info --log-prefix AIF:Port 0 OS fingerprint:

arno-iptables-firewall[2641]: ERROR (1): ip6tables: No chain/target/match by that name.

arno-iptables-firewall[2641]: /sbin/iptables -A EXT_INPUT_CHAIN -p tcp --sport 0 -m limit --limit 6/h --limit-burst 5 -j LOG --log-level info --log-prefix AIF:TCP source port 0:

arno-iptables-firewall[2641]: ERROR (1): iptables: No chain/target/match by that name.

arno-iptables-firewall[2641]: /sbin/ip6tables -A EXT_INPUT_CHAIN -p tcp --sport 0 -m limit --limit 6/h --limit-burst 5 -j LOG --log-level info --log-prefix AIF:TCP source port 0:

arno-iptables-firewall[2641]: ERROR (1): ip6tables: No chain/target/match by that name.

arno-iptables-firewall[2641]: /sbin/iptables -A EXT_INPUT_CHAIN -p udp --sport 0 -m limit --limit 6/h --limit-burst 5 -j LOG --log-level info --log-prefix AIF:UDP source port 0:

arno-iptables-firewall[2641]: ERROR (1): iptables: No chain/target/match by that name.

arno-iptables-firewall[2641]: /sbin/ip6tables -A EXT_INPUT_CHAIN -p udp --sport 0 -m limit --limit 6/h --limit-burst 5 -j LOG --log-level info --log-prefix AIF:UDP source port 0:

arno-iptables-firewall[2641]: ERROR (1): ip6tables: No chain/target/match by that name.

arno-iptables-firewall[2641]: Enabling support for DHCP-assigned-IP (DHCP client)

arno-iptables-firewall[2641]: Logging of explicitly blocked hosts enabled

arno-iptables-firewall[2641]: Logging of denied local output connections enabled

arno-iptables-firewall[2641]: Packets will NOT be checked for reserved source addresses

arno-iptables-firewall[2641]: Denying ANYHOST to send IPv4 ICMP-requests (ping)

arno-iptables-firewall[2641]: Allowing ANYHOST to send IPv6 ICMPv6-requests

arno-iptables-firewall[2641]: /sbin/ip6tables -A EXT_INPUT_CHAIN -p icmpv6 --icmpv6-type echo-request -m limit --limit 20/second --limit-burst 100 -j ACCEPT

arno-iptables-firewall[2641]: ERROR (1): ip6tables: No chain/target/match by that name.

arno-iptables-firewall[2641]: Logging of possible stealth scans enabled

arno-iptables-firewall[2641]: /sbin/iptables -A EXT_INPUT_CHAIN -p tcp ! --syn --dport 1024: -m limit --limit 3/m --limit-burst 5 -j LOG --log-level info --log-prefix AIF:Stealth scan? (UNPRIV):

arno-iptables-firewall[2641]: ERROR (1): iptables: No chain/target/match by that name.

arno-iptables-firewall[2641]: /sbin/ip6tables -A EXT_INPUT_CHAIN -p tcp ! --syn --dport 1024: -m limit --limit 3/m --limit-burst 5 -j LOG --log-level info --log-prefix AIF:Stealth scan? (UNPRIV):

arno-iptables-firewall[2641]: ERROR (1): ip6tables: No chain/target/match by that name.

arno-iptables-firewall[2641]: /sbin/iptables -A EXT_INPUT_CHAIN -p tcp ! --syn --dport :1023 -m limit --limit 3/m --limit-burst 5 -j LOG --log-level info --log-prefix AIF:Stealth scan? (PRIV):

arno-iptables-firewall[2641]: ERROR (1): iptables: No chain/target/match by that name.

arno-iptables-firewall[2641]: /sbin/ip6tables -A EXT_INPUT_CHAIN -p tcp ! --syn --dport :1023 -m limit --limit 3/m --limit-burst 5 -j LOG --log-level info --log-prefix AIF:Stealth scan? (PRIV):

arno-iptables-firewall[2641]: ERROR (1): ip6tables: No chain/target/match by that name.

arno-iptables-firewall[2641]: Logging of (other) packets to PRIVILEGED TCP ports enabled

arno-iptables-firewall[2641]: /sbin/iptables -A EXT_INPUT_CHAIN -p tcp --dport :1023 -m limit --limit 6/m --limit-burst 2 -j LOG --log-level info --log-prefix AIF:PRIV TCP packet:

arno-iptables-firewall[2641]: ERROR (1): iptables: No chain/target/match by that name.

arno-iptables-firewall[2641]: /sbin/ip6tables -A EXT_INPUT_CHAIN -p tcp --dport :1023 -m limit --limit 6/m --limit-burst 2 -j LOG --log-level info --log-prefix AIF:PRIV TCP packet:

arno-iptables-firewall[2641]: ERROR (1): ip6tables: No chain/target/match by that name.

arno-iptables-firewall[2641]: /sbin/iptables -A EXT_MULTICAST_CHAIN -p tcp --dport :1023 -m limit --limit 6/m --limit-burst 2 -j LOG --log-level info --log-prefix AIF:PRIV TCP multicast:

arno-iptables-firewall[2641]: ERROR (1): iptables: No chain/target/match by that name.

arno-iptables-firewall[2641]: /sbin/ip6tables -A EXT_MULTICAST_CHAIN -p tcp --dport :1023 -m limit --limit 6/m --limit-burst 2 -j LOG --log-level info --log-prefix AIF:PRIV TCP multicast:

arno-iptables-firewall[2641]: ERROR (1): ip6tables: No chain/target/match by that name.

arno-iptables-firewall[2641]: /sbin/iptables -A EXT_BROADCAST_CHAIN -p tcp --dport :1023 -m limit --limit 6/m --limit-burst 2 -j LOG --log-level info --log-prefix AIF:PRIV TCP broadcast:

arno-iptables-firewall[2641]: ERROR (1): iptables: No chain/target/match by that name.

arno-iptables-firewall[2641]: /sbin/ip6tables -A EXT_BROADCAST_CHAIN -p tcp --dport :1023 -m limit --limit 6/m --limit-burst 2 -j LOG --log-level info --log-prefix AIF:PRIV TCP broadcast:

arno-iptables-firewall[2641]: ERROR (1): ip6tables: No chain/target/match by that name.

arno-iptables-firewall[2641]: Logging of (other) packets to PRIVILEGED UDP ports enabled

arno-iptables-firewall[2641]: /sbin/iptables -A EXT_INPUT_CHAIN -p udp --dport :1023 -m limit --limit 6/m --limit-burst 2 -j LOG --log-level info --log-prefix AIF:PRIV UDP packet:

arno-iptables-firewall[2641]: ERROR (1): iptables: No chain/target/match by that name.

arno-iptables-firewall[2641]: /sbin/ip6tables -A EXT_INPUT_CHAIN -p udp --dport :1023 -m limit --limit 6/m --limit-burst 2 -j LOG --log-level info --log-prefix AIF:PRIV UDP packet:

arno-iptables-firewall[2641]: ERROR (1): ip6tables: No chain/target/match by that name.

arno-iptables-firewall[2641]: /sbin/iptables -A EXT_MULTICAST_CHAIN -p udp --dport :1023 -m limit --limit 6/m --limit-burst 2 -j LOG --log-level info --log-prefix AIF:PRIV UDP multicast:

arno-iptables-firewall[2641]: ERROR (1): iptables: No chain/target/match by that name.

arno-iptables-firewall[2641]: /sbin/ip6tables -A EXT_MULTICAST_CHAIN -p udp --dport :1023 -m limit --limit 6/m --limit-burst 2 -j LOG --log-level info --log-prefix AIF:PRIV UDP multicast:

arno-iptables-firewall[2641]: ERROR (1): ip6tables: No chain/target/match by that name.

arno-iptables-firewall[2641]: /sbin/iptables -A EXT_BROADCAST_CHAIN -p udp --dport :1023 -m limit --limit 6/m --limit-burst 2 -j LOG --log-level info --log-prefix AIF:PRIV UDP broadcast:

arno-iptables-firewall[2641]: ERROR (1): iptables: No chain/target/match by that name.

arno-iptables-firewall[2641]: /sbin/ip6tables -A EXT_BROADCAST_CHAIN -p udp --dport :1023 -m limit --limit 6/m --limit-burst 2 -j LOG --log-level info --log-prefix AIF:PRIV UDP broadcast:

arno-iptables-firewall[2641]: ERROR (1): ip6tables: No chain/target/match by that name.

arno-iptables-firewall[2641]: Logging of (other) packets to UNPRIVILEGED TCP ports enabled

arno-iptables-firewall[2641]: /sbin/iptables -A EXT_INPUT_CHAIN -p tcp --dport 1024: -m limit --limit 6/m --limit-burst 2 -j LOG --log-level info --log-prefix AIF:UNPRIV TCP packet:

arno-iptables-firewall[2641]: ERROR (1): iptables: No chain/target/match by that name.

arno-iptables-firewall[2641]: /sbin/ip6tables -A EXT_INPUT_CHAIN -p tcp --dport 1024: -m limit --limit 6/m --limit-burst 2 -j LOG --log-level info --log-prefix AIF:UNPRIV TCP packet:

arno-iptables-firewall[2641]: ERROR (1): ip6tables: No chain/target/match by that name.

arno-iptables-firewall[2641]: /sbin/iptables -A EXT_MULTICAST_CHAIN -p tcp --dport 1024: -m limit --limit 6/m --limit-burst 2 -j LOG --log-level info --log-prefix AIF:UNPRIV TCP multicast:

arno-iptables-firewall[2641]: ERROR (1): iptables: No chain/target/match by that name.

arno-iptables-firewall[2641]: /sbin/ip6tables -A EXT_MULTICAST_CHAIN -p tcp --dport 1024: -m limit --limit 6/m --limit-burst 2 -j LOG --log-level info --log-prefix AIF:UNPRIV TCP multicast:

arno-iptables-firewall[2641]: ERROR (1): ip6tables: No chain/target/match by that name.

arno-iptables-firewall[2641]: /sbin/iptables -A EXT_BROADCAST_CHAIN -p tcp --dport 1024: -m limit --limit 6/m --limit-burst 2 -j LOG --log-level info --log-prefix AIF:UNPRIV TCP broadcast:

arno-iptables-firewall[2641]: ERROR (1): iptables: No chain/target/match by that name.

arno-iptables-firewall[2641]: /sbin/ip6tables -A EXT_BROADCAST_CHAIN -p tcp --dport 1024: -m limit --limit 6/m --limit-burst 2 -j LOG --log-level info --log-prefix AIF:UNPRIV TCP broadcast:

arno-iptables-firewall[2641]: ERROR (1): ip6tables: No chain/target/match by that name.

arno-iptables-firewall[2641]: Logging of (other) packets to UNPRIVILEGED UDP ports enabled

arno-iptables-firewall[2641]: /sbin/iptables -A EXT_INPUT_CHAIN -p udp --dport 1024: -m limit --limit 6/m --limit-burst 2 -j LOG --log-level info --log-prefix AIF:UNPRIV UDP packet:

arno-iptables-firewall[2641]: ERROR (1): iptables: No chain/target/match by that name.

arno-iptables-firewall[2641]: /sbin/ip6tables -A EXT_INPUT_CHAIN -p udp --dport 1024: -m limit --limit 6/m --limit-burst 2 -j LOG --log-level info --log-prefix AIF:UNPRIV UDP packet:

arno-iptables-firewall[2641]: ERROR (1): ip6tables: No chain/target/match by that name.

arno-iptables-firewall[2641]: /sbin/iptables -A EXT_MULTICAST_CHAIN -p udp --dport 1024 -m limit --limit 6/m --limit-burst 2 -j LOG --log-level info --log-prefix AIF:UNPRIV UDP multicast:

arno-iptables-firewall[2641]: ERROR (1): iptables: No chain/target/match by that name.

arno-iptables-firewall[2641]: /sbin/ip6tables -A EXT_MULTICAST_CHAIN -p udp --dport 1024 -m limit --limit 6/m --limit-burst 2 -j LOG --log-level info --log-prefix AIF:UNPRIV UDP multicast:

arno-iptables-firewall[2641]: ERROR (1): ip6tables: No chain/target/match by that name.

arno-iptables-firewall[2641]: /sbin/iptables -A EXT_BROADCAST_CHAIN -p udp --dport 1024 -m limit --limit 6/m --limit-burst 2 -j LOG --log-level info --log-prefix AIF:UNPRIV UDP broadcast:

arno-iptables-firewall[2641]: ERROR (1): iptables: No chain/target/match by that name.

arno-iptables-firewall[2641]: /sbin/ip6tables -A EXT_BROADCAST_CHAIN -p udp --dport 1024 -m limit --limit 6/m --limit-burst 2 -j LOG --log-level info --log-prefix AIF:UNPRIV UDP broadcast:

arno-iptables-firewall[2641]: ERROR (1): ip6tables: No chain/target/match by that name.

arno-iptables-firewall[2641]: Logging of IGMP packets enabled

arno-iptables-firewall[2641]: /sbin/iptables -A EXT_INPUT_CHAIN -p 2 -m limit --limit 1/m --limit-burst 5 -j LOG --log-level info --log-prefix AIF:IGMP packet:

arno-iptables-firewall[2641]: ERROR (1): iptables: No chain/target/match by that name.

arno-iptables-firewall[2641]: Logging of dropped ICMP-request(ping) packets enabled

arno-iptables-firewall[2641]: /sbin/iptables -A EXT_INPUT_CHAIN -p icmp --icmp-type echo-request -m limit --limit 3/m --limit-burst 1 -j LOG --log-level info --log-prefix AIF:ICMP-request:

arno-iptables-firewall[2641]: ERROR (1): iptables: No chain/target/match by that name.

arno-iptables-firewall[2641]: /sbin/ip6tables -A EXT_INPUT_CHAIN -p icmpv6 --icmpv6-type echo-request -m limit --limit 3/m --limit-burst 1 -j LOG --log-level info --log-prefix AIF:ICMP-request:

arno-iptables-firewall[2641]: ERROR (1): ip6tables: No chain/target/match by that name.

arno-iptables-firewall[2641]: /sbin/iptables -A EXT_MULTICAST_CHAIN -p icmp --icmp-type echo-request -m limit --limit 3/m --limit-burst 1 -j LOG --log-level info --log-prefix AIF:ICMP-multicast-request:

arno-iptables-firewall[2641]: ERROR (1): iptables: No chain/target/match by that name.

arno-iptables-firewall[2641]: /sbin/ip6tables -A EXT_MULTICAST_CHAIN -p icmpv6 --icmpv6-type echo-request -m limit --limit 3/m --limit-burst 1 -j LOG --log-level info --log-prefix AIF:ICMP-multicast-request:

arno-iptables-firewall[2641]: ERROR (1): ip6tables: No chain/target/match by that name.

arno-iptables-firewall[2641]: Logging of dropped other ICMP packets enabled

arno-iptables-firewall[2641]: /sbin/iptables -A EXT_INPUT_CHAIN -p icmp ! --icmp-type echo-request -m limit --limit 12/hour --limit-burst 1 -j LOG --log-level info --log-prefix AIF:ICMP-other:

arno-iptables-firewall[2641]: ERROR (1): iptables: No chain/target/match by that name.

arno-iptables-firewall[2641]: /sbin/ip6tables -A EXT_INPUT_CHAIN -p icmpv6 ! --icmpv6-type echo-request -m limit --limit 12/hour --limit-burst 1 -j LOG --log-level info --log-prefix AIF:ICMP-other:

arno-iptables-firewall[2641]: ERROR (1): ip6tables: No chain/target/match by that name.

arno-iptables-firewall[2641]: /sbin/iptables -A EXT_MULTICAST_CHAIN -p icmp ! --icmp-type echo-request -m limit --limit 12/hour --limit-burst 1 -j LOG --log-level info --log-prefix AIF:ICMP-multicast-other:

arno-iptables-firewall[2641]: ERROR (1): iptables: No chain/target/match by that name.

arno-iptables-firewall[2641]: /sbin/ip6tables -A EXT_MULTICAST_CHAIN -p icmpv6 ! --icmpv6-type echo-request -m limit --limit 12/hour --limit-burst 1 -j LOG --log-level info --log-prefix AIF:ICMP-multicast-other:

arno-iptables-firewall[2641]: ERROR (1): ip6tables: No chain/target/match by that name.

arno-iptables-firewall[2641]: Logging of other IP protocols (non TCP/UDP/ICMP/IGMP) packets enabled

arno-iptables-firewall[2641]: /sbin/iptables -A EXT_INPUT_CHAIN -m limit --limit 1/m --limit-burst 5 -j LOG --log-level info --log-prefix AIF:Other connect:

arno-iptables-firewall[2641]: ERROR (1): iptables: No chain/target/match by that name.

arno-iptables-firewall[2641]: /sbin/ip6tables -A EXT_INPUT_CHAIN -m limit --limit 1/m --limit-burst 5 -j LOG --log-level info --log-prefix AIF:Other connect:

arno-iptables-firewall[2641]: ERROR (1): ip6tables: No chain/target/match by that name.

arno-iptables-firewall[2641]: Setting up external(INET) OUTPUT policy

arno-iptables-firewall[2641]: Applying external(INET) policy to interface: enp4s0f2 (without an external subnet specified)

arno-iptables-firewall[2641]: /sbin/ip6tables -A INPUT -i enp4s0f2 -p icmpv6 --icmpv6-type 133 -m hl --hl-eq 255 -j ACCEPT

arno-iptables-firewall[2641]: ERROR (1): ip6tables: No chain/target/match by that name.

arno-iptables-firewall[2641]: /sbin/ip6tables -A INPUT -i enp4s0f2 -p icmpv6 --icmpv6-type 134 -m hl --hl-eq 255 -j ACCEPT

arno-iptables-firewall[2641]: ERROR (1): ip6tables: No chain/target/match by that name.

arno-iptables-firewall[2641]: /sbin/ip6tables -A INPUT -i enp4s0f2 -p icmpv6 --icmpv6-type 135 -m hl --hl-eq 255 -j ACCEPT

arno-iptables-firewall[2641]: ERROR (1): ip6tables: No chain/target/match by that name.

arno-iptables-firewall[2641]: /sbin/ip6tables -A INPUT -i enp4s0f2 -p icmpv6 --icmpv6-type 136 -m hl --hl-eq 255 -j ACCEPT

arno-iptables-firewall[2641]: ERROR (1): ip6tables: No chain/target/match by that name.

arno-iptables-firewall[2641]: /sbin/iptables -A INPUT -i enp4s0f2 -p icmp -m state --state NEW -m limit --limit 60/second --limit-burst 100 -j EXT_INPUT_CHAIN

arno-iptables-firewall[2641]: ERROR (1): iptables: No chain/target/match by that name.

arno-iptables-firewall[2641]: /sbin/ip6tables -A INPUT -i enp4s0f2 -p icmpv6 -m state --state NEW -m limit --limit 60/second --limit-burst 100 -j EXT_INPUT_CHAIN

arno-iptables-firewall[2641]: ERROR (1): ip6tables: No chain/target/match by that name.

arno-iptables-firewall[2641]: Applying external(INET) policy to interface: wlp3s0 (without an external subnet specified)

arno-iptables-firewall[2641]: /sbin/ip6tables -A INPUT -i wlp3s0 -p icmpv6 --icmpv6-type 133 -m hl --hl-eq 255 -j ACCEPT

arno-iptables-firewall[2641]: ERROR (1): ip6tables: No chain/target/match by that name.

arno-iptables-firewall[2641]: /sbin/ip6tables -A INPUT -i wlp3s0 -p icmpv6 --icmpv6-type 134 -m hl --hl-eq 255 -j ACCEPT

arno-iptables-firewall[2641]: ERROR (1): ip6tables: No chain/target/match by that name.

arno-iptables-firewall[2641]: /sbin/ip6tables -A INPUT -i wlp3s0 -p icmpv6 --icmpv6-type 135 -m hl --hl-eq 255 -j ACCEPT

arno-iptables-firewall[2641]: ERROR (1): ip6tables: No chain/target/match by that name.

arno-iptables-firewall[2641]: /sbin/ip6tables -A INPUT -i wlp3s0 -p icmpv6 --icmpv6-type 136 -m hl --hl-eq 255 -j ACCEPT

arno-iptables-firewall[2641]: ERROR (1): ip6tables: No chain/target/match by that name.

arno-iptables-firewall[2641]: /sbin/iptables -A INPUT -i wlp3s0 -p icmp -m state --state NEW -m limit --limit 60/second --limit-burst 100 -j EXT_INPUT_CHAIN

arno-iptables-firewall[2641]: ERROR (1): iptables: No chain/target/match by that name.

arno-iptables-firewall[2641]: /sbin/ip6tables -A INPUT -i wlp3s0 -p icmpv6 -m state --state NEW -m limit --limit 60/second --limit-burst 100 -j EXT_INPUT_CHAIN

arno-iptables-firewall[2641]: ERROR (1): ip6tables: No chain/target/match by that name.

arno-iptables-firewall[2641]: /sbin/iptables -A INPUT -m limit --limit 1/s -j LOG --log-level info --log-prefix AIF:Dropped INPUT packet:

arno-iptables-firewall[2641]: ERROR (1): iptables: No chain/target/match by that name.

arno-iptables-firewall[2641]: /sbin/ip6tables -A INPUT -m limit --limit 1/s -j LOG --log-level info --log-prefix AIF:Dropped INPUT packet:

arno-iptables-firewall[2641]: ERROR (1): ip6tables: No chain/target/match by that name.

arno-iptables-firewall[2641]: Security is ENFORCED for external interface(s) in the FORWARD chain

arno-iptables-firewall[2641]: Logging of dropped FORWARD packets enabled

arno-iptables-firewall[2641]: /sbin/iptables -A FORWARD -m limit --limit 1/m --limit-burst 3 -j LOG --log-level info --log-prefix AIF:Dropped FORWARD packet:

arno-iptables-firewall[2641]: ERROR (1): iptables: No chain/target/match by that name.

arno-iptables-firewall[2641]: /sbin/ip6tables -A FORWARD -m limit --limit 1/m --limit-burst 3 -j LOG --log-level info --log-prefix AIF:Dropped FORWARD packet:

arno-iptables-firewall[2641]: ERROR (1): ip6tables: No chain/target/match by that name.

arno-iptables-firewall[2641]: Nov 01 20:17:23 WARNING: Not all firewall rules are applied.

systemd[1]: arno-iptables-firewall.service: main process exited, code=exited, status=1/FAILURE

systemd[1]: Unit arno-iptables-firewall.service entered failed state.

$ ip6tables -L -n

Chain INPUT (policy DROP)

target     prot opt source               destination         

BASE_INPUT_CHAIN  all      ::/0                 ::/0                

INPUT_CHAIN  all      ::/0                 ::/0                

HOST_BLOCK_SRC  all      ::/0                 ::/0                

SPOOF_CHK  all      ::/0                 ::/0                

VALID_CHK  all      ::/0                 ::/0                

EXT_INPUT_CHAIN !icmpv6    ::/0                 ::/0                 state NEW

EXT_ICMP_FLOOD_CHAIN  icmpv6    ::/0                 ::/0                 state NEW

VALID_CHK  all      ::/0                 ::/0                

EXT_INPUT_CHAIN !icmpv6    ::/0                 ::/0                 state NEW

EXT_ICMP_FLOOD_CHAIN  icmpv6    ::/0                 ::/0                 state NEW

POST_INPUT_CHAIN  all      ::/0                 ::/0                

DROP       all      ::/0                 ::/0                

Chain FORWARD (policy DROP)

target     prot opt source               destination         

BASE_FORWARD_CHAIN  all      ::/0                 ::/0                

TCPMSS     tcp      ::/0                 ::/0                 tcp flags:0x06/0x02 TCPMSS clamp to PMTU

TCPMSS     tcp      ::/0                 ::/0                 tcp flags:0x06/0x02 TCPMSS clamp to PMTU

FORWARD_CHAIN  all      ::/0                 ::/0                

HOST_BLOCK_SRC  all      ::/0                 ::/0                

HOST_BLOCK_DST  all      ::/0                 ::/0                

LINK_LOCAL_DROP  all      fe80::/10            ::/0                

LINK_LOCAL_DROP  all      ::/0                 fe80::/10           

EXT_FORWARD_IN_CHAIN  all      ::/0                 ::/0                

EXT_FORWARD_OUT_CHAIN  all      ::/0                 ::/0                

EXT_FORWARD_IN_CHAIN  all      ::/0                 ::/0                

EXT_FORWARD_OUT_CHAIN  all      ::/0                 ::/0                

SPOOF_CHK  all      ::/0                 ::/0                

POST_FORWARD_CHAIN  all      ::/0                 ::/0                

DROP       all      ::/0                 ::/0                

Chain OUTPUT (policy DROP)

target     prot opt source               destination         

BASE_OUTPUT_CHAIN  all      ::/0                 ::/0                

TCPMSS     tcp      ::/0                 ::/0                 tcp flags:0x06/0x02 TCPMSS clamp to PMTU

TCPMSS     tcp      ::/0                 ::/0                 tcp flags:0x06/0x02 TCPMSS clamp to PMTU

OUTPUT_CHAIN  all      ::/0                 ::/0                

HOST_BLOCK_DST  all      ::/0                 ::/0                

EXT_OUTPUT_CHAIN  all      ::/0                 ::/0                

EXT_OUTPUT_CHAIN  all      ::/0                 ::/0                

POST_OUTPUT_CHAIN  all      ::/0                 ::/0                

ACCEPT     all      ::/0                 ::/0                

Chain BASE_FORWARD_CHAIN (1 references)

target     prot opt source               destination         

ACCEPT     all      ::/0                 ::/0                 state ESTABLISHED

ACCEPT     tcp      ::/0                 ::/0                 state RELATED tcp dpts:1024:65535

ACCEPT     udp      ::/0                 ::/0                 state RELATED udp dpts:1024:65535

ACCEPT     icmpv6    ::/0                 ::/0                 state RELATED

ACCEPT     all      ::/0                 ::/0                

Chain BASE_INPUT_CHAIN (1 references)

target     prot opt source               destination         

ACCEPT     all      ::/0                 ::/0                 state ESTABLISHED

ACCEPT     tcp      ::/0                 ::/0                 state RELATED tcp dpts:1024:65535

ACCEPT     udp      ::/0                 ::/0                 state RELATED udp dpts:1024:65535

ACCEPT     icmpv6    ::/0                 ::/0                 state RELATED

ACCEPT     all      ::/0                 ::/0                

Chain BASE_OUTPUT_CHAIN (1 references)

target     prot opt source               destination         

ACCEPT     all      ::/0                 ::/0                 state ESTABLISHED

ACCEPT     all      ::/0                 ::/0                

Chain DMZ_FORWARD_IN_CHAIN (0 references)

target     prot opt source               destination         

Chain DMZ_FORWARD_OUT_CHAIN (0 references)

target     prot opt source               destination         

Chain DMZ_INET_FORWARD_CHAIN (0 references)

target     prot opt source               destination         

Chain DMZ_INPUT_CHAIN (0 references)

target     prot opt source               destination         

Chain DMZ_LAN_FORWARD_CHAIN (0 references)

target     prot opt source               destination         

Chain DMZ_OUTPUT_CHAIN (0 references)

target     prot opt source               destination         

Chain EXT_BROADCAST_CHAIN (0 references)

target     prot opt source               destination         

DROP       all      ::/0                 ::/0                

Chain EXT_FORWARD_IN_CHAIN (2 references)

target     prot opt source               destination         

VALID_CHK  all      ::/0                 ::/0                

Chain EXT_FORWARD_OUT_CHAIN (2 references)

target     prot opt source               destination         

Chain EXT_ICMP_FLOOD_CHAIN (2 references)

target     prot opt source               destination         

POST_INPUT_DROP_CHAIN  icmpv6    ::/0                 ::/0                 ipv6-icmptype 1

POST_INPUT_DROP_CHAIN  icmpv6    ::/0                 ::/0                 ipv6-icmptype 3

POST_INPUT_DROP_CHAIN  icmpv6    ::/0                 ::/0                 ipv6-icmptype 4

POST_INPUT_DROP_CHAIN  icmpv6    ::/0                 ::/0                 ipv6-icmptype 128

POST_INPUT_DROP_CHAIN  icmpv6    ::/0                 ::/0                 ipv6-icmptype 129

POST_INPUT_DROP_CHAIN  icmpv6    ::/0                 ::/0                 ipv6-icmptype 2

POST_INPUT_DROP_CHAIN  icmpv6    ::/0                 ::/0                

Chain EXT_INPUT_CHAIN (2 references)

target     prot opt source               destination         

POST_INPUT_DROP_CHAIN  tcp      ::/0                 ::/0                 tcp dpt:0

POST_INPUT_DROP_CHAIN  udp      ::/0                 ::/0                 udp dpt:0

POST_INPUT_DROP_CHAIN  tcp      ::/0                 ::/0                 tcp spt:0

POST_INPUT_DROP_CHAIN  udp      ::/0                 ::/0                 udp spt:0

ACCEPT     udp      ::/0                 ::/0                 udp spt:547 dpt:546

POST_INPUT_DROP_CHAIN  tcp      ::/0                 ::/0                 tcp flags:!0x17/0x02

EXT_MULTICAST_CHAIN  all      ::/0                 ff00::/8            

POST_INPUT_CHAIN  all      ::/0                 ::/0                

POST_INPUT_DROP_CHAIN  tcp      ::/0                 ::/0                

POST_INPUT_DROP_CHAIN  udp      ::/0                 ::/0                

POST_INPUT_DROP_CHAIN  icmpv6    ::/0                 ::/0                

POST_INPUT_DROP_CHAIN  all      ::/0                 ::/0                

Chain EXT_MULTICAST_CHAIN (1 references)

target     prot opt source               destination         

DROP       all      ::/0                 ::/0                

Chain EXT_OUTPUT_CHAIN (2 references)

target     prot opt source               destination         

Chain FORWARD_CHAIN (1 references)

target     prot opt source               destination         

Chain HOST_BLOCK_DROP (0 references)

target     prot opt source               destination         

DROP       all      ::/0                 ::/0                

Chain HOST_BLOCK_DST (2 references)

target     prot opt source               destination         

Chain HOST_BLOCK_SRC (2 references)

target     prot opt source               destination         

Chain INET_DMZ_FORWARD_CHAIN (0 references)

target     prot opt source               destination         

Chain INPUT_CHAIN (1 references)

target     prot opt source               destination         

Chain INT_FORWARD_IN_CHAIN (0 references)

target     prot opt source               destination         

Chain INT_FORWARD_OUT_CHAIN (0 references)

target     prot opt source               destination         

Chain INT_INPUT_CHAIN (0 references)

target     prot opt source               destination         

Chain INT_OUTPUT_CHAIN (0 references)

target     prot opt source               destination         

Chain LAN_INET_FORWARD_CHAIN (0 references)

target     prot opt source               destination         

Chain LINK_LOCAL_DROP (2 references)

target     prot opt source               destination         

DROP       all      ::/0                 ::/0                

Chain OUTPUT_CHAIN (1 references)

target     prot opt source               destination         

Chain POST_FORWARD_CHAIN (1 references)

target     prot opt source               destination         

Chain POST_INPUT_CHAIN (2 references)

target     prot opt source               destination         

Chain POST_INPUT_DROP_CHAIN (26 references)

target     prot opt source               destination         

DROP       all      ::/0                 ::/0                

Chain POST_OUTPUT_CHAIN (1 references)

target     prot opt source               destination         

Chain RESERVED_NET_CHK (0 references)

target     prot opt source               destination         

Chain SPOOF_CHK (2 references)

target     prot opt source               destination         

RETURN     all      ::/0                 ::/0                

Chain VALID_CHK (3 references)

target     prot opt source               destination         

POST_INPUT_DROP_CHAIN  tcp      ::/0                 ::/0                 tcp flags:0x3F/0x29

POST_INPUT_DROP_CHAIN  tcp      ::/0                 ::/0                 tcp flags:0x3F/0x37

POST_INPUT_DROP_CHAIN  tcp      ::/0                 ::/0                 tcp flags:0x3F/0x3F

POST_INPUT_DROP_CHAIN  tcp      ::/0                 ::/0                 tcp flags:0x3F/0x01

POST_INPUT_DROP_CHAIN  tcp      ::/0                 ::/0                 tcp flags:0x06/0x06

POST_INPUT_DROP_CHAIN  tcp      ::/0                 ::/0                 tcp flags:0x03/0x03

POST_INPUT_DROP_CHAIN  tcp      ::/0                 ::/0                 tcp flags:0x3F/0x00

POST_INPUT_DROP_CHAIN  tcp      ::/0                 ::/0                 tcp option=64

POST_INPUT_DROP_CHAIN  tcp      ::/0                 ::/0                 tcp option=128

POST_INPUT_DROP_CHAIN  all      ::/0                 ::/0                 state INVALID

Last edited by NP_complete on Mon Nov 03, 2014 3:02 pm; edited 2 times in total

----------

## Hu

You should probably not use that script.  It commits one of the most basic errors of iptables maintenance: non-atomic rule loads.  That is why it leaves a mess in your loaded rules when it fails to load some changes.  If you still want to use it, you probably want NETFILTER_XT_MATCH_LIMIT and NETFILTER_XT_MATCH_MULTIPORT.
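An added example to go with the two Kconfig symbols named above (this is not the script's own code and not something posted in the thread): a small POSIX sh check that reads the running kernel's configuration and reports which netfilter match options are neither built in (=y) nor modular (=m). Besides `limit` and `multiport`, the log also shows every `-m hl` rule failing with "No chain/target/match by that name", so the check covers CONFIG_NETFILTER_XT_MATCH_HL as well; the sample config embedded in the block is constructed for illustration and is not the poster's. The "Assuming compiled-in-kernel" warning in the log is exactly the gap this closes: modprobe failing does not mean the match is built in, and the kernel then rejects every rule that uses it.

```shell
#!/bin/sh
# Added example: check the running kernel's config for the netfilter match
# modules arno-iptables-firewall asked for. Not the script's own code and not
# from the thread; the option names are the real Kconfig symbols.
set -eu

# Print the kernel config text, trying /proc/config.gz (needs CONFIG_IKCONFIG_PROC),
# then the distribution's /boot copy, then the kernel source tree.
kernel_config() {
    if [ -r /proc/config.gz ]; then
        zcat /proc/config.gz
    elif [ -r "/boot/config-$(uname -r)" ]; then
        cat "/boot/config-$(uname -r)"
    elif [ -r /usr/src/linux/.config ]; then
        cat /usr/src/linux/.config
    else
        echo "no kernel config found; enable CONFIG_IKCONFIG_PROC or point at .config" >&2
        return 1
    fi
}

# Read config text on stdin; print every named option that is neither =y
# (built in) nor =m (module). Returns 1 if at least one is missing.
missing_options() {
    cfg=$(cat)
    rc=0
    for opt in "$@"; do
        # cut is last in the pipeline, so a non-matching grep does not trip set -e
        val=$(printf '%s\n' "$cfg" | grep "^$opt=" | cut -d= -f2)
        case $val in
            y|m) ;;
            *) echo "$opt"; rc=1 ;;
        esac
    done
    return $rc
}

# The three matches that failed in the log: -m limit, -m multiport, -m hl.
NEEDED="CONFIG_NETFILTER_XT_MATCH_LIMIT CONFIG_NETFILTER_XT_MATCH_MULTIPORT CONFIG_NETFILTER_XT_MATCH_HL"

# Constructed sample config (not the poster's): limit built in, multiport
# and hl absent, so the check has something to report.
SAMPLE_CONFIG='CONFIG_NETFILTER_XT_MATCH_CONNTRACK=m
CONFIG_NETFILTER_XT_MATCH_LIMIT=y
# CONFIG_NETFILTER_XT_MATCH_MULTIPORT is not set
CONFIG_NETFILTER_XT_MATCH_STATE=m'

# Run the check on the constructed sample; prints the missing symbols, one per line.
demo_missing() {
    printf '%s\n' "$SAMPLE_CONFIG" | missing_options $NEEDED || true
}

# With "check" as the first argument, inspect the real kernel instead.
if [ "${1:-}" = check ]; then
    kernel_config | missing_options $NEEDED && echo "all required matches are built in or modular"
fi
```

Run it as `sh check-matches.sh check` on the box in question; anything it prints is a symbol to enable under Networking support, Networking options, Network packet filtering framework (Netfilter), Core Netfilter Configuration in menuconfig, followed by a kernel rebuild. On a kernel without CONFIG_IKCONFIG_PROC it falls back to the .config in /usr/src/linux, which only reflects the running kernel if that tree is the one it was built from.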

----------

## NP_complete

Hu,

Thanks much for the reply.

1.  Which iptables loader would you recommend?  See, my first move was to get firewalld running, but its GUI relies on python-2.  (There may be a good clean Gentoo way of hooking it up with python-2...  I'm not sure).

2.  Unless you disagree, NETFILTER_XT_MATCH_LIMIT and NETFILTER_XT_MATCH_MULTIPORT are necessary regardless, if the firewall is to be fully functional.  No?

Many thanks.

----------

## Hu

I recommend using iptables-restore to load the rules into the system.  You can safely use any front-end that relies on that, and the result will be an atomic load.

Those are necessary for the firewall as you are currently trying to configure it.  They are not necessary for all possible firewalls, and it may be possible to build a firewall without them that still satisfies your basic requirements.
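As an added example of both points in this reply (atomic loading through iptables-restore, and a firewall that does without the missing matches), here is a POSIX sh script that is not arno-iptables-firewall's code and was not posted in the thread. It builds a default-deny ruleset for a single-user machine with no externally reachable daemons, checks that the text references none of the matches the log shows failing (`limit`, `multiport`, `hl`), validates it with `iptables-restore --test` and only then commits it. It assumes the iptables userspace tools and the conntrack match (the log shows xt_conntrack loading fine); the rule contents are my choice, not the thread's.

```shell
#!/bin/sh
# Added example: a minimal ruleset for a single-user box with no listening
# daemons, loaded atomically with iptables-restore / ip6tables-restore.
# Not arno-iptables-firewall's code and not from the thread. Assumes the
# iptables userspace tools and the conntrack match (xt_conntrack loaded in
# the log); it deliberately uses no limit, multiport or hl match.
set -eu

# IPv4 ruleset in iptables-restore format: default-deny INPUT/FORWARD,
# loopback and reply traffic allowed, ping answered.
build_ruleset_v4() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
COMMIT
EOF
}

# IPv6 ruleset: same policy, plus the ICMPv6 neighbour-discovery types
# (134-136) a host needs to stay reachable, ping, and DHCPv6 client replies.
build_ruleset_v6() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type 134 -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type 135 -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type 136 -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type 128 -j ACCEPT
-A INPUT -p udp --sport 547 --dport 546 -j ACCEPT
COMMIT
EOF
}

# Return 0 if the ruleset text references none of the given match names
# (checked as "-m NAME"), 1 otherwise. Keeps the set loadable on a kernel
# that lacks those matches.
ruleset_avoids() {
    rules=$1; shift
    for m in "$@"; do
        if printf '%s\n' "$rules" | grep -q -- "-m $m"; then
            return 1
        fi
    done
    return 0
}

# Parse and construct with --test first; only then commit. Either the whole
# table is replaced or nothing changes, unlike the rule-by-rule appends in the log.
load_ruleset() {
    tool=$1; rules=$2
    tmp=$(mktemp)
    printf '%s\n' "$rules" > "$tmp"
    if ! "$tool" --test < "$tmp"; then
        echo "$tool --test rejected the ruleset; nothing was changed" >&2
        rm -f "$tmp"
        return 1
    fi
    "$tool" < "$tmp"
    rm -f "$tmp"
}

# With "apply" as the first argument (run as root), load both rulesets.
if [ "${1:-}" = apply ]; then
    for r in "$(build_ruleset_v4)" "$(build_ruleset_v6)"; do
        ruleset_avoids "$r" limit multiport hl
    done
    load_ruleset iptables-restore "$(build_ruleset_v4)"
    load_ruleset ip6tables-restore "$(build_ruleset_v6)"
fi
```

Two caveats worth knowing before relying on this: iptables-restore is atomic per table and per IP version, so the IPv4 and IPv6 tables are still two separate commits, and a ruleset rejected at `--test` leaves the previously loaded rules untouched. The script also carries no LOG rules on purpose: without the `limit` match a LOG rule has no rate cap, so add logging only once CONFIG_NETFILTER_XT_MATCH_LIMIT is built.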

----------

## NP_complete

I'm gonna follow the advice and go with iptables-restore;  arno-iptables-firewall does need the two modules.  No way around that, however many config file parameters you turn off.  I've done some reading: these modules are good against DOS attacks on servers, but for an end-user box with no externally accessible daemons, they are completely extraneous.  I'm uninstalling the package.

----------

