Bug#993827: upgrade-reports: Installation of firewalld caused surprising results

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#993827: upgrade-reports: Installation of firewalld caused surprising results
From: Kjetil Kjernsmo <kjetil@kjernsmo.net>
Date: Tue, 07 Sep 2021 01:05:29 +0200
Message-id: <[🔎] 163096952971.920441.9372967217343968369.reportbug@robin.kjernsmo.net>
Reply-to: Kjetil Kjernsmo <kjetil@kjernsmo.net>, 993827@bugs.debian.org

Package: upgrade-reports
Severity: normal

(Please provide enough information to help the Debian
maintainers evaluate the report efficiently - e.g., by filling
in the sections below.)

My previous release is: Buster
I am upgrading to: Bullseye
Upgrade date: 2021-09-04  15:05:52
uname -a after upgrade: Linux robin 5.10.0-8-amd64 #1 SMP Debian
5.10.46-4 (2021-08-03) x86_64 GNU/Linux

Method:  apt full-upgrade

Contents of /etc/apt/sources.list:

deb http://ftp.no.debian.org/debian/ bullseye main contrib non-free
deb-src http://ftp.no.debian.org/debian/ bullseye main contrib non-free

deb http://security.debian.org/debian-security bullseye-security main
contrib non-free
deb-src http://security.debian.org/debian-security bullseye-security
main contrib non-free

# bullseye-updates, previously known as 'volatile'
deb http://ftp.no.debian.org/debian/ bullseye-updates main
deb-src http://ftp.no.debian.org/debian/ bullseye-updates main


The upgrade went smoothly, except for one problem, it closed all ports
except 22. 

It took me a while to figure out, but I eventually solved it by doing 
 systemctl stop firewalld.service 
 systemctl disable firewalld.service 

I did not have time for a more thorough investigation than the time it
took to figure it out, but I hope this report is useful nevertheless.

I believe that what happened is that firewalld has a default setup
that closes everything except port 22. This box didn't need a firewall
of its own, it is behind a firewall managed by a different system, but
apparently, iptables was installed as a dependency of Docker. Then,
I have configured apt with
APT::Install-Suggests "true";
and so firewalld got installed as a result. It was not suggested by
iptables in Buster.

I leave it to you to determine what the appropriate action might be. I
guess the Install-Suggests is a relatively rarely used feature, so it
is not very likely to be a widespread problem. I don't know if it is
possible to have firewalld ask the user whether they want to close
down if it is installed as a dependency or something.

Cheers,

Kjetil

Reply to:

Prev by Date: Bug#993495:
Next by Date: Bug#993995: Acknowledgement (upgrade-reports: lost abilty to do fast repeated key strokes after upgrade from buster to bullseye)
Previous by thread: Bug#993495:
Next by thread: Bug#993995: Acknowledgement (upgrade-reports: lost abilty to do fast repeated key strokes after upgrade from buster to bullseye)
Index(es):
- Date
- Thread