Bug#993827: upgrade-reports: Installation of firewalld caused surprising results
Package: upgrade-reports
Severity: normal
(Please provide enough information to help the Debian
maintainers evaluate the report efficiently - e.g., by filling
in the sections below.)
My previous release is: Buster
I am upgrading to: Bullseye
Upgrade date: 2021-09-04 15:05:52
uname -a after upgrade: Linux robin 5.10.0-8-amd64 #1 SMP Debian 5.10.46-4 (2021-08-03) x86_64 GNU/Linux
Method: apt full-upgrade
Contents of /etc/apt/sources.list:
deb http://ftp.no.debian.org/debian/ bullseye main contrib non-free
deb-src http://ftp.no.debian.org/debian/ bullseye main contrib non-free
deb http://security.debian.org/debian-security bullseye-security main contrib non-free
deb-src http://security.debian.org/debian-security bullseye-security main contrib non-free
# bullseye-updates, previously known as 'volatile'
deb http://ftp.no.debian.org/debian/ bullseye-updates main
deb-src http://ftp.no.debian.org/debian/ bullseye-updates main
The upgrade went smoothly, except for one problem: it closed all ports
except 22.
It took me a while to figure out, but I eventually solved it by doing
  systemctl stop firewalld.service
  systemctl disable firewalld.service
I did not have time for a more thorough investigation than the time it
took to figure it out, but I hope this report is useful nevertheless.
I believe that what happened is that firewalld has a default setup
that closes everything except port 22. This box didn't need a firewall
of its own; it is behind a firewall managed by a different system, but
apparently, iptables was installed as a dependency of Docker. Then,
I have configured apt with
APT::Install-Suggests "true";
and so firewalld got installed as a result. It was not suggested by
iptables in Buster.
I leave it to you to determine what the appropriate action might be. I
guess the Install-Suggests is a relatively rarely used feature, so it
is not very likely to be a widespread problem. I don't know if it is
possible to have firewalld ask the user whether they want to close
down if it is installed as a dependency or something.
Cheers,
Kjetil
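
Added example (not part of the original report and not Debian tooling): a pre-upgrade check that reads simulated apt output and flags firewall managers that would be newly installed, for instance through Suggests as described above. The watchlist, the function names and the sample lines with their version strings are assumptions constructed for illustration.

```shell
#!/bin/sh
# Reads `apt-get -s` (simulation) output on stdin and reports packages
# that would be NEWLY installed and that manage the host firewall.

# Assumed watchlist for this example; extend to suit the site.
WATCHLIST="firewalld ufw nftables shorewall"

# new_installs: print the names of packages that would be newly installed.
# In simulation output an upgrade reads "Inst pkg [old] (new ...)",
# while a new install has no "[old]" field: "Inst pkg (new ...)".
new_installs() {
    awk '$1 == "Inst" && $3 !~ /^\[/ { print $2 }'
}

# flag_firewall_pkgs: print each newly installed package that is on
# the watchlist, one per line. Prints nothing when none are found.
flag_firewall_pkgs() {
    for pkg in $(new_installs); do
        for w in $WATCHLIST; do
            if [ "$pkg" = "$w" ]; then
                echo "$pkg"
            fi
        done
    done
}

# Constructed sample of simulation output (placeholder versions,
# not taken from the report).
sample_output() {
    cat <<'EOF'
Inst libc6 [1.0-1] (2.0-1 Debian:11.0/stable [amd64])
Inst iptables [1.0-1] (2.0-1 Debian:11.0/stable [amd64])
Inst firewalld (2.0-1 Debian:11.0/stable [all])
Inst python3-firewall (2.0-1 Debian:11.0/stable [all])
Conf firewalld (2.0-1 Debian:11.0/stable [all])
EOF
}

# Real use, run before the upgrade (needs apt, so commented out here):
#   apt-get -s dist-upgrade | flag_firewall_pkgs
```

Any output means the upgrade would bring in a package that can change which ports are reachable, so its default policy should be reviewed before the upgrade is run.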