Installation fails

2012-07-26
2013-03-05
  • Chad Hurley
    2012-07-26

    Hi All;

    I am having a curious problem.  I am running Firewall Builder 5.1 on Ubuntu 12.04 and my firewall nodes are OpenBSD 5.1 in a cluster.  When I compile and upload I get an "installation failed" message.  The funny thing is it appears that everything uploads and the PF rules are applied.  I can't figure out why the failure is happening.  Any help would be greatly appreciated.  Below are the output logs from fwbuilder.

    Summary:
    * Running as user : fwbuilder
    * Firewall name : fw1
    * Installer uses user name : fwbuilder
    * Management address : X.X.X.178
    * Platform : pf
    * Host OS : openbsd
    * Loading configuration from file /home/fwbuilder/fwbuilder/dc-20120719-CH.fwb

    Installation plan:
    Copy file: /home/fwbuilder/fwbuilder/fw1-Always_Allow.conf -> /etc/fw1-Always_Allow.conf
    Copy file: /home/fwbuilder/fwbuilder/fw1.conf -> /etc/pf.conf
    Copy file: /home/fwbuilder/fwbuilder/fw1.fw -> /etc/fw1.fw
    Run script echo '-**-**-'; chmod +x /etc/fw1.fw; sudo -S /etc/fw1.fw && (echo 'Policy activated'; sleep 2; echo)

    Copying /home/fwbuilder/fwbuilder/fw1-Always_Allow.conf -> X.X.X.178:/etc/fw1-Always_Allow.conf
    Running command '/usr/bin/fwbuilder -Y scp -o ConnectTimeout=30 -q /home/fwbuilder/fwbuilder/fw1-Always_Allow.conf fwbuilder@X.X.X.178:/etc/fw1-Always_Allow.conf'
    Firewall Builder GUI 5.1.0.3599
    fwbuilder@X.X.X.178's password:
    SSH session terminated, exit status: 0
    Copying /home/fwbuilder/fwbuilder/fw1.conf -> X.X.X.178:/etc/pf.conf
    Running command '/usr/bin/fwbuilder -Y scp -o ConnectTimeout=30 -q /home/fwbuilder/fwbuilder/fw1.conf fwbuilder@X.X.X.178:/etc/pf.conf'
    Firewall Builder GUI 5.1.0.3599
    fwbuilder@X.X.X.178's password:
    SSH session terminated, exit status: 0
    Copying /home/fwbuilder/fwbuilder/fw1.fw -> X.X.X.178:/etc/fw1.fw
    Running command '/usr/bin/fwbuilder -Y scp -o ConnectTimeout=30 -q /home/fwbuilder/fwbuilder/fw1.fw fwbuilder@X.X.X.178:/etc/fw1.fw'
    Firewall Builder GUI 5.1.0.3599
    fwbuilder@X.X.X.178's password:
    SSH session terminated, exit status: 0
    Running command '/usr/bin/fwbuilder -X ssh -o ServerAliveInterval=10 -t -t -v -l fwbuilder X.X.X.178 echo '-**-**-'; chmod +x /etc/fw1.fw; sudo -S /etc/fw1.fw && (echo 'Policy activated'; sleep 2; echo)'
    Firewall Builder GUI 5.1.0.3599
    OpenSSH_5.9p1 Debian-5ubuntu1, OpenSSL 1.0.1 14 Mar 2012
    debug1: Reading configuration data /etc/ssh/ssh_config
    debug1: /etc/ssh/ssh_config line 19: Applying options for *
    debug1: Connecting to X.X.X.178  port 22.
    debug1: Connection established.
    debug1: identity file /home/fwbuilder/.ssh/id_rsa type -1
    debug1: identity file /home/fwbuilder/.ssh/id_rsa-cert type -1
    debug1: identity file /home/fwbuilder/.ssh/id_dsa type -1
    debug1: identity file /home/fwbuilder/.ssh/id_dsa-cert type -1
    debug1: identity file /home/fwbuilder/.ssh/id_ecdsa type -1
    debug1: identity file /home/fwbuilder/.ssh/id_ecdsa-cert type -1
    debug1: Remote protocol version 2.0, remote software version OpenSSH_6.0
    debug1: match: OpenSSH_6.0 pat OpenSSH*
    debug1: Enabling compatibility mode for protocol 2.0
    debug1: Local version string SSH-2.0-OpenSSH_5.9p1 Debian-5ubuntu1
    debug1: SSH2_MSG_KEXINIT sent
    debug1: SSH2_MSG_KEXINIT received
    debug1: kex: server->client aes128-ctr hmac-md5 none
    debug1: kex: client->server aes128-ctr hmac-md5 none
    debug1: sending SSH2_MSG_KEX_ECDH_INIT
    debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
    debug1: Server host key: ECDSA 22:96:69:23:8e:69:de:22:ea:51:16:29:b9:0b:b9:3d
    debug1: Host 'X.X.X.178' is known and matches the ECDSA host key.
    debug1: Found key in /home/fwbuilder/.ssh/known_hosts:1
    debug1: ssh_ecdsa_verify: signature correct
    debug1: SSH2_MSG_NEWKEYS sent
    debug1: expecting SSH2_MSG_NEWKEYS
    debug1: SSH2_MSG_NEWKEYS received
    debug1: Roaming not allowed by server
    debug1: SSH2_MSG_SERVICE_REQUEST sent
    debug1: SSH2_MSG_SERVICE_ACCEPT received
    debug1: Authentications that can continue: password,keyboard-interactive
    debug1: Next authentication method: keyboard-interactive
    debug1: Authentications that can continue: password,keyboard-interactive
    debug1: Next authentication method: password
    fwbuilder@X.X.X.178's password:
    debug1: Authentication succeeded (password).
    Authenticated to X.X.X.178 (:22).
    debug1: channel 0: new
    debug1: Requesting no-more-sessions@openssh.com
    debug1: Entering interactive session.
    debug1: Sending environment.
    debug1: Sending command: echo '-**-**-'; chmod +x /etc/fw1.fw; sudo -S /etc/fw1.fw && (echo 'Policy activated'; sleep 2; echo)
    Logged in
    -**-**-
    chmod: /etc/fw1.fw: Operation not permitted
    Activating firewall script generated Thu Jul 26 10:53:34 2012 by fwbuilder
    net.inet.ip.forwarding: 1 -> 1
    ifconfig: SIOCSVH: Network is down
    ifconfig: SIOCSVH: Network is down
    ifconfig: SIOCSVH: Network is down
    ifconfig: SIOCSVH: Network is down
    ifconfig: SIOCSVH: Network is down
    ifconfig: SIOCSVH: Network is down
    ifconfig: SIOCSVH: Network is down
    ifconfig: SIOCSVH: Network is down
    Timeout, server X.X.X.178 not responding.
    SSH session terminated, exit status: 255
    Firewall policy installation failed

    Summary:
    * Running as user : fwbuilder
    * Firewall name : fw2
    * Installer uses user name : fwbuilder
    * Management address : X.X.X.187
    * Platform : pf
    * Host OS : openbsd
    * Loading configuration from file /home/fwbuilder/fwbuilder/dc-20120719-CH.fwb

    Installation plan:
    Copy file: /home/fwbuilder/fwbuilder/fw2-Always_Allow.conf -> /etc/fw2-Always_Allow.conf
    Copy file: /home/fwbuilder/fwbuilder/fw2.conf -> /etc/pf.conf
    Copy file: /home/fwbuilder/fwbuilder/fw2.fw -> /etc/fw2.fw
    Run script echo '-**-**-'; chmod +x /etc/fw2.fw; sudo -S /etc/fw2.fw && (echo 'Policy activated'; sleep 2; echo)

    Copying /home/fwbuilder/fwbuilder/fw2-Always_Allow.conf -> X.X.X.187:/etc/fw2-Always_Allow.conf
    Running command '/usr/bin/fwbuilder -Y scp -o ConnectTimeout=30 -q /home/fwbuilder/fwbuilder/fw2-Always_Allow.conf fwbuilder@X.X.X.187:/etc/fw2-Always_Allow.conf'
    Firewall Builder GUI 5.1.0.3599
    fwbuilder@X.X.X.187's password:
    SSH session terminated, exit status: 0
    Copying /home/fwbuilder/fwbuilder/fw2.conf -> X.X.X.187:/etc/pf.conf
    Running command '/usr/bin/fwbuilder -Y scp -o ConnectTimeout=30 -q /home/fwbuilder/fwbuilder/fw2.conf fwbuilder@X.X.X.187:/etc/pf.conf'
    Firewall Builder GUI 5.1.0.3599
    fwbuilder@X.X.X.187's password:
    SSH session terminated, exit status: 0
    Copying /home/fwbuilder/fwbuilder/fw2.fw -> X.X.X.187:/etc/fw2.fw
    Running command '/usr/bin/fwbuilder -Y scp -o ConnectTimeout=30 -q /home/fwbuilder/fwbuilder/fw2.fw fwbuilder@X.X.X.187:/etc/fw2.fw'
    Firewall Builder GUI 5.1.0.3599
    fwbuilder@X.X.X.187's password:
    SSH session terminated, exit status: 0
    Running command '/usr/bin/fwbuilder -X ssh -o ServerAliveInterval=10 -t -t -v -l fwbuilder X.X.X.187 echo '-**-**-'; chmod +x /etc/fw2.fw; sudo -S /etc/fw2.fw && (echo 'Policy activated'; sleep 2; echo)'
    Firewall Builder GUI 5.1.0.3599
    OpenSSH_5.9p1 Debian-5ubuntu1, OpenSSL 1.0.1 14 Mar 2012
    debug1: Reading configuration data /etc/ssh/ssh_config
    debug1: /etc/ssh/ssh_config line 19: Applying options for *
    debug1: Connecting to X.X.X.187  port 22.
    debug1: Connection established.
    debug1: identity file /home/fwbuilder/.ssh/id_rsa type -1
    debug1: identity file /home/fwbuilder/.ssh/id_rsa-cert type -1
    debug1: identity file /home/fwbuilder/.ssh/id_dsa type -1
    debug1: identity file /home/fwbuilder/.ssh/id_dsa-cert type -1
    debug1: identity file /home/fwbuilder/.ssh/id_ecdsa type -1
    debug1: identity file /home/fwbuilder/.ssh/id_ecdsa-cert type -1
    debug1: Remote protocol version 2.0, remote software version OpenSSH_6.0
    debug1: match: OpenSSH_6.0 pat OpenSSH*
    debug1: Enabling compatibility mode for protocol 2.0
    debug1: Local version string SSH-2.0-OpenSSH_5.9p1 Debian-5ubuntu1
    debug1: SSH2_MSG_KEXINIT sent
    debug1: SSH2_MSG_KEXINIT received
    debug1: kex: server->client aes128-ctr hmac-md5 none
    debug1: kex: client->server aes128-ctr hmac-md5 none
    debug1: sending SSH2_MSG_KEX_ECDH_INIT
    debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
    debug1: Server host key: ECDSA c7:c7:86:7d:86:9f:ac:76:bb:9a:76:f8:10:76:1f:c8
    debug1: Host 'X.X.X.187' is known and matches the ECDSA host key.
    debug1: Found key in /home/fwbuilder/.ssh/known_hosts:2
    debug1: ssh_ecdsa_verify: signature correct
    debug1: SSH2_MSG_NEWKEYS sent
    debug1: expecting SSH2_MSG_NEWKEYS
    debug1: SSH2_MSG_NEWKEYS received
    debug1: Roaming not allowed by server
    debug1: SSH2_MSG_SERVICE_REQUEST sent
    debug1: SSH2_MSG_SERVICE_ACCEPT received
    debug1: Authentications that can continue: password,keyboard-interactive
    debug1: Next authentication method: keyboard-interactive
    debug1: Authentications that can continue: password,keyboard-interactive
    debug1: Next authentication method: password
    fwbuilder@X.X.X.187's password:
    debug1: Authentication succeeded (password).
    Authenticated to X.X.X.187 (:22).
    debug1: channel 0: new
    debug1: Requesting no-more-sessions@openssh.com
    debug1: Entering interactive session.
    debug1: Sending environment.
    debug1: Sending command: echo '-**-**-'; chmod +x /etc/fw2.fw; sudo -S /etc/fw2.fw && (echo 'Policy activated'; sleep 2; echo)
    Logged in
    -**-**-
    chmod: /etc/fw2.fw: Operation not permitted
    Activating firewall script generated Thu Jul 26 10:53:37 2012 by fwbuilder
    net.inet.ip.forwarding: 1 -> 1
    ifconfig: SIOCSVH: Network is down
    ifconfig: SIOCSVH: Network is down
    ifconfig: SIOCSVH: Network is down
    ifconfig: SIOCSVH: Network is down
    ifconfig: SIOCSVH: Network is down
    ifconfig: SIOCSVH: Network is down
    ifconfig: SIOCSVH: Network is down
    ifconfig: SIOCSVH: Network is down
    Timeout, server X.X.X.187 not responding.
    SSH session terminated, exit status: 255
    Firewall policy installation failed

     
  • Vadim Kurland
    2012-07-26

    I would start with the permissions problem:

    chmod: /etc/fw2.fw: Operation not permitted

    then ssh might get disconnected if you don't have a rule to permit it. The simplest way to add the rule is to use the checkbox "always permit ssh connections from the management workstation" in the firewall settings dialog; however, you can also add a rule manually on top of the policy.
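As an added example (not fwbuilder's installer and not code from anyone in this thread), here is a pre-install check the installer user can run on the OpenBSD node for the two points in the reply above: whether "chmod +x" on the uploaded script can succeed, and whether the ruleset carries a rule that keeps the management SSH session open. It assumes the paths /etc/fw1.fw and /etc/pf.conf, the management interface em0, the file name fwb_precheck.sh, and a management workstation at 192.0.2.10; change those for the real setup. The chmod point rests on how chmod(2) works: only the file's owner or root may change a file's mode, so a leftover /etc/fw1.fw owned by another user fails with EPERM ("Operation not permitted") even when scp was able to overwrite its contents.

```shell
#!/bin/sh
# Pre-install checks for a Firewall Builder pf target, run on the OpenBSD node
# as the installer user before pressing "Install". Added example: this is not
# fwbuilder's installer and not code posted in this thread. FW_SCRIPT, PF_CONF,
# MGMT_WS and the interface name em0 are assumptions for illustration.

FW_SCRIPT=${FW_SCRIPT:-/etc/fw1.fw}
PF_CONF=${PF_CONF:-/etc/pf.conf}
MGMT_WS=${MGMT_WS:-192.0.2.10}   # assumed management workstation address

# chmod(2) succeeds only for the file's owner or for root. If an earlier install
# left FW_SCRIPT owned by someone else, scp may still overwrite it (the mode
# permitting) but "chmod +x" then fails with EPERM, printed as
# "chmod: /etc/fw1.fw: Operation not permitted".
# Returns 0 if the current user may chmod the file, 1 if not, 2 if it is missing.
owner_can_chmod() {
    [ -e "$1" ] || return 2
    owner_uid=$(ls -ln "$1" | awk '{ print $3 }')   # numeric owner uid (POSIX ls -n)
    me=$(id -u)
    [ "$me" -eq 0 ] || [ "$me" -eq "$owner_uid" ]
}

# The rule that keeps the installer's SSH session alive must match before any
# block rule, so it belongs at the top of the filter section with "quick".
# Plain pf syntax written by hand here; fwbuilder emits its own equivalent when
# "always permit ssh connections from the management workstation" is ticked.
# $1 = management interface, $2 = management workstation address.
mgmt_ssh_rule() {
    printf 'pass in quick on %s proto tcp from %s to (%s) port 22 keep state\n' \
        "$1" "$2" "$1"
}

# Text-level sanity check: is there a "pass" rule for tcp/22 from the
# management address in the ruleset file? Not a substitute for pfctl, which is
# the only thing that really parses the file.
has_mgmt_ssh_rule() {
    addr=$(printf '%s' "$2" | sed 's/\./\\./g')
    grep -E "^[[:space:]]*pass[[:space:]].*proto[[:space:]]+tcp.*from[[:space:]]+$addr([[:space:]]|/).*port[[:space:]]+(22|ssh)([[:space:]]|$)" \
        "$1" >/dev/null 2>&1
}

main() {
    rc=0
    if owner_can_chmod "$FW_SCRIPT"; then
        echo "ok: $(id -un) may chmod $FW_SCRIPT"
    elif [ -e "$FW_SCRIPT" ]; then
        echo "FAIL: $(id -un) cannot chmod $FW_SCRIPT (owned by uid $(ls -ln "$FW_SCRIPT" | awk '{ print $3 }'))"
        echo "      fix once as root, e.g.: chown $(id -un) $FW_SCRIPT"
        rc=1
    else
        echo "note: $FW_SCRIPT not present yet; the first install will create it"
    fi

    if has_mgmt_ssh_rule "$PF_CONF" "$MGMT_WS"; then
        echo "ok: $PF_CONF passes ssh from $MGMT_WS"
    else
        echo "FAIL: no pass rule for ssh from $MGMT_WS in $PF_CONF; expected near the top:"
        mgmt_ssh_rule em0 "$MGMT_WS" | sed 's/^/      /'
        rc=1
    fi

    # Parse-only check of the ruleset (-n: do not load). OpenBSD only.
    if command -v pfctl >/dev/null 2>&1; then
        pfctl -nf "$PF_CONF" || rc=1
    fi
    return $rc
}

# Run the checks when executed as fwb_precheck.sh; sourcing only defines the functions.
case ${0##*/} in
    fwb_precheck.sh) main "$@" ;;
esac
```

Save it as fwb_precheck.sh on the node and run "sh fwb_precheck.sh" as the installer user; "pfctl -nf" only parses the file and loads nothing. pf keeps existing states across a plain ruleset reload, so an established session survives the reload on its own; only if the activation script also flushes states would the rule need "flags any", because pf by default creates TCP state only on a SYN and mid-stream packets of the old session would otherwise fall through to a block rule.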

     
  • Chad Hurley
    2012-07-27

    Hi vkurland;

    Thanks for the reply.  I think that the chmod is a red herring.  I have tested manually with the account I created and the operation is allowed.  In addition, before deploying on hardware, I set up a test environment in Virtual Machines.  I get the same error there but the install finishes successfully.

    Also, I already have the always permit ssh checkbox checked. 

     
  • Chad Hurley
    2012-07-27

    OK, I've managed to get rid of the chmod error but I am still having install failure at the same point.  One thought: should I manually add all the interfaces to the OpenBSD node?  Currently I have only manually configured em0 for the mgmt of the nodes and have allowed fwbuilder to configure the rest.

     
  • Vadim Kurland
    2012-07-28

    I wonder why you are getting all these ifconfig errors. It is hard to say what is happening just by looking at the log. It should be sufficient to only configure the management interface on the box and then let the script generated by fwbuilder bring the other interfaces up. However, there should not be any ifconfig errors when it does that.

     
  • Chad Hurley
    2012-07-31

    Hi;

    Thanks again for the reply.

    They seem to be from interfaces I have created in fwbuilder but I have not assigned IPs to them yet, and they are not plugged into any switch.  I'll try to remove them and let you know if that clears up the problem.