On virsh... Whonix-External, Failed to apply firewall rules

Following the guide:
( the main KVM guide on this domain, newbie, can’t yet post links )

all appears to have gone well, up to:
( that same main KVM guide on this domain )

More precisely, the first lines went fine:

virsh -c qemu:///system net-define Whonix_external_network-
virsh -c qemu:///system net-define Whonix_internal_network-
virsh -c qemu:///system net-autostart Whonix-External

But I get the following error at:

virsh -c qemu:///system net-start Whonix-External

error: Failed to start network Whonix-External
error: internal error: Failed to apply firewall rules /usr/sbin/iptables -w --table filter --insert LIBVIRT_INP --in-interface virbr1 --protocol tcp --destination-port 67 --jump ACCEPT: iptables: No chain/target/match by that name.

In the /var/log/syslog, at the time that failing command is issued, I find:

2020-05-28T19:07:00.892332+00:00 thehost kernel: [11657.591323] virbr1: port 1(virbr1-nic) entered blocking state
2020-05-28T19:07:00.892362+00:00 thehost kernel: [11657.591326] virbr1: port 1(virbr1-nic) entered disabled state
2020-05-28T19:07:00.892366+00:00 thehost kernel: [11657.591586] device virbr1-nic entered promiscuous mode
2020-05-28T19:07:01.106297+00:00 thehost kernel: [11657.805192] device virbr1-nic left promiscuous mode
2020-05-28T19:07:01.106314+00:00 thehost kernel: [11657.805196] virbr1: port 1(virbr1-nic) entered disabled state

Of course, no virbr1 to be found:

# brctl show

bridge name     bridge id               STP enabled     interfaces
virbr0          8000.525400b0af6a       yes             virbr0-nic

That’s just the default libvirt’s virbr0.

Similarly, I couldn’t start:

virsh -c qemu:///system net-start Whonix-Internal

Same error, just 's/virbr1/virbr2'. Also for the logs, which are the same, except for 's/virbr1/virbr2' and the time is some 10 minutes later.

There are even scary suggestions what that might be:
(newbie, can’t yet post links, but it’s on experts-exchange commercial domain )

I sometimes do tcpdump’ing, however, at the exact time of the failing command above, I wasn’t capturing traffic. So…

What could this be? How should I proceed here towards a solution?

A mail server guy there posted that he had:

Apr 15 00:21:40 mail kernel: [383546.156569] device eth1 entered promiscuous mode
Apr 15 00:55:47 mail kernel: [385596.344128] device eth1 left promiscuous mode
Apr 15 13:21:55 mail kernel: [430436.382364] device eth1 entered promiscuous mode
Apr 15 13:26:27 mail kernel: [430709.031522] device eth1 left promiscuous mode

which is fairly similar to my issue. An expert there replied:

Typically the card enters promiscuous mode when a traffic sniffer (tcpdump, snort, etc…) is being used. It is almost impossible from the information we have to tell you exactly what is causing it.

It looks like the name of your server is “mail” which leads me to believe it is a mail server of some sort. There is no reason to have promiscuous mode for mail exchange.

I do not want to scare you, but this can also be a sign of some unwanted folks on your system. It wouldn’t be the first time I have seen a compromised system be used to “discover” what is around it.

That’s pretty much all to be available over Tor on that com domain.

It actually does look suspect to me.

In which case this would not be an issue directly related to Whonix, but rather a network intrusion issue.

In which case, still hope it’s not that bad scenario.

I’ll appreciate any opinion, suggestion, ideas here: how should I proceed to examine my network here, and the inability of libvirt to create virbr1 and virbr2 without those devices entering blocking state and then going promiscuous and then disabled.

This is the source (can’t post links yet, so pls. do sed 's$_$/$g' on the below and add http s //: , without blanks, at start, to get the link):


Such as:

 echo www.experts-exchange.com_questions_28657027_What-is-promiscuous-mode-and-why-is-eth1-entering-it.html | sed  's$_$/$g'

and the start is the regular https and : and two slashes.

Again, maybe not at all a Whonix issue --what normal reason can there be for the virbr1 / virbr2 to cycle blocking / promiscuous / disabled states?-- but will appreciate opinion on this, and how to examine my system and in which way to test the network on this…


This error is related to a buggy libvirt version that has since been fixed. Either update to a newer version on your rolling distro or switch to one that is more stable.
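
Added example, not part of the original posts: a Python triage of the kernel lines quoted in this thread. It relies on the fact that the kernel puts an interface into promiscuous mode when it is attached to a Linux bridge, so a promiscuous-mode change logged next to a bridge port state change for the same device is expected behaviour. The function name `triage`, the 1-second window and the verdict labels are assumptions made for this example.

```python
import re
from collections import defaultdict

# Sample input: kernel lines copied from the two logs quoted in the thread.
SAMPLE_LOG = """\
2020-05-28T19:07:00.892332+00:00 thehost kernel: [11657.591323] virbr1: port 1(virbr1-nic) entered blocking state
2020-05-28T19:07:00.892362+00:00 thehost kernel: [11657.591326] virbr1: port 1(virbr1-nic) entered disabled state
2020-05-28T19:07:00.892366+00:00 thehost kernel: [11657.591586] device virbr1-nic entered promiscuous mode
2020-05-28T19:07:01.106297+00:00 thehost kernel: [11657.805192] device virbr1-nic left promiscuous mode
2020-05-28T19:07:01.106314+00:00 thehost kernel: [11657.805196] virbr1: port 1(virbr1-nic) entered disabled state
Apr 15 00:21:40 mail kernel: [383546.156569] device eth1 entered promiscuous mode
Apr 15 00:55:47 mail kernel: [385596.344128] device eth1 left promiscuous mode
"""

# Both syslog timestamp styles carry the kernel uptime in brackets; key on that.
PROMISC = re.compile(
    r"kernel: \[\s*(\d+\.\d+)\] device (\S+) (entered|left) promiscuous mode")
BRIDGE_PORT = re.compile(
    r"kernel: \[\s*(\d+\.\d+)\] (\S+): port \d+\((\S+)\) entered (\w+) state")

def triage(log_text, window=1.0):
    """Return {device: [(uptime, action, verdict), ...]}.

    verdict is 'bridge-port' when the same device logged a bridge port state
    change within `window` seconds of the promiscuous-mode change, otherwise
    'unexplained' (worth a follow-up look at what opened the interface).
    Events are matched per device name only; split multi-host logs by host first.
    """
    port_events = defaultdict(list)   # port device -> uptimes of state changes
    promisc = []                      # (uptime, device, action)
    for line in log_text.splitlines():
        m = BRIDGE_PORT.search(line)
        if m:
            port_events[m.group(3)].append(float(m.group(1)))
            continue
        m = PROMISC.search(line)
        if m:
            promisc.append((float(m.group(1)), m.group(2), m.group(3)))
    result = defaultdict(list)
    for ts, dev, action in promisc:
        near = any(abs(ts - p) <= window for p in port_events[dev])
        result[dev].append((ts, action, "bridge-port" if near else "unexplained"))
    return dict(result)

if __name__ == "__main__":
    for dev, events in triage(SAMPLE_LOG).items():
        for ts, action, verdict in events:
            print(f"{dev:12} {action:8} at {ts:>14.6f}  {verdict}")
```

On the lines above, both `virbr1-nic` transitions are classified as `bridge-port`, while the `eth1` transitions from the mail server log have no bridge event beside them and come out as `unexplained`.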

