Symptom:
When checking the LFD service with the systemctl command you will see this:
systemctl status lfd.service
● lfd.service - ConfigServer Firewall & Security - lfd
Loaded: loaded (/usr/lib/systemd/system/lfd.service; enabled; vendor preset: disabled)
Active: failed (Result: exit-code) since Tue 2020-12-01 20:54:11 IST; 10min ago
Process: 11119 ExecStart=/usr/sbin/lfd (code=exited, status=1/FAILURE)
Dec 01 20:54:10 host.domain.tld systemd[1]: Starting ConfigServer Firewall & Security - lfd...
Dec 01 20:54:11 host.domain.tld lfd[11119]: Error: You have an unresolved error when starting csf. You need to restart csf successfully before starting lfd (s...csf.error)
Dec 01 20:54:11 host.domain.tld systemd[1]: lfd.service: control process exited, code=exited status=1
Dec 01 20:54:11 host.domain.tld systemd[1]: Failed to start ConfigServer Firewall & Security - lfd.
Dec 01 20:54:11 host.domain.tld systemd[1]: Unit lfd.service entered failed state.
Dec 01 20:54:11 host.domain.tld systemd[1]: lfd.service failed.
The error indicates that you need to restart the CSF service before being able to start the LFD service. However, when you check the CSF service you notice that the service has failed with the following error:
systemctl status csf.service -l
● csf.service - ConfigServer Firewall & Security - csf
Loaded: loaded (/usr/lib/systemd/system/csf.service; enabled; vendor preset: disabled)
Active: failed (Result: exit-code) since Mon 2020-11-30 20:13:09 IST; 24h ago
Main PID: 943 (code=exited, status=1/FAILURE)
Nov 30 20:12:56 host.domain.tld systemd[1]: Starting ConfigServer Firewall & Security - csf...
Nov 30 20:13:09 host.domain.tld csf[943]: You have an unresolved error when starting csf:
Nov 30 20:13:09 host.domain.tld csf[943]:Error: FASTSTART: (Packet Filter IPv4) [] [iptables-restore: line 14 failed]. Try restarting csf with FASTSTART disabled, at line 5584 in /usr/sbin/csf
Nov 30 20:13:09 host.domain.tld csf[943]:You need to restart csf successfully to remove this warning, or delete /etc/csf/csf.error
Nov 30 20:13:09 host.domain.tld systemd[1]: csf.service: main process exited, code=exited, status=1/FAILURE
Nov 30 20:13:09 host.domain.tld systemd[1]: Failed to start ConfigServer Firewall & Security - csf.
Nov 30 20:13:09 host.domain.tld systemd[1]: Unit csf.service entered failed state.
Nov 30 20:13:09 host.domain.tld systemd[1]: csf.service failed.
Explanation:
The issue has to do with the FASTSTART option being enabled in /etc/csf/csf.conf, which you can confirm by running the following command:
grep -ir 'FASTSTART = "1"' /etc/csf/*
/etc/csf/csf.conf:FASTSTART = "1"
This option is not supported on all operating systems. The description of the option from csf.conf is reproduced below:
# This option uses IPTABLES_SAVE, IPTABLES_RESTORE and IP6TABLES_SAVE,
# IP6TABLES_RESTORE in two ways:
#
# 1. On a clean server reboot the entire csf iptables configuration is saved
# and then restored where possible to provide a near instant firewall
# startup[*]
#
# 2. On csf restart or lfd reloading tables, CC_* as well as SPAMHAUS, DSHIELD,
# BOGON, TOR are loaded using this method in a fraction of the time than if
# this setting is disabled
#
# [*]Not supported on all OS platforms
Workaround:
Edit CSF's main config file located at /etc/csf/csf.conf and disable FASTSTART by changing FASTSTART = "1" to FASTSTART = "0". Once the change is made, restart CSF's rules by running the following command:
csf -r
After this, check both services. If either of them has not started automatically, you can now start it manually with the systemctl command like this:
systemctl start csf.service
systemctl start lfd.service
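The workaround above as a repeatable script (an added example, not part of the original article or of CSF itself). The function names are hypothetical; the paths and the `csf -r` command are the ones shown in the article, and GNU sed is assumed.

```shell
#!/bin/sh
# Added example: scripted form of the FASTSTART workaround.
# Function names are hypothetical; paths are the ones quoted in the article.
CSF_CONF="${CSF_CONF:-/etc/csf/csf.conf}"
CSF_ERROR="${CSF_ERROR:-/etc/csf/csf.error}"

# Succeeds when the active (uncommented) FASTSTART line is set to "1".
faststart_enabled() {
    grep -Eq '^[[:space:]]*FASTSTART[[:space:]]*=[[:space:]]*"1"' "$1"
}

# Set FASTSTART to "0" in place, keeping the previous file as <conf>.bak.
# Comment lines that merely mention FASTSTART are left untouched.
disable_faststart() {
    conf="$1"
    [ -f "$conf" ] || { echo "missing config: $conf" >&2; return 2; }
    faststart_enabled "$conf" || return 0   # already disabled: nothing to do
    sed -i.bak -E \
        's/^([[:space:]]*FASTSTART[[:space:]]*=[[:space:]]*)"1"/\1"0"/' "$conf"
    ! faststart_enabled "$conf"             # fail if the edit did not take
}

# Full procedure: edit the config, restart the rules, confirm the error
# marker is gone, then make sure both units are running.
apply_workaround() {
    disable_faststart "$CSF_CONF" || return 1
    csf -r || return 1
    if [ -e "$CSF_ERROR" ]; then
        echo "csf still reports an error: $CSF_ERROR" >&2
        return 1
    fi
    for unit in csf.service lfd.service; do
        systemctl is-active --quiet "$unit" || systemctl start "$unit"
        printf '%s: %s\n' "$unit" "$(systemctl is-active "$unit")"
    done
}
```

Source the file as root and call `apply_workaround`; the previous configuration is kept as /etc/csf/csf.conf.bak in case the change has to be reverted.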