Crowdsec-firewall-bouncer does't start -> BACKEND is not supported

Hello,

On one Debian 11 server, I realized that crowdsec-firewall-bouncer wasn’t running.
When trying to start it :

systemctl start crowdsec-firewall-bouncer.service
Job for crowdsec-firewall-bouncer.service failed because the control process exited with error code.
See "systemctl status crowdsec-firewall-bouncer.service" and "journalctl -xe" for details.

journalctl -xe :

Apr 20 17:45:15 http9 crowdsec-firewall-bouncer[1738191]: time="2023-04-20T17:45:15+02:00" level=info msg="crowdsec-firewall-bouncer v0.0.25-debian-pragmatic-0a4fde8e9440927d02ce187d1716306af9a13780"
Apr 20 17:45:15 http9 crowdsec-firewall-bouncer[1738191]: time="2023-04-20T17:45:15+02:00" level=warning msg="unexpected ${BACKEND} mode"
Apr 20 17:45:15 http9 crowdsec-firewall-bouncer[1738191]: time="2023-04-20T17:45:15+02:00" level=info msg="config is valid"
Apr 20 17:45:15 http9 crowdsec-firewall-bouncer[1738198]: time="2023-04-20T17:45:15+02:00" level=info msg="crowdsec-firewall-bouncer v0.0.25-debian-pragmatic-0a4fde8e9440927d02ce187d1716306af9a13780"
Apr 20 17:45:15 http9 crowdsec-firewall-bouncer[1738198]: time="2023-04-20T17:45:15+02:00" level=warning msg="unexpected ${BACKEND} mode"
Apr 20 17:45:15 http9 crowdsec-firewall-bouncer[1738198]: time="20-04-2023 17:45:15" level=fatal msg="firewall '${BACKEND}' is not supported"
Apr 20 17:45:15 http9 systemd[1]: crowdsec-firewall-bouncer.service: Main process exited, code=exited, status=1/FAILURE

My config file :

mode: ${BACKEND}
pid_dir: /var/run/
update_frequency: 10s
daemonize: true
log_mode: file
log_dir: /var/log/
log_level: info
log_compression: true
log_max_size: 100
log_max_backups: 3
log_max_age: 30
api_url: http://127.0.0.1:8080/
api_key: ${API_KEY}
insecure_skip_verify: false
disable_ipv6: false
deny_action: DROP
deny_log: false
supported_decisions_types:
  - ban
#to change log prefix
#deny_log_prefix: "crowdsec: "
#to change the blacklists name
blacklists_ipv4: crowdsec-blacklists
blacklists_ipv6: crowdsec6-blacklists
#type of ipset to use
ipset_type: nethash
#if present, insert rule in those chains
iptables_chains:
  - INPUT
#  - FORWARD
#  - DOCKER-USER

## nftables
nftables:
  ipv4:
    enabled: true
    set-only: false
    table: crowdsec
    chain: crowdsec-chain
  ipv6:
    enabled: true
    set-only: false
    table: crowdsec6
    chain: crowdsec6-chain
# packet filter
pf:
  # an empty string disables the anchor
  anchor_name: ""

prometheus:

Comparing this file with another one on an other server, I can see that two vars wasn’t replaced in this file :
${BACKEND} wasn’t replaced by iptables
${API_KEY} wasn’t replaced by the API key

How can I resolve this issue ? Especially to have the API key ?

Thanks you very much.

Hi @gregory,

For ${BACKEND} you can replace by iptables, nftables , ipset or pf.

For ${API_KEY}, you can generate an bouncer API key using cscli:
cscli bouncers add myFirewallBouncer

1 Like