Failed to start The firewall bouncer

Hello All,

I'm on Debian 10 and it's a fresh installation.

curl -s https://packagecloud.io/install/repositories/crowdsec/crowdsec/script.deb.sh | bash
apt install crowdsec-firewall-bouncer-iptables
cscli console enroll xxxxxxxxxxxxxxxxxxxxx
With no error.

BUT
Bouncer doesn't start; /var/log/crowdsec-firewall-bouncer.log shows:
crowdsec error msg="unable to configure bouncer: config does not contain LAPI key or certificate"
and
journald -xe

-- The job identifier is 5856.
Sep 30 12:57:31 vps crowdsec-firewall-bouncer[19055]: time="2022-09-30T12:57:31Z" level=info msg="crowdsec-firewall-bouncer v0.0.24-debian-pragmatic-8e00af2c9e83af22deab8c0c49a4ad9b8fc57a3f"
Sep 30 12:57:31 vps crowdsec-firewall-bouncer[19055]: time="2022-09-30T12:57:31Z" level=info msg="config is valid"
Sep 30 12:57:31 vps crowdsec-firewall-bouncer[19060]: time="2022-09-30T12:57:31Z" level=info msg="crowdsec-firewall-bouncer v0.0.24-debian-pragmatic-8e00af2c9e83af22deab8c0c49a4ad9b8fc57a3f"
Sep 30 12:57:33 vps systemd[1]: crowdsec-firewall-bouncer.service: Failed with result 'protocol'.

and:

crowdsec-firewall-bouncer-v0.0.24-rc1# systemctl restart cs-firewall-bouncer
Failed to restart cs-firewall-bouncer.service: Unit cs-firewall-bouncer.service not found.

Any idea?
Chris

Sorry, but with:
systemctl status crowdsec-firewall-bouncer
it is OK!

You have to register the bouncer with the CrowdSec agent:

$ sudo cscli bouncers add some-name
Api key for 'some-name':

   17e6bd946922cd0fb8e52de6beba8af3

Please keep this key since you will not be able to retrieve it!

Then add the above API key to the bouncer config file, e.g. /etc/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml (api_key: 17e6bd946922cd0fb8e52de6beba8af3), and then restart the bouncer systemd service.

See: Bouncers management | CrowdSec

Hello @christ31!

As @xathuo (thanks btw!) pointed out, you need to register your bouncer.
However, if cscli is available on the same machine, the install should do it automatically.

If that was not the case, can you let us know which distribution etc. you were using?

Thanks,

Hello, I have the same problem: firewall-bouncer doesn't start.

# systemctl status crowdsec-firewall-bouncer.service 
● crowdsec-firewall-bouncer.service - The firewall bouncer for CrowdSec
     Loaded: loaded (/etc/systemd/system/crowdsec-firewall-bouncer.service; enabled; vendor preset: enabled)
     Active: inactive (dead) since Wed 2023-11-22 08:01:19 CET; 7min ago
...
Nov 22 08:01:19 erp systemd[1]: Started The firewall bouncer for CrowdSec.
cscli bouncers list
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 Name                         IP Address   Valid   Last API pull          Type                        Version                                                             Auth Type 
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 FirewallBouncer-1678756336   127.0.0.1    ✔️       2023-10-11T13:10:26Z   crowdsec-firewall-bouncer   v0.0.25-debian-pragmatic-0a4fde8e9440927d02ce187d1716306af9a13780   api-key   
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────

The API key is registered in /etc/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml

But it does not start

Thanks for your help

Up? Does someone have an idea?

Have you checked the contents of the log?

The default path is /var/log/crowdsec-firewall-bouncer.log

@iiAmLoz, last logs:

time="22-11-2023 08:01:18" level=info msg="Rule doesn't exist (/usr/sbin/iptables -C INPUT -m set --match-set crowdsec-blacklists src -j DROP)"
time="22-11-2023 08:01:18" level=info msg="iptables set-up : /usr/sbin/iptables -I INPUT -m set --match-set crowdsec-blacklists src -j DROP"
time="22-11-2023 08:01:18" level=info msg="iptables for ipv6 initiated"
time="22-11-2023 08:01:18" level=info msg="iptables clean-up : /usr/sbin/ip6tables -D INPUT -m set --match-set crowdsec6-blacklists src -j DROP"
time="22-11-2023 08:01:18" level=error msg="error while removing set entry in iptables : exit status 1 --> ip6tables: Bad rule (does a matching rule exist in that chain?).\n"
time="22-11-2023 08:01:18" level=info msg="ipset clean-up : /usr/sbin/ipset -exist destroy crowdsec6-blacklists"
time="22-11-2023 08:01:18" level=info msg="Checking existing set"
time="22-11-2023 08:01:18" level=info msg="ipset set-up : /usr/sbin/ipset -exist create crowdsec6-blacklists nethash timeout 300 family inet6 maxelem 65536"
time="22-11-2023 08:01:19" level=warning msg="iptables check command (/usr/sbin/ip6tables -C INPUT -m set --match-set crowdsec6-blacklists src -j DROP) failed : exit status 1"
time="22-11-2023 08:01:19" level=info msg="iptables set-up : /usr/sbin/ip6tables -I INPUT -m set --match-set crowdsec6-blacklists src -j DROP"
time="22-11-2023 08:01:19" level=info msg="Using API key auth"
time="22-11-2023 08:01:19" level=info msg="Serving metrics at 127.0.0.1:60601/metrics"
time="22-11-2023 08:01:19" level=info msg="Processing new and deleted decisions . . ."
time="22-11-2023 08:01:19" level=error msg="auth-api: auth with api key failed return nil response, error: dial tcp 127.0.0.1:8080: connect: connection refused"
time="22-11-2023 08:01:19" level=error msg="Get \"http://127.0.0.1:8080/v1/decisions/stream?startup=true\": dial tcp 127.0.0.1:8080: connect: connection refused"
time="22-11-2023 08:01:19" level=error msg="terminating bouncer process"
time="22-11-2023 08:01:19" level=error msg="process return with error: stream api init failed"
time="22-11-2023 08:01:19" level=info msg="iptables clean-up : /usr/sbin/iptables -D INPUT -m set --match-set crowdsec-blacklists src -j DROP"
time="22-11-2023 08:01:19" level=info msg="ipset clean-up : /usr/sbin/ipset -exist destroy crowdsec-blacklists"
time="22-11-2023 08:01:19" level=error msg="set destroy error : exit status 1 - ipset v7.10: Set cannot be destroyed: it is in use by a kernel component\n"
time="22-11-2023 08:01:19" level=info msg="iptables clean-up : /usr/sbin/ip6tables -D INPUT -m set --match-set crowdsec6-blacklists src -j DROP"
time="22-11-2023 08:01:19" level=info msg="ipset clean-up : /usr/sbin/ipset -exist destroy crowdsec6-blacklists"
time="22-11-2023 08:01:19" level=error msg="set destroy error : exit status 1 - ipset v7.10: Set cannot be destroyed: it is in use by a kernel component\n"

Kernel version:

uname -a
Linux erp 5.10.0-26-cloud-amd64 #1 SMP Debian 5.10.197-1 (2023-09-29) x86_64 GNU/Linux

So either CrowdSec is not listening on the configured URL/port or there is a firewall rule blocking it.

Hey, I've had the same error. In your /etc/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml, set the api_url option to the IP of your CrowdSec Docker container, for example: api_url: http://192.168.160.3:8080/
You can view the IP with the command docker inspect crowdsec
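Added check for the two causes raised in the replies above (an empty api_key, and a LAPI that is not reachable at api_url, which also covers the Docker IP case); this is example code written for this thread, not from CrowdSec or from any of the posters. It assumes the default config path and plain "key: value" YAML lines, and uses nc or bash's /dev/tcp for the connectivity test.

```shell
#!/bin/sh
# Added diagnostic (constructed example, not CrowdSec's tooling): checks the two
# causes discussed in this thread, an empty api_key and an unreachable api_url.
# Usage: sh check-bouncer.sh /etc/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml

# Print the value of a top-level "key: value" line (quotes and trailing blanks stripped).
yaml_value() {
  sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" | head -n 1 \
    | sed -e 's/[[:space:]]*$//' -e "s/^[\"']//" -e "s/[\"']\$//"
}

# Split api_url (e.g. http://127.0.0.1:8080/) into "host port"; the port
# defaults to 443 for https and 80 otherwise when the URL carries none.
lapi_host_port() {
  hp=${1#*://}      # drop the scheme
  hp=${hp%%/*}      # drop the path
  case "$hp" in
    *:*) echo "${hp%:*} ${hp##*:}" ;;
    *)   case "$1" in https://*) echo "$hp 443" ;; *) echo "$hp 80" ;; esac ;;
  esac
}

# Return 0 when a TCP connect to host:port succeeds, i.e. the step behind the
# bouncer's "dial tcp ...: connection refused" log line.
lapi_reachable() {
  if command -v nc >/dev/null 2>&1; then nc -z -w 3 "$1" "$2" >/dev/null 2>&1
  else bash -c "exec 3<>/dev/tcp/$1/$2" >/dev/null 2>&1
  fi
}

# 0 = nothing obviously wrong, 1 = a problem was found, 2 = config unreadable.
diagnose() {
  cfg=$1
  [ -r "$cfg" ] || { echo "cannot read $cfg"; return 2; }
  key=$(yaml_value "$cfg" api_key); url=$(yaml_value "$cfg" api_url)
  if [ -z "$key" ]; then
    echo "api_key is empty: run 'cscli bouncers add <name>' and paste the key into $cfg"; return 1
  fi
  [ -n "$url" ] || { echo "api_url is empty"; return 1; }
  set -- $(lapi_host_port "$url")   # word-split into $1=host $2=port
  if lapi_reachable "$1" "$2"; then
    echo "LAPI at $url accepts TCP connections; if auth still fails, the key itself is wrong"
  else
    echo "nothing reachable at $1:$2: check 'systemctl status crowdsec' and local firewall rules"; return 1
  fi
}

# Run only when a config path is given, so the functions can also be sourced.
if [ $# -gt 0 ]; then diagnose "$1"; exit $?; fi
```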

All is good after a restart of Shorewall, I don't know why!!!

Thanks all for your replies @iiAmLoz and @Killian-Aidalinfo

Happy New Year 2024 to all
