
FirewallD will not work, as there are still some bugs in ip6tables on buster. See the end of the post for switching iptables to the legacy version.
If you feel left behind on the packages of Debian 9, it might be time for you to upgrade to Debian 10 and benefit from the upgraded patches.
In my case, I noticed that Debian 9 was stuck on an old Apache version that included a number of security issues. Being tied to a distro release (and not willing to do the compilation myself), I decided to go for a full distro upgrade.
Doing a distro upgrade on Debian is quite easy. Nevertheless, depending on the independent apt sources you might have used, some issues might arise. Below is a compact upgrade guideline.
Backup
The first rule of any system change is “backup”. I used the built-in features of Virtualmin to make a full backup of the virtual servers and a backup of all the MySQL databases. If you want to be paranoid, you may also make a backup of all the configurations under /etc.
Update Debian 9
The first step is to make sure that you have the latest updates for Debian 9.
apt-get update && apt-get upgrade
dpkg --audit
The dpkg audit will check whether you have any packages in an incomplete state.
I do not run any dovecot on this server, so those packages have been removed already.
Edit /etc/apt/sources.list and change all references of ‘stretch’ to ‘buster’. Disable any non-default package sources in this file.
Update the package metadata:
apt-get update
Upgrade the distro with:
apt-get dist-upgrade
This will take a while and will require some input from you depending on different package configurations. Make sure to read the requirements.
Once done, do a final reboot and wait for the system to come back online fresh on the new distro.
On Virtualmin you may need to update the new operating system; you will be prompted for this on the Virtualmin welcome screen.
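The sources.list edit from the steps above can be scripted so that a backup is kept and third-party entries are disabled in the same pass. This is an added example, not part of the original post; it assumes an entry counts as a default one when its URI host is debian.org or a subdomain of it, and the function names and sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post.
# Assumption: an entry is "default" when its URI host is debian.org or a
# subdomain of it. Function names and sample entries are constructed.

# migrate_sources FILE: keep FILE.stretch.bak, move official entries to
# buster, comment out every other active deb/deb-src entry.
migrate_sources() {
    src=$1
    [ -f "$src" ] || { echo "no such file: $src" >&2; return 1; }
    cp -p "$src" "$src.stretch.bak" || return 1
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { print; next }   # comments, blank lines
        /^[ \t]*deb(-src)?[ \t]/ {
            # The URI is the first field containing "://"; options such as
            # [arch=amd64] may sit in front of it.
            uri = ""
            for (i = 2; i <= NF; i++)
                if (index($i, "://") > 0) { uri = $i; break }
            split(uri, part, "/")                  # part[3] is host[:port]
            host = part[3]
            sub(/:.*$/, "", host)
            if (host == "debian.org" || host ~ /\.debian\.org$/) {
                # Suite follows the URI: stretch, stretch/updates, stretch-updates
                sub(/^stretch/, "buster", $(i + 1))
                print
            } else {
                print "# disabled for buster upgrade: " $0
            }
            next
        }
        { print }
    ' "$src.stretch.bak" > "$src"
}

# Constructed sample input for a dry run on a scratch file.
demo_sources() {
    printf '%s\n' \
        'deb http://deb.debian.org/debian stretch main contrib' \
        'deb http://security.debian.org/debian-security stretch/updates main' \
        'deb [arch=amd64] https://download.example.com/repo stretch main' \
        '# deb-src http://deb.debian.org/debian stretch main'
}

# Usage: sh migrate.sh /etc/apt/sources.list  (no argument: functions only)
if [ $# -gt 0 ]; then migrate_sources "$1"; fi
```

Run it against a copy first and diff the result against the .stretch.bak file before running apt-get update.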
FirewallD / iptables issue
There seem to be multiple issues that might persist, depending on the ip6tables version shipped by the distro. If you run into issues, try switching to the legacy version of iptables:
update-alternatives --config ip6tables
or
update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy