FreePBX Firewall Thread! (2nd Post has status)

Firewall requires sysadmin because it needs incron to manage its tasks. This is the only way firewall can manage iptables without requiring root. It’s a double security situation. Sysadmin & Incron won’t perform tasks if the hooks have been tampered with (GPG protects this) as well.

If there was a way around this requirement we would be all for it but the only way around it is to put asterisk into the root wheel and that’s not something we want to do.

rm -rf /var/www/html/admin/modules/sysadmin

That will then remove all the Zended code that’s confusing your machine, and it will then appear as a broken module which can be removed through the UI.

@tm1000 nailed it. There have been some discussions in this thread, but no-one’s come up with code that solves the fundamental problem - how do we make this secure WITHOUT using Sysadmin and its associated infrastructure?

And yes, firewall is 100% open source, and if you read the source, all the places that sysadmin is required are documented and explained, in the hope that someone smarter than me can figure out a way to do it 8)

Edit 2 years later: It’s possible that someone is willing to spend some time on this! See Firewall Questions - #22 by xrobau

tm1000 and xrobau: thank you so much for that information and help. I have it up and running and reverted to iptables for now until the firewall situation is sorted. It’s peculiar that incrond per the systemctl bit above shows it being properly triggered, but the firewall issues an error message asking if incrond is on. Or maybe it’s not so peculiar at all. I don’t know.

Perhaps there’s a way to manually let whatever file is listening for confirmation that incrond has done something with firewall.firewall that incrond has done so?

A post was split to a new topic: Firewall Questions