I don't know what is happening, but every 36 hours or so I'll go to ssh into
my server and find that I can't connect on any of the outside services. I
then can connect into the box using a serial connection and find that
shorewall reports that it is not running and the iptables are in some kind
of default state which looks nothing like what I set it up with shorewall
as. I can restart shorewall in any fashion and it returns to its normal
working state, but until then, the outside world can't connect to it (thank
god for serial connections). Here's some more details on the problem:
shorewall version: 3.0.2 (Fedora rpm install)
ip addr show:
1: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:11:11:57:a9:82 brd ff:ff:ff:ff:ff:ff
inet 82.165.182.175/32 brd 82.165.182.175 scope global eth0
2: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
ip route show:
10.255.255.1 dev eth0 scope link
169.254.0.0/16 dev eth0 scope link
default via 10.255.255.1 dev eth0
For a complete dump, see: http://www.nanovox.com/temp/ipdump.txt
(and ignore the actual allocations of ip addresses. I've changed a few
octets for security reasons, but they remain consistent so that they would
make sense.)
Steven Kiehl wrote:
> I don't know what is happening, but every 36 hours or so I'll go to ssh into
> my server and find that I can't connect on any of the outside services...

most likely a cronjob or something in your system is restarting the network.. and putting the packet filter in a clean state... as a **possible** workaround you can put

#! /bin/sh
/sbin/shorewall restart

in your distribution ifup-** network scripts..
Steven Kiehl wrote:
> I don't know what is happening, but every 36 hours or so I'll go to ssh into
> my server and find that I can't connect on any of the outside services.

and use this like a mantra "Shorewall is not a daemon, so it can't stop itself after 36 hours"

> (and ignore the actual allocations of ip addresses. I've changed a few
> octets for security reasons, but they remain consistent so that they would
> make sense.)
>

sometimes if you modify that information, you render it useless. and ip addresses aren't secrets at all.
On 12/13/05, Cristian Rodriguez <judas_iscariote@shorewall.net> wrote:
>
> Steven Kiehl wrote:
> > I don't know what is happening, but every 36 hours or so I'll go to ssh into
> > my server and find that I can't connect on any of the outside services.
>
> and use this like a mantra "Shorewall is not a daemon, so it can't stop
> itself after 36 hours"

I'm aware of this. It's merely a fancy policy editor. What I mean by shorewall stops every 36 hours, is that a "shorewall status" reports that shorewall is stopped when it normally says that shorewall is running.

> > (and ignore the actual allocations of ip addresses. I've changed a few
> > octets for security reasons, but they remain consistent so that they would
> > make sense.)
> >
> sometimes if you modify that information, you render it useless.
> and ip addresses aren't secrets at all.

True. After a bit more digging, I found that the policy that was replacing the shorewall policies is that of a saved iptables configuration. I had saved it in case I needed it as a reference. But this doesn't totally solve my problem. I need to know what is loading this default policy and how I can fix that. Should I just set iptables config up to save the configuration on shutdown? I have serial access, so I guess that would be reasonable. But does anyone know why iptables would restart and load the saved policy instead of the shorewall policy? Or am I just being dumb, and everyone running shorewall has IPTABLES_SAVE_ON_STOP and IPTABLES_SAVE_ON_RESTART set to 'yes'?
On Tuesday 13 December 2005 19:28, Steven Kiehl wrote:
> Or am I just being dumb, and everyone
> running shorewall has IPTABLES_SAVE_ON_STOP and IPTABLES_SAVE_ON_RESTART
> set to 'yes'?

Everyone running Shorewall is expected to disable all other iptables "stuff" on their system.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
On Tuesday 13 December 2005 19:32, Tom Eastep wrote:
> On Tuesday 13 December 2005 19:28, Steven Kiehl wrote:
> > Or am I just being dumb, and everyone
> > running shorewall has IPTABLES_SAVE_ON_STOP and IPTABLES_SAVE_ON_RESTART
> > set to 'yes'?
>
> Everyone running Shorewall is expected to disable all other iptables
> "stuff" on their system.

In your case, that means "chkconfig --del iptables". AFAIK, that's the default on Fedora so it must have been enabled on your system at some point. I had to explicitly enable it when I added a REDIRECT rule for Squid (see http://www.shorewall.net/Shorewall_Squid_Usage.html).

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
Sorry to bother you guys again, but iptables did it again and is back to its
default state for whatever strange reason. I did a chkconfig --del iptables
and a chkconfig --del ip6tables last time, and things seemed fine until just
tonight. I was logged into it all day, signed out and then a few hours
later now I try to check the web server and find that shorewall is back to
saying it's stopped.

Right now I'm using the shorewall 3.0.2-1 fedora development rpm install.
Do you think anything in that would cause it to stop after 48 hours? I'm
really getting frustrated with this thing, I'm either gonna have to start
uninstalling everything until shorewall stops resetting, or make a cron task
to check the status every 5 minutes and restart it if it reverts to being
stopped.

I have a number of web-related and mail-related stuff running, but none of
which would mess with iptables.

Here's a list of my services status messages:
anacron is stopped
atd (pid 1514) is running...
cpuspeed is stopped
crond (pid 1474) is running...
usage: /etc/init.d/freshclam start|stop
gpm is stopped
irqbalance is stopped
dbus-daemon (pid 1521) is running...
/etc/init.d/microcode_ctl: microcode device /dev/cpu/0/microcode doesn't exist?
Usage: /etc/init.d/mysql start|stop|restart|reload
Server address not specified in /etc/sysconfig/netdump
netplugd is stopped
Configured devices:
lo eth0
Currently active devices:
eth0 lo
ntpd is stopped
Process accounting is disabled.
saslauthd is stopped
Shorewall is stopped
State:Started (Tue Dec 13 23:12:09 EST 2005)
smartd dead but subsys locked
spamd (pid 6697 6696 6695 6694 6693 6647) is running...
sshd (pid 1380) is running...
syslogd (pid 1214) is running...
klogd (pid 1216) is running...
Xvnc is stopped
xfs (pid 1501) is running...
Nightly yum update is disabled.
As far as cron tasks go...
Daily:
logwatch // watches log changes
makewhatis.cron // manpage whatis database
anacron // cron maintenance stuff
logrotate // rotates logs (none of which touch iptables)
prelink // I have no idea
rpm // logs rpm database changes
slocate.cron // updates locate database
spamupdate // updates some of my spam filtering stuff
tmpwatch // cleans up the tmp directory
yum.cron // checks yum for updates
update_tmprsadh // updates the email certs every night
Hourly:
quotacheck // ftp quota check
Any ideas?
On 12/13/05, Tom Eastep <teastep@shorewall.net> wrote:
>
> On Tuesday 13 December 2005 19:32, Tom Eastep wrote:
> > On Tuesday 13 December 2005 19:28, Steven Kiehl wrote:
> > > Or am I just being dumb, and everyone
> > > running shorewall has IPTABLES_SAVE_ON_STOP and
> > > IPTABLES_SAVE_ON_RESTART
> > > set to 'yes'?
> >
> > Everyone running Shorewall is expected to disable all other iptables
> > "stuff" on their system.
>
> In your case, that means "chkconfig --del iptables". AFAIK, that's the
> default on Fedora so it must have been enabled on your system at some point.
> I had to explicitly enable it when I added a REDIRECT rule for Squid (see
> http://www.shorewall.net/Shorewall_Squid_Usage.html).
>
> -Tom
> --
> Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
> Shoreline, \ http://shorewall.net
> Washington USA \ teastep@shorewall.net
> PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
>
On Thursday 15 December 2005 17:49, Steven Kiehl wrote:
>
> I have a number of web-related and mail-related stuff running, but none of
> which would mess with iptables.
>

What type of internet connection do you have? PPPoE?

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
As far as I know it's just your basic LAN setup with dhcp and all with an Intel 82562EZ 10/100 Ethernet Controller.

On 12/15/05, Tom Eastep <teastep@shorewall.net> wrote:
>
> On Thursday 15 December 2005 17:49, Steven Kiehl wrote:
> >
> > I have a number of web-related and mail-related stuff running, but none of
> > which would mess with iptables.
> >
>
> What type of internet connection do you have? PPPoE?
>
> -Tom
> --
> Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
> Shoreline, \ http://shorewall.net
> Washington USA \ teastep@shorewall.net
> PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
>
Still getting these restarts, but I've croned a 5-minute job to check the shorewall status, restart it if need be, and log a message saying when it restarted. So far it restarted on Saturday afternoon at 12:30pm and this morning at 6:30am. That's a 42 hour span which makes no sense. However, here's something interesting... At 6:28am this morning my dhcp renewed, and sure enough dhcp also renewed at 12:25pm on Saturday. Perhaps something with dhcp is resetting my iptables? Any ideas what script might be resetting the iptables after dhcp renews?

Also, how can I tell if dhcp is getting responses back properly after a dhcp request? Do I just assume it works because I don't see any logs from shorewall about port 68 being blocked?

I guess a cronjob to restart shorewall wasn't a bad idea after all now that I know what program is resetting my iptables. Now I just need to get dhclient to stop resetting the firewall.

On 12/15/05, Steven Kiehl <nanovox@gmail.com> wrote:
>
> As far as I know it's just your basic LAN setup with dhcp and all
> with an Intel 82562EZ 10/100 Ethernet Controller.
>
> On 12/15/05, Tom Eastep <teastep@shorewall.net> wrote:
> >
> > On Thursday 15 December 2005 17:49, Steven Kiehl wrote:
> > >
> > > I have a number of web-related and mail-related stuff running, but
> > > none of which would mess with iptables.
> > >
> >
> > What type of internet connection do you have? PPPoE?
> >
> > -Tom
> > --
> > Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
> > Shoreline, \ http://shorewall.net
> > Washington USA \ teastep@shorewall.net
> > PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
> >
>
On Monday 19 December 2005 07:37, Steven Kiehl wrote:
> Still getting these restarts, but I've croned a 5-minute job to check the
> shorewall status, restart it if need be, and log a message saying when it
> restarted. So far it restarted on Saturday afternoon at 12:30pm and this
> morning at 6:30am. That's a 42 hour span which makes no sense. However,
> here's something interesting... At 6:28am this morning my dhcp renewed, and
> sure enough dhcp also renewed at 12:25pm on Saturday. Perhaps something
> with dhcp is resetting my iptables? Any ideas what script might be
> resetting the iptables after dhcp renews?

"man dhclient" -- dhcp clients can run scripts when certain events occur but I don't know the details about dhclient and I don't seem to have it installed on any of my systems..

>
> Also, how can I tell if dhcp is getting responses back properly after a
> dhcp request? Do I just assume it works because I don't see any logs from
> shorewall about port 68 being blocked?

If you've specified 'dhcp' on the interface, then Shorewall won't block (or log) DHCP traffic.

>
> I guess a cronjob to restart shorewall wasn't a bad idea after all now that
> I know what program is resetting my iptables. Now I just need to get
> dhclient to stop resetting the firewall.

Good Luck,
-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
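As an added example (not code from the thread, and not part of Shorewall itself), here is one script that covers both mitigations discussed above: the five-minute cron watchdog that Steven set up, which re-runs "shorewall restart" when "shorewall status" prints the "Shorewall is stopped" line seen in his service listing, and a dhclient exit hook along the lines Tom points to with "man dhclient", so a lease renewal that clears the tables is immediately followed by a restart instead of leaving the host open until the next cron tick. It assumes Shorewall is at /sbin/shorewall, that logger(1) is available, and that the file is installed as /etc/dhclient-exit-hooks, which Fedora's dhclient-script sources with $reason and $interface set (the hook file name and the variable names are assumptions about that dhclient-script, not something stated in the thread).

```shell
#!/bin/sh
# Added example, not from the thread or the Shorewall project.
# Assumptions: /sbin/shorewall exists, logger(1) exists, and when this file
# is sourced by dhclient-script as /etc/dhclient-exit-hooks the variables
# $reason and $interface are set. Nothing runs at top level unless one of
# those conditions holds, so the helper functions can be tested offline.

SHOREWALL=${SHOREWALL:-/sbin/shorewall}
LOG_TAG=shorewall-watchdog

# True (exit 0) when the status text in $1 contains the exact line that
# Shorewall 3.x prints when it is not running. Matching on the text rather
# than the command's exit code keeps the check independent of exit-status
# conventions that differ between Shorewall versions.
status_is_stopped() {
    printf '%s\n' "$1" | grep -q '^Shorewall is stopped'
}

# True when a dhclient $reason is a lease event that (re)configures the
# interface. These are the events after which the tables were found reset;
# EXPIRE/FAIL/RELEASE leave the interface unconfigured and are not matched.
reason_needs_restart() {
    case "$1" in
        BOUND|RENEW|REBIND|REBOOT) return 0 ;;
        *) return 1 ;;
    esac
}

# Restart Shorewall and leave a syslog line carrying the trigger, so each
# restart can be correlated with the DHCP lease log (the 6:28am / 12:25pm
# pattern in the thread was found exactly this way).
restart_and_log() {
    logger -t "$LOG_TAG" "restarting Shorewall: $1"
    "$SHOREWALL" restart
}

# Watchdog mode. Suggested crontab entry (assumed install path):
#   */5 * * * * SHOREWALL_HOOK_MODE=watchdog /usr/local/sbin/shorewall-hooks.sh
watchdog() {
    status=$("$SHOREWALL" status 2>&1)
    if status_is_stopped "$status"; then
        restart_and_log "status reported stopped"
    fi
}

# Hook mode: called when dhclient-script sources this file after a lease event.
dhclient_hook() {
    if reason_needs_restart "${reason:-}"; then
        restart_and_log "dhclient event $reason on ${interface:-?}"
    fi
}

if [ -n "${reason:-}" ]; then
    dhclient_hook                       # sourced from dhclient-script
elif [ "${SHOREWALL_HOOK_MODE:-}" = watchdog ]; then
    watchdog                            # run from cron
fi
```

The watchdog only narrows the exposure window to at most five minutes; the exit hook closes it, because the restart runs in the same dhclient-script invocation that reconfigured the interface. Both paths log through syslog so that, once the real cause is removed (here, the leftover iptables service and its saved rule set), the log stays quiet and any new restart stands out.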