In the web portal, after adding or editing (even enabling / disabling) any firewall rule in "1-to-1 NAT Firewall" or "Custom Firewall" I lose all connectivity (only established connections stay active).
Restarting firewall.service just hangs
# iptables -nvL
Another app is currently holding the xtables lock. Perhaps you want to use the -w option?
# systemctl status firewall.service
● firewall.service - ClearOS Firewall Engine
Loaded: loaded (/usr/lib/systemd/system/firewall.service; enabled; vendor preset: disabled)
Active: activating (start) since Thu 2018-02-15 13:41:40 GMT; 4min 7s ago
Process: 28226 ExecStop=/usr/libexec/firewall/exec-stop.sh (code=exited, status=0/SUCCESS)
Main PID: 28263 (exec-start.sh)
CGroup: /system.slice/firewall.service
├─28263 /bin/sh /usr/libexec/firewall/exec-start.sh
├─28265 /bin/sh /usr/sbin/firewall-start
└─28303 /sbin/app-firewall -w -s /usr/clearos/apps/firewall/deploy/firewall.lua
Feb 15 13:41:40 gateway.local.fw systemd[1]: Starting ClearOS Firewall Engine...
Feb 15 13:41:40 gateway.local.fw firewall[28303]: Starting firewall...
Feb 15 13:41:40 gateway.local.fw firewall[28303]: Loading environment
Why is this happening?
In the meantime, how can I get it working after editing a FW rule without needing a reboot?
Any help much appreciated.
Responses (22)
Nick Howitt wrote:
Yes and no. It normal that it works like this, even if it is not ideal. On my Core i3-4130 it takes the basic firewall .0153s to reload, but I have one WAN, one LAN, one WAN IP, no 1-to-1 NAT and no VLANS, no proxy and no content filter.
Many thanks for all your help, will have to wait for ClearOS to sort it.
Nick Howitt wrote:
I don't know what you can do to speed up the basic operation of the firewall. I *think* ClearOS are working on a way of not restarting the firewall so often, but it may only be for v8 whenever that appears.
So at the moment it's normal, when adding / changing a firewall rule, to not be able to establish any new connection for the few minutes it takes to reload?
Nick Howitt wrote:
Your pastebin is only taking about 3min to load (185.788s) until it starts running the file in /etc/clearos/firewall.d. Can you have a look in /var/log/system and see how long each of those files takes to run?
The one I posted took about 3 minutes, the previous one 8 minutes. However, even if it only takes 30 seconds, the problem is that no new connections in/out can be established while it's reloading. That's not acceptable; how can I resolve it?
Once again thank you for helping me out.
Nick Howitt wrote:
You need to remove any invalid rules from the Custom Firewall Rules. If the webconfig won't allow you to, they are in /etc/clearos/firewall.d/custom.
All my rules are valid, they all work as intended and have been there for years. For some reason (it's a new issue) any rule I try to change in webconfig throws that error.
My other issue is more pressing; did you take a look at the rules and the output of my firewall debug?
You need to remove any invalid rules from the Custom Firewall Rules. If the webconfig won't allow you to, they are in /etc/clearos/firewall.d/custom.
My recommendation for rules is try them at the command line first (with the rule starting "iptables") then copy and paste them into the Custom module changing "iptables" to "$IPTABLES". If you have a whole batch to test, I suggest you open a command prompt and do:
IPTABLES="iptables -w"
Then you can test each rule from the custom module one by one without having to change iptables/$IPTABLES.
I'd copy all the rules into a temporary file then test them one by one as I described above, and if they are OK, paste them back into the custom file.
Nick Howitt wrote:
It is running but hung, I think. You could try "kill 6104" then try re-running it, but it may be safest to make sure it is not connected to the internet.
Please post the contents of /etc/clearos/firewall.d/custom.
(I managed to get start-firewall -d to run, see below)
/etc/clearos/firewall.d/custom see at https://paste.fedoraproject.org/paste/CUPDvtRdhrxci5DHuaE5Hw
After my previous response I checked:
# iptables -nvL
Another app is currently holding the xtables lock. Perhaps you want to use the -w option?
# systemctl status firewall
● firewall.service - ClearOS Firewall Engine
Loaded: loaded (/usr/lib/systemd/system/firewall.service; enabled; vendor preset: disabled)
Active: activating (start) since Thu 2018-02-15 21:13:15 GMT; 6min ago
Process: 6067 ExecStop=/usr/libexec/firewall/exec-stop.sh (code=exited, status=0/SUCCESS)
Main PID: 6102 (exec-start.sh)
CGroup: /system.slice/firewall.service
├─6102 /bin/sh /usr/libexec/firewall/exec-start.sh
├─6104 /bin/sh /usr/sbin/firewall-start
└─6142 /sbin/app-firewall -w -s /usr/clearos/apps/firewall/deploy/firewall.lua
Feb 15 21:13:15 gateway.marvelpride.fw systemd[1]: Starting ClearOS Firewall Engine...
Feb 15 21:13:15 gateway.marvelpride.fw firewall[6142]: Starting firewall...
Feb 15 21:13:15 gateway.marvelpride.fw firewall[6142]: Loading environment
A few moments later:
# systemctl status firewall
● firewall.service - ClearOS Firewall Engine
Loaded: loaded (/usr/lib/systemd/system/firewall.service; enabled; vendor preset: disabled)
Active: failed (Result: exit-code) since Thu 2018-02-15 21:28:56 GMT; 5min ago
Process: 6364 ExecStop=/usr/libexec/firewall/exec-stop.sh (code=killed, signal=TERM)
Process: 6572 ExecStart=/usr/libexec/firewall/exec-start.sh (code=exited, status=1/FAILURE)
Main PID: 6572 (code=exited, status=1/FAILURE)
Feb 15 21:28:56 gateway.marvelpride.fw systemd[1]: Starting ClearOS Firewall Engine...
Feb 15 21:28:56 gateway.marvelpride.fw systemd[1]: firewall.service: main process exited, code=exited, status=1/FAILURE
Feb 15 21:28:56 gateway.marvelpride.fw systemd[1]: Failed to start ClearOS Firewall Engine.
Feb 15 21:28:56 gateway.marvelpride.fw systemd[1]: Unit firewall.service entered failed state.
Feb 15 21:28:56 gateway.marvelpride.fw systemd[1]: firewall.service failed
I then tried to disable and delete a custom rule from the web interface and got an error "rule is invalid"; this rule worked for a long time ($IPTABLES -I FORWARD -i ppp+ -p tcp ! -s xx.xx.xx.xx --dport xxxx:xxxx -j DROP -m comment --comment "Allow this IP")
I then commented it out in the CLI and again it's taking about 10-15 minutes for the firewall to reload.
output from firewall-start -d at https://paste.fedoraproject.org/paste/028OfZxmpEOBfWsDKSVRuw
The problem seems to be that on every change the firewall reloads, and it takes 10-15 minutes to reload. Why?
My typo. It should have been /var/log/system.
The only references there are stopping & starting ClearOS Firewall engine at the times I tried to restart them.
You can't really stop the firewall as that would leave you momentarily exposed. You should just be able to do "firewall-start -d"
So I execute it while the firewall is running?
My typo. It should have been /var/log/system.
You can't really stop the firewall as that would leave you momentarily exposed. You should just be able to do "firewall-start -d"
The arpwatch message is different. It can be suppressed by playing with rsyslogd but it is worth looking for a switch misconfiguration first.
I will try to correct the double -w late at night.
I have 32 Custom Rules and 39 1to1 NAT rules.
I don't have a /var/log/syslog file, but I checked /var/log/system and /var/log/messages, nothing that can help there (apart from noticing about 70,000 entries per day for "gateway arpwatch: 00:xx:xx:xx:xx:xx sent bad hardware format 0xXX" which I might post a new question for).
How do I start the firewall in debug? Do I first stop it? (systemctl stop firewall.service)
I don't think two "-w" matters. I think I've had that accidentally in the past. However it is worth correcting and seeing if it helps.
Do you have many firewall rules?
You could try starting the firewall in debug mode with a "firewall-start -d" and see where it hangs. Also look at /var/log/syslog and you may see the hang there as well.
I have a feeling the solution is in the error message. When you are writing custom firewall rules they need either the -w parameter, so "iptables -w ......" or they need to use "$IPTABLES" instead of "iptables". "$IPTABLES" is equivalent to "iptables -w" in firewall script rules (so Custom rules and any other ones generated by the Webconfig) only and not at the command line. Have you been using "iptables" on its own?
A quick way to correct this would be to edit the file /etc/clearos/firewall.d/custom directly so you can make all changes in one go.
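Added example (not ClearOS code, and not from anyone in this thread): a small POSIX shell lint that scans a custom rules file in the style of /etc/clearos/firewall.d/custom and flags rules calling bare "iptables" without -w, the condition the reply above and the "IPTABLES="iptables -w"" batch-testing advice both address. The sample rules are constructed; the only assumption taken from the thread is that "$IPTABLES" expands to "iptables -w" inside the firewall scripts.

```shell
#!/bin/sh
# Added example, not ClearOS code. Flag custom rules that call bare "iptables"
# without -w: per the thread, script rules should use "$IPTABLES" (expands to
# "iptables -w" there) or an explicit "iptables -w", otherwise the rule can
# fail on the xtables lock during a reload. Sample rules below are constructed.

# check_rule LINE: return 0 if the rule is lock-safe (or blank / a comment),
# 1 if it invokes bare iptables without -w / --wait.
check_rule() {
    case "$1" in
        ''|'#'*)                              return 0 ;;  # blank or comment
        *'$IPTABLES'*)                        return 0 ;;  # firewall-script variable
        *'iptables -w'*|*'iptables --wait'*)  return 0 ;;  # explicit lock wait
        *iptables*)                           return 1 ;;  # bare iptables: flag it
        *)                                    return 0 ;;  # not an iptables call
    esac
}

# lint_custom_file FILE: print each offending line, set BAD_RULES to the count,
# and return 0 only when every rule passed.
lint_custom_file() {
    BAD_RULES=0
    n=0
    while IFS= read -r rule || [ -n "$rule" ]; do
        n=$((n + 1))
        if ! check_rule "$rule"; then
            BAD_RULES=$((BAD_RULES + 1))
            printf 'line %d needs $IPTABLES or "iptables -w": %s\n' "$n" "$rule"
        fi
    done < "$1"
    [ "$BAD_RULES" -eq 0 ]
}

# Constructed sample in the style of /etc/clearos/firewall.d/custom.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
# constructed sample rules
$IPTABLES -I FORWARD -i ppp+ -p tcp --dport 2222 -j DROP -m comment --comment "constructed"
iptables -w -A INPUT -p tcp --dport 8080 -j ACCEPT
iptables -A INPUT -p udp --dport 5353 -j DROP
EOF

lint_custom_file "$SAMPLE" || echo "$BAD_RULES rule(s) need fixing"
```

Running it on the constructed sample reports only the third rule; point it at a copy of the real custom file to find rules that still need "$IPTABLES".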