Hi again.
Have been finding a bunch of stuff that isn't working right over the past few weeks and today while looking at the running services I noticed a new one. I see that netify-fwa isn't running. This is the first time it was marked status "red" and won't restart.
I read in another post of an update pushed over the past days that caused some problem with someone on a multiwan that netify-fwa-2.2-1.v7 was supposed to fix. So I did the downgrade & upgrade but netify-fwa won't start. So I'm downgrading again to netify-fwa-2.1-1.v7 and trying that.
What log does this netify-fwa write to?
Responses (13)
-
Accepted Answer
Figured it out.
rpm -ql app-netify-fwa-core-2.3.2-1.v7.noarch
listed all the installed files. These were removed manually.
Then I ran
yum remove netify*
which removed everything else. It looks like it also cleaned up the turds in yum from app-netify-fwa-core.
Thanks again for all your help Nick.
Accepted Answer
Thanks again for the help, Nick.
The
yum remove app-netify-*
never completes. I've forced quit and run
yum-complete-transaction --cleanup-only
but I can't remove those two apps.
error: %preun(app-netify-fwa-core-1:2.3.2-1.v7.noarch) scriptlet failed, signal 2
Error in PREUN scriptlet in rpm package 1:app-netify-fwa-core-2.3.2-1.v7.noarch
How does one go about determining all the pieces of this app that were installed so I can manually delete the files?
Accepted Answer
Hi Nuke,
As far as I worked out in the past, permissions don't matter too much in /etc/clearos/firewall.d/ In the past I tried disabling rules by removing the execute bit and it did nothing. The only way I found of disabling a file was to make it into a dot file.
I've tried an "rpm -q --whatrequires netifyd" and "rpm -q --whatrequires netify-fwa" (and therefore rpm -q --whatrequires app-netify-fwa-core), and to me, it looks like they can be safely removed if you have removed the Protocol Filter app.
Accepted Answer
One more potential issue.
In /etc/clearos/firewall.d/ it looks like the permissions are inconsistent.
ll /etc/clearos/firewall.d/
total 28
-rw-r--r-- 1 root root 2365 Nov 10 12:22 10-netify-fwa
-rwxr-xr-x 1 root root 95 Feb 4 11:36 10-ntp
-rw-r--r-- 1 root root 1156 Aug 20 11:10 10-snortsam
-rwxr-xr-x 1 root root 1433 May 5 2017 90-attack-detector
-rwxr-xr-x 1 root root 326 Jan 24 03:09 custom
-rwxr-xr-x 1 root root 212 Jan 11 17:24 local
-rwxr-xr-x 1 root root 1467 Dec 12 14:52 types
So we have 10-netify-fwa & 10-snortsam as 644 and the rest are 755.
Would this be causing a problem with the starting of netify-fwa?
If yes, then which permissions should it be?
Accepted Answer
I'm still having a bunch of problems with this netify-fwa.
I removed both the Protocol filter and the Application filter but the netify-fwa and netifyd are still present. (I thought they should be removed when I removed Protocol and Application filters???)
Each time I make any change to the firewall, netify-fwa tries to restart and clobbers the Attack Defender (fail2ban).
netify-fwa hangs and times out.
Having read some more posts regarding netify and what should be installed and where, I may have found a bug or inconsistency with my install.
The file /etc/netify-fwa.conf contains:
[nfa]
disable_protocol_rules = false
disable_service_rules = false
file_pid = /run/netify-fwa/netify-fwa.pid
file_reload_lock = /run/netify-fwa/netify-fwa.reload
file_state = /var/lib/netify-fwa/state.dat
rule_ttl = 600
rule_mark_base = 0x900000
syslog_facility = local0
[netify]
node = /var/lib/netifyd/netifyd.sock
service = 0
[service_whitelist]
[protocol_whitelist]
[service_rules]
[protocol_rules]
According to the github for netify, the state.dat file was removed. There was a post on this forum about the state.dat file causing problems. I checked in /var/lib/netify-fwa/ and there is no state.dat file. There is however a nfa_protocols.dat. Since the state.dat file shouldn't exist and is listed in the conf file, I think there is a bug.
Either the
file_state = /var/lib/netify-fwa/state.dat
shouldn't be there, the right line should be
file_state = /var/lib/netify-fwa/nfa_protocols.dat
or some other reference should be to nfa_protocols.dat.
Questions
1) can I safely remove netify-fwa and netifyd since I have removed both the Protocol and Application filters?
2) is the netify-fwa.conf in error?
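The mismatch described in this post (a file_state path in /etc/netify-fwa.conf that points at a file which is not on disk) can be checked mechanically. The script below is an added example written for this page; it is not part of netify-fwa or ClearOS. It parses the [nfa] and [netify] sections as posted, treats file_state and the netifyd socket as things that must already exist, treats the pid and reload-lock files as runtime files whose directory only needs to exist, and sanity-checks rule_ttl and rule_mark_base. The filesystem view (SAMPLE_FS) is constructed to match what the poster reported: no state.dat, an nfa_protocols.dat beside it, and the netifyd socket present. Which of the two file names netify-fwa actually expects is not settled by this thread; the check only surfaces the discrepancy.

```python
import configparser
import os
from typing import Callable, List, Tuple

# Copy of /etc/netify-fwa.conf as posted in the thread (the four empty
# whitelist and rule sections carry no keys and are omitted here).
SAMPLE_CONF = """\
[nfa]
disable_protocol_rules = false
disable_service_rules = false
file_pid = /run/netify-fwa/netify-fwa.pid
file_reload_lock = /run/netify-fwa/netify-fwa.reload
file_state = /var/lib/netify-fwa/state.dat
rule_ttl = 600
rule_mark_base = 0x900000
syslog_facility = local0

[netify]
node = /var/lib/netifyd/netifyd.sock
service = 0
"""

# Constructed stand-in for what the poster found on disk (assumption, not a
# real listing): no state.dat, but nfa_protocols.dat next to where it should
# be, and netifyd's socket present because netifyd is running.
SAMPLE_FS = {
    "/run/netify-fwa",
    "/var/lib/netify-fwa",
    "/var/lib/netify-fwa/nfa_protocols.dat",
    "/var/lib/netifyd",
    "/var/lib/netifyd/netifyd.sock",
}

# Targets that must already exist before the agent can do anything useful.
MUST_EXIST = {("nfa", "file_state"), ("netify", "node")}
# Runtime files the daemon creates itself at start-up: only the parent
# directory has to be there.
DIR_ONLY = {("nfa", "file_pid"), ("nfa", "file_reload_lock")}


def parse_conf(text: str) -> configparser.ConfigParser:
    # interpolation=None so a literal '%' in a path is not treated as a variable
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def check_conf(text: str,
               exists: Callable[[str], bool] = os.path.exists) -> List[Tuple[str, str]]:
    """Return (key, problem) pairs; an empty list means nothing looked wrong.

    `exists` defaults to the real filesystem; pass a callable backed by a
    set of paths to test against a constructed layout.
    """
    cp = parse_conf(text)
    problems: List[Tuple[str, str]] = []

    for section, key in sorted(MUST_EXIST | DIR_ONLY):
        name = f"{section}.{key}"
        if not cp.has_option(section, key):
            problems.append((name, "key missing"))
            continue
        path = cp.get(section, key)
        parent = os.path.dirname(path)
        if not exists(parent):
            problems.append((name, f"directory {parent} does not exist"))
        elif (section, key) in MUST_EXIST and not exists(path):
            problems.append((name, f"{path} does not exist (directory {parent} is present)"))

    ttl = cp.get("nfa", "rule_ttl", fallback=None)
    if ttl is None or not ttl.isdigit() or int(ttl) <= 0:
        problems.append(("nfa.rule_ttl", f"not a positive integer: {ttl!r}"))

    mark = cp.get("nfa", "rule_mark_base", fallback=None)
    try:
        value = int(mark, 0)          # accepts 0x900000 as well as decimal
        if not 0 < value <= 0xFFFFFFFF:   # netfilter marks are 32-bit
            raise ValueError(mark)
    except (TypeError, ValueError):
        problems.append(("nfa.rule_mark_base", f"not a valid 32-bit fwmark: {mark!r}"))

    return problems


if __name__ == "__main__":
    for key, problem in check_conf(SAMPLE_CONF, exists=lambda p: p in SAMPLE_FS):
        print(f"{key}: {problem}")
```

Against the constructed layout the only finding is nfa.file_state pointing at the missing state.dat; on a live box drop the `exists=` argument and the same function walks the real paths.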
Accepted Answer
nuke wrote:
I supposed I could disable those rules and test if it runs again. Then I'd have to check if it blows up fail2ban again.
Yep. It screwed everything up. Now I can't get fail2ban to run. It appears that the restart/reload of netify-fwa shuts down a number of firewall processes including fail2ban. Since it won't start it hangs and all the other processes won't restart.
If I manually
systemctl stop netify-fwa
then I can restart fail2ban. I'll have to add some comments to the fail2ban discussion we have been having as it looks like fail2ban isn't blocking at all.
Perhaps the best course is to remove the protocol filter until I really need it. (But I don't know if that will fix the other issues though.)
[edit] add more detail[/edit]
Accepted Answer
Nick Howitt wrote:
I'm struggling. I only installed the protocol filter to investigate something else so I don't habitually use it. What are you filtering? I am filtering BitTorrent, Gnutella and eDonkey and netify-fwa seems to run OK (but there is an issue blocking BitTorrent).
I installed the protocol filter when I did the initial set up. The installation was more of a "just in case" I need to manage something if my kids get out of control on some new toy. The only things blocked at the moment are the games. I set those rules more as a test rather than specific reason. I supposed I could disable those rules and test if it runs again. Then I'd have to check if it blows up fail2ban again.
Accepted Answer
Nick Howitt wrote:
Current versions are:
rpm -qa | grep netify
app-netify-fwa-core-2.3.2-1.v7.noarch
netifyd-1.21-1.v7.x86_64
netify-fwa-2.2-1.v7.noarch
app-netify-core-2.3.6-1.v7.noarch
I'm not sure I'd step back any versions. There are certain older versions which can crash blocking bittorrents. I believe the packages are going to get some TLC over the next 6 months or so.
I am not aware the packages write to any particular file. They operate via a load of firewall rules so you may see references in /var/log/messages and /var/log/system.
Looks like our posts crossed again.
I found a bunch of info in the messages log (posted in the crossed post)
Here is my present installed (COS 7.4 :-) )
rpm -qa | grep netify
app-netify-fwa-core-2.3.2-1.v7.noarch
netify-fwa-2.2-1.v7.noarch
netifyd-1.21-1.v7.x86_64
app-netify-core-2.3.6-1.v7.noarch
Accepted Answer
OK, I found some info in the log/messages
Jan 30 16:37:56 domain yum[18809]: Updated: netify-fwa-2.2-1.v7.noarch
Jan 30 16:41:39 domain webconfig: Redirecting to /bin/systemctl start netify-fwa.service
Jan 30 16:41:39 domain systemd: Starting Netify FWA Daemon...
Jan 30 16:41:39 domain php: Netify Firewall Agent v1.8/1.5
Jan 30 16:41:39 domain php: Netify Firewall Agent v1.8 starting...
Jan 30 16:41:39 domain netify-fwa[22110]:
Jan 30 16:43:09 domain systemd: netify-fwa.service start-post operation timed out. Stopping.
Jan 30 16:43:09 domain netify-fwa[22242]: Exiting...
Jan 30 16:43:09 domain netifyd: void ndSocketThread::ClientHangup(std::map<int, ndSocket*>::iterator&
Jan 30 16:43:09 domain netify-fwa[22242]:
Jan 30 16:44:39 domain systemd: netify-fwa.service stop-post timed out. Terminating.
Jan 30 16:44:39 domain systemd: Failed to start Netify FWA Daemon.
Jan 30 16:44:39 domain systemd: Unit netify-fwa.service entered failed state.
Jan 30 16:44:39 domain systemd: netify-fwa.service failed.
Jan 30 16:44:39 domain webconfig: Job for netify-fwa.service failed because a timeout was exceeded. See "systemctl status netify-fwa.service" and "journalctl -xe" for details.
and
# systemctl status netify-fwa.service -l
● netify-fwa.service - Netify FWA Daemon
Loaded: loaded (/usr/lib/systemd/system/netify-fwa.service; enabled; vendor preset: disabled)
Active: failed (Result: timeout) since Tue 2018-01-30 16:44:39 EST; 1min 35s ago
Process: 22586 ExecStopPost=/usr/libexec/netify-fwa/exec-stop-post.sh (code=killed, signal=TERM)
Process: 22110 ExecStart=/usr/sbin/netify-fwa (code=exited, status=0/SUCCESS)
Main PID: 22242 (code=exited, status=0/SUCCESS)
Jan 30 16:41:39 domain.com netify-fwa[22242]: Connected to /var/lib/netifyd/netifyd.sock(0).
Jan 30 16:41:39 domain.com netify-fwa[22242]: Processed 233 protocols/applications.
Jan 30 16:41:39 domain.com netify-fwa[22242]: Saved 233 protocols/applications.
Jan 30 16:43:09 domain.com systemd[1]: netify-fwa.service start-post operation timed out. Stopping.
Jan 30 16:43:09 domain.com netify-fwa[22242]: Exiting...
Jan 30 16:43:09 domain.com netify-fwa[22242]:
Jan 30 16:44:39 domain.com systemd[1]: netify-fwa.service stop-post timed out. Terminating.
Jan 30 16:44:39 domain.com systemd[1]: Failed to start Netify FWA Daemon.
Jan 30 16:44:39 domain.com systemd[1]: Unit netify-fwa.service entered failed state.
Jan 30 16:44:39 domain.com systemd[1]: netify-fwa.service failed.
I tried with the downgraded version and get the same errors.
What to try next?
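The log and the systemctl status above carry the answer to "where is it hanging": ExecStart exited 0, the main process connected to netifyd and processed the protocol list, and only then did systemd report "start-post operation timed out" exactly 90 s after "Starting", followed by "stop-post timed out" another 90 s later. 90 s is systemd's DefaultTimeoutStartSec, so the unit is being killed in its ExecStartPost hook, not in the daemon itself; `systemctl cat netify-fwa.service` shows what that hook runs. The script below is an added example written for this page (not ClearOS or Netify code) that pulls those phases out of /var/log/messages-style lines and times the gaps. The sample lines are the ones quoted in the post, copied in as a constructed string; the unit name is passed in, and the "Starting ..." line is tied to the unit by position because systemd prints only the unit's Description there.

```python
import re
from datetime import datetime
from typing import Dict, List, Optional

# Constructed sample: the /var/log/messages lines quoted in the thread
# (hostname "domain" as posted; the two empty netify-fwa[...] lines are kept).
SAMPLE_LOG = """\
Jan 30 16:37:56 domain yum[18809]: Updated: netify-fwa-2.2-1.v7.noarch
Jan 30 16:41:39 domain webconfig: Redirecting to /bin/systemctl start netify-fwa.service
Jan 30 16:41:39 domain systemd: Starting Netify FWA Daemon...
Jan 30 16:41:39 domain php: Netify Firewall Agent v1.8/1.5
Jan 30 16:41:39 domain php: Netify Firewall Agent v1.8 starting...
Jan 30 16:41:39 domain netify-fwa[22110]:
Jan 30 16:43:09 domain systemd: netify-fwa.service start-post operation timed out. Stopping.
Jan 30 16:43:09 domain netify-fwa[22242]: Exiting...
Jan 30 16:43:09 domain netifyd: void ndSocketThread::ClientHangup(std::map<int, ndSocket*>::iterator&
Jan 30 16:43:09 domain netify-fwa[22242]:
Jan 30 16:44:39 domain systemd: netify-fwa.service stop-post timed out. Terminating.
Jan 30 16:44:39 domain systemd: Failed to start Netify FWA Daemon.
Jan 30 16:44:39 domain systemd: Unit netify-fwa.service entered failed state.
Jan 30 16:44:39 domain systemd: netify-fwa.service failed.
"""

# Classic syslog line: "Mon DD HH:MM:SS host prog[pid]: message" (pid optional,
# message may be empty as in the netify-fwa lines above).
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<prog>[^:\[\s]+)(?:\[(?P<pid>\d+)\])?: ?(?P<msg>.*)$"
)

# systemd's own messages for a unit whose ExecStartPost hook hangs, in the
# order they appear in the posted log.
PHASE_RE = {
    "start_post_timeout": re.compile(r"^(?P<unit>\S+) start-post operation timed out"),
    "stop_post_timeout": re.compile(r"^(?P<unit>\S+) stop-post timed out"),
    "failed": re.compile(r"^Unit (?P<unit>\S+) entered failed state"),
}
STARTING_RE = re.compile(r"^Starting .+\.\.\.$")


def parse_syslog(text: str) -> List[Dict]:
    """Split syslog text into events; lines that do not parse are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # no year in the timestamp: strptime yields 1900, fine for differences
        ts = datetime.strptime(re.sub(r"\s+", " ", m["ts"]), "%b %d %H:%M:%S")
        events.append({"ts": ts, "host": m["host"], "prog": m["prog"],
                       "pid": int(m["pid"]) if m["pid"] else None, "msg": m["msg"]})
    return events


def unit_timeline(events: List[Dict], unit: str) -> Dict:
    """Time the phases of one unit's failed start from systemd's log lines."""
    marks: Dict[str, datetime] = {}
    last_starting: Optional[datetime] = None
    daemon = unit[:-len(".service")] if unit.endswith(".service") else unit
    daemon_logged_exit = False

    for ev in events:
        if ev["prog"] == daemon and ev["msg"] == "Exiting...":
            daemon_logged_exit = True
        if ev["prog"] != "systemd":
            continue
        if STARTING_RE.match(ev["msg"]):
            # "Starting <Description>..." carries no unit name; remember the
            # latest one and bind it when the first unit-specific line arrives.
            last_starting = ev["ts"]
            continue
        for name, rx in PHASE_RE.items():
            m = rx.match(ev["msg"])
            if m and m["unit"] == unit and name not in marks:
                marks[name] = ev["ts"]
                if name == "start_post_timeout" and last_starting is not None:
                    marks.setdefault("starting", last_starting)

    def gap(a: str, b: str) -> Optional[float]:
        return (marks[b] - marks[a]).total_seconds() if a in marks and b in marks else None

    if "start_post_timeout" in marks:
        phase = "ExecStartPost"
    elif "failed" in marks:
        phase = "other"
    else:
        phase = None
    return {
        "unit": unit,
        "failed": "failed" in marks,
        "failing_phase": phase,
        "daemon_logged_exit": daemon_logged_exit,
        "start_post_wait_s": gap("starting", "start_post_timeout"),
        "stop_post_wait_s": gap("start_post_timeout", "stop_post_timeout"),
    }


if __name__ == "__main__":
    print(unit_timeline(parse_syslog(SAMPLE_LOG), "netify-fwa.service"))
```

On the posted lines this reports failing_phase ExecStartPost with both waits at 90.0 s and the daemon having logged "Exiting..." before the failure, which is consistent with the status block where ExecStart and the main PID exited 0 and only ExecStopPost was killed with SIGTERM. A unit that overrides TimeoutStartSec will show a different wait; the script only reports what the timestamps say.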
Accepted Answer
Current versions are:
rpm -qa | grep netify
app-netify-fwa-core-2.3.2-1.v7.noarch
netifyd-1.21-1.v7.x86_64
netify-fwa-2.2-1.v7.noarch
app-netify-core-2.3.6-1.v7.noarch
I'm not sure I'd step back any versions. There are certain older versions which can crash blocking bittorrents. I believe the packages are going to get some TLC over the next 6 months or so.
I am not aware the packages write to any particular file. They operate via a load of firewall rules so you may see references in /var/log/messages and /var/log/system.