<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<TITLE> [Mageia-sysadm] valstar is back
</TITLE>
<LINK REL="Index" HREF="index.html" >
<LINK REL="made" HREF="mailto:mageia-sysadm%40mageia.org?Subject=Re%3A%20%5BMageia-sysadm%5D%20valstar%20is%20back&In-Reply-To=%3C20101026115600.GP21938%40mars-attacks.org%3E">
<META NAME="robots" CONTENT="index,nofollow">
<META http-equiv="Content-Type" content="text/html; charset=us-ascii">
<LINK REL="Previous" HREF="000046.html">
<LINK REL="Next" HREF="000055.html">
</HEAD>
<BODY BGCOLOR="#ffffff">
<H1>[Mageia-sysadm] valstar is back</H1>
<B>nicolas vigier</B>
<A HREF="mailto:mageia-sysadm%40mageia.org?Subject=Re%3A%20%5BMageia-sysadm%5D%20valstar%20is%20back&In-Reply-To=%3C20101026115600.GP21938%40mars-attacks.org%3E"
TITLE="[Mageia-sysadm] valstar is back">boklm at mars-attacks.org
</A><BR>
<I>Tue Oct 26 13:56:00 CEST 2010</I>
<P><UL>
<LI>Previous message: <A HREF="000046.html">[Mageia-sysadm] valstar is back
</A></li>
<LI>Next message: <A HREF="000055.html">[Mageia-sysadm] valstar is back
</A></li>
<LI> <B>Messages sorted by:</B>
<a href="date.html#54">[ date ]</a>
<a href="thread.html#54">[ thread ]</a>
<a href="subject.html#54">[ subject ]</a>
<a href="author.html#54">[ author ]</a>
</LI>
</UL>
<HR>
<!--beginarticle-->
<PRE>On Mon, 25 Oct 2010, Michael Scherer wrote:
><i> Hi,
</I>><i>
</I>><i> so a quick report.
</I>><i>
</I>><i> Valstar is back, thanks to Sylvain Rochet ( gradator ).
</I>><i> It seems that the firewall was misconfigured.
</I>><i>
</I>><i> So on 23/10/2010, I connected to the server to remove unused services
</I>><i> ( avahi, mandi, dbus, etc ). I have also removed shorewall, as we
</I>><i> disabled it on all servers at the moment ( I am more familiar with
</I>><i> regular iptables initscripts ).
</I>><i>
</I>><i> Except that removing shorewall runs service shorewall stop, which in turn
</I>><i> activates the firewall.
</I>><i>
</I>><i> All servers except one ( valstar ) had shorewall correctly turned off by
</I>><i> Pascal ( maat ). I took care of valstar, but I just disabled the service
</I>><i> with chkconfig. So once I removed the package, it started to drop
</I>><i> everything in INPUT.
</I>><i> According to the logs, this happened around 15h30 CEST
</I>><i>
</I>><i> Oct 23 15:28:59 valstar logger: Shorewall Stopped
</I>><i>
</I>><i> Since I was still logged in, I didn't see anything wrong ( as I assume
</I>><i> that the firewall will not cut working connections )
</I>><i>
</I>><i> But after that, trying to connect again showed me an error.
</I>><i>
</I>><i> We ( dams and I ) decided to wait until monday ( as we couldn't do
</I>><i> anything when the DC was closed, and I was sick, as was maat ), and
</I>><i> discussed with gradator today, and decided that it was easiest to ask
</I>><i> for a reboot than to ask to maat to go to marseille this evening.
</I>><i>
</I>><i> On 25/10/2010, at 15:30 ( again ), gradator looked at the server, saw it
</I>><i> was a firewall issue, rebooted it without the firewall, and so the server is
</I>><i> now ok.
</I>
The shorewall package had been reinstalled?
><i> I inspected it, it works fine, there are no firewall rules loaded upon
</I>><i> startup so the problem should not repeat itself.
</I>><i>
</I>><i> So, while I recognize I am at fault for this, I think that the shorewall
</I>><i> package has an unexpected side effect, and IMVHO, it should not set up a
</I>><i> restrictive firewall when we remove it ( and I do not say this only
</I>><i> because I am ashamed of causing the problem ).
</I>><i>
</I>><i> In the future, how could we avoid problems like this?
</I>><i>
</I>><i> Easiest answer is to have servers with RAC, but we don't, except on
</I>><i> alamut. I am not sure we can add one if we manage to get one.
</I>><i>
</I>><i> Another solution is a serial cable. But this can be tricky to set up
</I>><i> ( we did for zarb )
</I>
Regarding this issue, we can have a default firewall config deployed by
puppet. Maybe puppet can also be useful to recover access to machines
in some cases.
</PRE>
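<P>The thread above asks how to avoid locking everyone out of a remote server with a firewall change, and the reply suggests a default firewall config deployed by puppet. The script below is an added example, not code from this list or from Mageia's infrastructure: before loading an iptables ruleset it refuses any ruleset whose INPUT chain would not let SSH back in (which is what a drop-everything INPUT chain does), and it arms a timed rollback so the previous rules return by themselves unless the change is confirmed from a fresh session. The backup path, the SSH port, the rollback delay and the two sample rulesets are assumptions constructed for the example.</P>

```bash
#!/bin/bash
# Added example, not code from the Mageia sysadm list or Mageia's puppet
# tree: load a new iptables ruleset on a remote server without the kind of
# lock-out described in the thread (INPUT dropping everything while the
# admin is still logged in over SSH).
#
# Two safeguards:
#   1. a pre-flight check that refuses a ruleset whose INPUT chain would not
#      let the admin's SSH back in;
#   2. a timed rollback: the previous ruleset is restored automatically
#      unless the admin confirms the change from a NEW ssh session.
#
# Assumptions (not from the thread): iptables-save/iptables-restore exist,
# SSH listens on tcp/22, rulesets are in iptables-save format.

set -u

SSH_PORT="${SSH_PORT:-22}"
ROLLBACK_SECONDS="${ROLLBACK_SECONDS:-120}"
BACKUP="${BACKUP:-/run/iptables.before-change}"   # hypothetical path

# ruleset_keeps_ssh FILE
# Walks the *filter table's INPUT chain in order. Returns 0 (safe) when an
# ACCEPT for tcp/$SSH_PORT appears before any DROP/REJECT rule, or when the
# chain has no DROP/REJECT rules and its policy is ACCEPT. Anything else,
# including ":INPUT DROP" with no SSH accept, returns 1. Deliberately
# conservative: multiport or ipset based SSH rules count as "no SSH accept".
ruleset_keeps_ssh() {
    awk -v port="$SSH_PORT" '
        /^\*/             { table = substr($0, 2); next }
        table != "filter" { next }
        /^:INPUT /        { policy = $2; next }
        /^-A INPUT /      {
            if ($0 ~ /-j ACCEPT/ && $0 ~ /-p tcp/ && $0 ~ ("--dport " port "( |$)")) { ssh_ok = 1; exit }
            # Dropping INVALID packets before everything else is common and harmless to SSH.
            if ($0 ~ /-j (DROP|REJECT)/ && $0 !~ /INVALID/) { blocked = 1; exit }
        }
        END {
            if (ssh_ok)  exit 0
            if (blocked) exit 1
            if (policy == "ACCEPT") exit 0
            exit 1
        }' "$1"
}

# apply_with_rollback FILE
# Saves the live rules, loads FILE, and arms a detached timer that puts the
# saved rules back unless confirm_rules runs first. Confirm from a NEW ssh
# session: if you cannot open one, the rollback is exactly what you want.
apply_with_rollback() {
    local new_rules="$1"
    if ! ruleset_keeps_ssh "$new_rules"; then
        echo "refusing: $new_rules would not let SSH (tcp/$SSH_PORT) back into INPUT" >&2
        return 1
    fi
    iptables-save > "$BACKUP" || return 1
    if ! iptables-restore < "$new_rules"; then
        iptables-restore < "$BACKUP"      # load failed: make sure the old rules are live
        return 1
    fi
    # nohup so the timer survives the SSH session being cut by the new rules.
    nohup sh -c "sleep $ROLLBACK_SECONDS && iptables-restore < '$BACKUP'" >/dev/null 2>&1 &
    echo "$!" > "$BACKUP.pid"
    echo "new rules live; run confirm_rules within ${ROLLBACK_SECONDS}s or they roll back"
}

# confirm_rules: cancel the pending rollback and keep the new rules.
confirm_rules() {
    local pid
    pid=$(cat "$BACKUP.pid" 2>/dev/null) || { echo "no rollback pending" >&2; return 1; }
    kill "$pid" 2>/dev/null
    rm -f "$BACKUP.pid"
    echo "rollback cancelled; rules kept"
}

# Constructed sample rulesets (not taken from any real host). The first
# resembles the drop-everything INPUT state the thread describes; the
# second is a minimal ruleset that keeps SSH reachable.
sample_lockout_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
COMMIT
EOF
}

sample_safe_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# Dispatch when run directly:  ./fw-safe.sh check FILE | apply FILE | confirm
case "${1:-}" in
    check)   ruleset_keeps_ssh "$2" && echo "ok: SSH stays reachable" ;;
    apply)   apply_with_rollback "$2" ;;
    confirm) confirm_rules ;;
esac
```

<P>The check is intentionally strict about rule order: an ACCEPT for the SSH port that sits after a catch-all REJECT never matches, so it is not counted. Run <code>check</code> against the ruleset a configuration management tool is about to push before letting it near a machine with no remote console.</P>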
<!--endarticle-->
<HR>
<P><UL>
<!--threads-->
<LI>Previous message: <A HREF="000046.html">[Mageia-sysadm] valstar is back
</A></li>
<LI>Next message: <A HREF="000055.html">[Mageia-sysadm] valstar is back
</A></li>
<LI> <B>Messages sorted by:</B>
<a href="date.html#54">[ date ]</a>
<a href="thread.html#54">[ thread ]</a>
<a href="subject.html#54">[ subject ]</a>
<a href="author.html#54">[ author ]</a>
</LI>
</UL>
<hr>
<a href="https://www.mageia.org/mailman/listinfo/mageia-sysadm">More information about the Mageia-sysadm
mailing list</a><br>
</body></html>