08-01-2007, 04:56 AM | #1 | Peter_APIIT, Member (Registered: Dec 2006, Posts: 606)
Fedora 7 boot hang at Starting Firewall
Hello all expert Linux administrators,
I am facing this difficulty in Fedora 7. I realized that the firewall in Fedora 7 is not quite stable.
If the firewall has many rules, my shutdown time is slower compared to fewer rules.
Besides that, my firewall sometimes hangs at boot time when starting the firewall.
If you need information from me, please let me know.
Thanks for your help.
Your help is greatly appreciated by me and others.

08-01-2007, 11:27 AM | #2 | blackhole54, Senior Member (Registered: Mar 2006, Posts: 1,896)
When you say that it sometimes hangs on boot, do you just mean it is slow, or that it never finishes?
The time delay at shutdown probably means it is saving the current firewall rules. If this is a big annoyance, you could disable it, but then you would not save any changes you had made to the firewall since boot.
How long it takes to load and save firewall rules depends on how many rules you have and the speed of your processor. On a modern processor, you probably wouldn't notice the time it took to load a hundred rules. On older processors, I have seen it take 5 to 10 seconds. It also depends on how the system handles it. I have seen where iptables-save was a bash script that actually took quite a while. But I believe these days it is generally a compiled program which is much quicker.
You might want to post how many rules you have and what speed/type of processor you are using.

08-02-2007, 10:07 PM | #3 | Peter_APIIT, Member, Original Poster (Registered: Dec 2006, Posts: 606)
I think it never finishes because I have waited for 5-10 minutes.
My system specification is AMD Athlon 3500++ 2.4 GHz and 512 RAM.
The default table in iptables is filter.
In the INPUT chain, I have 16 rules. In the OUTPUT chain, I have 5 rules. I have 1 rule in the FORWARD chain.
I hope this helps.
Thanks.

08-03-2007, 12:40 AM | #4 | blackhole54, Senior Member (Registered: Mar 2006, Posts: 1,896)
Quote:
Originally Posted by Peter_APIIT
My system specification is AMD Athlon 3500++ 2.4 GHz and 512 RAM.
In the INPUT chain, I have 16 rules. In the OUTPUT chain, I have 5 rules. I have 1 rule in the FORWARD chain.
Man, that should take no time!
I haven't used a RH product since before Fedora, so if I make a wrong assumption here, correct me. I am assuming you are not running any firewall script/program not included with Fedora and I am assuming there is an init script called iptables. If so, I want you to try a couple of things. This will temporarily take your firewall down, so it would be prudent to disconnect from the Internet or an untrusted network first (just pull the cable). Afterwards, you can reconnect. (If something goes horribly wrong, reboot before reconnecting.)
The commands I want you to run, in sequence, are:
Code:
time service iptables stop
time service iptables start
This should shut down your firewall and then restart it. It will also print out how long each of these operations takes (that is what the word time does). I am interested in whether there are any errors (or if it hangs), and in how long it takes.
Could you also let me know whether you are used to working with bash scripts?
Last edited by blackhole54; 08-03-2007 at 12:41 AM.

08-03-2007, 09:44 AM | #5 | redhatpenguin, LQ Newbie (Registered: Aug 2007, Location: Dallas, Texas, Distribution: Rhel4, Rhel5, CentOS, Fedora, Posts: 14)
Hello, are you sure you are using iptables? The rules should load rather quickly with that many rules. If you are using a different firewall such as apf, I would expect it to take that long to load, as apf is dynamic and will build its own rule sets, which will slow a server down when booting because it will have to load all of the rulesets. If you think iptables is causing this issue, you can always run iptables -F and then service iptables save to flush and save the empty rules, and then re-input them. Can you post a copy of your rules so we can take a look at them as well?
Last edited by redhatpenguin; 08-03-2007 at 09:46 AM.

08-04-2007, 02:16 AM | #6 | Peter_APIIT, Member, Original Poster (Registered: Dec 2006, Posts: 606)
The firewall needs 20 minutes to start.
After that a screen displays /etc/swpas -- [ok], then the login screen is displayed. iptables is not started.
I have the apf firewall installed.
Thanks for your help.
Last edited by Peter_APIIT; 08-04-2007 at 03:05 AM.

08-04-2007, 03:04 AM | #7 | Peter_APIIT, Member, Original Poster (Registered: Dec 2006, Posts: 606)
I have disabled the graphical boot section via /etc/sysconfig/init -- graphical=no.
Now it can start normally, but I can no longer connect to the internet.
I have connected to the internet by turning the iptables service off.
Below is my iptables-config:
Code:
# Load additional iptables modules (nat helpers)
# Default: -none-
# Space separated list of nat helpers (e.g. 'ip_nat_ftp ip_nat_irc'), which
# are loaded after the firewall rules are applied. Options for the helpers are
# stored in /etc/modprobe.conf.
IPTABLES_MODULES="ip_conntrack_netbios_ns"
# Unload modules on restart and stop
# Value: yes|no, default: yes
# This option has to be 'yes' to get to a sane state for a firewall
# restart or stop. Only set to 'no' if there are problems unloading netfilter
# modules.
IPTABLES_MODULES_UNLOAD="yes"
# Save current firewall rules on stop.
# Value: yes|no, default: no
# Saves all firewall rules to /etc/sysconfig/iptables if firewall gets stopped
# (e.g. on system shutdown).
IPTABLES_SAVE_ON_STOP="no"
# Save current firewall rules on restart.
# Value: yes|no, default: no
# Saves all firewall rules to /etc/sysconfig/iptables if firewall gets
# restarted.
IPTABLES_SAVE_ON_RESTART="no"
# Save (and restore) rule and chain counter.
# Value: yes|no, default: no
# Save counters for rules and chains to /etc/sysconfig/iptables if
# 'service iptables save' is called or on stop or restart if SAVE_ON_STOP or
# SAVE_ON_RESTART is enabled.
IPTABLES_SAVE_COUNTER="no"
# Numeric status output
# Value: yes|no, default: yes
# Print IP addresses and port numbers in numeric format in the status output.
IPTABLES_STATUS_NUMERIC="yes"
# Verbose status output
# Value: yes|no, default: yes
# Print info about the number of packets and bytes plus the "input-" and
# "outputdevice" in the status output.
IPTABLES_STATUS_VERBOSE="no"
# Status output with numbered lines
# Value: yes|no, default: yes
# Print a counter/number for every rule in the status output.
IPTABLES_STATUS_LINENUMBERS="yes"
Below are my firewall rules:
Code:
Chain INPUT (policy DROP)
target prot opt source destination
fail2ban-SSH tcp -- anywhere anywhere tcp dpt:ssh
DROP 0 -f anywhere anywhere
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,ACK/SYN
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,ACK/RST
DROP tcp -- anywhere anywhere ctstate INVALID,NEW state INVALID,NEW
DROP udp -- anywhere anywhere ctstate INVALID,NEW state INVALID,NEW
DROP icmp -- anywhere anywhere ctstate INVALID,NEW state INVALID,NEW
ACCEPT tcp -- anywhere anywhere ctstate ESTABLISHED state ESTABLISHED
ACCEPT udp -- anywhere anywhere ctstate ESTABLISHED state ESTABLISHED
ACCEPT icmp -- anywhere anywhere ctstate ESTABLISHED state ESTABLISHED
REJECT tcp -- anywhere anywhere reject-with tcp-reset
REJECT udp -- anywhere anywhere reject-with icmp-port-unreachable
ACCEPT icmp -- anywhere anywhere icmp echo-reply
DROP icmp -- anywhere anywhere
DROP tcp -- anywhere anywhere tcp spt:31337 dpt:31337
DROP tcp -- anywhere anywhere tcp dpt:telnet
Chain FORWARD (policy DROP)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere ctstate NEW,RELATED,ESTABLISHED state NEW,RELATED,ESTABLISHED
ACCEPT udp -- anywhere anywhere ctstate NEW,ESTABLISHED state NEW,ESTABLISHED
ACCEPT icmp -- anywhere anywhere ctstate NEW,RELATED,ESTABLISHED state NEW,RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere icmp echo-request
Chain fail2ban-SSH (1 references)
target prot opt source destination
RETURN 0 -- anywhere anywhere
Last edited by Peter_APIIT; 08-04-2007 at 03:09 AM.

08-04-2007, 09:42 AM | #8 | redhatpenguin, LQ Newbie (Registered: Aug 2007, Location: Dallas, Texas, Distribution: Rhel4, Rhel5, CentOS, Fedora, Posts: 14)
Unfortunately I am not an expert on apf; however, I can tell you from personal experience from working in the data center that I have had to chkconfig many boxes to bypass apf. Apf, as previously posted, can take quite a long time to load its rules. I have personally seen it take 30+ minutes to load. I have also heard that if your rules deny by hostname, it can slow down the firewall as well. You may be able to find some more info here: http://forums.rfxnetworks.com/ Perhaps someone with more knowledge of apf will weigh in.

08-04-2007, 10:32 PM | #9 | Peter_APIIT, Member, Original Poster (Registered: Dec 2006, Posts: 606)
My problem now is that I cannot connect to the internet.
My Red Hat Firewall Input has been deleted by a hacker. I don't have a backup of it. Could anyone post the Red Hat Firewall Input here?
I don't have the Red Hat Firewall chain in my current firewall (iptables). I don't think this is the issue because I cannot connect to the internet with iptables off.
Thanks for your help.

08-05-2007, 12:21 AM | #10 | blackhole54, Senior Member (Registered: Mar 2006, Posts: 1,896)
Quote:
Originally Posted by Peter_APIIT
My problem now is that I cannot connect to the internet.
Are you trying to access the Internet directly from this box? I don't see anything in your firewall rules that might prevent that with one possible exception:
Code:
ACCEPT tcp -- anywhere anywhere ctstate ESTABLISHED state ESTABLISHED
ACCEPT udp -- anywhere anywhere ctstate ESTABLISHED state ESTABLISHED
ACCEPT icmp -- anywhere anywhere ctstate ESTABLISHED state ESTABLISHED
I am used to seeing rules like the above accepting both ESTABLISHED and RELATED states. I am not sure whether lack of RELATED could prevent Internet access.
If you want to troubleshoot, I can think of two things you can try:
- If you list your iptables rules using the -v option, the first two columns of the listing should show packet and byte counts for matching packets. This might give you an idea of which rules are blocking the packets.
- You can use a packet sniffer like tcpdump or wireshark to see what packets are actually going out of and coming into your network interface.
Just so you know, I have no knowledge of apf. I am passingly familiar with iptables rules except for the mangle table.
Also, if I understood you correctly, your server has been compromised. While not a security expert, my understanding is that when that happens you are best off starting over from scratch or restoring from a trusted backup, since once the machine has been compromised you can never again trust what the utilities tell you.
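One way to carry out the packet-counter check blackhole54 suggests in the post above, as an added example that is not part of the thread: a small shell function that parses `iptables -L -v -n` output and lists only the DROP/REJECT rules (and any DROP chain policy) that have actually matched packets. The listing embedded in it is constructed sample output modelled on the INPUT/OUTPUT rules posted earlier in the thread; the counters are made up, not the poster's real ones.

```shell
#!/bin/sh
# Added example (not from the thread): find which DROP/REJECT rules, or a
# DROP chain policy, have matched packets in an `iptables -L -v -n` listing.
# This is the "look at the packet and byte counters" check from post #10.

# Constructed sample listing modelled on the rules posted in the thread;
# the counters are invented. On a live box you would use: iptables -L -v -n
SAMPLE_LISTING='Chain INPUT (policy DROP 12 packets, 720 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 fail2ban-SSH  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
   37  2220 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID,NEW
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID,NEW
  410 51234 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate ESTABLISHED
    5   300 REJECT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  500 60000 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate NEW,RELATED,ESTABLISHED'

# blocking_rules LISTING
# Prints one line per DROP/REJECT rule with a non-zero packet count:
#   CHAIN pkts TARGET proto <match options...>
# and, for a chain whose DROP policy has counted packets:
#   CHAIN policy DROP pkts
blocking_rules() {
    printf '%s\n' "$1" | awk '
        # Chain header line: "Chain INPUT (policy DROP 12 packets, 720 bytes)"
        /^Chain / {
            chain = $2
            if ($4 == "DROP" && $5 + 0 > 0) print chain, "policy", $4, $5
            next
        }
        # Skip the column header and blank lines between chains
        /^ *pkts/ || NF == 0 { next }
        # Rule line: pkts bytes target prot opt in out source destination [matches...]
        ($3 == "DROP" || $3 == "REJECT") && $1 + 0 > 0 {
            extra = ""
            for (i = 10; i <= NF; i++) extra = extra " " $i
            print chain, $1, $3, $4 extra
        }'
}

blocking_rules "$SAMPLE_LISTING"
```

Rules whose counters stay at zero while a connection fails are not the culprit; a DROP policy line with a growing count means no rule matched the traffic at all.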