LinuxQuestions.org
Forums > Linux Forums > Linux - Distributions > Fedora
Old 08-01-2007, 04:56 AM   #1
Peter_APIIT
Member
 
Registered: Dec 2006
Posts: 606

Rep: Reputation: 31
Fedora 7 boot hang at Starting Firewall


Hello all expert Linux administrator,

I am facing these difficulties in Fedora 7. I realized that the firewall in Fedora 7 is not quite stable.

If the firewall has many rules, my shutdown time is slower as opposed to fewer rules.

Besides that, my firewall sometimes hangs at boot time when starting the firewall.

If you need information from me, please let me know.

Thanks for your help.

Your help is greatly appreciated by me and others.
 
Old 08-01-2007, 11:27 AM   #2
blackhole54
Senior Member
 
Registered: Mar 2006
Posts: 1,896

Rep: Reputation: 61
When you say that it sometimes hangs on boot, do you just mean it is slow, or that it never finishes?

The time delay at shutdown probably means it is saving the current firewall rules. If this is a big annoyance, you could disable it, but then you would not save any changes you had made to the firewall since boot.

How long it takes to load and save firewall rules depends on how many rules you have and the speed of your processor. On a modern processor, you probably wouldn't notice the time it took to load a hundred rules. On older processors, I have seen it take 5 to 10 seconds. It also depends on how the system handles it. I have seen where iptables-save was a bash script that actually took quite a while. But I believe these days it is generally a compiled program which is much quicker.

You might want to post how many rules you have and what speed/type of processor you are using.
 
Old 08-02-2007, 10:07 PM   #3
Peter_APIIT
Member
 
Registered: Dec 2006
Posts: 606

Original Poster
Rep: Reputation: 31
I think it never finishes because I have waited for 5-10 minutes.

My system specification is AMD Athlon 3500++ 2.4 GHz and 512 RAM.

The default table in iptables is filter.

In the INPUT chain, I have 16 rules. In the OUTPUT chain, I have 5 rules. I have 1 rule in the FORWARD chain.

I hope this helps.

Thanks.
 
Old 08-03-2007, 12:40 AM   #4
blackhole54
Senior Member
 
Registered: Mar 2006
Posts: 1,896

Rep: Reputation: 61
Quote:
Originally Posted by Peter_APIIT
My system specification is AMD Athlon 3500++ 2.4 GHz and 512 RAM.
In the INPUT chain, I have 16 rules. In the OUTPUT chain, I have 5 rules. I have 1 rule in the FORWARD chain.
Man, that should take no time!

I haven't used a RH product since before Fedora, so if I make a wrong assumption here, correct me. I am assuming you are not running any firewall script/program not included with Fedora and I am assuming there is an init script called iptables. If so, I want you to try a couple of things. This will temporarily take your firewall down, so it would be prudent to disconnect from the Internet or an untrusted network first (just pull the cable). Afterwards, you can reconnect. (If something goes horribly wrong, reboot before reconnecting.)

The commands I want you to run, in sequence, are:

Code:
time service iptables stop
time service iptables start
This should shut down your firewall and then restart it. It will also print out how long each of these operations takes (that is what the word time does). I am interested in whether there are any errors (or if it hangs), and in how long it takes.

Could you also let me know whether you are used to working with bash scripts?

Last edited by blackhole54; 08-03-2007 at 12:41 AM.
 
Old 08-03-2007, 09:44 AM   #5
redhatpenguin
LQ Newbie
 
Registered: Aug 2007
Location: Dallas, Texas
Distribution: Rhel4, Rhel5, CentOS, Fedora
Posts: 14

Rep: Reputation: 0
Hello, are you sure you are using iptables? The rules should load rather quickly with that many rules. If you are using a different firewall such as apf I would expect it to take that long to load, as apf is dynamic and will build its own rule sets that will slow a server down when booting because it will have to load all of the rulesets. If you think iptables is causing this issue, you can always run iptables -F and then service iptables save to flush and save the empty rules, and then re-input them. Can you post a copy of your rules so we can take a look at them as well?

Last edited by redhatpenguin; 08-03-2007 at 09:46 AM.
 
Old 08-04-2007, 02:16 AM   #6
Peter_APIIT
Member
 
Registered: Dec 2006
Posts: 606

Original Poster
Rep: Reputation: 31
The firewall needs 20 minutes to start.
After that a screen displays /etc/swpas -- [ok], then the login screen is displayed. The iptables service is not started.

I have apf firewall installed.


Thanks for your help.

Last edited by Peter_APIIT; 08-04-2007 at 03:05 AM.
 
Old 08-04-2007, 03:04 AM   #7
Peter_APIIT
Member
 
Registered: Dec 2006
Posts: 606

Original Poster
Rep: Reputation: 31
I have disabled the graphical boot section by /etc/sysconfig/init -- graphical=no .

Now, it can start normally but I can no longer connect to the internet.

I have connected to the internet with service iptables off.

Below is my iptables-config.

# Load additional iptables modules (nat helpers)
# Default: -none-
# Space separated list of nat helpers (e.g. 'ip_nat_ftp ip_nat_irc'), which
# are loaded after the firewall rules are applied. Options for the helpers are
# stored in /etc/modprobe.conf.
IPTABLES_MODULES="ip_conntrack_netbios_ns"

# Unload modules on restart and stop
# Value: yes|no, default: yes
# This option has to be 'yes' to get to a sane state for a firewall
# restart or stop. Only set to 'no' if there are problems unloading netfilter
# modules.
IPTABLES_MODULES_UNLOAD="yes"

# Save current firewall rules on stop.
# Value: yes|no, default: no
# Saves all firewall rules to /etc/sysconfig/iptables if firewall gets stopped
# (e.g. on system shutdown).
IPTABLES_SAVE_ON_STOP="no"

# Save current firewall rules on restart.
# Value: yes|no, default: no
# Saves all firewall rules to /etc/sysconfig/iptables if firewall gets
# restarted.
IPTABLES_SAVE_ON_RESTART="no"

# Save (and restore) rule and chain counter.
# Value: yes|no, default: no
# Save counters for rules and chains to /etc/sysconfig/iptables if
# 'service iptables save' is called or on stop or restart if SAVE_ON_STOP or
# SAVE_ON_RESTART is enabled.
IPTABLES_SAVE_COUNTER="no"

# Numeric status output
# Value: yes|no, default: yes
# Print IP addresses and port numbers in numeric format in the status output.
IPTABLES_STATUS_NUMERIC="yes"

# Verbose status output
# Value: yes|no, default: yes
# Print info about the number of packets and bytes plus the "input-" and
# "outputdevice" in the status output.
IPTABLES_STATUS_VERBOSE="no"

# Status output with numbered lines
# Value: yes|no, default: yes
# Print a counter/number for every rule in the status output.
IPTABLES_STATUS_LINENUMBERS="yes"



Below are my firewall rules:

Chain INPUT (policy DROP)
target prot opt source destination
fail2ban-SSH tcp -- anywhere anywhere tcp dpt:ssh
DROP 0 -f anywhere anywhere
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,ACK/SYN
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,ACK/RST
DROP tcp -- anywhere anywhere ctstate INVALID,NEW state INVALID,NEW
DROP udp -- anywhere anywhere ctstate INVALID,NEW state INVALID,NEW
DROP icmp -- anywhere anywhere ctstate INVALID,NEW state INVALID,NEW
ACCEPT tcp -- anywhere anywhere ctstate ESTABLISHED state ESTABLISHED
ACCEPT udp -- anywhere anywhere ctstate ESTABLISHED state ESTABLISHED
ACCEPT icmp -- anywhere anywhere ctstate ESTABLISHED state ESTABLISHED
REJECT tcp -- anywhere anywhere reject-with tcp-reset
REJECT udp -- anywhere anywhere reject-with icmp-port-unreachable
ACCEPT icmp -- anywhere anywhere icmp echo-reply
DROP icmp -- anywhere anywhere
DROP tcp -- anywhere anywhere tcp spt:31337 dpt:31337
DROP tcp -- anywhere anywhere tcp dpt:telnet

Chain FORWARD (policy DROP)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere ctstate NEW,RELATED,ESTABLISHED state NEW,RELATED,ESTABLISHED
ACCEPT udp -- anywhere anywhere ctstate NEW,ESTABLISHED state NEW,ESTABLISHED
ACCEPT icmp -- anywhere anywhere ctstate NEW,RELATED,ESTABLISHED state NEW,RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere icmp echo-request

Chain fail2ban-SSH (1 references)
target prot opt source destination
RETURN 0 -- anywhere anywhere

Last edited by Peter_APIIT; 08-04-2007 at 03:09 AM.
 
Old 08-04-2007, 09:42 AM   #8
redhatpenguin
LQ Newbie
 
Registered: Aug 2007
Location: Dallas, Texas
Distribution: Rhel4, Rhel5, CentOS, Fedora
Posts: 14

Rep: Reputation: 0
Unfortunately I am not an expert on apf, however I can tell you from personal experience from working in the data center that I have had to chkconfig many boxes to bypass apf. Apf as previously posted can take quite a long time to load its rules. I have personally seen it take 30+ minutes to load. I have also heard that if your rules deny by hostname, it can slow down the firewall as well. You may be able to find some more info here http://forums.rfxnetworks.com/ perhaps someone with more knowledge of apf will weigh in.
 
Old 08-04-2007, 10:32 PM   #9
Peter_APIIT
Member
 
Registered: Dec 2006
Posts: 606

Original Poster
Rep: Reputation: 31
My problem now is I cannot connect to the internet.

My Red Hat Firewall Input has been deleted by a hacker. I don't have a backup of it. Could anyone post the Red Hat Firewall Input here.

I don't have the Red Hat Firewall chain in my current firewall (iptables). I don't think this is the issue because I cannot connect to the internet with iptables off.

Thanks for your help.
 
Old 08-05-2007, 12:21 AM   #10
blackhole54
Senior Member
 
Registered: Mar 2006
Posts: 1,896

Rep: Reputation: 61
Quote:
Originally Posted by Peter_APIIT
My problem now is I cannot connect to the internet.
Are you trying to access the Internet directly from this box? I don't see anything in your firewall rules that might prevent that with one possible exception:

Code:
ACCEPT     tcp  --  anywhere             anywhere            ctstate ESTABLISHED state ESTABLISHED 
ACCEPT     udp  --  anywhere             anywhere            ctstate ESTABLISHED state ESTABLISHED 
ACCEPT     icmp --  anywhere             anywhere            ctstate ESTABLISHED state ESTABLISHED
I am used to seeing rules like the above accepting both ESTABLISHED and RELATED states. I am not sure whether lack of RELATED could prevent Internet access.

If you want to troubleshoot, I can think of two things you can try:
  • If you list your iptables rules using the -v option, the first two columns of the listing should show packet and byte counts for matching packets. This might give you an idea of what rules are blocking the packets.
  • You can use a packet sniffer like tcpdump or wireshark to see what packets are actually going out and coming into your network interface.
Just so you know, I have no knowledge of apf. I am passingly familiar with iptables rules except for the mangle table.

Also, if I understood you correctly, your server has been compromised. While not a security expert, my understanding is that when that happens you are best off starting over from scratch or restoring from a trusted backup, since once the machine has been compromised you can never again trust what the utilities tell you.
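The counter-based troubleshooting blackhole54 suggests above, as an added example that is not from this thread: a small sh/awk filter over `iptables -L -v -n` output that lists only the DROP/REJECT rules (and any DROP chain policy) whose packet counters are non-zero, so the rule that is actually discarding traffic stands out. The listing embedded below is constructed sample output, not the poster's real counters.

```shell
#!/bin/sh
# Constructed sample of "iptables -L -v -n" output (not the thread's real
# counters). Columns: pkts bytes target prot opt in out source destination extra...
SAMPLE_LISTING='Chain INPUT (policy DROP 42 packets, 3360 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 fail2ban-SSH  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
    7   420 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID,NEW
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID,NEW
  318 41202 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate ESTABLISHED
    5   300 REJECT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  400 52000 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate NEW,RELATED,ESTABLISHED'

# blocking_rules LISTING
# Prints one line per DROP/REJECT rule that has matched at least one packet:
#   "<chain> <target> <proto> <pkts> <match text>"
# and one line per chain whose default DROP policy itself counted packets.
# Rules with zero counters are left out, so only the active blockers remain.
blocking_rules() {
    printf '%s\n' "$1" | awk '
        /^Chain / {
            chain = $2
            # "Chain INPUT (policy DROP 42 packets, ...)": $4 = policy, $5 = pkts
            if ($3 == "(policy" && $4 == "DROP" && $5 + 0 > 0)
                print chain, "POLICY", "-", $5, "packets hit default DROP policy"
            next
        }
        /^ *pkts/ || NF == 0 { next }          # skip header and blank lines
        ($3 == "DROP" || $3 == "REJECT") && $1 + 0 > 0 {
            extra = ""
            for (i = 10; i <= NF; i++) extra = extra (i > 10 ? " " : "") $i
            print chain, $3, $4, $1, extra
        }'
}

# Stand-alone run over the constructed sample. On a live box you would use:
#   blocking_rules "$(iptables -L -v -n)"
blocking_rules "$SAMPLE_LISTING"
```

Non-zero counters on the chain's DROP policy line (rather than on a named rule) mean the traffic matched nothing and fell through to the default, which is where a missing ACCEPT (for example one without RELATED) would show up.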