Problem with bastille firewall on OVH RPS servers

Discussion in 'Installation/Configuration' started by SupuS, Jun 2, 2010.

  1. SupuS

    SupuS Member HowtoForge Supporter

    Hi all,

    I cannot use Bastille firewall on OVH RPS servers. After enabling a firewall rule the server becomes unavailable. After a manual reboot the server is reachable again, but approximately 20 minutes later it becomes unavailable again even if I delete all firewall rules. I suppose that some cron job tries to switch on the firewall.

    Has anybody had the same experience or a solution?

    Thanks for any suggestion

    SupuS
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    There is no such cronjob in ISPConfig 3. But maybe some other cronjob on your server does this. You can e.g. try to disable the firewall with e.g. update-rc.d on Debian and Ubuntu.
     
  3. SupuS

    SupuS Member HowtoForge Supporter

    Hi till

    The server works well until I insert a new firewall rule. After reboot it freezes if I start or restart bastille or wait for 20 minutes.

    Last line in the syslog is:

    Code:
    /USR/SBIN/CRON[13513]: (root) CMD (/usr/local/ispconfig/server/server.sh > /dev/null 2>> /var/log/ispconfig/cron.log
    I tested the firewall in ISPConfig 3 installed in VirtualBox and it was without problems. Maybe there is some problem with the kernel from OVH?

    SupuS
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    I don't think that it's a kernel problem. Most likely the ethernet card has a different name (not eth...). Please post the output of:

    ifconfig
     
  5. SupuS

    SupuS Member HowtoForge Supporter

    Code:
    # ifconfig
    eth0      Link encap:Ethernet  HWaddr 00:23:54:1b:47:1a  
              inet addr:xxx.23.20.97  Bcast:xxx.23.20.255  Mask:255.255.255.0
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:1238054 errors:0 dropped:0 overruns:0 frame:0
              TX packets:1776408 errors:0 dropped:0 overruns:0 carrier:1
              collisions:0 txqueuelen:1000 
              RX bytes:582459034 (582.4 MB)  TX bytes:1876881032 (1.8 GB)
    
    eth0:0    Link encap:Ethernet  HWaddr 00:23:54:1b:47:1a  
              inet addr:yyy.98.138.163  Bcast:yyy.255.255.255  Mask:255.255.255.255
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
    
    lo        Link encap:Local Loopback  
              inet addr:127.0.0.1  Mask:255.0.0.0
              UP LOOPBACK RUNNING  MTU:16436  Metric:1
              RX packets:7249 errors:0 dropped:0 overruns:0 frame:0
              TX packets:7249 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0 
              RX bytes:662492 (662.4 KB)  TX bytes:662492 (662.4 KB)
    I use yyy.98.138.163 .. it is an IP FailOver .. it can be transferred to another server
     
    Last edited: Jun 2, 2010
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    Ok. That's fine, so it's not a problem with the name of the network card interface.

    Which Linux distribution is this?
     
  7. SupuS

    SupuS Member HowtoForge Supporter

    It is Ubuntu 9.04 but I tested also Debian Lenny with ISPConfig 3 preinstalled by OVH and there was the same problem.
     
  8. till

    till Super Moderator Staff Member ISPConfig Developer

    Then there must be some kind of incompatibility with the bastille firewall. Please disable the start of the firewall at boot by running:

    update-rc.d -f bastille-firewall remove

    and then remove the firewall record in ispconfig or set it to inactive.
     
  9. SupuS

    SupuS Member HowtoForge Supporter

    I disabled the start of bastille for now and I wrote to OVH technicians about this problem .. maybe they will find where the problem is.

    Thanks for reply till
     
  10. till

    till Super Moderator Staff Member ISPConfig Developer

    One idea regarding this issue came to my mind. Aren't the OVH servers using a harddisk that is attached from a storage area network instead of a local harddisk? In that case, you might have to open a port in the firewall to enable access to the SAN as well.
     
  11. SupuS

    SupuS Member HowtoForge Supporter

    Yes, it is true .. on RPS servers OVH is using a SAN accessed by iSCSI .. I'll test it .. thanks
     
  12. SupuS

    SupuS Member HowtoForge Supporter

    There is port 3260 which has to be opened for access to SAN:

    Code:
    # netstat -tanpu | grep iscsi
    tcp        0      0 xxx.xxx.xxx.xxx:37143     xxx.xxx.xxx.xxx:3260     ESTABLISHED 3553/iscsid
    This port is described in the OVH manual:

    I added this port to the config option in ispconfig but unfortunately the issue appeared again. After reboot I added this port to:

    /etc/Bastille/bastille-firewall.cfg

    but again without success. I switched off and disabled bastille-firewall as described earlier. Now the server is unreachable every 20 minutes. I found two rows with something about this port in the ispconfig table sys_datalog:

    Code:
    42  1  firewall  firewall_id:1  i  1275569296  admin  a:2:{s:3:"new";a:10:{s:11:"firewall_id";s:1:"1";s:...  pending
    43  1  firewall  firewall_id:1  d  1275570380  admin  a:2:{s:3:"old";a:10:{s:11:"firewall_id";s:1:"1";s:...  pending
    If the status is pending, does it mean that it will try to do this job later? For example after 20 minutes?

    Now my server is going down every 20 minutes and I don't know how to stop it .. except reinstall :(

    SupuS
     
  13. till

    till Super Moderator Staff Member ISPConfig Developer

    No. The status field is not in use in ispconfig.

    Delete the bastille start script in /etc/init.d/
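
Added example, not part of the thread and not ISPConfig or Bastille code: a pre-flight check for a host whose disk is reached over iSCSI, as discussed in posts 10 to 12. It reads `netstat -tanpu` output, finds the established `iscsid` sessions, and prints (without running) the plain iptables rules that would have to be in place before any restrictive ruleset is loaded. The function names and the sample addresses (documentation ranges) are assumptions made for this example.

```shell
#!/bin/sh
# Added example: function names and sample data are constructed for illustration.

# Read `netstat -tanpu` output on stdin and print unique "ip port" pairs
# for ESTABLISHED TCP sessions owned by iscsid.
iscsi_targets() {
    awk '$1 ~ /^tcp/ && $6 == "ESTABLISHED" && $7 ~ /\/iscsid$/ {
             n = split($5, a, ":")      # foreign address has the form ip:port
             port = a[n]
             ip = substr($5, 1, length($5) - length(port) - 1)
             print ip, port
         }' | sort -u
}

# Print the iptables commands that keep those sessions allowed.
# They are only printed, so they can be reviewed before being applied
# ahead of the firewall start.
iscsi_allow_rules() {
    iscsi_targets | while read -r ip port; do
        echo "iptables -I OUTPUT -p tcp -d $ip --dport $port -j ACCEPT"
        echo "iptables -I INPUT -p tcp -s $ip --sport $port -m state --state ESTABLISHED -j ACCEPT"
    done
}

# Constructed sample of `netstat -tanpu` output (not taken from the thread).
sample_netstat() {
    cat <<'EOF'
tcp   0   0 192.0.2.10:37143    198.51.100.20:3260   ESTABLISHED 3553/iscsid
tcp   0   0 192.0.2.10:22       203.0.113.5:51122    ESTABLISHED 4120/sshd
tcp   0   0 0.0.0.0:80          0.0.0.0:*            LISTEN      2210/apache2
tcp   0   0 192.0.2.10:37150    198.51.100.20:3260   TIME_WAIT   -
EOF
}

# On a live host: netstat -tanpu | iscsi_allow_rules
sample_netstat | iscsi_allow_rules
```

An empty result on a host known to boot from iSCSI means the session is already gone or the command was not run as root, since `netstat -p` only shows process names to root.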
     
