ClearFoundation Tracker - ClearOS
View Issue Details
ID: 0006351
Project: ClearOS
Category: app-firewall - Firewall
View Status: public
Date Submitted: 2015-11-22 19:04
Last Update: 2015-11-23 12:01
Reporter: bchambers
Assigned To: user2
Priority: normal
Severity: crash
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 7.1.0
Target Version: 7.1.0 Updates
Fixed in Version: 7.1.0 Updates
0006351: Firewall not restarting after change
After a firewall change via Webconfig (eg. enable/disable incoming rule, port forward etc.)...

In /var/log/messages, I see:

Nov 22 19:55:35 gateway clearsyncd[18915]: FirewallRestart: sudo /usr/bin/systemctl restart firewall: 256
Nov 22 19:55:35 gateway clearsyncd[18915]: FirewallRestart: sudo /usr/bin/systemctl restart firewall6: 256


However, watching /var/log/system does not show that the firewall is actually restarting.

telnet to 1875 while toggling the web services (1875) incoming rule would confirm that the fw is not restarting and picking up the change.

Restarting the fw manually (service firewall restart) is the only time the telnet does what you think it will do.

Hard to believe we got through the beta like this...something changed? I can reproduce this on a customer box and in lab.

Only possible relevant update I see in log:

Nov 19 06:42:59 Updated: 1:app-firewall-core-2.1.25-1.v7.noarch
Nov 19 06:42:59 Updated: 1:app-firewall-2.1.25-1.v7.noarch

But this may not be isolated to fw restarting...customer also has issues with content filter rules being applied (or rather, not applied).
No tags attached.
Issue History
2015-11-22 19:04  bchambers  New Issue
2015-11-22 19:11  user2  Status: new => feedback
2015-11-22 19:13  user2  Note Added: 0002211
2015-11-22 19:24  bchambers  Note Added: 0002221
2015-11-22 19:24  bchambers  Status: feedback => new
2015-11-22 19:31  bchambers  Note Added: 0002231
2015-11-22 19:34  bchambers  Note Added: 0002241
2015-11-22 19:39  user2  Assigned To => user2
2015-11-22 19:39  user2  Status: new => confirmed
2015-11-22 19:42  user2  Note Added: 0002251
2015-11-22 19:43  user2  Status: confirmed => resolved
2015-11-22 19:43  user2  Fixed in Version => 7.1.0 Updates
2015-11-22 19:43  user2  Resolution: open => fixed
2015-11-22 19:44  bchambers  Note Added: 0002261
2015-11-22 19:44  user2  Note Edited: 0002251
2015-11-22 20:47  user2  Target Version => 7.1.0 Updates
2015-11-23 12:01  user2  Status: resolved => closed

Notes
(0002211) user2, 2015-11-22 19:13
The "sudo /usr/bin/systemctl restart firewall: 256" is coming back with error code 256. Why is the restart failing?
(0002221) bchambers, 2015-11-22 19:24
If it's running that command as clearsync

# su -s /bin/bash -c "/usr/bin/systemctl restart firewall" clearsync
Failed to issue method call: Access denied

Maybe it should be running /usr/sbin/firewall-start, as per sudoers file.

???
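The two points raised in this note, what the logged status 256 actually means and what the clearsync sudoers rule does and does not permit, worked through as an added shell example (not ClearOS code; the sudoers fragment is constructed, and its firewall-stop entry is an assumption):

```shell
#!/bin/sh
# Added example, not part of ClearOS. Two checks a defender can run when a
# helper daemon logs "sudo ... : 256" and the privileged command has no effect.

# clearsyncd logs the raw wait status of the child. That value packs the exit
# code in the high byte, so 256 is "exited with code 1" (a failed command),
# not an error code of its own. Low bits mean the child died from a signal.
decode_wait_status() {
    status=$1
    if [ "$status" -ge 256 ]; then
        echo "exit $((status / 256))"
    elif [ "$status" -gt 0 ]; then
        echo "signal $((status & 127))"
    else
        echo "exit 0"
    fi
}

# Constructed sudoers fragment resembling the situation in the report: the
# clearsync account may run the firewall-start wrapper as root, but nothing
# grants /usr/bin/systemctl, so "sudo systemctl restart firewall" fails.
# (The firewall-stop entry is an assumption added for the example.)
SUDOERS_SAMPLE='Defaults:clearsync !requiretty
clearsync ALL=(root) NOPASSWD: /usr/sbin/firewall-start, /usr/sbin/firewall-stop'

# sudoers_allows USER CMD SNIPPET: returns 0 if a NOPASSWD rule for USER names
# CMD by exact path, 1 otherwise. Wildcards and aliases are not interpreted,
# so a miss here is a prompt to run "sudo -l -U USER" on the box, not proof.
sudoers_allows() {
    user=$1; cmd=$2
    printf '%s\n' "$3" | {
        while read -r line; do
            case "$line" in
                "$user "*"NOPASSWD:"*)
                    rest=${line#*NOPASSWD:}
                    for c in $(printf '%s' "$rest" | tr ',' ' '); do
                        [ "$c" = "$cmd" ] && exit 0
                    done ;;
            esac
        done
        exit 1
    }
}

# Stand-alone run: reproduce the report's reading of the log line.
decode_wait_status 256
sudoers_allows clearsync /usr/bin/systemctl "$SUDOERS_SAMPLE" \
    || echo "clearsync is not granted /usr/bin/systemctl"
sudoers_allows clearsync /usr/sbin/firewall-start "$SUDOERS_SAMPLE" \
    && echo "clearsync is granted /usr/sbin/firewall-start"
```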
(0002231) bchambers, 2015-11-22 19:31
If this isn't isolated to firewall, then maybe sudoers is missing /usr/bin/systemctl for clearsync user.

But how did this get past testing??? Something has changed.
(0002241) bchambers, 2015-11-22 19:34
Looks like the culprit:

https://github.com/clearos/app-firewall/commit/50ba468c81be7fdc9d695a7ca1002e55386bdfd1
(0002251) user2, 2015-11-22 19:42 (edited on: 2015-11-22 19:44)
That's it! The issue doesn't crop up until after clearsync restarted, so dog food/running boxes don't exhibit the problem right away (edit: rephrased). Pushing through a quick fix.

(0002261) bchambers, 2015-11-22 19:44
One final bit of debug...if I do add /usr/bin/systemctl to clearsync user in sudoers, the firewall goes into panic mode:

Nov 22 20:40:19 gateway firewall: Using gateway mode
Nov 22 20:40:19 gateway firewall: Loading kernel modules
Nov 22 20:40:19 gateway firewall: Loading kernel modules for NAT
Nov 22 20:40:19 gateway firewall: Setting default policy to DROP
Nov 22 20:40:19 gateway firewall: Defining custom chains
Nov 22 20:40:19 gateway firewall: Running blocked external rules
Nov 22 20:40:19 gateway firewall: Running custom rules
Nov 22 20:40:19 gateway firewall: Running common rules
Nov 22 20:40:19 gateway firewall: Running incoming denied rules
Nov 22 20:40:19 gateway firewall: Running user-defined incoming rules
Nov 22 20:40:19 gateway firewall: Allowing incoming udp port 500 for IPsec server
Nov 22 20:40:19 gateway firewall: Running firewall panic mode...

But if run as root, it does not panic...it's not as simple as adding to sudoers.