| Anonymous | Login | 2024-04-24 22:34 MDT |
| Main | My View | View Issues | Change Log | Roadmap | Repositories |
| View Issue Details [ Jump to Notes ] | [ Issue History ] [ Print ] | ||||||||
| ID | Project | Category | View Status | Date Submitted | Last Update | ||||
| 0006351 | ClearOS | app-firewall - Firewall | public | 2015-11-22 19:04 | 2015-11-23 12:01 | ||||
| Reporter | bchambers | ||||||||
| Assigned To | user2 | ||||||||
| Priority | normal | Severity | crash | Reproducibility | always | ||||
| Status | closed | Resolution | fixed | ||||||
| Platform | OS | OS Version | |||||||
| Product Version | 7.1.0 | ||||||||
| Target Version | 7.1.0 Updates | Fixed in Version | 7.1.0 Updates | ||||||
| Summary | 0006351: Firewall not restarting after change | ||||||||
| Description | After a firewall change via Webconfig (eg. enable/disable incoming rule, port forward etc.)... In /var/log/messages, I see: Nov 22 19:55:35 gateway clearsyncd[18915]: FirewallRestart: sudo /usr/bin/systemctl restart firewall: 256 Nov 22 19:55:35 gateway clearsyncd[18915]: FirewallRestart: sudo /usr/bin/systemctl restart firewall6: 256 However, watching /var/log/system does not show that the firewall is actually restarting. telnet to 1875 while toggling the web services (1875) incoming rule would confirm that the fw is not restarting and picking up the change. Restarting the fw manually (service firewall restart) is the only time the telnet does what you think it will do. Hard to believe we got through the beta like this...something changed? I can reproduce this on a customer box and in lab. Only possible relevant update I see in log: Nov 19 06:42:59 Updated: 1:app-firewall-core-2.1.25-1.v7.noarch Nov 19 06:42:59 Updated: 1:app-firewall-2.1.25-1.v7.noarch But this may not be isolated to fw restarting...customer also has issues with content filter rules being applied (or rather, not applied). | ||||||||
| Tags | No tags attached. | ||||||||
| Attached Files | |||||||||
 Relationships |
|
 Relationships |
|
Notes |
|
|
(0002211) user2 2015-11-22 19:13 |
The "sudo /usr/bin/systemctl restart firewall: 256" is coming back with error code 256. Why is the restart failing? |
|
(0002221) bchambers (administrator) 2015-11-22 19:24 |
If it's running that command as clearsync # su -s /bin/bash -c "/usr/bin/systemctl restart firewall" clearsync Failed to issue method call: Access denied Maybe it should be running /usr/sbin/firewall-start, as per sudoers file. ??? |
|
(0002231) bchambers (administrator) 2015-11-22 19:31 |
If this isn't isolated to firewall, then maybe sudoers is missing /usr/bin/systemctl for clearsync user. But how did this get passed testing??? Something has changed. |
|
(0002241) bchambers (administrator) 2015-11-22 19:34 |
Looks like the culprit: https://github.com/clearos/app-firewall/commit/50ba468c81be7fdc9d695a7ca1002e55386bdfd1 [^] |
|
(0002251) user2 2015-11-22 19:42 edited on: 2015-11-22 19:44 |
That's it! The issue doesn't crop up until after clearsync restarted, so dog food/running boxes don't exhibit the problem right away (edit: rephrased). Pushing through a quick fix. |
|
(0002261) bchambers (administrator) 2015-11-22 19:44 |
One final bit of debug...if I do add /usr/bin/systemctl to clearsync user in sudoers, the firewall goes into panic mode: Nov 22 20:40:19 gateway firewall: Using gateway mode Nov 22 20:40:19 gateway firewall: Loading kernel modules Nov 22 20:40:19 gateway firewall: Loading kernel modules for NAT Nov 22 20:40:19 gateway firewall: Setting default policy to DROP Nov 22 20:40:19 gateway firewall: Defining custom chains Nov 22 20:40:19 gateway firewall: Running blocked external rules Nov 22 20:40:19 gateway firewall: Running custom rules Nov 22 20:40:19 gateway firewall: Running common rules Nov 22 20:40:19 gateway firewall: Running incoming denied rules Nov 22 20:40:19 gateway firewall: Running user-defined incoming rules Nov 22 20:40:19 gateway firewall: Allowing incoming udp port 500 for IPsec server Nov 22 20:40:19 gateway firewall: Running firewall panic mode... But if run as root, it does not panic...it's not as simple as adding to suders. |
|
Notes |
|
Issue History |
|||
| Date Modified | Username | Field | Change |
| 2015-11-22 19:04 | bchambers | New Issue | |
| 2015-11-22 19:11 | user2 | Status | new => feedback |
| 2015-11-22 19:13 | user2 | Note Added: 0002211 | |
| 2015-11-22 19:24 | bchambers | Note Added: 0002221 | |
| 2015-11-22 19:24 | bchambers | Status | feedback => new |
| 2015-11-22 19:31 | bchambers | Note Added: 0002231 | |
| 2015-11-22 19:34 | bchambers | Note Added: 0002241 | |
| 2015-11-22 19:39 | user2 | Assigned To | => user2 |
| 2015-11-22 19:39 | user2 | Status | new => confirmed |
| 2015-11-22 19:42 | user2 | Note Added: 0002251 | |
| 2015-11-22 19:43 | user2 | Status | confirmed => resolved |
| 2015-11-22 19:43 | user2 | Fixed in Version | => 7.1.0 Updates |
| 2015-11-22 19:43 | user2 | Resolution | open => fixed |
| 2015-11-22 19:44 | bchambers | Note Added: 0002261 | |
| 2015-11-22 19:44 | user2 | Note Edited: 0002251 | View Revisions |
| 2015-11-22 20:47 | user2 | Target Version | => 7.1.0 Updates |
| 2015-11-23 12:01 | user2 | Status | resolved => closed |
|
Issue History |