[Mageia-sysadm] valstar is back

Michael Scherer misc at zarb.org
Mon Oct 25 16:33:12 CEST 2010


So, a quick report.

Valstar is back, thanks to Sylvain Rochet ( gradator ).
It seems that the firewall was misconfigured.

So on 23/10/2010, I connected to the server to remove unused services
( avahi, mandi, dbus, etc ). I have also removed shorewall, as we
disabled it on all servers at the moment ( I am more familiar with
regular iptables initscripts ).

Except that removing shorewall runs service shorewall stop, which in turn
activates the firewall.

All servers except one ( valstar ) had shorewall correctly turned off by
Pascal ( maat ). I took care of valstar, but I just disabled the service
with chkconfig. So once I removed the package, it started to drop
everything in INPUT.
According to the logs, this happened around 15h30 CEST:

Oct 23 15:28:59 valstar logger: Shorewall Stopped

Since I was still logged in, I didn't see anything wrong ( as I assume
that the firewall will not cut working connections ).

But after that, trying to connect again showed me an error.

We ( dams and I ) decided to wait until Monday ( as we couldn't do
anything when the DC was closed, and I was sick, and so was maat ),
discussed with gradator today, and decided that it was easier to ask
for a reboot than to ask maat to go to Marseille this evening.

On 25/10/2010, at 15:30 ( again ), gradator looked at the server, saw it
was a firewall issue, rebooted it without firewall and so the server is
now ok.

I inspected it, it works fine, there are no firewall rules loaded upon
startup so the problem should not repeat itself.

So, while I recognize I am at fault for this, I think that the shorewall
package has an unexpected side effect, and IMVHO, it should not set up a
restrictive firewall when we remove it ( and I do not say this only
because I am ashamed of causing the problem ).

In the future, how could we avoid problems like this?

The easiest answer is to have servers with RAC, but we don't, except on
alamut. I am not sure we can add one if we manage to get one.

Another solution is a serial cable. But this can be tricky to set up
( we did for zarb ).

Michael Scherer
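As an added example that is not part of Michael's mail: a pre-flight check for the lockout mode he describes (everything in INPUT dropped while the already-open session survives), written as a POSIX shell script to run before stopping or removing a firewall package on a remote host. The iptables-save dumps in it are constructed for illustration, not captured from valstar.

```shell
#!/bin/sh
# Added example, not from the original mail. It inspects an iptables-save
# style dump of the filter table and reports whether the INPUT chain would
# block NEW ssh logins: default policy DROP, or a catch-all DROP/REJECT
# rule, with no explicit ACCEPT for tcp/22. An ESTABLISHED accept keeps
# the current session alive, which is why the breakage stays invisible.

# input_locks_out_ssh DUMP: exit 0 if DUMP would block new ssh logins, else 1.
input_locks_out_ssh() {
    printf '%s\n' "$1" | awk '
        /^\*/ { table = substr($1, 2) }              # *filter, *nat, ...
        table != "filter" { next }
        $1 == ":INPUT" { policy = $2 }               # chain default policy
        $1 == "-A" && $2 == "INPUT" {
            if ($0 ~ /--dport 22( |$)/ && $0 ~ /-j ACCEPT/) ssh_ok = 1
            # DROP/REJECT with no interface, source, protocol or port match
            if ($0 ~ /-j (DROP|REJECT)/ && $0 !~ /(-i |-s |-p |--dport)/) catchall = 1
        }
        END {
            if (!ssh_ok && (policy == "DROP" || catchall)) exit 0
            exit 1
        }'
}

# Constructed dumps for three cases (not captured from valstar).
# 1. The "stopped" state described in the mail: loopback and existing
#    connections still pass, everything else in INPUT is dropped.
LOCKED_DUMP='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT'
# 2. Restrictive policy but ssh explicitly allowed: safe to proceed.
SSH_OK_DUMP='*filter
:INPUT DROP [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j DROP
COMMIT'
# 3. No firewall at all, as valstar ends up after the reboot.
OPEN_DUMP='*filter
:INPUT ACCEPT [0:0]
COMMIT'

# On a live host: input_locks_out_ssh "$(iptables-save)" && echo "refusing"
input_locks_out_ssh "$LOCKED_DUMP" && echo "locked: INPUT would block new ssh logins"
input_locks_out_ssh "$OPEN_DUMP"   || echo "open: new ssh logins would still work"
```

Before the change itself, queue a fallback such as `echo 'iptables -P INPUT ACCEPT; iptables -F INPUT' | at now + 10 minutes` and cancel it with atrm only once a fresh ssh login from another terminal succeeds.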

