[Mageia-sysadm] valstar is back

nicolas vigier boklm at mars-attacks.org
Tue Oct 26 13:56:00 CEST 2010


On Mon, 25 Oct 2010, Michael Scherer wrote:

> Hi,
> 
> so a quick report.
> 
> Valstar is back, thanks to Sylvain Rochet ( gradator ).
> It seems that the firewall was misconfigured.
> 
> So on 23/10/2010, I connected on the server to remove unused services
> ( avahi, mandi, dbus, etc ). I have also removed shorewall, as we
> disabled it on all servers at the moment ( I am more familiar with a
> regular iptables initscripts ). 
> 
> Except that removing shorewall runs service shorewall stop, which in turn
> activates the firewall.
> 
> All servers except one ( valstar ) had shorewall correctly turned off by
> Pascal ( maat ). I took care of valstar, but I just disabled the service
> with chkconfig. So once I removed the package, it started to drop
> everything in INPUT.
> According to the logs, this happened around 15h30 CEST:
> 
> Oct 23 15:28:59 valstar logger: Shorewall Stopped
> 
> Since I was still logged in, I didn't see anything wrong ( as I assumed
> that the firewall would not cut working connections ).
> 
> But after that, trying to connect again showed me an error.
> 
> We ( dams and I ) decided to wait until Monday ( as we couldn't do
> anything when the DC was closed, and I was sick, and so was maat ),
> discussed with gradator today, and decided that it was easier to ask
> for a reboot than to ask maat to go to Marseille this evening.
> 
> On 25/10/2010, at 15:30 ( again ), gradator looked at the server, saw it
> was a firewall issue, rebooted it without firewall and so the server is
> now ok.

The shorewall package had been reinstalled?

> I inspected it, it works fine, there are no firewall rules loaded upon
> startup so the problem should not repeat itself.
> 
> So, while I recognize I am at fault for this, I think that the shorewall
> package has an unexpected side effect, and IMVHO, it should not set up a
> restrictive firewall when we remove it ( and I do not say this only
> because I am ashamed of causing the problem ).
> 
> In the future, how could we avoid problems like this?
> 
> The easiest answer is to have servers with RAC, but we don't except on
> alamut. I am not sure we can add one if we manage to get one.
> 
> Another solution is a serial cable. But this can be tricky to set up
> ( we did it for zarb ).

Regarding this issue, we can have a default firewall config deployed by
puppet. Maybe puppet can also be useful to recover access to machines
in some cases.
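The lockout described in this thread came from a ruleset that left INPUT with a default DROP policy and no rule accepting the management connection. The following POSIX sh script is an added example, not something from the thread, Mageia's sysadmin tooling or the shorewall package: it runs a pre-check over a ruleset in iptables-save format (two constructed rulesets are embedded for illustration) and flags the combination that locks an administrator out, so it can be run before stopping or removing a firewall package, or as a sanity check on a puppet-deployed default config. The management port (22) and the rule shape it looks for are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): lockout pre-check for an iptables
# ruleset in iptables-save format. A ruleset is "risky" when the INPUT
# chain's default policy is DROP and no rule in INPUT explicitly ACCEPTs
# the management port. Both sample rulesets below are constructed.

MGMT_PORT="${MGMT_PORT:-22}"   # assumption: management access is SSH on tcp/22

# Constructed: resembles what a "stopped" firewall package leaves behind,
# default-DROP INPUT with only loopback allowed.
LOCKED_RULES=':INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
COMMIT'

# Constructed: a restrictive ruleset that still keeps management reachable.
SAFE_RULES=':INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT'

# input_policy RULESET -> prints the INPUT chain's default policy (DROP/ACCEPT)
input_policy() {
    printf '%s\n' "$1" | sed -n 's/^:INPUT \([A-Z]*\) .*/\1/p'
}

# mgmt_allowed RULESET PORT -> exit 0 if INPUT has an ACCEPT rule for the port
mgmt_allowed() {
    printf '%s\n' "$1" | grep -q -E "^-A INPUT .*--dport ${2} .*-j ACCEPT$"
}

# lockout_risk RULESET PORT -> prints "lockout" (exit 1) or "ok" (exit 0)
lockout_risk() {
    if [ "$(input_policy "$1")" = "DROP" ] && ! mgmt_allowed "$1" "$2"; then
        echo lockout
        return 1
    fi
    echo ok
    return 0
}

# Usage against the live ruleset, as root, before stopping/removing a firewall:
#   rules=$(iptables-save); lockout_risk "$rules" "$MGMT_PORT" || echo "refusing to proceed"
```

Pairing this check with a scheduled rollback (save the current ruleset, schedule a restore a few minutes out, cancel it once the new session is confirmed working) covers the case the thread hit, where the existing session kept working and the breakage was only visible on the next login.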
