[Mageia-sysadm] valstar is back
Michael Scherer
misc at zarb.org
Mon Oct 25 16:33:12 CEST 2010
Hi,
So, a quick report.
Valstar is back, thanks to Sylvain Rochet ( gradator ).
It seems that the firewall was misconfigured.
So on 23/10/2010, I connected to the server to remove unused services
(avahi, mandi, dbus, etc.). I also removed shorewall, as we have
disabled it on all servers at the moment (I am more familiar with the
regular iptables initscript).
Except that removing shorewall runs "service shorewall stop", which in turn
activates the firewall.
All servers except one (valstar) had shorewall correctly turned off by
Pascal (maat). I took care of valstar, but I just disabled the service
with chkconfig. So once I removed the package, it started to drop
everything in INPUT.
According to the logs, this happened around 15h30 CEST:
Oct 23 15:28:59 valstar logger: Shorewall Stopped
Since I was still logged in, I didn't see anything wrong (as I assume
that the firewall will not cut working connections).
But after that, trying to connect again showed me an error.
We (dams and I) decided to wait until Monday (as we couldn't do
anything while the DC was closed, and I was sick, as was maat),
discussed it with gradator today, and decided that it was easier to ask
for a reboot than to ask maat to go to Marseille this evening.
On 25/10/2010, at 15:30 (again), gradator looked at the server, saw it
was a firewall issue, rebooted it without the firewall, and so the server
is now OK.
I inspected it; it works fine, and there are no firewall rules loaded upon
startup, so the problem should not repeat itself.
So, while I recognize I am at fault for this, I think that the shorewall
package has an unexpected side effect, and IMVHO it should not set up a
restrictive firewall when we remove it (and I do not say this only
because I am ashamed of causing the problem).
In the future, how could we avoid problems like this?
The easiest answer is to have servers with a RAC, but we don't, except on
alamut. I am not sure we can add one if we manage to get one.
Another solution is a serial cable. But this can be tricky to set up
(we did it for zarb).
WDYT?
--
Michael Scherer
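Added example, not part of Michael's mail or of the Mageia sysadm tooling: a pre-change check that a sysadmin without a RAC or serial console could run before removing or stopping a firewall package. It parses an "iptables -S" style dump and answers whether a new ssh connection would still be accepted by the INPUT chain. The two rulesets embedded below are constructed, not taken from valstar: one resembles what Shorewall leaves behind in its stopped state (default policy DROP, loopback and established traffic only), the other a plain iptables initscript that keeps port 22 open. The RELATED,ESTABLISHED rule in the first one is also why an existing session keeps working while every new login fails. The rollback helper and the at-based dead-man switch described in its comment are assumptions about how one would use this, not anything the thread prescribes.

```shell
#!/bin/sh
# Lockout check for an iptables host before touching the firewall.
# Input format assumed: "iptables -S" / iptables-save lines such as
#   -P INPUT DROP
#   -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
# Limitation: jumps into user-defined chains (-j some_chain) are not followed.

# Constructed sample: what a stopped Shorewall is assumed to leave behind.
STOPPED_RULESET='-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT'

# Constructed sample: a plain initscript ruleset that keeps ssh reachable.
OPEN_RULESET='-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited'

# ssh_reachable RULESET [PORT]
# Walks the INPUT chain in order, the way the kernel does: the first rule
# matching "tcp to PORT" (default 22) decides, a bare "-A INPUT -j TARGET"
# catch-all decides, otherwise the chain policy does.
# Returns 0 when a new connection to PORT would be ACCEPTed, 1 otherwise.
ssh_reachable() {
  printf '%s\n' "$1" | awk -v port="${2:-22}" '
    $1 == "-P" && $2 == "INPUT" { policy = $3 }
    $1 == "-A" && $2 == "INPUT" && !decided {
      # No match options at all: this rule catches everything that got here.
      if (NF == 4 && $3 == "-j") { verdict = $4; decided = 1; next }
      tcp = 0; hit = 0; target = ""
      for (i = 3; i <= NF; i++) {
        if ($i == "-p" && $(i+1) == "tcp") tcp = 1
        if ($i == "--dport" && $(i+1) == port) hit = 1
        if ($i == "-j") target = $(i+1)
      }
      if (tcp && hit) { verdict = target; decided = 1 }
    }
    END { if (!decided) verdict = policy; exit (verdict == "ACCEPT" ? 0 : 1) }'
}

# Dead-man switch for the change itself (assumed usage): hand these lines to
# "at now + 10 minutes" BEFORE stopping or removing the firewall package, then
# "atrm" the job once a fresh ssh login has succeeded. If the change locks
# you out, the host opens INPUT again by itself instead of waiting for a DC visit.
rollback_commands() {
  printf 'iptables -P INPUT ACCEPT\niptables -F INPUT\n'
}

# Stand-alone demonstration on the constructed rulesets. On a real host you
# would feed "$(iptables -S)" to ssh_reachable instead.
for name in STOPPED_RULESET OPEN_RULESET; do
  eval "rs=\$$name"
  if ssh_reachable "$rs"; then
    echo "$name: new ssh connections are still accepted"
  else
    echo "$name: new ssh connections would be dropped, do not proceed"
  fi
done
```

Run it as root with the live ruleset (`ssh_reachable "$(iptables -S)" || echo locked out`) after every firewall-related package operation and before logging out; the whole point is that the session you are already in never tells you whether the next one will get in.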