  1. #1
    Join Date
    Mar 2003
    Posts
    663

    APF firewall keeps hanging my server!

    So I have requested a total of 5 to 6 reboots from my DC. Whenever I try to start my APF firewall, it just hangs my server. Even after I reinstall APF and start it, it still hangs my server! Is there any log file where I can keep track of the problem?

    Thanks in advance!

  2. #2
    Join Date
    Mar 2003
    Location
    California USA
    Posts
    13,681
    Your configuration file is likely wrong; make sure your network interfaces are set up correctly.
    Steven Ciaburri | Industry's Best Server Management - Rack911.com
    Software Auditing - 400+ Vulnerabilities Found - Quote @ https://www.RACK911Labs.com
    Fully Managed Dedicated Servers (Las Vegas, New York City, & Amsterdam) (AS62710)
    FreeBSD & Linux Server Management, Security Auditing, Server Optimization, PCI Compliance

  3. #3
    Join Date
    Dec 2004
    Location
    New York, NY
    Posts
    10,710
    It could also appear to hang when starting if you have a lot of rules set up with it... check deny_hosts.rules and allow_hosts.rules to see what you have...
    MediaLayer, LLC - www.medialayer.com Learn how we can make your website load faster, translating to better conversion rates for your business!
    The pioneers of optimized web hosting, featuring LiteSpeed Web Server & SSD Storage - Celebrating 10 Years in Business

  4. #4
    Join Date
    Mar 2003
    Posts
    663
    Ok thanks, will keep you guys updated! Now I can't even access the server and my DC's support ticket system seems to be down ATM. Just my luck?

  5. #5
    Join Date
    Dec 2005
    Location
    Internet
    Posts
    1,352
    Quote Originally Posted by anlene
    Ok thanks, will keep you guys updated! Now I can't even access the server and my DC's support ticket system seems to be down ATM. Just my luck?
    May be a network problem with the NOC's entire network?

  6. #6
    Join Date
    Mar 2003
    Posts
    663
    Hmm... sounds rather logical. For all I know, once their support system is up, I'll open another ticket and ask if they're able to look into my firewall problem. Hopefully they can help.

  7. #7
    Join Date
    Mar 2003
    Location
    California USA
    Posts
    13,681
    What provider are you using?

  8. #8
    Join Date
    Oct 2004
    Location
    Ohio
    Posts
    1,668
    In your conf.apf file there is a setting called VF_UTIME=""
    I am not sure what the default value is, but if you set this to 60, it will make sure that your server has an uptime of 60 seconds before activating APF. If 60 seconds isn't enough, increase it until it doesn't hang anymore. It may be commented out by default.

  9. #9
    Join Date
    Mar 2003
    Location
    California USA
    Posts
    13,681
    I think he's having it crash regardless of whether it's a reboot or not.


    Whenever I try to start my AFP firewall, it just hang my server.

  10. #10
    Join Date
    Mar 2003
    Posts
    663
    Service provider is ev1. Support suggested that I should create an allow rule for myself in my ruleset so that I won't be locked out. Any ideas how I do this?

  11. #11
    Join Date
    Mar 2003
    Posts
    663
    Ok I'm doing this for my own IP now:

    [root@plesk ~]# /etc/apf/apf -a XXX.XX.XXX.XX MYOWNIP
    Inserted into firewall: Allow all to/from XXX.XX.XXX.XX

    Basically I found my IP in the deny rules, hence I've removed it and added the IP to allow. Am I on the right track before I do the ultimate restart again?

  12. #12
    Join Date
    Mar 2003
    Location
    California USA
    Posts
    13,681
    You should have no problems!

  13. #13
    Join Date
    Mar 2003
    Posts
    663
    Hey guys, thanks for all the help. I started the wall and it works now. Thanks thanks thanks! Now I'm requesting my DC to boot it back to runlevel 3.

  14. #14
    Join Date
    Dec 2005
    Location
    Internet
    Posts
    1,352
    Good to hear that everything works fine for you.

  15. #15
    Join Date
    Mar 2003
    Posts
    663
    Apparently not. Today I got locked out again. My DC just rebooted my server yet again. Once booted, I logged in as root and checked the deny host rules; this time, no IP address is inside. Firewall woes! Any ideas are greatly appreciated!

  16. #16
    Join Date
    Dec 2005
    Location
    Internet
    Posts
    1,352
    Do you have any firewalls other than apf and iptables? Or did the NOC guys flush the apf rules so you could log in to the server?
    Senior Server Administrator

  17. #17
    Join Date
    Sep 2005
    Location
    Airdrie, Alberta, Canada
    Posts
    197
    Edit your allow_hosts.rules file.
    Add tcp:in:d=22=yourexternalipaddress
    Save the file.
    Then do a service apf restart.
    Also make sure your IP isn't in deny_hosts.rules.
    Also, in conf.apf you can set DEVEL_MODE="1" for testing purposes,
    which will turn off the firewall after 5 minutes in case you lock yourself out.
    Do NOT leave this set at 1 once you are done testing.
    Dan Bulmer
    CRUSE Hosting Services
    http://www.crusehosting.com
    Full H-SPhere Clustered Servers

  18. #18
    Join Date
    Mar 2003
    Posts
    663
    I have only 1 firewall, which is apf. Support replied to me with this:

    "We have stopped apf and iptables. Your server is responding via ssh. Closing ticket."

    Now the wall is offline. I don't even dare to start it. Do I have to do iptables -F? I did iptables -L and the results show:

    [root@plesk ~]# iptables -L
    Chain INPUT (policy ACCEPT)
    target prot opt source destination

    Chain FORWARD (policy ACCEPT)
    target prot opt source destination

    Chain OUTPUT (policy ACCEPT)
    target prot opt source destination

    Does that seem ok?

  19. #19
    Join Date
    Dec 2005
    Location
    Internet
    Posts
    1,352
    You have no firewall rules now. To install apf, see the tutorial http://www.crucialp.com/resources/tu...y-firewall.php that should help you.

  20. #20
    Join Date
    Mar 2003
    Posts
    663
    Quote Originally Posted by crusetech
    edit your allow_hosts.rules file.
    add tcp:in:d=22=yourexternalipaddress
    save the file
    then do a service apf restart
    also make sure your ip isn't in deny_hosts.rules
    also, in conf.apf you can set DEVEL_MODE="1" for testing purposes
    which will turnoff the firewall after 5 minutes in case you lock yourself out.
    Do NOT leave this set at 1 once you are done testing.
    OH! Ok, I'm setting DEVEL_MODE="1" for now! At least I won't bother the DC staff too much.

    Regarding "add tcp:in:d=22=yourexternalipaddress", I don't have a static IP. Does it matter, or are you referring to another IP?

  21. #21
    Join Date
    Sep 2005
    Location
    Airdrie, Alberta, Canada
    Posts
    197
    Stop using iptables commands. APF acts as a wrapper for iptables, so you don't need to use these commands. Make sure you look at apf.conf (pay attention to IG_TCP_CPORTS (allowed incoming ports) and EG_TCP_CPORTS (allowed outgoing ports)). Once these are correct for your application, add your home or office IP to the hosts_allow file. There is an example in there on how to do this.
    Make sure your IP is not listed in the hosts_deny file and then do a service apf start or service apf restart.

  22. #22
    Join Date
    Mar 2003
    Posts
    663
    Ok, I think I know the reason. It's my dumb head causing the problem. Previously I changed a port (for example, to 4000) instead of 21. So when I reinstalled APF, I forgot to include port 4000 as in/outbound. Am I spot on?

    So do I place this "special port" in IN or OUT bound? Sorry for being a dumbo, as I'm just starting to get the hang of it.

  23. #23
    Join Date
    Mar 2003
    Posts
    663
    Hey guys, I put my port in the IG_TCP_CPORTS and relogin with root. Everything seems to be working now.

    I'll be working on the rules later... So many thanks for all your help, guys!
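A pre-flight check, added here as an example and not code from the thread or from APF itself, that catches the lockout causes this thread works through before `service apf restart` is run: the SSH port missing from IG_TCP_CPORTS, DEVEL_MODE="1" left on, and the admin's IP sitting in deny_hosts.rules. The file contents and the 203.0.113.10 address are constructed samples.

```python
# Added example (not from the thread or the APF project): a pre-flight check to run
# before `service apf restart`, catching the lockout causes discussed above: the SSH
# port missing from IG_TCP_CPORTS, DEVEL_MODE="1" left on, the admin IP denied.
import re
from ipaddress import ip_address, ip_network

def parse_conf(text):
    """Parse KEY="value" lines of conf.apf into a dict; comment lines are skipped."""
    conf = {}
    for line in text.splitlines():
        m = re.match(r'^\s*([A-Z0-9_]+)="?([^"#]*)"?', line)
        if m:
            conf[m.group(1)] = m.group(2).strip()
    return conf

def port_set(value):
    """Expand '21,22,6000_7000' (APF writes ranges with '_') into a set of ints."""
    ports = set()
    for item in filter(None, value.split(',')):
        lo, _, hi = item.partition('_')
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def mentions_ip(rules_text, ip):
    """True if a non-comment line of a *_hosts.rules file covers ip (CIDR aware)."""
    addr = ip_address(ip)
    for line in rules_text.splitlines():
        body = line.split('#', 1)[0]
        for tok in re.findall(r'\d+\.\d+\.\d+\.\d+(?:/\d+)?', body):
            if addr in ip_network(tok, strict=False):
                return True
    return False

def preflight(conf_text, deny_text, admin_ip, ssh_port):
    """Return the findings that would lock the admin out; an empty list is good."""
    conf = parse_conf(conf_text)
    findings = []
    if ssh_port not in port_set(conf.get('IG_TCP_CPORTS', '')):
        findings.append(f'sshd port {ssh_port} missing from IG_TCP_CPORTS')
    if conf.get('DEVEL_MODE') == '1':
        findings.append('DEVEL_MODE="1" still set; apf will stop itself after 5 minutes')
    if mentions_ip(deny_text, admin_ip):
        findings.append(f'{admin_ip} is listed in deny_hosts.rules')
    return findings

# Constructed samples mirroring the thread: sshd was moved to port 4000, but the
# reinstalled conf.apf still lists only the stock ports and DEVEL_MODE is on.
SAMPLE_CONF = 'DEVEL_MODE="1"\nIG_TCP_CPORTS="21,22,25,53,80,110,443"\n'
SAMPLE_DENY = '# deny_hosts.rules\n'
FINDINGS = preflight(SAMPLE_CONF, SAMPLE_DENY, '203.0.113.10', 4000)  # two warnings
```

Run it against the real /etc/apf/conf.apf and deny_hosts.rules (and the Port from sshd_config) and fix every finding before restarting APF; an empty list means the restart will not cut off your own session.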
