-
11-18-2006, 05:19 PM #1 Web Hosting Master (Join Date: Mar 2003; Posts: 663)
APF firewall keeps hanging my server!
So I have requested a reboot from my DC a total of 5 or 6 times. Whenever I try to start my APF firewall, it just hangs my server. Even after I reinstall APF and start it, it still hangs my server! Is there any log file where I can keep track of the problem?
Thanks in advance!
-
11-18-2006, 05:25 PM #2 Problem Solver (Join Date: Mar 2003; Location: California USA; Posts: 13,681)
Your configuration file is likely wrong; make sure your network interfaces are set up correctly.
Steven Ciaburri | Industry's Best Server Management - Rack911.com
Software Auditing - 400+ Vulnerabilities Found - Quote @ https://www.RACK911Labs.com
Fully Managed Dedicated Servers (Las Vegas, New York City, & Amsterdam) (AS62710)
FreeBSD & Linux Server Management, Security Auditing, Server Optimization, PCI Compliance
-
11-18-2006, 05:27 PM #3 Eternal Member (Join Date: Dec 2004; Location: New York, NY; Posts: 10,710)
It could also appear to hang when starting if you have a lot of rules set up with it... check deny_hosts.rules and allow_hosts.rules to see what you have...
MediaLayer, LLC - www.medialayer.com Learn how we can make your website load faster, translating to better conversion rates for your business!
The pioneers of optimized web hosting, featuring LiteSpeed Web Server & SSD Storage - Celebrating 10 Years in Business
-
11-18-2006, 05:32 PM #4 Web Hosting Master (Join Date: Mar 2003; Posts: 663)
Ok, thanks, will keep you guys updated! Now I can't even access the server, and my DC's support ticket system seems to be down ATM. Just my luck?
-
11-18-2006, 05:41 PM #5 LORD OF THE RINGS (Join Date: Dec 2005; Location: Internet; Posts: 1,352)
Originally Posted by anlene
-
11-18-2006, 05:50 PM #6 Web Hosting Master (Join Date: Mar 2003; Posts: 663)
Hmm... sounds rather logical. For all I know, once their support system is up, I'll open another ticket and ask if they're able to look into my firewall problem. Hopefully they can help.
-
11-18-2006, 05:54 PM #7 Problem Solver (Join Date: Mar 2003; Location: California USA; Posts: 13,681)
What provider are you using?
-
11-18-2006, 05:56 PM #8 Retired Moderator (Join Date: Oct 2004; Location: Ohio; Posts: 1,668)
In your conf.apf file there is a setting called VF_UTIME=""
I am not sure what the default value is, but if you set this to 60, it will make sure that your server has an uptime of 60 seconds before activating APF. If 60 seconds isn't enough, increase it until it doesn't hang anymore. It may be commented out by default.
-
11-18-2006, 06:07 PM #9 Problem Solver (Join Date: Mar 2003; Location: California USA; Posts: 13,681)
I think he's having it crash regardless of whether it's a reboot or not.
Originally Posted by anlene
Whenever I try to start my APF firewall, it just hangs my server.
-
11-18-2006, 06:16 PM #10 Web Hosting Master (Join Date: Mar 2003; Posts: 663)
Service provider is ev1. Support suggested that I should create an allow rule for myself in my ruleset so that I won't be locked out. Any ideas on how I do this?
-
11-18-2006, 06:52 PM #11 Web Hosting Master (Join Date: Mar 2003; Posts: 663)
Ok, I'm doing this for my own IP now:
[root@plesk ~]# /etc/apf/apf -a XXX.XX.XXX.XX MYOWNIP
Inserted into firewall: Allow all to/from XXX.XX.XXX.XX
Basically I found my IP in the deny rules, hence I've removed it and added the IP to allow. Am I on the right track before I do the ultimate restart again?
-
11-18-2006, 08:25 PM #12 Problem Solver (Join Date: Mar 2003; Location: California USA; Posts: 13,681)
You should have no problems!
-
11-19-2006, 05:44 AM #13 Web Hosting Master (Join Date: Mar 2003; Posts: 663)
Hey guys, thanks for all the help. I started the wall and it works now. Thanks thanks thanks! Now I'm requesting my DC to boot it back to runlevel 3.
-
11-19-2006, 07:41 AM #14 LORD OF THE RINGS (Join Date: Dec 2005; Location: Internet; Posts: 1,352)
Good to hear that everything works fine for you.
-
11-19-2006, 10:36 AM #15 Web Hosting Master (Join Date: Mar 2003; Posts: 663)
Apparently not. Today I got locked out again. My DC just rebooted my server yet again. Once it booted, I logged in as root and checked the deny host rules; this time, no IP address is inside. Firewall woes! Any ideas are greatly appreciated!
-
11-19-2006, 03:12 PM #16 LORD OF THE RINGS (Join Date: Dec 2005; Location: Internet; Posts: 1,352)
Do you have any firewalls other than apf and iptables? Or did the NOC guys flush the apf rules so you could log in to the server?
Senior Server Administrator
-
11-19-2006, 03:49 PM #17 Junior Guru (Join Date: Sep 2005; Location: Airdrie, Alberta, Canada; Posts: 197)
Edit your allow_hosts.rules file.
Add tcp:in:d=22:s=yourexternalipaddress
Save the file.
Then do a service apf restart.
Also make sure your IP isn't in deny_hosts.rules.
Also, in conf.apf you can set DEVEL_MODE="1" for testing purposes,
which will turn off the firewall after 5 minutes in case you lock yourself out.
Do NOT leave this set at 1 once you are done testing.
Dan Bulmer
CRUSE Hosting Services
http://www.crusehosting.com
Full H-SPhere Clustered Servers
-
11-19-2006, 03:50 PM #18 Web Hosting Master (Join Date: Mar 2003; Posts: 663)
I have only 1 firewall, which is apf. Support replied to me with this:
"We have stopped apf and iptables. Your server is responding via ssh. Closing ticket."
Now the wall is offline. I don't even dare to start it. Do I have to do iptables -F? I did iptables -L and the result shows:
[root@plesk ~]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Does that seem ok?
-
11-19-2006, 03:53 PM #19 LORD OF THE RINGS (Join Date: Dec 2005; Location: Internet; Posts: 1,352)
You have no firewall rules now. To install apf, see the tutorial at http://www.crucialp.com/resources/tu...y-firewall.php; that should help you.
Senior Server Administrator
-
11-19-2006, 03:55 PM #20 Web Hosting Master (Join Date: Mar 2003; Posts: 663)
Originally Posted by crusetech
Regarding "add tcp:in:d=22:s=yourexternalipaddress", I don't have a static IP. Does it matter, or are you referring to another IP?
-
11-19-2006, 03:56 PM #21 Junior Guru (Join Date: Sep 2005; Location: Airdrie, Alberta, Canada; Posts: 197)
Stop using iptables commands. APF acts as a wrapper for iptables, so you don't need to use these commands. Make sure you look at conf.apf (pay attention to IG_TCP_CPORTS (allowed incoming ports) and EG_TCP_CPORTS (allowed outgoing ports)); once these are correct for your application, add your home or office IP to the allow_hosts.rules file. There is an example in there on how to do this.
Make sure your IP is not listed in the deny_hosts.rules file, and then do a service apf start or service apf restart.
Dan Bulmer
-
11-19-2006, 04:01 PM #22 Web Hosting Master (Join Date: Mar 2003; Posts: 663)
Ok, I think I know the reason. It's my dumb head causing the problem. Previously I changed the port (for example, to 4000) instead of 21. So when I reinstalled APF, I forgot to include port 4000 as in/outbound. Am I spot on?
So do I place this "special port" in IN or OUT bound? Sorry for being a dumbo, as I've just started to get the hang of it.
-
11-19-2006, 04:09 PM #23 Web Hosting Master (Join Date: Mar 2003; Posts: 663)
Hey guys, I put my port in IG_TCP_CPORTS and logged in again as root. Everything seems to be working now.
I'll be working on the rules later.... So many thanks for all your help, guys!
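The three things that kept locking the poster out (posts #17, #21 and #23: the port sshd listens on must be in IG_TCP_CPORTS, the admin IP must be in allow_hosts.rules and must not be in deny_hosts.rules, and DEVEL_MODE must not be left at 1) can be checked in one pass before every service apf restart. The script below is an added example written for this page; it is not part of APF and is not code from any of the posts above. It runs against constructed excerpts embedded as strings, so the admin IP 203.0.113.10, the denied address 198.51.100.7 and the paths /etc/apf/ and /etc/ssh/ are illustrative assumptions; port 4000 is the poster's moved sshd port.

```shell
#!/bin/sh
# Added pre-flight check for APF, written for this thread; it is not part of APF.
# Before "service apf restart", verify the things that locked the poster out:
#   1. the port sshd listens on is listed in IG_TCP_CPORTS in conf.apf
#   2. the admin's IP is not in deny_hosts.rules
#   3. the admin's IP is in allow_hosts.rules (warn only)
#   4. DEVEL_MODE has not been left at 1 (warn only)
# All config text below is constructed sample data; on a real box read the files
# under /etc/apf/ and /etc/ssh/ instead (paths assumed, not taken from the thread).

SAMPLE_CONF_APF='# constructed excerpt of conf.apf: sshd moved to 4000 but not added
DEVEL_MODE="0"
IG_TCP_CPORTS="21,25,53,80,110,143,443"
EG_TCP_CPORTS="21,25,53,80,443"'

SAMPLE_CONF_APF_FIXED='# constructed excerpt of conf.apf after adding port 4000
DEVEL_MODE="0"
IG_TCP_CPORTS="21,25,53,80,110,143,443,4000"
EG_TCP_CPORTS="21,25,53,80,443"'

SAMPLE_SSHD_CONFIG='# constructed excerpt of sshd_config
Port 4000'

SAMPLE_ALLOW_RULES='# constructed allow_hosts.rules (203.0.113.10 is the admin IP)
tcp:in:d=4000:s=203.0.113.10'

SAMPLE_DENY_RULES='# constructed deny_hosts.rules
198.51.100.7'

# Print the value of KEY="value" for key $1 from conf.apf text read on stdin.
conf_value() {
    sed -n "s/^$1=\"\([^\"]*\)\".*/\1/p" | tail -n 1
}

# Print the port from a "Port N" directive in sshd_config text on stdin (22 if absent).
sshd_port() {
    p=$(sed -n 's/^[[:space:]]*Port[[:space:]][[:space:]]*\([0-9][0-9]*\).*/\1/p' | head -n 1)
    echo "${p:-22}"
}

# Succeed if port $1 is one of the comma-separated ports in $2.
port_in_list() {
    case ",$2," in
        *",$1,"*) return 0 ;;
    esac
    return 1
}

# Succeed if IP $1 appears in APF rules text on stdin, either as a bare address
# or as the s=/d= part of a tcp:in:d=PORT:s=IP style rule.
ip_in_rules() {
    esc=$(printf '%s' "$1" | sed 's/\./\\./g')
    grep -Eq "(^|:s=|:d=)$esc(\$|:|[[:space:]])"
}

# apf_preflight ADMIN_IP CONF_APF_TEXT SSHD_CONFIG_TEXT ALLOW_TEXT DENY_TEXT
# Returns 0 when it is safe to restart APF, 1 when the restart would lock you out.
apf_preflight() {
    rc=0
    port=$(printf '%s\n' "$3" | sshd_port)
    inports=$(printf '%s\n' "$2" | conf_value IG_TCP_CPORTS)
    if port_in_list "$port" "$inports"; then
        echo "OK:   sshd port $port is in IG_TCP_CPORTS"
    else
        echo "FAIL: sshd port $port is not in IG_TCP_CPORTS=\"$inports\""
        rc=1
    fi
    if printf '%s\n' "$5" | ip_in_rules "$1"; then
        echo "FAIL: admin IP $1 is listed in deny_hosts.rules"
        rc=1
    fi
    if printf '%s\n' "$4" | ip_in_rules "$1"; then
        echo "OK:   admin IP $1 is in allow_hosts.rules"
    else
        echo "WARN: admin IP $1 is not in allow_hosts.rules; add it before restarting"
    fi
    if [ "$(printf '%s\n' "$2" | conf_value DEVEL_MODE)" = "1" ]; then
        echo "WARN: DEVEL_MODE=1, APF will disable itself after five minutes"
    fi
    return $rc
}

# Stand-alone run: first the broken config from the thread, then the fixed one.
echo "== conf.apf without the new sshd port =="
apf_preflight 203.0.113.10 "$SAMPLE_CONF_APF" "$SAMPLE_SSHD_CONFIG" "$SAMPLE_ALLOW_RULES" "$SAMPLE_DENY_RULES" || echo "=> do not restart APF yet"
echo "== conf.apf with port 4000 added =="
apf_preflight 203.0.113.10 "$SAMPLE_CONF_APF_FIXED" "$SAMPLE_SSHD_CONFIG" "$SAMPLE_ALLOW_RULES" "$SAMPLE_DENY_RULES" && echo "=> safe to restart APF"
```

On a real server, feed the functions the live files (for example "$(cat /etc/apf/conf.apf)" in place of the sample strings) and run the check from the same SSH session that will be used after the restart, so the source address being tested is the one APF will actually see. Pair the first restart after an edit with DEVEL_MODE="1", as post #17 suggests, so a mistake the script did not catch undoes itself instead of needing another reboot from the DC.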