Shorewall does not autostart after reboot reliably
This is on a local vagrant node:
Linux couch16 3.2.0-4-amd64 #1 SMP Debian 3.2.68-1+deb7u1 x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Tue Jun 9 07:30:00 2015 from 10.5.5.1
root@couch16:~# ncli_problems
Bigcouch_beam_procs   CRITICAL  CRIT - PROCS CRITICAL: 0 processes with args '/opt/bigcouch/erts-5.9.1/bin/beam'
Bigcouch_epmd_procs   CRITICAL  CRIT - PROCS CRITICAL: 0 processes with args '/opt/bigcouch/erts-5.9.1/bin/epmd'
Leap_MX_Procs         CRITICAL  CRIT - PROCS CRITICAL: 0 processes with args '/usr/bin/python /usr/bin/twistd --pidfile=/var/run/leap_mx.pid --rundir=/var/lib/leap_mx/ --python=/usr/share/app/leap_mx.tac --logfile=/var/log/leap/mx.log'
Mx/Are_MX_daemons_ru  CRITICAL  CRIT - [mx.rb:35]:No running process for leap_mx
NFS mount /vagrant    UNKNOWN   UNKNOWN - not mounted
Network/Is_shorewall  CRITICAL  CRIT - [network.rb:58]:Error running `/sbin/shorewall status`: Shorewall-4.5.5.3 Status at couch16 - Tue Jun 9 07:32:42 UTC 2015 Shorewall is stopped State:Started (Tue Jun 9 07:31:02 UTC 2015) from /etc/shorewall/
Postfix Queue         CRITICAL  CRIT - Mailqueue length is 72 (More than threshold: 10)
Webapp/Can_create_an  CRITICAL  CRIT - [webapp.rb:46]:Unable to check that user identity was deleted: HTTP response from API should have code 200, was 401 {"error":"unauthorized","reason":"You are not authorized to access this db."}
Webapp/Can_sync_Sole  CRITICAL  CRIT - [webapp.rb:59]:Unable to check that user identity was deleted: HTTP response from API should have code 200, was 401 {"error":"unauthorized","reason":"You are not authorized to access this db."}
Website               CRITICAL  CRITICAL - Socket timeout after 10 seconds
root@couch16:~# ps aux|grep apa
root      2810  0.2  2.4 180296 12212 ?        Ss   07:31   0:00 /usr/sbin/apache2 -k start
www-data  2891  0.0  1.9 180392  9680 ?        S    07:31   0:00 /usr/sbin/apache2 -k start
www-data  2892  0.0  1.9 180392  9652 ?        S    07:31   0:00 /usr/sbin/apache2 -k start
www-data  2893  0.0  1.9 180392  9676 ?        S    07:31   0:00 /usr/sbin/apache2 -k start
www-data  2894  0.0  1.9 180392  9680 ?        S    07:31   0:00 /usr/sbin/apache2 -k start
www-data  2895  0.0  1.9 180392  9680 ?        S    07:31   0:00 /usr/sbin/apache2 -k start
www-data  4223  0.0  1.9 180392  9676 ?        S    07:31   0:00 /usr/sbin/apache2 -k start
root      5135  0.0  0.1   7836   840 pts/0    S+   07:34   0:00 grep apa
root@couch16:~# netstat -tulpen|grep 443
tcp        0      0 0.0.0.0:4430            0.0.0.0:*               LISTEN      0          6797       2810/apache2
tcp6       0      0 :::443                  :::*                    LISTEN      0          6793       2810/apache2
root@couch16:~# iptables -nL
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW,ESTABLISHED tcp dpt:22
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW,ESTABLISHED tcp dpt:22
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp spt:53
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            icmptype 8 state NEW,RELATED,ESTABLISHED
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            icmptype 0 state RELATED,ESTABLISHED
LOG        all  --  0.0.0.0/0            0.0.0.0/0            limit: avg 5/min burst 5 LOG flags 0 level 7 prefix "iptables denied: "

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
root@couch16:~# /etc/init.d/shorewall restart
Restarting "Shorewall firewall": done.
root@couch16:~# iptables -nL
Chain INPUT (policy DROP)
target     prot opt source               destination
net2fw     all  --  0.0.0.0/0            0.0.0.0/0
net2fw     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
Drop       all  --  0.0.0.0/0            0.0.0.0/0
DROP       all  --  0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP)
target     prot opt source               destination
net_frwd   all  --  0.0.0.0/0            0.0.0.0/0
net_frwd   all  --  0.0.0.0/0            0.0.0.0/0
Drop       all  --  0.0.0.0/0            0.0.0.0/0
DROP       all  --  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy DROP)
target     prot opt source               destination
fw2net     all  --  0.0.0.0/0            0.0.0.0/0
fw2net     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0

Chain Broadcast (1 references)
target     prot opt source               destination
DROP       all  --  0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type BROADCAST
DROP       all  --  0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type MULTICAST
DROP       all  --  0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type ANYCAST
DROP       all  --  0.0.0.0/0            224.0.0.0/4

Chain Drop (3 references)
target     prot opt source               destination
           all  --  0.0.0.0/0            0.0.0.0/0
reject     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:113 /* Auth */
Broadcast  all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            icmptype 3 code 4 /* Needed ICMP types */
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            icmptype 11 /* Needed ICMP types */
Invalid    all  --  0.0.0.0/0            0.0.0.0/0
DROP       udp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 135,445 /* SMB */
DROP       udp  --  0.0.0.0/0            0.0.0.0/0            udp dpts:137:139 /* SMB */
DROP       udp  --  0.0.0.0/0            0.0.0.0/0            udp spt:137 dpts:1024:65535 /* SMB */
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 135,139,445 /* SMB */
DROP       udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:1900 /* UPnP */
NotSyn     tcp  --  0.0.0.0/0            0.0.0.0/0
DROP       udp  --  0.0.0.0/0            0.0.0.0/0            udp spt:53 /* Late DNS Replies */

Chain Invalid (1 references)
target     prot opt source               destination
DROP       all  --  0.0.0.0/0            0.0.0.0/0            ctstate INVALID

Chain NotSyn (1 references)
target     prot opt source               destination
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcpflags:! 0x17/0x02

Chain blacklst (2 references)
target     prot opt source               destination

Chain dynamic (2 references)
target     prot opt source               destination

Chain fw2net (2 references)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            icmptype 8 /* Ping */
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:25 /* SMTP */
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0

Chain logdrop (0 references)
target     prot opt source               destination
DROP       all  --  0.0.0.0/0            0.0.0.0/0

Chain logflags (5 references)
target     prot opt source               destination
LOG        all  --  0.0.0.0/0            0.0.0.0/0            LOG flags 4 level 6 prefix "Shorewall:logflags:DROP:"
DROP       all  --  0.0.0.0/0            0.0.0.0/0

Chain logreject (0 references)
target     prot opt source               destination
reject     all  --  0.0.0.0/0            0.0.0.0/0

Chain net2fw (2 references)
target     prot opt source               destination
blacklst   all  --  0.0.0.0/0            0.0.0.0/0            ctstate INVALID,NEW
dynamic    all  --  0.0.0.0/0            0.0.0.0/0            ctstate INVALID,NEW
smurfs     all  --  0.0.0.0/0            0.0.0.0/0            ctstate INVALID,NEW
tcpflags   tcp  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            icmptype 8 /* Ping */
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80 /* HTTP */
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:443 /* HTTPS */
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 25,465,587 /* leap_mx */
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:6425 /* nickserver */
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:2323 /* leap_soledad */
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22 /* leap_sshd */
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:15984 /* stunnel_server_couch_server */
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:4430 /* leap_webapp_api */
Drop       all  --  0.0.0.0/0            0.0.0.0/0
DROP       all  --  0.0.0.0/0            0.0.0.0/0

Chain net2net (2 references)
target     prot opt source               destination
dynamic    all  --  0.0.0.0/0            0.0.0.0/0            ctstate INVALID,NEW
smurfs     all  --  0.0.0.0/0            0.0.0.0/0            ctstate INVALID,NEW
tcpflags   tcp  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0

Chain net_frwd (2 references)
target     prot opt source               destination
blacklst   all  --  0.0.0.0/0            0.0.0.0/0            ctstate INVALID,NEW
net2net    all  --  0.0.0.0/0            0.0.0.0/0
net2net    all  --  0.0.0.0/0            0.0.0.0/0

Chain reject (2 references)
target     prot opt source               destination
DROP       all  --  0.0.0.0/0            0.0.0.0/0            ADDRTYPE match src-type BROADCAST
DROP       all  --  224.0.0.0/4          0.0.0.0/0
DROP       2    --  0.0.0.0/0            0.0.0.0/0
REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0            reject-with tcp-reset
REJECT     udp  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     icmp --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-unreachable
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain shorewall (0 references)
target     prot opt source               destination

Chain smurflog (2 references)
target     prot opt source               destination
LOG        all  --  0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 6 prefix "Shorewall:smurfs:DROP:"
DROP       all  --  0.0.0.0/0            0.0.0.0/0

Chain smurfs (2 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0              0.0.0.0/0
smurflog   all  --  0.0.0.0/0            0.0.0.0/0           [goto]  ADDRTYPE match src-type BROADCAST
smurflog   all  --  224.0.0.0/4          0.0.0.0/0           [goto]

Chain tcpflags (2 references)
target     prot opt source               destination
logflags   tcp  --  0.0.0.0/0            0.0.0.0/0           [goto]  tcpflags: 0x3F/0x29
logflags   tcp  --  0.0.0.0/0            0.0.0.0/0           [goto]  tcpflags: 0x3F/0x00
logflags   tcp  --  0.0.0.0/0            0.0.0.0/0           [goto]  tcpflags: 0x06/0x06
logflags   tcp  --  0.0.0.0/0            0.0.0.0/0           [goto]  tcpflags: 0x03/0x03
logflags   tcp  --  0.0.0.0/0            0.0.0.0/0           [goto]  tcp spt:0flags: 0x17/0x02
root@couch16:~#
(from redmine: created on 2015-06-09)