Shorewall does not autostart after reboot reliably
This is on a local vagrant node. After a reboot, `shorewall status` reports "Shorewall is stopped" even though its state file says "Started", and `iptables -nL` shows only a generic rule set (no Shorewall chains); the Shorewall chains appear only after a manual `/etc/init.d/shorewall restart`:
Linux couch16 3.2.0-4-amd64 #1 SMP Debian 3.2.68-1+deb7u1 x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Tue Jun 9 07:30:00 2015 from 10.5.5.1
root@couch16:~# ncli_problems
Bigcouch_beam_procs CRITICAL CRIT - PROCS CRITICAL: 0 processes with args '/opt/bigcouch/erts-5.9.1/bin/beam'
Bigcouch_epmd_procs CRITICAL CRIT - PROCS CRITICAL: 0 processes with args '/opt/bigcouch/erts-5.9.1/bin/epmd'
Leap_MX_Procs CRITICAL CRIT - PROCS CRITICAL: 0 processes with args '/usr/bin/python /usr/bin/twistd --pidfile=/var/run/leap_mx.pid
--rundir=/var/lib/leap_mx/ --python=/usr/share/app/leap_mx.tac --logfile=/var/log/leap/mx.log'
Mx/Are_MX_daemons_ru CRITICAL CRIT - [mx.rb:35]:No running process for leap_mx
NFS mount /vagrant UNKNOWN UNKNOWN - not mounted
Network/Is_shorewall CRITICAL CRIT - [network.rb:58]:Error running `/sbin/shorewall status`: Shorewall-4.5.5.3 Status at couch16 - Tue Jun 9 07:32:42
UTC 2015 Shorewall is stopped State:Started (Tue Jun 9 07:31:02 UTC 2015) from /etc/shorewall/
Postfix Queue CRITICAL CRIT - Mailqueue length is 72 (More than threshold: 10)
Webapp/Can_create_an CRITICAL CRIT - [webapp.rb:46]:Unable to check that user identity was deleted: HTTP response from API should have code 200, was
401 {"error":"unauthorized","reason":"You are not authorized to access this db."}
Webapp/Can_sync_Sole CRITICAL CRIT - [webapp.rb:59]:Unable to check that user identity was deleted: HTTP response from API should have code 200, was
401 {"error":"unauthorized","reason":"You are not authorized to access this db."}
Website CRITICAL CRITICAL - Socket timeout after 10 seconds
root@couch16:~# ps aux|grep apa
root 2810 0.2 2.4 180296 12212 ? Ss 07:31 0:00 /usr/sbin/apache2 -k start
www-data 2891 0.0 1.9 180392 9680 ? S 07:31 0:00 /usr/sbin/apache2 -k start
www-data 2892 0.0 1.9 180392 9652 ? S 07:31 0:00 /usr/sbin/apache2 -k start
www-data 2893 0.0 1.9 180392 9676 ? S 07:31 0:00 /usr/sbin/apache2 -k start
www-data 2894 0.0 1.9 180392 9680 ? S 07:31 0:00 /usr/sbin/apache2 -k start
www-data 2895 0.0 1.9 180392 9680 ? S 07:31 0:00 /usr/sbin/apache2 -k start
www-data 4223 0.0 1.9 180392 9676 ? S 07:31 0:00 /usr/sbin/apache2 -k start
root 5135 0.0 0.1 7836 840 pts/0 S+ 07:34 0:00 grep apa
root@couch16:~# netstat -tulpen|grep 443
tcp 0 0 0.0.0.0:4430 0.0.0.0:* LISTEN 0 6797 2810/apache2
tcp6 0 0 :::443 :::* LISTEN 0 6793 2810/apache2
root@couch16:~# iptables -nL
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW,ESTABLISHED tcp dpt:22
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW,ESTABLISHED tcp dpt:22
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp spt:53
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 8 state NEW,RELATED,ESTABLISHED
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 0 state RELATED,ESTABLISHED
LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 5/min burst 5 LOG flags 0 level 7 prefix "iptables denied: "
Chain FORWARD (policy DROP)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
root@couch16:~# /etc/init.d/shorewall restart
Restarting "Shorewall firewall": done.
root@couch16:~# iptables -nL
Chain INPUT (policy DROP)
target prot opt source destination
net2fw all -- 0.0.0.0/0 0.0.0.0/0
net2fw all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
Drop all -- 0.0.0.0/0 0.0.0.0/0
DROP all -- 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy DROP)
target prot opt source destination
net_frwd all -- 0.0.0.0/0 0.0.0.0/0
net_frwd all -- 0.0.0.0/0 0.0.0.0/0
Drop all -- 0.0.0.0/0 0.0.0.0/0
DROP all -- 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy DROP)
target prot opt source destination
fw2net all -- 0.0.0.0/0 0.0.0.0/0
fw2net all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
Chain Broadcast (1 references)
target prot opt source destination
DROP all -- 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type BROADCAST
DROP all -- 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type MULTICAST
DROP all -- 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type ANYCAST
DROP all -- 0.0.0.0/0 224.0.0.0/4
Chain Drop (3 references)
target prot opt source destination
all -- 0.0.0.0/0 0.0.0.0/0
reject tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:113 /* Auth */
Broadcast all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 3 code 4 /* Needed ICMP types */
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 11 /* Needed ICMP types */
Invalid all -- 0.0.0.0/0 0.0.0.0/0
DROP udp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 135,445 /* SMB */
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpts:137:139 /* SMB */
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp spt:137 dpts:1024:65535 /* SMB */
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 135,139,445 /* SMB */
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:1900 /* UPnP */
NotSyn tcp -- 0.0.0.0/0 0.0.0.0/0
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp spt:53 /* Late DNS Replies */
Chain Invalid (1 references)
target prot opt source destination
DROP all -- 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
Chain NotSyn (1 references)
target prot opt source destination
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcpflags:! 0x17/0x02
Chain blacklst (2 references)
target prot opt source destination
Chain dynamic (2 references)
target prot opt source destination
Chain fw2net (2 references)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 8 /* Ping */
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:25 /* SMTP */
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
Chain logdrop (0 references)
target prot opt source destination
DROP all -- 0.0.0.0/0 0.0.0.0/0
Chain logflags (5 references)
target prot opt source destination
LOG all -- 0.0.0.0/0 0.0.0.0/0 LOG flags 4 level 6 prefix "Shorewall:logflags:DROP:"
DROP all -- 0.0.0.0/0 0.0.0.0/0
Chain logreject (0 references)
target prot opt source destination
reject all -- 0.0.0.0/0 0.0.0.0/0
Chain net2fw (2 references)
target prot opt source destination
blacklst all -- 0.0.0.0/0 0.0.0.0/0 ctstate INVALID,NEW
dynamic all -- 0.0.0.0/0 0.0.0.0/0 ctstate INVALID,NEW
smurfs all -- 0.0.0.0/0 0.0.0.0/0 ctstate INVALID,NEW
tcpflags tcp -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 8 /* Ping */
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 /* HTTP */
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 /* HTTPS */
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 25,465,587 /* leap_mx */
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:6425 /* nickserver */
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:2323 /* leap_soledad */
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 /* leap_sshd */
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:15984 /* stunnel_server_couch_server */
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:4430 /* leap_webapp_api */
Drop all -- 0.0.0.0/0 0.0.0.0/0
DROP all -- 0.0.0.0/0 0.0.0.0/0
Chain net2net (2 references)
target prot opt source destination
dynamic all -- 0.0.0.0/0 0.0.0.0/0 ctstate INVALID,NEW
smurfs all -- 0.0.0.0/0 0.0.0.0/0 ctstate INVALID,NEW
tcpflags tcp -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
Chain net_frwd (2 references)
target prot opt source destination
blacklst all -- 0.0.0.0/0 0.0.0.0/0 ctstate INVALID,NEW
net2net all -- 0.0.0.0/0 0.0.0.0/0
net2net all -- 0.0.0.0/0 0.0.0.0/0
Chain reject (2 references)
target prot opt source destination
DROP all -- 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match src-type BROADCAST
DROP all -- 224.0.0.0/4 0.0.0.0/0
DROP 2 -- 0.0.0.0/0 0.0.0.0/0
REJECT tcp -- 0.0.0.0/0 0.0.0.0/0 reject-with tcp-reset
REJECT udp -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT icmp -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-unreachable
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain shorewall (0 references)
target prot opt source destination
Chain smurflog (2 references)
target prot opt source destination
LOG all -- 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix "Shorewall:smurfs:DROP:"
DROP all -- 0.0.0.0/0 0.0.0.0/0
Chain smurfs (2 references)
target prot opt source destination
RETURN all -- 0.0.0.0 0.0.0.0/0
smurflog all -- 0.0.0.0/0 0.0.0.0/0 [goto] ADDRTYPE match src-type BROADCAST
smurflog all -- 224.0.0.0/4 0.0.0.0/0 [goto]
Chain tcpflags (2 references)
target prot opt source destination
logflags tcp -- 0.0.0.0/0 0.0.0.0/0 [goto] tcpflags: 0x3F/0x29
logflags tcp -- 0.0.0.0/0 0.0.0.0/0 [goto] tcpflags: 0x3F/0x00
logflags tcp -- 0.0.0.0/0 0.0.0.0/0 [goto] tcpflags: 0x06/0x06
logflags tcp -- 0.0.0.0/0 0.0.0.0/0 [goto] tcpflags: 0x03/0x03
logflags tcp -- 0.0.0.0/0 0.0.0.0/0 [goto] tcp spt:0flags: 0x17/0x02
root@couch16:~#
(from redmine: created on 2015-06-09)
Edited by Varac