
Resolved
0 votes
In the web portal, after adding or editing (even enabling / disabling) any firewall rule in "1 -to- 1 NAT Firewall" or "Custom Firewall" I lose all connectivity (only established connections stay active).

Restarting firewall.service just hangs

# iptables -nvL
Another app is currently holding the xtables lock. Perhaps you want to use the -w option?

# systemctl status firewall.service
● firewall.service - ClearOS Firewall Engine
Loaded: loaded (/usr/lib/systemd/system/firewall.service; enabled; vendor preset: disabled)
Active: activating (start) since Thu 2018-02-15 13:41:40 GMT; 4min 7s ago
Process: 28226 ExecStop=/usr/libexec/firewall/exec-stop.sh (code=exited, status=0/SUCCESS)
Main PID: 28263 (exec-start.sh)
CGroup: /system.slice/firewall.service
├─28263 /bin/sh /usr/libexec/firewall/exec-start.sh
├─28265 /bin/sh /usr/sbin/firewall-start
└─28303 /sbin/app-firewall -w -s /usr/clearos/apps/firewall/deploy/firewall.lua

Feb 15 13:41:40 gateway.local.fw systemd[1]: Starting ClearOS Firewall Engine...
Feb 15 13:41:40 gateway.local.fw firewall[28303]: Starting firewall...
Feb 15 13:41:40 gateway.local.fw firewall[28303]: Loading environment

Why is this happening?
In the meanwhile, how can I get it working after editing FW rule without needing a reboot?

Any help much appreciated
Thursday, February 15 2018, 02:14 PM
Responses (22)
  • Accepted Answer

    Saturday, February 17 2018, 09:40 PM - #Permalink
    Resolved
    0 votes
    Nick Howitt wrote:

    Can you just check your rules for FQDNs? Apparently FQDNs in rules can really slow down the rules from loading.


    I double checked; I only use IPs, no FQDNs in my rules (as far as I knew iptables does not support FQDNs).
  • Accepted Answer

    Friday, February 16 2018, 08:46 PM - #Permalink
    Resolved
    0 votes
    Can you just check your rules for FQDNs? Apparently FQDNs in rules can really slow down the rules from loading.
  • Accepted Answer

    Friday, February 16 2018, 02:42 PM - #Permalink
    Resolved
    0 votes
    Nick Howitt wrote:

    Yes and no. It is normal that it works like this, even if it is not ideal. On my Core i3-4130 it takes the basic firewall .0153s to reload, but I have one WAN, one LAN, one WAN IP, no 1-to-1 NAT and no VLANS, no proxy and no content filter.


    Many thanks for all your help, I will have to wait for ClearOS to sort it.
  • Accepted Answer

    Friday, February 16 2018, 02:26 PM - #Permalink
    Resolved
    0 votes
    Yes and no. It is normal that it works like this, even if it is not ideal. On my Core i3-4130 it takes the basic firewall .0153s to reload, but I have one WAN, one LAN, one WAN IP, no 1-to-1 NAT and no VLANS, no proxy and no content filter.
  • Accepted Answer

    Friday, February 16 2018, 02:01 PM - #Permalink
    Resolved
    0 votes
    Nick Howitt wrote:

    I don't know what you can do to speed up the basic operation of the firewall. I *think* ClearOS are working on a way of not restarting the firewall so often, but it may only be for v8 whenever that appears.


    So at the moment it's normal, when adding / changing a firewall rule, to not be able to establish any new connection for the few minutes it takes to reload?
  • Accepted Answer

    Friday, February 16 2018, 01:57 PM - #Permalink
    Resolved
    0 votes
    I don't know what you can do to speed up the basic operation of the firewall. I *think* ClearOS are working on a way of not restarting the firewall so often, but it may only be for v8 whenever that appears.
  • Accepted Answer

    Friday, February 16 2018, 11:57 AM - #Permalink
    Resolved
    0 votes
    Nick Howitt wrote:

    Your pastebin is only taking about 3min to load (185.788s) until it starts running the file in /etc/clearos/firewall.d. Can you have a look in /var/log/system and see how long each of those files takes to run?


    The one I posted took about 3 minutes, the previous one 8 minutes; however, even if it only takes 30 seconds, the problem is that no new connections in/out can be established while it's reloading. That's not acceptable; how can I resolve it?
    Once again thank you for helping me out.
  • Accepted Answer

    Friday, February 16 2018, 11:38 AM - #Permalink
    Resolved
    0 votes
    Your pastebin is only taking about 3min to load (185.788s) until it starts running the file in /etc/clearos/firewall.d. Can you have a look in /var/log/system and see how long each of those files takes to run?
  • Accepted Answer

    Friday, February 16 2018, 11:10 AM - #Permalink
    Resolved
    0 votes
    Nick Howitt wrote:

    You need to remove any invalid rules from the Custom Firewall Rules. If the webconfig won't allow you to, they are in /etc/clearos/firewall.d/custom.


    All my rules are valid, they all work as intended and have been there for years. For some reason (it's a new issue) any rule I try to change in webconfig throws that error.

    My other issue is more pressing: did you take a look at the rules and the output of my firewall debug?
  • Accepted Answer

    Friday, February 16 2018, 09:14 AM - #Permalink
    Resolved
    0 votes
    You need to remove any invalid rules from the Custom Firewall Rules. If the webconfig won't allow you to, they are in /etc/clearos/firewall.d/custom.

    My recommendation for rules is try them at the command line first (with the rule starting "iptables") then copy and paste them into the Custom module changing "iptables" to "$IPTABLES". If you have a whole batch to test, I suggest you open a command prompt and do:
    IPTABLES="iptables -w"
    Then you can test each rule from the custom module one by one without having to change iptables/$IPTABLES.

    I'd copy all the rules into a temporary file then test them one by one as I described above, and if they are OK, paste them back into the custom file.
  • Accepted Answer

    Thursday, February 15 2018, 10:21 PM - #Permalink
    Resolved
    0 votes
    Nick Howitt wrote:

    It is running but hung, I think. You could try "kill 6104" then try re-running it, but it may be safest to make sure it is not connected to the internet.

    Please post the contents of /etc/clearos/firewall.d/custom.


    (I managed to get firewall-start -d to run, see below.)

    /etc/clearos/firewall.d/custom: see https://paste.fedoraproject.org/paste/CUPDvtRdhrxci5DHuaE5Hw

    After my previous response I checked:
    # iptables -nvL
    Another app is currently holding the xtables lock. Perhaps you want to use the -w option?

    # systemctl status firewall
    ● firewall.service - ClearOS Firewall Engine
    Loaded: loaded (/usr/lib/systemd/system/firewall.service; enabled; vendor preset: disabled)
    Active: activating (start) since Thu 2018-02-15 21:13:15 GMT; 6min ago
    Process: 6067 ExecStop=/usr/libexec/firewall/exec-stop.sh (code=exited, status=0/SUCCESS)
    Main PID: 6102 (exec-start.sh)
    CGroup: /system.slice/firewall.service
    ├─6102 /bin/sh /usr/libexec/firewall/exec-start.sh
    ├─6104 /bin/sh /usr/sbin/firewall-start
    └─6142 /sbin/app-firewall -w -s /usr/clearos/apps/firewall/deploy/firewall.lua

    Feb 15 21:13:15 gateway.marvelpride.fw systemd[1]: Starting ClearOS Firewall Engine...
    Feb 15 21:13:15 gateway.marvelpride.fw firewall[6142]: Starting firewall...
    Feb 15 21:13:15 gateway.marvelpride.fw firewall[6142]: Loading environment

    A few moments later:

    # systemctl status firewall
    ● firewall.service - ClearOS Firewall Engine
    Loaded: loaded (/usr/lib/systemd/system/firewall.service; enabled; vendor preset: disabled)
    Active: failed (Result: exit-code) since Thu 2018-02-15 21:28:56 GMT; 5min ago
    Process: 6364 ExecStop=/usr/libexec/firewall/exec-stop.sh (code=killed, signal=TERM)
    Process: 6572 ExecStart=/usr/libexec/firewall/exec-start.sh (code=exited, status=1/FAILURE)
    Main PID: 6572 (code=exited, status=1/FAILURE)

    Feb 15 21:28:56 gateway.marvelpride.fw systemd[1]: Starting ClearOS Firewall Engine...
    Feb 15 21:28:56 gateway.marvelpride.fw systemd[1]: firewall.service: main process exited, code=exited, status=1/FAILURE
    Feb 15 21:28:56 gateway.marvelpride.fw systemd[1]: Failed to start ClearOS Firewall Engine.
    Feb 15 21:28:56 gateway.marvelpride.fw systemd[1]: Unit firewall.service entered failed state.
    Feb 15 21:28:56 gateway.marvelpride.fw systemd[1]: firewall.service failed

    I then tried to disable and delete a custom rule from the web interface and got an error "rule is invalid"; this rule worked for a long time ($IPTABLES -I FORWARD -i ppp+ -p tcp ! -s xx.xx.xx.xx --dport xxxx:xxxx -j DROP -m comment --comment "Allow this IP").

    I then commented it out in the CLI and again it's taking about 10-15 minutes for the firewall to reload.

    Output from firewall-start -d at https://paste.fedoraproject.org/paste/028OfZxmpEOBfWsDKSVRuw

    The problem seems to be that on every change the firewall reloads, and it takes 10-15 minutes to reload. Why?
  • Accepted Answer

    Thursday, February 15 2018, 10:19 PM - #Permalink
    Resolved
    0 votes
    deleted
  • Accepted Answer

    Thursday, February 15 2018, 10:14 PM - #Permalink
    Resolved
    0 votes
    deleted
  • Accepted Answer

    Thursday, February 15 2018, 09:23 PM - #Permalink
    Resolved
    0 votes
    It is running but hung, I think. You could try "kill 6104" then try re-running it, but it may be safest to make sure it is not connected to the internet.

    Please post the contents of /etc/clearos/firewall.d/custom.
  • Accepted Answer

    Thursday, February 15 2018, 09:17 PM - #Permalink
    Resolved
    0 votes
    Nick Howitt wrote:
    You should just be able to do "firewall-start -d"


    # firewall-start -d
    firewall: Failed to acquire lock: /var/run/firewall.pid (held by 6104)

    # ps ax | grep 6104
    6104 ? S 0:00 /bin/sh /usr/sbin/firewall-start

    How can I run it?
  • Accepted Answer

    Thursday, February 15 2018, 09:10 PM - #Permalink
    Resolved
    0 votes
    firewall-start -d: will that show the output in the terminal or in some log file?
  • Accepted Answer

    Thursday, February 15 2018, 07:48 PM - #Permalink
    Resolved
    0 votes
    My typo. It should have been /var/log/system.


    The only references there are stopping & starting the ClearOS Firewall engine at the times I tried to restart them.

    You can't really stop the firewall as that would leave you momentarily exposed. You should just be able to do "firewall-start -d"


    So I execute it while the firewall is running?
  • Accepted Answer

    Thursday, February 15 2018, 07:31 PM - #Permalink
    Resolved
    0 votes
    My typo. It should have been /var/log/system.

    You can't really stop the firewall as that would leave you momentarily exposed. You should just be able to do "firewall-start -d"

    The arpwatch message is different. It can be suppressed by playing with rsyslogd but it is worth looking for a switch misconfiguration first.
  • Accepted Answer

    Thursday, February 15 2018, 06:15 PM - #Permalink
    Resolved
    0 votes
    I will try to correct the double -w late at night.

    I have 32 Custom Rules and 39 1to1 NAT rules.

    I don't have a /var/log/syslog file, but I checked /var/log/system and /var/log/messages; nothing that can help there (apart from noticing about 70,000 entries per day for "gateway arpwatch: 00:xx:xx:xx:xx:xx sent bad hardware format 0xXX", which I might post a new question for).

    How do I start the firewall in debug? Do I first stop it? (systemctl stop firewall.service)
  • Accepted Answer

    Thursday, February 15 2018, 05:56 PM - #Permalink
    Resolved
    0 votes
    I don't think two "-w" matters. I think I've had that accidentally in the past. However it is worth correcting and seeing if it helps.

    Do you have many firewall rules?

    You could try starting the firewall in debug mode with a "firewall-start -d" and see where it hangs. Also look at /var/log/syslog and you may see the hang there as well.
  • Accepted Answer

    Thursday, February 15 2018, 05:39 PM - #Permalink
    Resolved
    0 votes
    Thanks for your response.
    I am using $IPTABLES and I am using -w: "$IPTABLES -w -A INPUT -s 162.220.51.225 -j DROP"
    Might that be the cause of the problem (essentially using -w -w)?
  • Accepted Answer

    Thursday, February 15 2018, 05:25 PM - #Permalink
    Resolved
    0 votes
    I have a feeling the solution is in the error message. When you are writing custom firewall rules they need either the -w parameter, so "iptables -w ......" or they need to use "$IPTABLES" instead of "iptables". "$IPTABLES" is equivalent to "iptables -w" in firewall script rules (so Custom rules and any other ones generated by the Webconfig) only and not at the command line. Have you been using "iptables" on its own?

    A quick way to correct this would be to edit the file /etc/clearos/firewall.d/custom directly so you can make all changes in one go.
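The points made in this reply ("$IPTABLES" already means "iptables -w" inside firewall script rules, so custom rules need one or the other) and in the later advice to test each rule at a root shell before pasting it into the custom file, as an added helper that is not part of ClearOS: it lints a custom rules file for a bare "iptables" (no -w, so the rule fails whenever another process holds the xtables lock) and for the redundant "$IPTABLES -w", and rewrites rules between the shell form and the custom-file form. The file format, the sample rules and the function names are assumptions; it does not run iptables itself.

```shell
#!/bin/sh
# Added helper (not ClearOS code). Lints a ClearOS "custom" rules file for
# two problems from the thread: a bare "iptables" (no -w, fails under xtables
# lock contention) and "$IPTABLES -w" (a redundant second -w, because
# $IPTABLES already expands to "iptables -w" inside firewall scripts).

# Classify one line: comment | bare | double | ok | other
classify_rule() {
    case "$1" in
        ''|'#'*)          echo comment ;;
        '$IPTABLES -w'*)  echo double ;;
        '$IPTABLES'*)     echo ok ;;
        'iptables -w'*)   echo ok ;;
        'iptables'*)      echo bare ;;
        *)                echo other ;;
    esac
}

# Rewrite a rule into the form the custom file expects ($IPTABLES, no extra -w).
to_custom_form() {
    printf '%s\n' "$1" | sed -e 's/^iptables -w /iptables /' \
                             -e 's/^iptables /$IPTABLES /' \
                             -e 's/^\$IPTABLES -w /$IPTABLES /'
}

# Rewrite a rule into the form to paste at a root shell for testing first.
to_cli_form() {
    printf '%s\n' "$1" | sed -e 's/^\$IPTABLES -w /$IPTABLES /' \
                             -e 's/^\$IPTABLES /iptables -w /'
}

# Report every bare or double line in FILE; exit status 1 if any bare line exists.
lint_custom_rules() {
    bad=0; n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case "$(classify_rule "$line")" in
            bare)   bad=$((bad + 1)); printf 'line %d: missing -w -> %s\n' "$n" "$(to_custom_form "$line")" ;;
            double) printf 'line %d: redundant -w -> %s\n' "$n" "$(to_custom_form "$line")" ;;
        esac
    done < "$1"
    [ "$bad" -eq 0 ]
}

# Constructed sample rules (assumed, not from a real system); run "demo" to see the report.
demo() {
    f=$(mktemp)
    printf '%s\n' '$IPTABLES -w -A INPUT -s 162.220.51.225 -j DROP' \
                  'iptables -A INPUT -s 10.0.0.9 -j DROP' > "$f"
    lint_custom_rules "$f"; rc=$?
    rm -f "$f"; return $rc
}
```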