
Joe Shmo
Resolved
0 votes
I recently upgraded to ClearOS 7. Now, if I leave my proxy server enabled the firewall enters Panic Mode. I deleted all entries in the "Bypass" table. I've reinstalled it. I've even tried switching it to non-transparent and back. What do I do?
Thursday, February 25 2016, 03:25 PM
Responses (14)
  • Accepted Answer

    Monday, March 07 2016, 08:30 AM - #Permalink
    Resolved
    0 votes
    Need to know more about your network :-

    What is "100.1.100.1" - looks like an internet address to me rather than an intranet address.
    In fact looking it up, it is "lo0-100.NWRKNJ-VFTTP-306.verizon-gni.net" - that you?

    What is the output of "cat /etc/clearos/network.conf", the output of "ifconfig", and the output of "netstat -r"?
  • Accepted Answer

    Joe Shmo
    Monday, March 07 2016, 07:51 AM - #Permalink
    Resolved
    0 votes
    Tony Ellis wrote:

    I cannot see the word panic (upper, lower or mixed case) anywhere in the output you just posted in your last append. So does this mean that the symptoms have changed to "Starting firewall6: [FAILED]"?

    I'd also like to add I have paid subscriptions to IDS and Content Filter Blacklists. I am using dansguardian with the ClearOS subscription.

    I have none of these, so really cannot test any further - do you still have the problem with them all disabled? If so, raise a support ticket. If it fails with them disabled I am not sure what more to suggest...

    [root@sandra ~]# grep firewall6 /var/log/messages
    Mar 4 09:32:46 sandra firewall6: Starting firewall6: [ OK ]
    Mar 7 16:14:30 sandra firewall6: Starting firewall6: [ OK ]
    Mar 7 18:16:26 sandra firewall6: Starting firewall6: [ OK ]
    [root@sandra ~]#
    Anything of value in "systemctl restart firewallv6.service"
    What's the output of "cat /etc/clearos/firewall.d/local"
    What's the output of "netstat -nlp | grep squid"


    [code type="markup"]grep firewall6 /var/log/messages
    Mar 7 00:39:18 localhost firewall6: Starting firewall6: [ OK ]
    Mar 7 00:55:05 gateway firewall6: Starting firewall6: [FAILED]
    Mar 7 00:57:48 gateway firewall6: nat mangle filter
    Mar 7 00:57:48 gateway firewall6: [ OK ]#015[ OK ]#015Resetting built-in chains to the default ACCEPT policy:[ OK ]
    Mar 7 00:57:50 gateway firewall6: Starting firewall6: [FAILED]
    Mar 7 01:03:56 gateway firewall6: Starting firewall6: [FAILED]
    Mar 7 01:12:07 gateway firewall6: Starting firewall6: [FAILED]
    Mar 7 02:46:28 gateway firewall6: nat mangle filter
    Mar 7 02:46:28 gateway firewall6: [ OK ]#015[ OK ]#015Resetting built-in chains to the default ACCEPT policy:[ OK ]
    Mar 7 02:46:28 gateway firewall6: Starting firewall6: [FAILED]
    Mar 7 02:48:04 gateway firewall6: nat mangle filter
    Mar 7 02:48:04 gateway firewall6: [ OK ]#015[ OK ]#015Resetting built-in chains to the default ACCEPT policy:[ OK ]
    Mar 7 02:48:05 gateway firewall6: Starting firewall6: [FAILED]
    [/code]


    Restarting the firewall6 service does nothing but produce another "Firewall entered panic mode" message in my event viewer.

    /etc/clearos/firewall.d/local is empty.

    netstat -nlp | grep squid
    tcp 0 0 100.1.100.1:3128 0.0.0.0:* LISTEN 779/(squid-1)
    tcp 0 0 127.0.0.1:3128 0.0.0.0:* LISTEN 779/(squid-1)
    tcp6 0 0 ::1:3128 :::* LISTEN 779/(squid-1)
    udp 0 0 0.0.0.0:43331 0.0.0.0:* 779/(squid-1)
    udp6 0 0 :::43987 :::* 779/(squid-1)


    I tried uninstalling the IDS and content filter updates. It changed nothing.
  • Accepted Answer

    Monday, March 07 2016, 07:43 AM - #Permalink
    Resolved
    0 votes
    I cannot see the word panic (upper, lower or mixed case) anywhere in the output you just posted in your last append. So does this mean that the symptoms have changed to "Starting firewall6: [FAILED]"?

    I'd also like to add I have paid subscriptions to IDS and Content Filter Blacklists. I am using dansguardian with the ClearOS subscription.

    I have none of these, so really cannot test any further - do you still have the problem with them all disabled? If so, raise a support ticket. If it fails with them disabled I am not sure what more to suggest...
    [code]
    [root@sandra ~]# grep firewall6 /var/log/messages
    Mar 4 09:32:46 sandra firewall6: Starting firewall6: [ OK ]
    Mar 7 16:14:30 sandra firewall6: Starting firewall6: [ OK ]
    Mar 7 18:16:26 sandra firewall6: Starting firewall6: [ OK ]
    [root@sandra ~]#
    [/code]
    Anything of value in "systemctl restart firewallv6.service"
    What's the output of "cat /etc/clearos/firewall.d/local"
    What's the output of "netstat -nlp | grep squid"
  • Accepted Answer

    Joe Shmo
    Monday, March 07 2016, 06:16 AM - #Permalink
    Resolved
    0 votes
    Tony Ellis wrote:

    Did you really disable ipv6? Use netstat -nlp | egrep 'tcp6|udp6' to check... An example :-

    [root@sandra ~]# netstat -nlp | egrep 'tcp6|udp6'
    tcp6 0 0 :::110 :::* LISTEN 2928/cyrus-master
    tcp6 0 0 :::143 :::* LISTEN 2928/cyrus-master
    tcp6 0 0 :::80 :::* LISTEN 638/httpd
    tcp6 0 0 :::81 :::* LISTEN 729/webconfig
    tcp6 0 0 :::82 :::* LISTEN 729/webconfig
    tcp6 0 0 :::83 :::* LISTEN 729/webconfig
    tcp6 0 0 :::22 :::* LISTEN 647/sshd
    tcp6 0 0 ::1:3128 :::* LISTEN 760/(squid-1)
    tcp6 0 0 :::443 :::* LISTEN 638/httpd
    udp6 0 0 ::1:323 :::* 648/chronyd
    udp6 0 0 :::37318 :::* 760/(squid-1)
    [root@sandra ~]#

    Note that squid is there...
    and
    [code]
    [root@sandra ~]# egrep 'IPv6:|ip6_tables' /var/log/messages
    ...
    Mar 7 14:39:24 sandra kernel: IPv6: ADDRCONF(NETDEV_UP): enp0s10: link is not ready
    Mar 7 14:39:27 sandra kernel: IPv6: ADDRCONF(NETDEV_CHANGE): enp0s10: link becomes ready
    Mar 7 14:39:28 sandra kernel: IPv6: ADDRCONF(NETDEV_UP): enp0s14: link is not ready
    Mar 7 14:39:29 sandra kernel: IPv6: ADDRCONF(NETDEV_CHANGE): enp0s14: link becomes ready
    Mar 7 14:39:31 sandra kernel: ip6_tables: (C) 2000-2006 Netfilter Core Team
    [root@sandra ~]#
    [/code]
    What is your result? I found I couldn't disable ipv6 completely for some reason
    I installed the newer kernel, ipv6 NOT disabled, and got this with squid in non-transparent mode...

    [root@sandra ~]# systemctl status firewall.service
    ● firewall.service - SYSV: ClearOS firewall
    Loaded: loaded (/etc/rc.d/init.d/firewall)
    Active: active (exited) since Mon 2016-03-07 16:14:40 AEDT; 2min 19s ago
    Docs: man:systemd-sysv-generator(8)
    Process: 3415 ExecStop=/etc/rc.d/init.d/firewall stop (code=exited, status=0/SUCCESS)
    Process: 3435 ExecStart=/etc/rc.d/init.d/firewall start (code=exited, status=0/SUCCESS)

    Mar 07 16:14:40 sandra.sraellis.com firewall[3452]: Running user-defined proxy rules
    Mar 07 16:14:40 sandra.sraellis.com firewall[3452]: Content filter is offline
    Mar 07 16:14:40 sandra.sraellis.com firewall[3452]: Web proxy is online
    Mar 07 16:14:40 sandra.sraellis.com firewall[3452]: Running multipath
    Mar 07 16:14:40 sandra.sraellis.com firewall[3531]: Running post-firewall 20720
    Mar 07 16:14:40 sandra.sraellis.com firewall[3532]: Running /etc/clearos/firewall.d/local
    Mar 07 16:14:40 sandra.sraellis.com firewall[3533]: # This script is run after every firewall restart. Add custom rules here.
    Mar 07 16:14:40 sandra.sraellis.com firewall[3539]: Running /etc/clearos/firewall.d/10-intrusion-prevention
    Mar 07 16:14:40 sandra.sraellis.com firewall[3435]: Starting firewall: [ OK ]
    Mar 07 16:14:40 sandra.sraellis.com systemd[1]: Started SYSV: ClearOS firewall.
    [root@sandra ~]#
    [root@sandra ~]# systemctl status squid.service
    ● squid.service - Squid caching proxy
    Loaded: loaded (/usr/lib/systemd/system/squid.service; enabled; vendor preset: disabled)
    Active: active (running) since Mon 2016-03-07 16:14:19 AEDT; 3min 5s ago
    Process: 736 ExecStart=/usr/sbin/squid $SQUID_OPTS -f $SQUID_CONF (code=exited, status=0/SUCCESS)
    Process: 667 ExecStartPre=/usr/libexec/squid/cache_swap.sh (code=exited, status=0/SUCCESS)
    Main PID: 804 (squid)
    CGroup: /system.slice/squid.service
    ├─804 /usr/sbin/squid -f /etc/squid/squid.conf
    ├─806 (squid-1) -f /etc/squid/squid.conf
    ├─866 (ext_unix_group_acl) -p
    ├─867 (ext_unix_group_acl) -p
    ├─868 (ext_unix_group_acl) -p
    ├─869 (ext_unix_group_acl) -p
    ├─870 (ext_unix_group_acl) -p
    └─933 (unlinkd)

    Mar 07 16:14:18 sandra.sraellis.com systemd[1]: Starting Squid caching proxy...
    Mar 07 16:14:19 sandra.sraellis.com squid[804]: Squid Parent: will start 1 kids
    Mar 07 16:14:19 sandra.sraellis.com squid[804]: Squid Parent: (squid-1) process 806 started
    Mar 07 16:14:19 sandra.sraellis.com systemd[1]: Started Squid caching proxy.
    [root@sandra ~]# grep firewall /var/log/messages
    ...
    Mar 7 16:14:27 sandra systemd: Starting SYSV: ClearOS firewall...
    Mar 7 16:14:27 sandra systemd: Starting SYSV: ClearOS firewall...
    Mar 7 16:14:30 sandra firewall: Starting firewall: [ OK ]
    Mar 7 16:14:30 sandra firewall6: Starting firewall6: [ OK ]
    Mar 7 16:14:30 sandra systemd: Started SYSV: ClearOS firewall.
    Mar 7 16:14:30 sandra systemd: Started SYSV: ClearOS firewall.
    Mar 7 16:14:39 sandra systemd: Stopping SYSV: ClearOS firewall...
    Mar 7 16:14:39 sandra firewall: nat mangle filter
    Mar 7 16:14:39 sandra firewall: [ OK ]#015[ OK ]#015Resetting built-in chains to the default ACCEPT policy:[ OK ]
    Mar 7 16:14:39 sandra systemd: Starting SYSV: ClearOS firewall...
    Mar 7 16:14:40 sandra firewall: Starting firewall: [ OK ]
    Mar 7 16:14:40 sandra systemd: Started SYSV: ClearOS firewall.
    [root@sandra ~]#

    checked in transparent mode - still OK.
    Well almost... in either mode without restarting the squid service, it doesn't listen on the ipv4 interface, which a "systemctl restart squid.service" fixes. Have the same problem with webconfig as reported elsewhere.
    Are you using the Content Filter? What do you see different to mine with these commands?


    [root@gateway ~]# egrep 'IPv6:|ip6_tables' /var/log/messages
    Mar 7 00:39:17 localhost kernel: ip6_tables: (C) 2000-2006 Netfilter Core Team
    Mar 7 00:40:27 localhost kernel: IPv6: ADDRCONF(NETDEV_UP): ens33: link is not ready
    Mar 7 00:40:27 localhost kernel: IPv6: ADDRCONF(NETDEV_CHANGE): ens33: link becomes ready
    Mar 7 00:40:41 localhost kernel: IPv6: ADDRCONF(NETDEV_UP): ens35: link is not ready
    Mar 7 00:40:41 localhost kernel: IPv6: ADDRCONF(NETDEV_CHANGE): ens35: link becomes ready
    Mar 7 00:54:56 gateway kernel: IPv6: ADDRCONF(NETDEV_UP): ens32: link is not ready
    Mar 7 00:54:56 gateway kernel: IPv6: ADDRCONF(NETDEV_CHANGE): ens32: link becomes ready
    Mar 7 00:54:58 gateway kernel: IPv6: ADDRCONF(NETDEV_UP): ens33: link is not ready
    Mar 7 00:54:58 gateway kernel: IPv6: ADDRCONF(NETDEV_CHANGE): ens33: link becomes ready
    Mar 7 00:55:01 gateway kernel: IPv6: ADDRCONF(NETDEV_UP): ens35: link is not ready
    Mar 7 00:55:01 gateway kernel: IPv6: ADDRCONF(NETDEV_CHANGE): ens35: link becomes ready
    Mar 7 00:55:04 gateway kernel: ip6_tables: (C) 2000-2006 Netfilter Core Team
    Mar 7 01:03:47 gateway kernel: IPv6: ADDRCONF(NETDEV_UP): ens32: link is not ready
    Mar 7 01:03:47 gateway kernel: IPv6: ADDRCONF(NETDEV_CHANGE): ens32: link becomes ready
    Mar 7 01:03:49 gateway kernel: IPv6: ADDRCONF(NETDEV_UP): ens33: link is not ready
    Mar 7 01:03:49 gateway kernel: IPv6: ADDRCONF(NETDEV_CHANGE): ens33: link becomes ready
    Mar 7 01:03:52 gateway kernel: IPv6: ADDRCONF(NETDEV_UP): ens35: link is not ready
    Mar 7 01:03:52 gateway kernel: IPv6: ADDRCONF(NETDEV_CHANGE): ens35: link becomes ready
    Mar 7 01:03:55 gateway kernel: ip6_tables: (C) 2000-2006 Netfilter Core Team
    Mar 7 01:11:58 gateway kernel: IPv6: ADDRCONF(NETDEV_UP): ens32: link is not ready
    Mar 7 01:11:58 gateway kernel: IPv6: ADDRCONF(NETDEV_CHANGE): ens32: link becomes ready
    Mar 7 01:12:01 gateway kernel: IPv6: ADDRCONF(NETDEV_UP): ens33: link is not ready
    Mar 7 01:12:01 gateway kernel: IPv6: ADDRCONF(NETDEV_CHANGE): ens33: link becomes ready
    Mar 7 01:12:03 gateway kernel: IPv6: ADDRCONF(NETDEV_UP): ens35: link is not ready
    Mar 7 01:12:03 gateway kernel: IPv6: ADDRCONF(NETDEV_CHANGE): ens35: link becomes ready
    Mar 7 01:12:06 gateway kernel: ip6_tables: (C) 2000-2006 Netfilter Core Team


    [root@gateway ~]# systemctl status firewall.service -l
    ● firewall.service - SYSV: ClearOS firewall
    Loaded: loaded (/etc/rc.d/init.d/firewall)
    Active: active (exited) since Mon 2016-03-07 01:12:10 EST; 2min 31s ago
    Docs: man:systemd-sysv-generator(8)
    Process: 3039 ExecStop=/etc/rc.d/init.d/firewall stop (code=exited, status=0/SUCCESS)
    Process: 3059 ExecStart=/etc/rc.d/init.d/firewall start (code=exited, status=0/SUCCESS)

    Mar 07 01:12:09 gateway.sindonihome.lan firewall[3076]: Web proxy is online
    Mar 07 01:12:09 gateway.sindonihome.lan firewall[3076]: Enabled proxy+filter transparent mode for filter port: 8080
    Mar 07 01:12:09 gateway.sindonihome.lan firewall[3076]: Blocking proxy port 3128 to force users through content filter
    Mar 07 01:12:09 gateway.sindonihome.lan firewall[3076]: Running multipath
    Mar 07 01:12:09 gateway.sindonihome.lan firewall[3076]: Enabling NAT on WAN interface ens32
    Mar 07 01:12:09 gateway.sindonihome.lan firewall[3076]: Running user-defined outgoing block rules
    Mar 07 01:12:09 gateway.sindonihome.lan firewall[3076]: Running default forwarding rules
    Mar 07 01:12:09 gateway.sindonihome.lan firewall[3076]: Execution time: 0.325s
    Mar 07 01:12:10 gateway.sindonihome.lan firewall[3059]: Starting firewall: [ OK ]
    Mar 07 01:12:10 gateway.sindonihome.lan systemd[1]: Started SYSV: ClearOS firewall.


    [root@gateway ~]# systemctl status squid.service
    ● squid.service - Squid caching proxy
    Loaded: loaded (/usr/lib/systemd/system/squid.service; enabled; vendor preset: disabled)
    Active: active (running) since Mon 2016-03-07 01:11:57 EST; 3min 10s ago
    Process: 697 ExecStart=/usr/sbin/squid $SQUID_OPTS -f $SQUID_CONF (code=exited, status=0/SUCCESS)
    Process: 658 ExecStartPre=/usr/libexec/squid/cache_swap.sh (code=exited, status=0/SUCCESS)
    Main PID: 771 (squid)
    CGroup: /system.slice/squid.service
    ├─771 /usr/sbin/squid -f /etc/squid/squid.conf
    ├─779 (squid-1) -f /etc/squid/squid.conf
    ├─795 (ext_unix_group_acl) -p
    ├─801 (ext_unix_group_acl) -p
    ├─813 (ext_unix_group_acl) -p
    ├─830 (ext_unix_group_acl) -p
    ├─834 (ext_unix_group_acl) -p
    └─860 (unlinkd)

    Mar 07 01:11:57 gateway.sindonihome.lan systemd[1]: Starting Squid caching proxy...
    Mar 07 01:11:57 gateway.sindonihome.lan systemd[1]: Started Squid caching proxy.
    Mar 07 01:11:57 gateway.sindonihome.lan squid[771]: Squid Parent: will start 1 kids
    Mar 07 01:11:57 gateway.sindonihome.lan squid[771]: Squid Parent: (squid-1) process 779 started


    [root@gateway ~]# grep firewall /var/log/messages
    Mar 7 00:39:17 localhost systemd: Starting SYSV: ClearOS firewall...
    Mar 7 00:39:17 localhost systemd: Starting SYSV: ClearOS firewall...
    Mar 7 00:39:18 localhost firewall: Starting firewall: [ OK ]
    Mar 7 00:39:18 localhost firewall6: Starting firewall6: [ OK ]
    Mar 7 00:39:18 localhost systemd: Started SYSV: ClearOS firewall.
    Mar 7 00:39:18 localhost systemd: Started SYSV: ClearOS firewall.
    Mar 7 00:39:19 localhost systemd: Stopping SYSV: ClearOS firewall...
    Mar 7 00:39:19 localhost firewall: nat mangle filter
    Resetting built-in chains to the default ACCEPT policy:[ OK ]
    Mar 7 00:39:19 localhost systemd: Starting SYSV: ClearOS firewall...
    Mar 7 00:39:19 localhost firewall: Starting firewall: [ OK ]
    Mar 7 00:39:19 localhost systemd: Started SYSV: ClearOS firewall.
    Mar 7 00:40:30 localhost systemd: Stopping SYSV: ClearOS firewall...
    Mar 7 00:40:30 localhost firewall: nat mangle filter
    Resetting built-in chains to the default ACCEPT policy:[ OK ]
    Mar 7 00:40:30 localhost systemd: Starting SYSV: ClearOS firewall...
    Mar 7 00:40:30 localhost firewall: Starting firewall: [ OK ]
    Mar 7 00:40:30 localhost systemd: Started SYSV: ClearOS firewall.
    Mar 7 00:40:44 localhost systemd: Stopping SYSV: ClearOS firewall...
    Mar 7 00:40:44 localhost firewall: nat mangle filter
    Resetting built-in chains to the default ACCEPT policy:[ OK ]
    Mar 7 00:40:44 localhost systemd: Starting SYSV: ClearOS firewall...
    Mar 7 00:40:44 localhost firewall: Starting firewall: [ OK ]
    Mar 7 00:40:44 localhost systemd: Started SYSV: ClearOS firewall.
    Mar 7 00:41:01 localhost systemd: Stopping SYSV: ClearOS firewall...
    Mar 7 00:41:01 localhost firewall: nat mangle filter
    Resetting built-in chains to the default ACCEPT policy:[ OK ]
    Mar 7 00:41:01 localhost systemd: Starting SYSV: ClearOS firewall...
    Mar 7 00:41:01 localhost firewall: Starting firewall: [ OK ]
    Mar 7 00:41:01 localhost systemd: Started SYSV: ClearOS firewall.
    Mar 7 00:42:10 localhost yum[16431]: Updated: 1:app-firewall-core-2.2.0-1.v7.noarch
    Mar 7 00:42:11 localhost yum[16431]: Updated: 1:app-firewall-2.2.0-1.v7.noarch
    Mar 7 00:42:24 localhost systemd: Stopping SYSV: ClearOS firewall...
    Mar 7 00:42:24 localhost firewall: nat mangle filter
    Resetting built-in chains to the default ACCEPT policy:[ OK ]
    Mar 7 00:42:24 localhost systemd: Starting SYSV: ClearOS firewall...
    Mar 7 00:42:24 localhost firewall: Starting firewall: [ OK ]
    Mar 7 00:42:24 localhost systemd: Started SYSV: ClearOS firewall.
    Mar 7 00:42:35 localhost systemd: Stopping SYSV: ClearOS firewall...
    Mar 7 00:42:35 localhost firewall: nat mangle filter
    Resetting built-in chains to the default ACCEPT policy:[ OK ]
    Mar 7 00:42:35 localhost systemd: Starting SYSV: ClearOS firewall...
    Mar 7 00:42:35 localhost firewall: Starting firewall: [ OK ]
    Mar 7 00:42:35 localhost systemd: Started SYSV: ClearOS firewall.
    Mar 7 00:45:27 gateway systemd: Starting SYSV: SnortSAM dynamic firewall plug-in for Snort...
    Mar 7 00:45:28 gateway systemd: Started SYSV: SnortSAM dynamic firewall plug-in for Snort.
    Mar 7 00:45:28 gateway yum[18538]: Installed: 1:app-firewall-custom-core-2.1.6-1.v7.noarch
    Mar 7 00:45:41 gateway systemd: Stopping SYSV: ClearOS firewall...
    Mar 7 00:45:41 gateway firewall: nat mangle filter
    Resetting built-in chains to the default ACCEPT policy:[ OK ]
    Mar 7 00:45:41 gateway systemd: Starting SYSV: ClearOS firewall...
    Mar 7 00:45:42 gateway firewall: Starting firewall: [ OK ]
    Mar 7 00:45:42 gateway systemd: Started SYSV: ClearOS firewall.
    Mar 7 00:45:42 gateway systemd: Stopping SYSV: SnortSAM dynamic firewall plug-in for Snort...
    Mar 7 00:45:43 gateway systemd: Starting SYSV: SnortSAM dynamic firewall plug-in for Snort...
    Mar 7 00:45:43 gateway systemd: Started SYSV: SnortSAM dynamic firewall plug-in for Snort.
    Mar 7 00:45:49 gateway yum[18538]: Installed: 1:app-firewall-custom-2.1.6-1.v7.noarch
    Mar 7 00:49:24 gateway systemd: Stopping SYSV: SnortSAM dynamic firewall plug-in for Snort...
    Mar 7 00:49:25 gateway systemd: Starting SYSV: SnortSAM dynamic firewall plug-in for Snort...
    Mar 7 00:49:26 gateway systemd: Started SYSV: SnortSAM dynamic firewall plug-in for Snort.
    Mar 7 00:49:26 gateway systemd: Stopping SYSV: ClearOS firewall...
    Mar 7 00:49:26 gateway firewall: nat mangle filter
    Resetting built-in chains to the default ACCEPT policy:[ OK ]
    Mar 7 00:49:26 gateway systemd: Starting SYSV: ClearOS firewall...
    Mar 7 00:49:26 gateway firewall: Starting firewall: [ OK ]
    Mar 7 00:49:26 gateway systemd: Started SYSV: ClearOS firewall.
    Mar 7 00:50:11 gateway yum[27871]: Updated: firewalld-0.3.9-14.el7.noarch
    Mar 7 00:50:20 gateway systemd: Stopping SYSV: ClearOS firewall...
    Mar 7 00:50:20 gateway firewall: nat mangle filter
    Mar 7 00:50:20 gateway firewall: [ OK ]#015[ OK ]#015Resetting built-in chains to the default ACCEPT policy:[ OK ]
    Mar 7 00:50:20 gateway systemd: Starting SYSV: ClearOS firewall...
    Mar 7 00:50:21 gateway firewall: Starting firewall: [ OK ]
    Mar 7 00:50:21 gateway systemd: Started SYSV: ClearOS firewall.
    Mar 7 00:50:21 gateway systemd: Stopping SYSV: SnortSAM dynamic firewall plug-in for Snort...
    Mar 7 00:50:22 gateway systemd: Starting SYSV: SnortSAM dynamic firewall plug-in for Snort...
    Mar 7 00:50:22 gateway systemd: Started SYSV: SnortSAM dynamic firewall plug-in for Snort.
    Mar 7 00:54:08 gateway systemd: Stopping SYSV: ClearOS firewall...
    Mar 7 00:54:08 gateway firewall: nat mangle filter
    Mar 7 00:54:08 gateway firewall: [ OK ]#015[ OK ]#015Resetting built-in chains to the default ACCEPT policy:[ OK ]
    Mar 7 00:54:08 gateway systemd: Starting SYSV: ClearOS firewall...
    Mar 7 00:54:08 gateway firewall: Starting firewall: [ OK ]
    Mar 7 00:54:08 gateway systemd: Started SYSV: ClearOS firewall.
    Mar 7 00:55:04 gateway systemd: Starting SYSV: ClearOS firewall...
    Mar 7 00:55:04 gateway systemd: Starting SYSV: ClearOS firewall...
    Mar 7 00:55:05 gateway firewall: Starting firewall: [ OK ]
    Mar 7 00:55:05 gateway systemd: Started SYSV: ClearOS firewall.
    Mar 7 00:55:05 gateway firewall6: Starting firewall6: [FAILED]
    Mar 7 00:55:05 gateway systemd: Started SYSV: ClearOS firewall.
    Mar 7 00:55:05 gateway systemd: Starting SYSV: SnortSAM dynamic firewall plug-in for Snort...
    Mar 7 00:55:07 gateway systemd: Started SYSV: SnortSAM dynamic firewall plug-in for Snort.
    Mar 7 00:55:07 gateway systemd: Stopping SYSV: ClearOS firewall...
    Mar 7 00:55:07 gateway firewall: nat mangle filter
    Mar 7 00:55:07 gateway firewall: [ OK ]#015[ OK ]#015Resetting built-in chains to the default ACCEPT policy:[ OK ]
    Mar 7 00:55:07 gateway systemd: Starting SYSV: ClearOS firewall...
    Mar 7 00:55:08 gateway firewall: Starting firewall: [ OK ]
    Mar 7 00:55:08 gateway systemd: Started SYSV: ClearOS firewall.
    Mar 7 00:55:08 gateway systemd: Stopping SYSV: SnortSAM dynamic firewall plug-in for Snort...
    Mar 7 00:55:09 gateway systemd: Starting SYSV: SnortSAM dynamic firewall plug-in for Snort...
    Mar 7 00:55:09 gateway systemd: Started SYSV: SnortSAM dynamic firewall plug-in for Snort.
    Mar 7 00:56:48 gateway systemd: Stopping SYSV: ClearOS firewall...
    Mar 7 00:56:48 gateway firewall: nat mangle filter
    Mar 7 00:56:48 gateway firewall: [ OK ]#015[ OK ]#015Resetting built-in chains to the default ACCEPT policy:[ OK ]
    Mar 7 00:56:48 gateway systemd: Starting SYSV: ClearOS firewall...
    Mar 7 00:56:48 gateway firewall: Starting firewall: [ OK ]
    Mar 7 00:56:48 gateway systemd: Started SYSV: ClearOS firewall.
    Mar 7 00:57:47 gateway systemd: Stopping SYSV: ClearOS firewall...
    Mar 7 00:57:47 gateway firewall: nat mangle filter
    Mar 7 00:57:47 gateway firewall: [ OK ]#015[ OK ]#015Resetting built-in chains to the default ACCEPT policy:[ OK ]
    Mar 7 00:57:47 gateway systemd: Starting SYSV: ClearOS firewall...
    Mar 7 00:57:48 gateway firewall: Starting firewall: [ OK ]
    Mar 7 00:57:48 gateway systemd: Started SYSV: ClearOS firewall.
    Mar 7 00:57:48 gateway systemd: Stopping SYSV: ClearOS firewall...
    Mar 7 00:57:48 gateway firewall6: nat mangle filter
    Mar 7 00:57:48 gateway firewall6: [ OK ]#015[ OK ]#015Resetting built-in chains to the default ACCEPT policy:[ OK ]
    Mar 7 00:57:48 gateway systemd: Starting SYSV: ClearOS firewall...
    Mar 7 00:57:50 gateway firewall6: Starting firewall6: [FAILED]
    Mar 7 00:57:50 gateway systemd: Started SYSV: ClearOS firewall.
    Mar 7 00:58:06 gateway systemd: Stopping SYSV: SnortSAM dynamic firewall plug-in for Snort...
    Mar 7 00:58:08 gateway systemd: Starting SYSV: SnortSAM dynamic firewall plug-in for Snort...
    Mar 7 00:58:08 gateway systemd: Started SYSV: SnortSAM dynamic firewall plug-in for Snort.
    Mar 7 00:58:08 gateway systemd: Stopping SYSV: ClearOS firewall...
    Mar 7 00:58:08 gateway firewall: nat mangle filter
    Mar 7 00:58:08 gateway firewall: [ OK ]#015[ OK ]#015Resetting built-in chains to the default ACCEPT policy:[ OK ]
    Mar 7 00:58:08 gateway systemd: Starting SYSV: ClearOS firewall...
    Mar 7 00:58:09 gateway firewall: Starting firewall: [ OK ]
    Mar 7 00:58:09 gateway systemd: Started SYSV: ClearOS firewall.
    Mar 7 00:58:10 gateway systemd: Stopping SYSV: SnortSAM dynamic firewall plug-in for Snort...
    Mar 7 00:58:11 gateway systemd: Starting SYSV: SnortSAM dynamic firewall plug-in for Snort...
    Mar 7 00:58:11 gateway systemd: Started SYSV: SnortSAM dynamic firewall plug-in for Snort.
    Mar 7 01:03:54 gateway systemd: Starting SYSV: ClearOS firewall...
    Mar 7 01:03:54 gateway systemd: Starting SYSV: ClearOS firewall...
    Mar 7 01:03:56 gateway firewall6: Starting firewall6: [FAILED]
    Mar 7 01:03:56 gateway systemd: Started SYSV: ClearOS firewall.
    Mar 7 01:03:56 gateway firewall: Starting firewall: [ OK ]
    Mar 7 01:03:56 gateway systemd: Started SYSV: ClearOS firewall.
    Mar 7 01:03:56 gateway systemd: Starting SYSV: SnortSAM dynamic firewall plug-in for Snort...
    Mar 7 01:03:58 gateway systemd: Started SYSV: SnortSAM dynamic firewall plug-in for Snort.
    Mar 7 01:03:58 gateway systemd: Stopping SYSV: ClearOS firewall...
    Mar 7 01:03:58 gateway firewall: nat mangle filter
    Mar 7 01:03:58 gateway firewall: [ OK ]#015[ OK ]#015Resetting built-in chains to the default ACCEPT policy:[ OK ]
    Mar 7 01:03:58 gateway systemd: Starting SYSV: ClearOS firewall...
    Mar 7 01:03:59 gateway firewall: Starting firewall: [ OK ]
    Mar 7 01:03:59 gateway systemd: Started SYSV: ClearOS firewall.
    Mar 7 01:03:59 gateway systemd: Stopping SYSV: SnortSAM dynamic firewall plug-in for Snort...
    Mar 7 01:04:00 gateway systemd: Starting SYSV: SnortSAM dynamic firewall plug-in for Snort...
    Mar 7 01:04:00 gateway systemd: Started SYSV: SnortSAM dynamic firewall plug-in for Snort.
    Mar 7 01:10:14 gateway systemd: Stopping SYSV: ClearOS firewall...
    Mar 7 01:10:14 gateway firewall: nat mangle filter
    Mar 7 01:10:14 gateway firewall: [ OK ]#015[ OK ]#015Resetting built-in chains to the default ACCEPT policy:[ OK ]
    Mar 7 01:10:14 gateway systemd: Starting SYSV: ClearOS firewall...
    Mar 7 01:10:14 gateway firewall: Starting firewall: [ OK ]
    Mar 7 01:10:14 gateway systemd: Started SYSV: ClearOS firewall.
    Mar 7 01:10:19 gateway systemd: Stopping SYSV: ClearOS firewall...
    Mar 7 01:10:19 gateway firewall: nat mangle filter
    Mar 7 01:10:19 gateway firewall: [ OK ]#015[ OK ]#015Resetting built-in chains to the default ACCEPT policy:[ OK ]
    Mar 7 01:10:19 gateway systemd: Starting SYSV: ClearOS firewall...
    Mar 7 01:10:19 gateway firewall: Starting firewall: [ OK ]
    Mar 7 01:10:19 gateway systemd: Started SYSV: ClearOS firewall.
    Mar 7 01:12:05 gateway systemd: Starting SYSV: ClearOS firewall...
    Mar 7 01:12:05 gateway systemd: Starting SYSV: ClearOS firewall...
    Mar 7 01:12:07 gateway firewall6: Starting firewall6: [FAILED]
    Mar 7 01:12:07 gateway systemd: Started SYSV: ClearOS firewall.
    Mar 7 01:12:07 gateway firewall: Starting firewall: [ OK ]
    Mar 7 01:12:07 gateway systemd: Started SYSV: ClearOS firewall.
    Mar 7 01:12:07 gateway systemd: Starting SYSV: SnortSAM dynamic firewall plug-in for Snort...
    Mar 7 01:12:09 gateway systemd: Started SYSV: SnortSAM dynamic firewall plug-in for Snort.
    Mar 7 01:12:09 gateway systemd: Stopping SYSV: ClearOS firewall...
    Mar 7 01:12:09 gateway firewall: nat mangle filter
    Mar 7 01:12:09 gateway firewall: [ OK ]#015[ OK ]#015Resetting built-in chains to the default ACCEPT policy:[ OK ]
    Mar 7 01:12:09 gateway systemd: Starting SYSV: ClearOS firewall...
    Mar 7 01:12:10 gateway firewall: Starting firewall: [ OK ]
    Mar 7 01:12:10 gateway systemd: Started SYSV: ClearOS firewall.
    Mar 7 01:12:10 gateway systemd: Stopping SYSV: SnortSAM dynamic firewall plug-in for Snort...
    Mar 7 01:12:11 gateway systemd: Starting SYSV: SnortSAM dynamic firewall plug-in for Snort...
    Mar 7 01:12:11 gateway systemd: Started SYSV: SnortSAM dynamic firewall plug-in for Snort.


    I tried my best to disable IPv6. I followed the guide, but firewall6 continued to fail. I went as far as reinstalling everything. Even without restoring my backup, it still failed (and continues to). I'm kind of at a loss here. I'd also like to add I have paid subscriptions to IDS and Content Filter Blacklists. I am using dansguardian with the ClearOS subscription.
  • Accepted Answer

    Monday, March 07 2016, 05:45 AM - #Permalink
    Resolved
    0 votes
    Did you really disable ipv6? Use netstat -nlp | egrep 'tcp6|udp6' to check... An example :-

    [root@sandra ~]# netstat -nlp | egrep 'tcp6|udp6'
    tcp6 0 0 :::110 :::* LISTEN 2928/cyrus-master
    tcp6 0 0 :::143 :::* LISTEN 2928/cyrus-master
    tcp6 0 0 :::80 :::* LISTEN 638/httpd
    tcp6 0 0 :::81 :::* LISTEN 729/webconfig
    tcp6 0 0 :::82 :::* LISTEN 729/webconfig
    tcp6 0 0 :::83 :::* LISTEN 729/webconfig
    tcp6 0 0 :::22 :::* LISTEN 647/sshd
    tcp6 0 0 ::1:3128 :::* LISTEN 760/(squid-1)
    tcp6 0 0 :::443 :::* LISTEN 638/httpd
    udp6 0 0 ::1:323 :::* 648/chronyd
    udp6 0 0 :::37318 :::* 760/(squid-1)
    [root@sandra ~]#

    Note that squid is there...
    and
    [code]
    [root@sandra ~]# egrep 'IPv6:|ip6_tables' /var/log/messages
    ...
    Mar 7 14:39:24 sandra kernel: IPv6: ADDRCONF(NETDEV_UP): enp0s10: link is not ready
    Mar 7 14:39:27 sandra kernel: IPv6: ADDRCONF(NETDEV_CHANGE): enp0s10: link becomes ready
    Mar 7 14:39:28 sandra kernel: IPv6: ADDRCONF(NETDEV_UP): enp0s14: link is not ready
    Mar 7 14:39:29 sandra kernel: IPv6: ADDRCONF(NETDEV_CHANGE): enp0s14: link becomes ready
    Mar 7 14:39:31 sandra kernel: ip6_tables: (C) 2000-2006 Netfilter Core Team
    [root@sandra ~]#
    [/code]
    What is your result? I found I couldn't disable ipv6 completely for some reason
    I installed the newer kernel, ipv6 NOT disabled, and got this with squid in non-transparent mode...

    [root@sandra ~]# systemctl status firewall.service
    ● firewall.service - SYSV: ClearOS firewall
    Loaded: loaded (/etc/rc.d/init.d/firewall)
    Active: active (exited) since Mon 2016-03-07 16:14:40 AEDT; 2min 19s ago
    Docs: man:systemd-sysv-generator(8)
    Process: 3415 ExecStop=/etc/rc.d/init.d/firewall stop (code=exited, status=0/SUCCESS)
    Process: 3435 ExecStart=/etc/rc.d/init.d/firewall start (code=exited, status=0/SUCCESS)

    Mar 07 16:14:40 sandra.sraellis.com firewall[3452]: Running user-defined proxy rules
    Mar 07 16:14:40 sandra.sraellis.com firewall[3452]: Content filter is offline
    Mar 07 16:14:40 sandra.sraellis.com firewall[3452]: Web proxy is online
    Mar 07 16:14:40 sandra.sraellis.com firewall[3452]: Running multipath
    Mar 07 16:14:40 sandra.sraellis.com firewall[3531]: Running post-firewall 20720
    Mar 07 16:14:40 sandra.sraellis.com firewall[3532]: Running /etc/clearos/firewall.d/local
    Mar 07 16:14:40 sandra.sraellis.com firewall[3533]: # This script is run after every firewall restart. Add custom rules here.
    Mar 07 16:14:40 sandra.sraellis.com firewall[3539]: Running /etc/clearos/firewall.d/10-intrusion-prevention
    Mar 07 16:14:40 sandra.sraellis.com firewall[3435]: Starting firewall: [ OK ]
    Mar 07 16:14:40 sandra.sraellis.com systemd[1]: Started SYSV: ClearOS firewall.
    [root@sandra ~]#
    [root@sandra ~]# systemctl status squid.service
    ● squid.service - Squid caching proxy
    Loaded: loaded (/usr/lib/systemd/system/squid.service; enabled; vendor preset: disabled)
    Active: active (running) since Mon 2016-03-07 16:14:19 AEDT; 3min 5s ago
    Process: 736 ExecStart=/usr/sbin/squid $SQUID_OPTS -f $SQUID_CONF (code=exited, status=0/SUCCESS)
    Process: 667 ExecStartPre=/usr/libexec/squid/cache_swap.sh (code=exited, status=0/SUCCESS)
    Main PID: 804 (squid)
    CGroup: /system.slice/squid.service
    ├─804 /usr/sbin/squid -f /etc/squid/squid.conf
    ├─806 (squid-1) -f /etc/squid/squid.conf
    ├─866 (ext_unix_group_acl) -p
    ├─867 (ext_unix_group_acl) -p
    ├─868 (ext_unix_group_acl) -p
    ├─869 (ext_unix_group_acl) -p
    ├─870 (ext_unix_group_acl) -p
    └─933 (unlinkd)

    Mar 07 16:14:18 sandra.sraellis.com systemd[1]: Starting Squid caching proxy...
    Mar 07 16:14:19 sandra.sraellis.com squid[804]: Squid Parent: will start 1 kids
    Mar 07 16:14:19 sandra.sraellis.com squid[804]: Squid Parent: (squid-1) process 806 started
    Mar 07 16:14:19 sandra.sraellis.com systemd[1]: Started Squid caching proxy.
    [root@sandra ~]# grep firewall /var/log/messages
    ...
    Mar 7 16:14:27 sandra systemd: Starting SYSV: ClearOS firewall...
    Mar 7 16:14:27 sandra systemd: Starting SYSV: ClearOS firewall...
    Mar 7 16:14:30 sandra firewall: Starting firewall: [ OK ]
    Mar 7 16:14:30 sandra firewall6: Starting firewall6: [ OK ]
    Mar 7 16:14:30 sandra systemd: Started SYSV: ClearOS firewall.
    Mar 7 16:14:30 sandra systemd: Started SYSV: ClearOS firewall.
    Mar 7 16:14:39 sandra systemd: Stopping SYSV: ClearOS firewall...
    Mar 7 16:14:39 sandra firewall: nat mangle filter
    Mar 7 16:14:39 sandra firewall: [ OK ]#015[ OK ]#015Resetting built-in chains to the default ACCEPT policy:[ OK ]
    Mar 7 16:14:39 sandra systemd: Starting SYSV: ClearOS firewall...
    Mar 7 16:14:40 sandra firewall: Starting firewall: [ OK ]
    Mar 7 16:14:40 sandra systemd: Started SYSV: ClearOS firewall.
    [root@sandra ~]#

    Checked in transparent mode - still OK.
    Well almost... in either mode, without restarting the squid service, it doesn't listen on the IPv4 interface, which a "systemctl restart squid.service" fixes. I have the same problem with webconfig as reported elsewhere.
    Are you using the Content Filter? What do you see different to mine with these commands?
  • Accepted Answer

    Joe Shmo
    Saturday, March 05 2016, 04:19 PM - #Permalink
    Resolved
    0 votes
    Tony Ellis wrote:

    Well, I cannot predict if it will solve your problem or not. It did for someone else. Why don't you try it? The only thing you will lose is the time it takes and you can always go back to your present one. When the machine first boots just move the highlighted line down to the older kernel and hit enter... The directions are on the screen.


    I tried the alternate kernel. It's still entering panic mode.
  • Accepted Answer

    Thursday, March 03 2016, 09:57 PM - #Permalink
    Resolved
    0 votes
    Well, I cannot predict if it will solve your problem or not. It did for someone else. Why don't you try it? The only thing you will lose is the time it takes and you can always go back to your present one. When the machine first boots just move the highlighted line down to the older kernel and hit enter... The directions are on the screen.
  • Accepted Answer

    Joe Shmo
    Thursday, March 03 2016, 02:47 PM - #Permalink
    Resolved
    0 votes
    Tony Ellis wrote:

    Which kernel are you running? Hint: "uname -r"

    See also this append :-
    https://www.clearos.com/clearfoundation/social/community/firewall-in-panic-mode-after-restart

    Just done a test install of ClearOS 7.2 and running kernel "3.10.0-229.7.2.v7.x86_64" and proxy with no panic...


    3.10.0-327.3.1.el7.x86_64 is the version of my kernel. Should I somehow switch them?
  • Accepted Answer

    Thursday, March 03 2016, 08:37 AM - #Permalink
    Resolved
    0 votes
    Which kernel are you running? Hint: "uname -r"

    See also this append :-
    https://www.clearos.com/clearfoundation/social/community/firewall-in-panic-mode-after-restart

    Just done a test install of ClearOS 7.2 and running kernel "3.10.0-229.7.2.v7.x86_64" and proxy with no panic...
  • Accepted Answer

    Joe Shmo
    Wednesday, March 02 2016, 02:14 PM - #Permalink
    Resolved
    0 votes
    I disabled IPv6 per the post you mentioned. It still enters panic mode.
  • Accepted Answer

    Friday, February 26 2016, 12:55 PM - #Permalink
    Resolved
    0 votes
    This may work to disable IPv6.
  • Accepted Answer

    Joe Shmo
    Friday, February 26 2016, 10:57 AM - #Permalink
    Resolved
    0 votes
    Nick Howitt wrote:

    Are you seeing anything in /var/log/messages or /var/log/system to indicate why the firewall is panicking?


    Here is a link to my messages log. I only see firewall6 failing. How do I disable IPv6?
  • Accepted Answer

    Friday, February 26 2016, 01:03 AM - #Permalink
    Resolved
    0 votes
    This was happening to me on a fresh install of ClearOS 7. Every single restart with the proxy server enabled showed the firewall entering panic mode in the log.

    Then I checked Software Updates (even though I did before and thought I was updated), and there was a huge number of updates available to download. I downloaded them, rebooted, and this error no longer occurs.
  • Accepted Answer

    Thursday, February 25 2016, 04:04 PM - #Permalink
    Resolved
    0 votes
    Are you seeing anything in /var/log/messages or /var/log/system to indicate why the firewall is panicking?