Firewall keeps dropping, how to find in logs

freepbx

#1

My firewall keeps going down and I don’t know where in the logs to look for this (nor which log). I didn’t see it in “full”. Basically, I cleverly have fail2ban running and it starts sending me hundreds of emails when the firewall drops, so I have an idea of when it happened by the date/time on the fail2ban messages. Just need some preliminary diagnostic help.

FreePBX 15.0.16.73
Current Asterisk Version: 16.11.1


(Sergio Lobera) #2

Hi! Did you try to reinstall or upgrade the firewall module?
Try this on your CLI (ssh):

fwconsole ma downloadinstall firewall --tag 15.0.6.26


#3

I’ll give it a try. It has dropped once since I put that message here. Thanks.

I’ll watch to see if it behaves itself. I’m assuming I don’t have something turned up enough in the log, because I could never find any indication about why or where it actually dropped.


#4

Nope, it went down again at about 3:15am


#5

Upgrade both firewall and certman to the current edge modules:

fwconsole ma --edge upgrade firewall certman 

Wait one minute and make sure firewall is active after install, then run:

fwconsole certificates --updateall

And check to make sure the firewall is still active afterwards.

Please report back regardless of success.


(Sergio Lobera) #6

Try with yum update to see if you have some packages available for updates.


#7

Now that I have time for more than a drive-by response…

As mentioned in this partial list of forum posts, LetsEncrypt certificate updates have broken the firewall horribly since the June 8th blog post.

There had been a couple of failed attempts to fix this, and the current stable versions firewall 15.0.6.20 and certman 15.0.25.3 are still broken.

The edge versions (firewall 15.0.6.29/certman 15.0.32) accept my fix. Both firewall and certman need to be updated.

I’ll be the first to call for more real world testing. The approach is enough of a departure that it warrants community acceptance (or rejection) before being promoted to stable.

I also submitted a second round of improvements I think should be adopted before promoting to stable to allow for disabling all “automatic” LetsEncrypt rules.

Discussion is spread among multiple jira tickets making it difficult to follow, but if anyone cares:
https://issues.freepbx.org/browse/FREEPBX-21683
https://issues.freepbx.org/browse/FREEPBX-21734
https://issues.freepbx.org/browse/FREEPBX-21812
https://issues.freepbx.org/browse/FREEPBX-21822


#8

I’ll read through the issues. I added the edge fix and ran both yum update and fwconsole ma upgradeall afterwards.

BTW, the last failure was before I did the edge update of the firewall.

I have made sure that the firewall is still up; now I’ll wait to see if it still behaves.


#9

BTW, I confirmed in Module Admin that I have the 15.0.6.29 System Firewall Module installed.


#10

Just for thoroughness, to tie this back to the certman issue, please report output of:

su asterisk -c 'crontab -l'

I would expect to see /usr/sbin/fwconsole certificates --updateall -q scheduled shortly before the 3:15 time.
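
Added example, not part of the original thread and not FreePBX code: a small filter that takes crontab text and an observed outage time and lists the jobs scheduled shortly before it, which is the check post #10 asks for. The sample crontab, its 03:00 schedule and the hypothetical-* job names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): list cron jobs that fire within a given
# number of minutes before an observed outage time.
# On a live system the input would be: su asterisk -c 'crontab -l'

# Constructed sample crontab; the 03:00 schedule and the hypothetical-* jobs
# are assumptions for illustration only.
sample_crontab() {
cat <<'EOF'
MAILTO=""
# constructed sample, not taken from a real system
0 3 * * * /usr/sbin/fwconsole certificates --updateall -q
*/15 * * * * /usr/local/bin/hypothetical-poll
30 1 * * 0 /usr/local/bin/hypothetical-weekly
EOF
}

# jobs_before HH:MM WINDOW_MINUTES  (crontab text on stdin)
# Only entries with a fixed numeric minute and hour are evaluated; comments,
# VAR= lines, @daily shortcuts and step values such as */15 are skipped.
# Day, month and weekday fields are ignored, so review each match by hand.
jobs_before() {
    awk -v at="$1" -v win="$2" '
    BEGIN { split(at, t, ":"); target = t[1] * 60 + t[2] }
    $1 !~ /^[0-9]+$/ || $2 !~ /^[0-9]+$/ { next }
    {
        sched = $2 * 60 + $1
        delta = (target - sched + 1440) % 1440   # wraps past midnight
        if (delta <= win) {
            cmd = $6
            for (i = 7; i <= NF; i++) cmd = cmd " " $i
            printf "%02d:%02d (-%d min) %s\n", $2, $1, delta, cmd
        }
    }'
}

# Demo on the constructed sample: outage seen at 03:15, look back 30 minutes.
sample_crontab | jobs_before 03:15 30
```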

