Firewall Module - constantly restarting (OpenVZ)

Hello everyone,

As per the title, I am having issues with the Firewall module on my FreePBX installation. It keeps on crashing, yet the Dashboard shows the status of Firewall as ‘online’.

The log file in /tmp/ shows the following error message:

rfw rule 3 not valid (Is '-m recent --rcheck --seconds 86400 --hitcount 1 --name ATTACKER --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --rsource -j fpbxattacker', should start with '-m recent --rcheck --seconds 10 --hitcount 50 --name REPEAT --rsource')
THIS MAY BE A KERNEL ISSUE. IF THIS KEEPS OCCURRING REBOOT YOUR MACHINE URGENTLY.
1588197287: Wall: 'Firewall Rules corrupted! Restarting in 5 seconds
More information available in /tmp/firewall.log
' returned 0
Redirecting to /bin/systemctl stop fail2ban.service
Starting firewall.
1588197305: Monitoring parent (voipfirewalld) died. Shutting down!

I can see that most likely this fails because of the ‘error’ message up in the log which reads:

1588197251: /sbin/ip6tables -w5 -W10000 -A fpbxratelimit -m recent --rcheck --seconds 86400 --hitcount 200 --name REPEAT --rsource -j fpbxattacker
ip6tables: Invalid argument. Run `dmesg' for more information.
1588197251: /sbin/iptables -w5 -W10000 -A fpbxratelimit -m recent --rcheck --seconds 86400 --hitcount 200 --name REPEAT --rsource -j fpbxattacker
iptables: Invalid argument. Run `dmesg' for more information.
1588197251: /sbin/ip6tables -w5 -W10000 -A fpbxratelimit -m recent --rcheck --seconds 300 --hitcount 100 --name REPEAT --rsource -j fpbxattacker
ip6tables: Invalid argument. Run `dmesg' for more information.
1588197251: /sbin/iptables -w5 -W10000 -A fpbxratelimit -m recent --rcheck --seconds 300 --hitcount 100 --name REPEAT --rsource -j fpbxattacker
iptables: Invalid argument. Run `dmesg' for more information.
1588197251: /sbin/ip6tables -w5 -W10000 -A fpbxratelimit -m recent --rcheck --seconds 60 --hitcount 50 --name REPEAT --rsource -j fpbxshortblock
ip6tables: Invalid argument. Run `dmesg' for more information.
1588197251: /sbin/iptables -w5 -W10000 -A fpbxratelimit -m recent --rcheck --seconds 60 --hitcount 50 --name REPEAT --rsource -j fpbxshortblock
iptables: Invalid argument. Run `dmesg' for more information.

I have been doing some digging to ensure that everything is installed/enabled.

Iptables version:
[root]# iptables --version
iptables v1.4.21

ipt_recent or xt_recent loaded:
[root]# lsmod | grep xt_recent
xt_recent 4242 -2

FreePBX version:
FreePBX 15.0.16.49

Linux version:
[root]# cat /etc/os-release
NAME="CentOS Linux"
VERSION="7 (Core)"
ID="centos"
ID_LIKE="rhel fedora"
VERSION_ID="7"
PRETTY_NAME="CentOS Linux 7 (Core)"
ANSI_COLOR="0;31"

CENTOS_MANTISBT_PROJECT="CentOS-7"
CENTOS_MANTISBT_PROJECT_VERSION="7"
REDHAT_SUPPORT_PRODUCT="centos"
REDHAT_SUPPORT_PRODUCT_VERSION="7"

Kernel version:
[root]# uname -r
3.10.0

The system runs on OpenVZ 7.

Unfortunately, I have run out of ideas on what could cause this - is it a bug?

Thanks for looking!
Maciej
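An added triage helper for a firewall.log like the one above (example code, not part of the original post and not FreePBX's own code): it pairs each logged iptables command with the error line that follows it and splits out the `-m recent` options the kernel rejected, and it includes a position-based chain check that mimics the "rfw rule N not valid" message; the exact mechanics of the real watchdog check are assumed, and the log excerpt is constructed from lines quoted in the post.

```python
import re
from datetime import datetime, timezone

# Constructed excerpt of /tmp/firewall.log, built from lines quoted in the post.
FIREWALL_LOG = """\
1588197251: /sbin/iptables -w5 -W10000 -A fpbxratelimit -m recent --rcheck --seconds 86400 --hitcount 200 --name REPEAT --rsource -j fpbxattacker
iptables: Invalid argument. Run `dmesg' for more information.
1588197251: /sbin/iptables -w5 -W10000 -A fpbxratelimit -m recent --rcheck --seconds 300 --hitcount 100 --name REPEAT --rsource -j fpbxattacker
iptables: Invalid argument. Run `dmesg' for more information.
1588197251: /sbin/iptables -w5 -W10000 -A fpbxratelimit -m recent --rcheck --seconds 60 --hitcount 50 --name REPEAT --rsource -j fpbxshortblock
iptables: Invalid argument. Run `dmesg' for more information.
1588197251: /sbin/iptables -w5 -W10000 -A fpbxratelimit -m recent --rcheck --seconds 86400 --hitcount 1 --name ATTACKER --rsource -j fpbxattacker
"""

CMD_RE = re.compile(r"^(\d+): /sbin/(ip6?tables) .* -A (\S+) -m recent (.*?) -j (\S+)$")
ERR_RE = re.compile(r"^ip6?tables: (.+)$")


def failed_rule_inserts(log_text):
    """Pair each logged iptables command with an error line that directly follows it.
    Returns one dict per rejected insert with the recent-match options split out."""
    lines = log_text.splitlines()
    failures = []
    for i, line in enumerate(lines):
        m = CMD_RE.match(line)
        err = ERR_RE.match(lines[i + 1]) if m and i + 1 < len(lines) else None
        if not err:
            continue  # not a command, or the next line is another command (insert succeeded)
        ts, binary, chain, match_args, target = m.groups()
        a = match_args.split()
        opts = {a[j][2:]: a[j + 1] for j in range(len(a) - 1)
                if a[j].startswith("--") and not a[j + 1].startswith("--")}
        failures.append({"time": datetime.fromtimestamp(int(ts), tz=timezone.utc).isoformat(),
                         "binary": binary, "chain": chain, "target": target,
                         "seconds": int(opts["seconds"]), "hitcount": int(opts["hitcount"]),
                         "name": opts["name"], "error": err.group(1)})
    return failures


def first_bad_rule(installed, expected_prefixes):
    """Position check in the spirit of the 'rfw rule N not valid' message (mechanics assumed):
    live rule N must start with expected prefix N. Returns (N, found, wanted) or None."""
    for n, (rule, prefix) in enumerate(zip(installed, expected_prefixes), start=1):
        if not rule.startswith(prefix):
            return n, rule, prefix
    return None
```

Because every rejected insert is missing from the live chain, the rules that did install shift up, so a position-based check reports the first surviving rule as "not valid" even though the rule itself is fine.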

Firewall does not support OpenVZ. I’m on mobile so you can search for other threads for more details if you need them.

Right… I see. Is there a reason for it? I mean, the required modules and kernels are there. Or can it be made to work, only it's not the official/supported way? :)

Thanks!

I think knowing that the creator(s) of the module telling you it’s not supported should be enough. A firewall is too critical to rely on hacking and prayer.

OpenVZ doesn't have control over the network stack needed. It remains with the underlying kernel.


Hi Dicko,

Thank you - that makes sense.

@lgaetz - well, it would have been better if you had actually said what Dicko has. Saying that it's not supported but not giving any reason for it does make one wonder whether it may not be officially supported but is still possible to actually get to work.

Speaking of it - are there any plans to somehow make it work with OpenVZ systems in the future? Or is everything down to the OpenVZ architecture changing the way it allows containers to handle net traffic?

Thanks!

I don’t believe that the dev staff will be devoting any resources to this. There have been past requests in the issue tracker marked as ‘patches welcome’. If the community codes a fix, it could be accepted into the module.

