
fwconsole certificate update error silently shuts down firewall module


    Details

    • Bug Tracker:
      Customer Issue
    • ToDo:
    • Asterisk Version:
      13.32.0
    • Distro Version:
      14.0.13.37
    • Distro:
      FreePBX Distro
    • Module Fix Version:

      Description

      Summary: certificate renewal via the system cron job has an error/crash which then generates an incrond command (firewall.stopfirewall). This unloads all iptables-related kernel modules and the FreePBX firewall module. A secondary effect of the iptables kernel module unloads is that it breaks fail2ban, along with the system cron 15-minute firewall reload check, as fail2ban is now offline.

      Primary fix: don't unload kernel modules. Secondary fix: why is certificate renewal touching the firewall module anyway?

      -= Walkthrough:
      -= Pre exec:
      [root@xyz ~]# ps -elf | grep voipfirewalld
      4 S root 1986 1 0 80 0 - 100114 do_sig 17:10 ? 00:00:01 php /var/www/html/admin/modules/firewall/hooks/voipfirewalld
      1 S root 2166 1986 0 80 0 - 100050 poll_s 17:10 ? 00:00:00 voipfirewalld (Monitor thread)

      -= exec: fwconsole
      [root@xyz ~]# /usr/local/sbin/fwconsole certificates --updateall
      Certificate named "default" is valid
      There was an error updating certificate "xyz.valid.hostname": REMOTE_ADDR didn't parse -
      [root@xyz ~]#
      -= (note: xyz.valid.hostname is a valid certificate that has been issued by Let's Encrypt and is up for renewal, but not expired)

      -= /var/log/cron entries that then appear:
      Jul 11 17:42:49 xyz incrond[383]: (system::sysadmin) CMD (/usr/bin/sysadmin_manager firewall.stopfirewall)
      Jul 11 17:42:49 xyz sysadmin-hook[7287]: sysadmin hook started - ["\/usr\/bin\/sysadmin_manager","firewall.stopfirewall"]
      Jul 11 17:42:49 xyz sysadmin-hook[7287]: Security check passed. Running '/var/www/html/admin/modules/firewall/hooks/stopfirewall '
      -=

      -= Post exec: (nothing as stopfirewall was called)
      [root@xyz ~]# ps -elf | grep voipfirewalld
      [root@xyz ~]#
      -=

      In addition, the FreePBX administration menu (Connectivity -> Firewall) reports the firewall module is not enabled. Selecting "enable" does restore functionality.

      fail2ban at this point returns error code 100 when attempting to manipulate entries (i.e., ban/unban an IP). Error code 100 generally means the relevant kernel modules have been unloaded.

      Kernel modules when no firewall module:
      -=
      [root@xyz log]# cat /proc/net/ip_tables_matches
      multiport
      icmp
      udplite
      udp
      tcp
      -=

      -= with firewall module:
      [root@xyz log]# cat /proc/net/ip_tables_matches
      mark
      pkttype
      conntrack
      conntrack
      conntrack
      recent
      recent
      icmp
      udplite
      udp
      tcp
      -=
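A post-renewal health check, added here as an example and not part of this bug report or of FreePBX, that recognises the broken state the report describes: voipfirewalld absent from the process list and the match extensions the firewall loads (conntrack, recent, mark, pkttype) gone from /proc/net/ip_tables_matches. The function names, the REQUIRED_MATCHES list and the return-code scheme are this example's own assumptions; the sample listings are constructed from the two /proc/net/ip_tables_matches dumps and the ps output shown above.

```shell
#!/bin/sh
# Example health check (not FreePBX code). Distinguishes the "with firewall
# module" and "no firewall module" states from the bug report so a cron job
# or monitoring agent can alert when a certificate renewal has silently
# stopped the firewall. Names below are this example's own assumptions.

# Match extensions present only in the "with firewall module" listing.
REQUIRED_MATCHES="conntrack recent mark pkttype"

# check_matches CONTENT
#   CONTENT is the text of /proc/net/ip_tables_matches (one match per line).
#   Returns 0 when every required match is listed, 1 otherwise, naming the
#   missing ones on stderr.
check_matches() {
    missing=""
    for m in $REQUIRED_MATCHES; do
        if ! printf '%s\n' "$1" | grep -qx "$m"; then
            missing="$missing $m"
        fi
    done
    if [ -n "$missing" ]; then
        echo "iptables match modules missing:$missing" >&2
        return 1
    fi
    return 0
}

# check_daemon PS_OUTPUT
#   PS_OUTPUT is the text of `ps -elf`. Returns 0 if voipfirewalld is running.
check_daemon() {
    printf '%s\n' "$1" | grep -q 'voipfirewalld'
}

# firewall_healthy MATCHES_CONTENT PS_OUTPUT
#   Bitmask result: 0 healthy, 1 daemon missing, 2 kernel matches missing,
#   3 both (the state the report shows after fwconsole certificates --updateall).
firewall_healthy() {
    rc=0
    check_daemon "$2"  || rc=$((rc + 1))
    check_matches "$1" || rc=$((rc + 2))
    return $rc
}

# Constructed samples reproducing the listings from the report.
WITH_FIREWALL='mark
pkttype
conntrack
conntrack
conntrack
recent
recent
icmp
udplite
udp
tcp'

WITHOUT_FIREWALL='multiport
icmp
udplite
udp
tcp'

PS_RUNNING='4 S root 1986 1 0 80 0 - 100114 do_sig 17:10 ? 00:00:01 php /var/www/html/admin/modules/firewall/hooks/voipfirewalld
1 S root 2166 1986 0 80 0 - 100050 poll_s 17:10 ? 00:00:00 voipfirewalld (Monitor thread)'

PS_STOPPED='4 S root 1 0 0 80 0 - 47 ep_pol 17:10 ? 00:00:01 /usr/lib/systemd/systemd'

# Live check when run on the PBX itself; skipped where /proc or ps is absent.
if [ -r /proc/net/ip_tables_matches ] && command -v ps >/dev/null 2>&1; then
    live_rc=0
    firewall_healthy "$(cat /proc/net/ip_tables_matches)" "$(ps -elf)" || live_rc=$?
    if [ "$live_rc" -eq 0 ]; then
        echo "firewall OK"
    else
        echo "firewall degraded (rc=$live_rc); re-enable under Connectivity -> Firewall" >&2
    fi
fi
```

Run it from the same cron that performs `fwconsole certificates --updateall`, immediately after that command, so the window in which fail2ban is silently inoperative is bounded by the renewal schedule rather than discovered at the next incident.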

People

  • Assignee: jphilip Philip Joseph
  • Reporter: roscoe roscoe
  • Votes: 4
  • Watchers: 14
