Firewall error causes system to be unreachable at 00:01 intermittently on VPS  


DannyLarsen
(@dannylarsen)
Estimable Member
Joined: 2 years ago
Posts: 151
13/02/2020 12:18 pm  

Version 2.4.0-5 and Version 2.4.0-3 

I am occasionally seeing VPS servers become unreachable just after midnight. After a restart through the VPS provider console, the problem goes away. In the logs I see this just before it becomes unreachable:

Feb 13 00:01:00 ubsv1 firewalld[475]: WARNING: ICMP type 'beyond-scope' is not supported by the kernel for ipv6.
Feb 13 00:01:00 ubsv1 firewalld[475]: WARNING: beyond-scope: INVALID_ICMPTYPE: No supported ICMP type., ignoring for run-time.
Feb 13 00:01:00 ubsv1 firewalld[475]: WARNING: ICMP type 'failed-policy' is not supported by the kernel for ipv6.
Feb 13 00:01:00 ubsv1 firewalld[475]: WARNING: failed-policy: INVALID_ICMPTYPE: No supported ICMP type., ignoring for run-time.
Feb 13 00:01:00 ubsv1 firewalld[475]: WARNING: ICMP type 'reject-route' is not supported by the kernel for ipv6.
Feb 13 00:01:00 ubsv1 firewalld[475]: WARNING: reject-route: INVALID_ICMPTYPE: No supported ICMP type., ignoring for run-time.
Feb 13 00:01:01 ubsv1 systemd: Started Session 8122 of user root.
Feb 13 00:01:01 ubsv1 systemd: Starting Session 8122 of user root.
Feb 13 00:01:01 ubsv1 systemd: Started Session 8123 of user root.
Feb 13 00:01:01 ubsv1 systemd: Starting Session 8123 of user root.
Feb 13 00:01:01 ubsv1 firewalld[475]: WARNING: '/usr/sbin/ip6tables-restore --wait=2 -n' failed:
Feb 13 00:01:01 ubsv1 firewalld[475]: ERROR: '/usr/sbin/iptables-restore --wait=2 -n' failed:
Feb 13 00:01:01 ubsv1 firewalld[475]: WARNING: COMMAND_FAILED
Feb 13 00:01:01 ubsv1 firewalld[475]: WARNING: '/usr/sbin/ip6tables-restore --wait=2 -n' failed:
Feb 13 00:01:01 ubsv1 firewalld[475]: WARNING: '/usr/sbin/iptables-restore --wait=2 -n' failed:
Feb 13 00:01:01 ubsv1 firewalld[475]: WARNING: '/usr/sbin/ebtables-restore --noflush' failed:
Feb 13 00:01:01 ubsv1 firewalld[475]: ERROR: COMMAND_FAILED
Feb 13 00:01:05 ubsv1 asterisk: [2020-02-13 00:01:05] #033[1;31mWARNING#033[0m[3232]: #033[1;37mchan_sip.c#033[0m:#033[1;37m3832#033[0m #033[1;37m__sip_xmit#033[0m: sip_xmit of 0x7f21741039a0 (len 523) to XXXXXXX:5060 returned -1: Operation not permitted
Feb 13 00:01:05 ubsv1 asterisk: [2020-02-13 00:01:05] #033[1;31mWARNING#033[0m[3232]: #033[1;37mchan_sip.c#033[0m:#033[1;37m3832#033[0m #033[1;37m__sip_xmit#033[0m: sip_xmit of 0x7f2174060500 (len 523) to XXXXXXX.30:5060 returned -1: Operation not permitted
Feb 13 00:01:06 ubsv1 asterisk: [2020-02-13 00:01:06] #033[1;31mWARNING#033[0m[3232]: #033[1;37mchan_sip.c#033[0m:#033[1;37m3832#033[0m #033[1;37m__sip_xmit#033[0m: sip_xmit of 0x7f21741039a0 (len 523) to XXXXXXX:5060 returned -1: Operation not permitted
Feb 13 00:01:06 ubsv1 asterisk: [2020-02-13 00:01:06] #033[1;31mWARNING#033[0m[3232]: #033[1;37mchan_sip.c#033[0m:#033[1;37m3832#033[0m #033[1;37m__sip_xmit#033[0m: sip_xmit of 0x7f2174060500 (len 523) to XXXXXXX:5060 returned -1: Operation not permitted
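
An added example (not part of the original post, and not the PBX vendor's code): a Python check that pairs failed firewalld rule restores with the Asterisk "Operation not permitted" send errors that follow them, run over constructed lines abbreviated from the log above. The function name `correlate`, the 60-second window and the last sample line are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample, abbreviated from the log format shown in the post above.
# The final 09:15 line is invented to show a send error outside any incident.
SAMPLE = """\
Feb 13 00:01:00 ubsv1 firewalld[475]: WARNING: ICMP type 'reject-route' is not supported by the kernel for ipv6.
Feb 13 00:01:01 ubsv1 firewalld[475]: ERROR: '/usr/sbin/iptables-restore --wait=2 -n' failed:
Feb 13 00:01:01 ubsv1 firewalld[475]: WARNING: '/usr/sbin/ebtables-restore --noflush' failed:
Feb 13 00:01:01 ubsv1 firewalld[475]: ERROR: COMMAND_FAILED
Feb 13 00:01:05 ubsv1 asterisk: [2020-02-13 00:01:05] #033[1;31mWARNING#033[0m[3232]: #033[1;37mchan_sip.c#033[0m: sip_xmit of 0x7f21741039a0 (len 523) to XXXXXXX:5060 returned -1: Operation not permitted
Feb 13 00:01:06 ubsv1 asterisk: [2020-02-13 00:01:06] #033[1;31mWARNING#033[0m[3232]: #033[1;37mchan_sip.c#033[0m: sip_xmit of 0x7f2174060500 (len 523) to XXXXXXX:5060 returned -1: Operation not permitted
Feb 13 09:15:00 ubsv1 asterisk: [2020-02-13 09:15:00] WARNING[3232]: chan_sip.c: sip_xmit of 0x7f2174060500 (len 523) to XXXXXXX:5060 returned -1: Operation not permitted
""".splitlines()

LINE = re.compile(r"^(\w{3} +\d+ [\d:]{8}) \S+ (\w+)(?:\[\d+\])?: (.*)$")
ANSI = re.compile(r"#033\[[0-9;]*m")  # colour codes whose ESC byte syslog wrote as #033
RESTORE = re.compile(r"'(\S*tables-restore)[^']*' failed")
BLOCKED = "returned -1: Operation not permitted"

def correlate(lines, year=2020, window=timedelta(seconds=60)):
    """Group failed firewalld restores with the blocked SIP sends that follow."""
    incidents = []
    for raw in lines:
        m = LINE.match(raw)
        if not m:
            continue
        # Syslog timestamps carry no year, so the caller supplies one.
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        prog, msg = m.group(2), ANSI.sub("", m.group(3))
        last = incidents[-1] if incidents else None
        in_window = last is not None and ts - last["start"] <= window
        if prog == "firewalld" and (hit := RESTORE.search(msg)):
            if not in_window:  # first failure of a new reload attempt
                last = {"start": ts, "failed": set(), "blocked_sends": 0}
                incidents.append(last)
            last["failed"].add(hit.group(1).rsplit("/", 1)[-1])
        elif prog == "asterisk" and BLOCKED in msg and in_window:
            last["blocked_sends"] += 1  # outbound SIP refused after the failed reload
    return incidents

if __name__ == "__main__":
    for inc in correlate(SAMPLE):
        print(inc["start"], sorted(inc["failed"]), inc["blocked_sends"])
```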


mrivera
(@ing-joserivera26)
Developer Admin
Joined: 2 years ago
Posts: 2232
14/02/2020 7:31 pm  

Did you try to perform a full update, and then restart?


giovanni.v
(@giovanni-v)
New Member
Joined: 2 months ago
Posts: 4
15/02/2020 2:30 am  
Posted by: @ing-joserivera26

Did you try to perform a full update?

I have also seen the local firewall cause some trouble on system updates.

A yum update from the console runs and retrieves all the packages to be updated, but then the download stops on large files, like the kernel and so on, because throughput drops down to zero after a few seconds. System logs report something seen as SIP packet flooding.

Disabling the firewall from the config UI doesn't solve the problem because it doesn't really disable the firewall. Stopping the firewalld daemon from the console lets the update transaction terminate successfully.

Tested on 3 different fresh installs, 2 real and 1 virtual hardware, latest iso.


DannyLarsen
(@dannylarsen)
Estimable Member
Joined: 2 years ago
Posts: 151
18/02/2020 11:23 am  

Not sure what you are referring to as a Full Update; this server is on the latest version.

This appears to be caused when this script runs: /usr/share/ombutel/scripts/build_firewall_blacklists

Since the server becomes unreachable from anywhere but the VPS console, if you restart it from the console it seems to solve the issue, at least for a reasonably long time.


mrivera
(@ing-joserivera26)
Developer Admin
Joined: 2 years ago
Posts: 2232
18/02/2020 11:31 am  

@dannylarsen

We're improving this; we will release a patch to fix this behavior. The script you mentioned updates the database of common VoIP attackers; in this way, your PBX is protected from those bad guys.


DannyLarsen
(@dannylarsen)
Estimable Member
Joined: 2 years ago
Posts: 151
18/02/2020 3:49 pm  

Thank you very much!

