Shorewall slows down shuttdown

cronopio · August 19, 2015, 1:53pm

in our office, we shutt down and physically disconnect the PCs to prevent damage from electrical storms. lately I’ve noticed that the shutdown of nethserver take more than seven minutes. Observing the messages during shutdown, I have noticed that the longer delay elapses with the message: “Shutting down Shorewall”; It takes longer than the suspension of a virtual machine…
Is there any way to improve this?
It is associated with the following message displayed during startup?:

Starting shorewall: WARNING: Stale lockfile /var/lib/shorewall/lock from pid 12874 removed e[60G[e[0;32m OK e[0;39m]

filippo_carletti · August 19, 2015, 2:00pm

When the system is running, run:

service shorewall status

and paste here the output.
I suspect that shorewall is not running.

cronopio · August 19, 2015, 2:04pm

[root@neth ~]# service shorewall status

Shorewall-4.6.4.3 Status at nethserver.local - Wed Aug 19 10:03:24 CDT 2015

Shorewall is running
State:Started (Wed Aug 19 07:59:08 CDT 2015) from /etc/shorewall/ (/var/lib/shorewall/firewall compiled by Shorewall version 4.6.4.3)

filippo_carletti · August 19, 2015, 2:07pm

If you can do a test, run service shorewall stop to see how long it takes. Warning: it will break service.
Then use service shorewall start to restore functions.
If stop is quick, there should be something at shutdown that is different, maybe an external dns server not reachable.

cronopio · August 19, 2015, 2:11pm

cronopio · August 19, 2015, 2:27pm

service shorewall stop

Tooks one second…
anyway I had already tried before.
With the service stopped shutdown normally occurs.
regarding the DNS … I must run a test.
as I have stated in the dashboard the IP address of a DNS running as a virtual machine inside nethserver, that of course goes down before shorewall.
If the problem is solved by removing that IP, it means that I can not put a DNS not available if I want Nethserver quickly shut itself off.?
Any ideas for the boot up message: Starting shorewall: WARNING: Stale lockfile /var/lib/shorewall/lock from pid 12874 removed [60G[[0;32m OK [0;39m]
I have googled: Stale lockfile /var/lib/shorewall/lock
and some post regarding shorwall issues appeared…now i’m reading

filippo_carletti · August 19, 2015, 2:41pm

Tonight, try using a public dns, like google’s 8.8.8.8.
If and when we know the source of the problem, we’ll find a solution.

cronopio · August 19, 2015, 3:14pm

done with 8.8.8.8
the same delay 4 minutes (almost 5!!) Shutting Down Shorewall
the only difference is that I have no:

Starting shorewall: WARNING: Stale lockfile /var/lib/shorewall/lock from pid 12874 removed [60G[[0;32m OK [0;39m]

message at startup

Nas · August 19, 2015, 5:04pm

Are you using Virt-Managemetn? how many virt-mashines there ? Shorewall wait to stop all connections and if you are using NFS share it may be some issue, while unmount nfs…

cronopio · August 19, 2015, 5:08pm

no NFS shares.
Yes webvirtmgr, one virtual machine, but is the first thing that stops at shutting down Nethserver. And it stops gracefully fast (suspend)

cronopio · August 19, 2015, 5:26pm

I implemented an “external” solution to shutdown my nethserver: I run a script from another PC with plink (It comes with putty):

service shorewall stop
shutdown -h now

Nas · August 19, 2015, 5:26pm

Valid levels are:

7 - debug (Debug-level messages)
6 - info (Informational)
5 - notice (Normal but significant Condition)
4 - warning (Warning Condition)
3 - err (Error Condition)
2 - crit (Critical Conditions)
1 - alert (must be handled immediately)
0 - emerg (System is unusable)

/etc/shorewall/shorewall.conf

edit LOG to 7
run service shorewall restart
and try to shutdown

alefattorini · August 19, 2015, 9:58pm

I moved 2 posts to a new topic: How to fight the incredible amount of spam?

cronopio · August 20, 2015, 6:58pm

wich?

###############################################################################
#                               L O G G I N G
###############################################################################

BLACKLIST_LOG_LEVEL=

INVALID_LOG_LEVEL=

LOG_BACKEND=

LOG_MARTIANS=Yes

LOG_VERBOSITY=2

LOGALLNEW=

LOGFILE=/var/log/firewall.log

LOGFORMAT="Shorewall:%s:%s:"

LOGTAGONLY=No

LOGLIMIT=

MACLIST_LOG_LEVEL=info

RELATED_LOG_LEVEL=

RPFILTER_LOG_LEVEL=info

SFILTER_LOG_LEVEL=info

SMURF_LOG_LEVEL=info

STARTUP_LOG=/var/log/shorewall-init.log

TCP_FLAGS_LOG_LEVEL=info

UNTRACKED_LOG_LEVEL=

#############################################################################

Nas · August 20, 2015, 8:59pm

Verbosity

cronopio · August 21, 2015, 1:01pm

Got an error:

[root@neth ~]# vi /etc/shorewall/shorewall.conf
[root@neth ~]# service shorewall restart
Restarting shorewall:    ERROR: Invalid LOG_VERBOSITY (7)
                                                           [FAILED]

also with:

[root@neth ~]# vi /etc/shorewall/shorewall.conf
[root@neth ~]# service shorewall restart
Restarting shorewall:    ERROR: Invalid VERBOSITY setting (7)
                                                           [FAILED]

Nas · August 21, 2015, 2:27pm

try to make 2

cronopio · August 21, 2015, 4:10pm

Restoring /etc/shorewall/shorewall.conf numbers… cause system instability, now when shuting down i get:

Shutting down Shorewall: udevd[591]: worker [2892}] unexpectedly returned with status 0x0100 udev[591]: worker [2892] failed while handling '/devices/virtual/misc/kvm'

Nas · August 21, 2015, 5:13pm

You can restore shorewall by signal-event firewall-adjust

Nas · August 21, 2015, 5:14pm

And it is better then silent