Shorewall slows down shutdown

firewall

(luisr) #1

In our office, we shut down and physically disconnect the PCs to prevent damage from electrical storms. Lately I’ve noticed that the shutdown of NethServer takes more than seven minutes. Observing the messages during shutdown, I have noticed that the longest delay elapses with the message: “Shutting down Shorewall”. It takes longer than the suspension of a virtual machine…
Is there any way to improve this?
Is it associated with the following message displayed during startup?

Starting shorewall: WARNING: Stale lockfile /var/lib/shorewall/lock from pid 12874 removed [ OK ]

(Filippo Carletti) #2

When the system is running, run:

service shorewall status

and paste here the output.
I suspect that shorewall is not running.


(luisr) #3
[root@neth ~]# service shorewall status

Shorewall-4.6.4.3 Status at nethserver.local - Wed Aug 19 10:03:24 CDT 2015

Shorewall is running
State:Started (Wed Aug 19 07:59:08 CDT 2015) from /etc/shorewall/ (/var/lib/shorewall/firewall compiled by Shorewall version 4.6.4.3)


(Filippo Carletti) #4

If you can do a test, run service shorewall stop to see how long it takes. Warning: it will break service.
Then use service shorewall start to restore functions.
If stop is quick, there should be something at shutdown that is different, maybe an external dns server not reachable.


(luisr) #5


(luisr) #6
service shorewall stop

Took one second…
Anyway, I had already tried that before.
With the service stopped, shutdown occurs normally.
Regarding the DNS… I must run a test.
As I have stated in the dashboard the IP address of a DNS running as a virtual machine inside NethServer, that of course goes down before Shorewall.
If the problem is solved by removing that IP, it means that I cannot put a DNS that is not available if I want NethServer to shut itself off quickly? :fearful:
Any ideas for the boot-up message: Starting shorewall: WARNING: Stale lockfile /var/lib/shorewall/lock from pid 12874 removed [ OK ]
I have googled: Stale lockfile /var/lib/shorewall/lock
and some posts regarding Shorewall issues appeared… now I’m reading.


(Filippo Carletti) #7

Tonight, try using a public DNS, like Google’s 8.8.8.8.
If and when we know the source of the problem, we’ll find a solution.


(luisr) #8

Done with 8.8.8.8.
The same delay, 4 minutes (almost 5!!), at Shutting Down Shorewall.
The only difference is that I have no:

Starting shorewall: WARNING: Stale lockfile /var/lib/shorewall/lock from pid 12874 removed [ OK ]

message at startup


(Artem Fedai) #9

Are you using Virt-Management? How many virt-machines are there? Shorewall waits to stop all connections, and if you are using an NFS share there may be some issue while unmounting NFS…


(luisr) #10
  • no NFS shares.
  • Yes, webvirtmgr, one virtual machine, but it is the first thing that stops when shutting down NethServer. And it stops gracefully and fast (suspend).

(luisr) #11

I implemented an “external” solution to shut down my NethServer: I run a script from another PC with plink (it comes with PuTTY):

service shorewall stop
shutdown -h now

(Artem Fedai) #12

Valid levels are:

7 - debug (Debug-level messages)
6 - info (Informational)
5 - notice (Normal but significant Condition)
4 - warning (Warning Condition)
3 - err (Error Condition)
2 - crit (Critical Conditions)
1 - alert (must be handled immediately)
0 - emerg (System is unusable)

/etc/shorewall/shorewall.conf

edit LOG to 7
run service shorewall restart
and try to shutdown


(Alessio Fattorini) #13

I moved 2 posts to a new topic: How to fight the incredible amount of spam?


(luisr) #14

Which?

###############################################################################
#                               L O G G I N G
###############################################################################

BLACKLIST_LOG_LEVEL=

INVALID_LOG_LEVEL=

LOG_BACKEND=

LOG_MARTIANS=Yes

LOG_VERBOSITY=2

LOGALLNEW=

LOGFILE=/var/log/firewall.log

LOGFORMAT="Shorewall:%s:%s:"

LOGTAGONLY=No

LOGLIMIT=

MACLIST_LOG_LEVEL=info

RELATED_LOG_LEVEL=

RPFILTER_LOG_LEVEL=info

SFILTER_LOG_LEVEL=info

SMURF_LOG_LEVEL=info

STARTUP_LOG=/var/log/shorewall-init.log

TCP_FLAGS_LOG_LEVEL=info

UNTRACKED_LOG_LEVEL=

#############################################################################

(Artem Fedai) #15

Verbosity


(luisr) #16

Got an error:

[root@neth ~]# vi /etc/shorewall/shorewall.conf
[root@neth ~]# service shorewall restart
Restarting shorewall:    ERROR: Invalid LOG_VERBOSITY (7)
                                                           [FAILED]

also with:

[root@neth ~]# vi /etc/shorewall/shorewall.conf
[root@neth ~]# service shorewall restart
Restarting shorewall:    ERROR: Invalid VERBOSITY setting (7)
                                                           [FAILED]
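
Added example (not part of any post in this thread, and not NethServer or Shorewall code): a small POSIX shell lint that separates the two kinds of setting mixed up above, the syslog levels 0-7 listed in post #12 and the VERBOSITY/LOG_VERBOSITY settings that rejected 7 in post #16. The accepted ranges (VERBOSITY 0..2, LOG_VERBOSITY -1..2) are taken from shorewall.conf(5) and should be confirmed for your version; the function name and the sample input are made up for illustration.

```shell
#!/bin/sh
# Assumed ranges, per shorewall.conf(5): VERBOSITY 0..2, LOG_VERBOSITY -1..2.
# *_LOG_LEVEL settings take a syslog level and are only reported, not checked.

lint_shorewall_verbosity() {
    # Reads shorewall.conf text on stdin and prints one finding per setting.
    # Returns 1 if a verbosity value is out of range, 0 otherwise.
    rc=0
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                       # drop comments and banners
        case $line in *=*) ;; *) continue ;; esac
        key=$(printf '%s' "${line%%=*}" | tr -d '[:space:]')
        val=$(printf '%s' "${line#*=}" | tr -d '"[:space:]')
        case $key in
            VERBOSITY)     lo=0;  hi=2 ;;
            LOG_VERBOSITY) lo=-1; hi=2 ;;
            *_LOG_LEVEL)
                echo "INFO $key=${val:-<empty>} takes a syslog level"
                continue ;;
            *) continue ;;
        esac
        case $val in
            '') echo "OK $key is empty, default applies" ;;
            -[0-9]|[0-9])
                if [ "$val" -ge "$lo" ] && [ "$val" -le "$hi" ]; then
                    echo "OK $key=$val"
                else
                    echo "BAD $key=$val (expected $lo..$hi)"; rc=1
                fi ;;
            *) echo "BAD $key=$val (expected $lo..$hi)"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample: a few lines in the style of the LOGGING section posted
# in #14, with LOG_VERBOSITY changed to 7 as attempted in #16.
SAMPLE_CONF='# L O G G I N G
LOG_MARTIANS=Yes
LOG_VERBOSITY=7
MACLIST_LOG_LEVEL=info
RELATED_LOG_LEVEL=
VERBOSITY=2'

printf '%s\n' "$SAMPLE_CONF" | lint_shorewall_verbosity \
    || echo "fix the BAD lines before restarting shorewall"
```

To check the live file instead of the sample, feed it on stdin: `lint_shorewall_verbosity < /etc/shorewall/shorewall.conf`.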

(Artem Fedai) #17

Try to make it 2.


(luisr) #18

Restoring the /etc/shorewall/shorewall.conf numbers… causes system instability; now when shutting down I get:

Shutting down Shorewall: udevd[591]: worker [2892] unexpectedly returned with status 0x0100 udev[591]: worker [2892] failed while handling '/devices/virtual/misc/kvm'

(Artem Fedai) #19

You can restore shorewall by signal-event firewall-adjust


(Artem Fedai) #20

And it is better than silent.