LinuxQuestions.org
VectorLinux This forum is for the discussion of VectorLinux.
Old 08-13-2012, 11:45 AM   #1
ted_chou12
Member
 
Registered: Aug 2010
Location: Zhongli, Taoyuan
Distribution: slackware, windows, debian (armv4l GNU/Linux)
Posts: 431
Blog Entries: 32

Rep: Reputation: 3
Stopping firewall never terminates


Hi, sorry, I realized the problem does not lie in the rpc; it is in fact the firewall:
the command service firewall stop causes non-terminating feedback:
Code:
root:# service firewall stop
Stopping Firewall.......................Stopping Firewall............
Stopping Firewall.......................Stopping Firewall............
Stopping Firewall.......................Stopping Firewall............
Stopping Firewall.......................Stopping Firewall............
Stopping Firewall.......................Stopping Firewall............
Stopping Firewall.......................Stopping Firewall............
Stopping Firewall.......................Stopping Firewall............
Stopping Firewall.......................Stopping Firewall............
Stopping Firewall.......................Stopping Firewall............
Stopping Firewall.......................Stopping Firewall............
Stopping Firewall.......................Stopping Firewall............
Stopping Firewall.......................Stopping Firewall............
Stopping Firewall.......................Stopping Firewall............
Stopping Firewall.......................Stopping Firewall............
Stopping Firewall.......................Stopping Firewall............
Stopping Firewall.......................Stopping Firewall............
Stopping Firewall.......................Stopping Firewall............
Stopping Firewall.......................Stopping Firewall............
Stopping Firewall.......................Stopping Firewall............
Stopping Firewall.......................Stopping Firewall............
Stopping Firewall.......................Stopping Firewall............
Stopping Firewall.......................Stopping Firewall............
Stopping Firewall.......................Stopping Firewall............
Stopping Firewall.......................Stopping Firewall............
And it just doesn't respond afterwards. This command is in the script /etc/rc.d/rc.firewall and is called upon shutdown and reboot, which freezes the computer.
Thanks,
Ted

Last edited by ted_chou12; 08-13-2012 at 12:09 PM. Reason: Actual problem
 
Old 08-13-2012, 02:16 PM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Run manually as
Code:
/bin/bash -vx /etc/rc.d/rc.firewall stop 2>&1 | tee /tmp/debug.log
and kill it with CTRL+C after you see it start hanging. Then attach /tmp/debug.log as a plain-text attachment?
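The trace run suggested above needs a manual CTRL+C once the script hangs. As an added example (not from this thread), here is a small POSIX sh wrapper that runs the same bash -vx trace into a log file but kills the script itself after a time limit, so a hanging init script can be traced unattended; the name trace_with_limit and the marker file are assumptions, and bash is assumed to be on PATH.

```shell
#!/bin/sh
# trace_with_limit SECONDS LOGFILE SCRIPT [ARGS...]   (hypothetical helper)
# Runs "bash -vx SCRIPT ARGS..." with stdout+stderr in LOGFILE, like the
# "bash -vx /etc/rc.d/rc.firewall stop 2>&1 | tee /tmp/debug.log" suggestion.
# Returns 124 if the script had to be killed after SECONDS, otherwise the
# script's own exit status.
trace_with_limit() {
    limit=$1 log=$2
    shift 2
    rm -f "$log.killed"

    # -v echoes every line as it is read, -x every command as it is executed
    bash -vx "$@" >"$log" 2>&1 &
    pid=$!

    # Watchdog: after $limit seconds terminate the traced script and leave a
    # marker file so the caller can tell a timeout from a normal exit.
    ( sleep "$limit"; kill "$pid" 2>/dev/null && : >"$log.killed" ) >/dev/null 2>&1 &
    watchdog=$!

    status=0
    wait "$pid" || status=$?
    kill "$watchdog" 2>/dev/null

    # 143 = 128 + SIGTERM, in case the marker is not written yet
    if [ -e "$log.killed" ] || [ "$status" -eq 143 ]; then
        return 124
    fi
    return "$status"
}

# Example invocation (uncomment to trace a real init script for 20 seconds):
# trace_with_limit 20 /tmp/debug.log /etc/rc.d/rc.firewall stop
```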
 
Old 08-14-2012, 01:40 AM   #3
ted_chou12
Member
 
Registered: Aug 2010
Location: Zhongli, Taoyuan
Distribution: slackware, windows, debian (armv4l GNU/Linux)
Posts: 431

Original Poster
Blog Entries: 32

Rep: Reputation: 3
Thank you for your help. Yes, it did hang after the command; here is the debug.log.
Ted
Attached file: debug.log (23.5 KB)
 
Old 08-14-2012, 02:39 PM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
From your debug script it's not clear why it halts execution and what it iterates over so I've asked this thread to be moved to the LQ VL forum so somebody using VL can help you with it.
 
Old 08-14-2012, 03:03 PM   #5
Tinkster
Moderator
 
Registered: Apr 2002
Location: earth
Distribution: slackware by choice, others too :} ... android.
Posts: 23,067
Blog Entries: 11

Rep: Reputation: 928
Moved: This thread is more suitable in <Vector> and has been moved accordingly to help your thread/question get the exposure it deserves.
 
Old 08-15-2012, 04:08 AM   #6
ted_chou12
Member
 
Registered: Aug 2010
Location: Zhongli, Taoyuan
Distribution: slackware, windows, debian (armv4l GNU/Linux)
Posts: 431

Original Poster
Blog Entries: 32

Rep: Reputation: 3
Here is my /etc/rc.d/rc.firewall with its configuration given; I don't know if it may be useful for debugging:
Code:
#!/bin/sh
## /etc/rc.d/rc.firewall
## Set up the firewall before any network services are up.
## VASM's vfirewall modifies this script !!!
##
## This script will find and start firewall in the following order
##   - user specified FIREWALL_SCRIPT variable
##   - GuardDog (/etc/rc.firewall and /etc/rc.guidedog)
##   - gShield (/etc/firewall/gShield.rc)
##   - Firewall-Jay (/etc/firewall-jay/fw-jay)
##   - the default VL firewall
##
## The default VL firewall is suitable for a workstation that allows:
##  - all outputs from this machine
##  - some inputs to this machine (domain, ssh, http)
##  - optional ipmasquerading
##
## To enable ipmasquerading, specify the GREEN_NET.
## This machine should work as a gateway with the following configuration 
##
## {RED}-----[gateway]------{GREEN}
##
## RED   = The Internet
## GREEN = Your Intranet 
##
## This firewall uses network address based rules.
## Therefore it is independent of the interface, and easier to debug.
## Sufficient for home use, serving some casual clients.
## Not for a serious office !!!
## You cannot sue me for whatever reason regarding this script :P.
##
## GNU GPL (c) Eko M. Budi, 2004
##         (c) Vector Linux, 2004


## If you have another script, tell it here
## For example, /etc/rc.firewall
FIREWALL_SCRIPT=""

## This is the default VL firewall settings
## The Network you want to protect.
## If specified, forwarding will be allowed.
## If the network is internal, masquerading will be turned on
## Empty means no forwarding/masquerading.
GREEN_NET=""
#GREEN_NET="192.168.0.0/255.255.255.0"
#GREEN_NET="172.16.0.0/255.255.0.0"
#GREEN_NET="10.0.0.0/255.0.0.0"

## The open ports of THIS host.
## see /etc/services for ports definition
## list the ports, space separated. ALL means all ports.
PORT_IN="ALL"
#PORT_IN="domain ssh http https ftp ftp-data"
ICMP_IN="ALL"
#ICMP_IN="0 3 8 11"

## The traffic that can come out from this machine.
## You may restrict it if you suspect there is a trojan on your machine.
## list the ports, space separated. ALL allows everything.
PORT_OUT="ALL"
#PORT_OUT="domain http https pop3 pop3s imap ssh ftp ftp-data irc"

## The traffic that can pass from the GREEN to the RED network (internet).
## list the ports, space separated. ALL allows everything.
PORT_FORWARD="ALL"
#PORT_FORWARD="domain http https pop3 pop3s imap ssh ftp ftp-data irc"
ICMP_FORWARD="ALL"
#ICMP_FORWARD="3 8 11"

########################################################################
# Do the business ...
. /etc/rc.d/functions

## If this configuration file exists, read it
if [ -r /etc/sysconfig/config/firewall.conf ]; then
   . /etc/sysconfig/config/firewall.conf 
fi

########################################################################
# here we go now
IPT="/usr/sbin/iptables"
MODPROBE="/sbin/modprobe"

## load modules
$MODPROBE ip_tables
$MODPROBE iptable_filter
$MODPROBE iptable_nat
$MODPROBE ip_nat_ftp  
$MODPROBE ip_nat_irc 
$MODPROBE ip_conntrack  
$MODPROBE ip_conntrack_ftp  
$MODPROBE ip_conntrack_irc  

# Check if a net is an internal network
is_internal()
{
   IPADDR=$(echo $1 | cut -f 1 -d /)

   NET=$(ipmask 255.255.0.0 $IPADDR | cut -f 2 -d ' ')
   [ "$NET" = "192.168.0.0" ] && return

   NET=$(ipmask 255.240.0.0 $IPADDR | cut -f 2 -d ' ')
   [ "$NET" = "172.16.0.0" ] && return

   NET=$(ipmask 255.0.0.0 $IPADDR | cut -f 2 -d ' ')
   [ "$NET" = "10.0.0.0" ] && return

   false
}

# STANDARD RULES
firewall_basic()
{
  # Enable IP spoofing protection, turn on Source Address Verification
  for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
     echo 1 > $f
  done

  # Disable ICMP Redirect Acceptance
  for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
     echo 0 > $f
  done

  # Enabling ping of death protection
  # $IPT -A INPUT -p icmp --icmp-type echo-request -m limit ! --limit 1/s -j DROP

  # Enabling Syn flood protection
  #$IPT -A INPUT -p tcp --syn -m limit ! --limit 1/s -j DROP
 
  # Enabling Furtive port scanner protection
  #$IPT -A INPUT -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit ! --limit 1/s -j DROP
  
}

firewall_flush()
{
  $IPT -F 
  $IPT -F -t nat 
  $IPT -F -t mangle 
  $IPT -X
}

## This is really open everything, except IP forwarding
firewall_clear()
{
  ## Disable IP forwarding
  echo "0" > /proc/sys/net/ipv4/ip_forward

  ## Accept all for default
  $IPT -P INPUT ACCEPT
  $IPT -P FORWARD ACCEPT
  $IPT -P OUTPUT ACCEPT

  firewall_flush
}

# Rules for allowing traffic from the GREEN to the RED network
firewall_forward()
{
  ## if no green net, turn off forwarding
  if [ -z "$GREEN_NET" ]; then
     echo "0" > /proc/sys/net/ipv4/ip_forward 
     $IPT -P FORWARD DROP
     return 0   
  fi
  
  ## Turn ON masquerade automatically
  ## People said that we should use SNAT for static IP
  ## But masquerade will do no harm
  if is_internal $GREEN_NET; then
    $IPT -t nat -A POSTROUTING -s $GREEN_NET -d ! $GREEN_NET -j MASQUERADE
  fi

  ## if everything is ALL, just turn ON the FORWARD
  if [ "$PORT_FORWARD" = "ALL" ] && [ "$ICMP_FORWARD" = "ALL" ]; then
    $IPT -P FORWARD ACCEPT
    echo "1" > /proc/sys/net/ipv4/ip_forward
    return 0
  fi
  
  ## ok, complicated settings are needed
  $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
  $IPT -A FORWARD -f -j ACCEPT

  if [ "$PORT_FORWARD" != "ALL" ]; then
     for PORT in $PORT_FORWARD; do
       $IPT -A FORWARD -s $GREEN_NET -p udp --dport $PORT -j ACCEPT
       $IPT -A FORWARD -s $GREEN_NET -p tcp --dport $PORT -j ACCEPT
     done
  else
     $IPT -A FORWARD -s $GREEN_NET -p tcp -j ACCEPT
     $IPT -A FORWARD -s $GREEN_NET -p udp -j ACCEPT
  fi
  
  if [ "$ICMP_FORWARD" != "ALL" ]; then
     for TYPE in $ICMP_FORWARD; do 
         $IPT -A FORWARD -s $GREEN_NET -p icmp --icmp-type $TYPE -j ACCEPT
     done
  else
     $IPT -A FORWARD -s $GREEN_NET -p icmp -j ACCEPT
  fi     
  $IPT -P FORWARD DROP
  echo "1" > /proc/sys/net/ipv4/ip_forward
}


# Rules for accepting input to this gateway
firewall_input()
{
  ## if ALL, just open the default policy: fewer rules and faster!
  if [ "$PORT_IN" = "ALL" ] && [ "$ICMP_IN" = "ALL" ]; then
     $IPT -P INPUT ACCEPT
     return 0
  fi
  
  ## Set a secure input
  $IPT -A INPUT -d 127.0.0.0/8 -j ACCEPT
  $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  $IPT -A INPUT -f -j ACCEPT
  
  ## Allow some ports
  if [ "$PORT_IN" != "ALL" ]; then
     for PORT in $PORT_IN ; do 
       $IPT -A INPUT -p udp --dport $PORT -j ACCEPT
       $IPT -A INPUT -p tcp --dport $PORT -j ACCEPT
     done
  else
     $IPT -A INPUT -p udp -j ACCEPT
     $IPT -A INPUT -p tcp -j ACCEPT
  fi

  ## Allow ICMPs
  if [ "$ICMP_IN" != "ALL" ]; then
     for TYPE in $ICMP_IN ; do 
       $IPT -A INPUT -p icmp --icmp-type $TYPE -j ACCEPT
     done
  else
     $IPT -A INPUT -p icmp -j ACCEPT
  fi

  ## Drop everything else
  $IPT -P INPUT DROP
}

# Rules for allowing OUTPUT traffic from this machine
firewall_output()
{
  ## if ALL, just open the default policy: fewer rules and faster!
  if [ "$PORT_OUT" = "ALL" ]; then
     $IPT -P OUTPUT ACCEPT
     return 0
  fi
  
  ## Hmmm ... the admin does not trust his own computer
  ## But let the internal (loopback) output through
  $IPT -A OUTPUT -d 127.0.0.0/8 -j ACCEPT 

  ## allow all ICMPs from this host (is it secure enough ?)
  $IPT -A OUTPUT -p icmp -j ACCEPT

  ## allow some ports
  for PORT in $PORT_OUT; do
     $IPT -A OUTPUT -p udp --dport $PORT -j ACCEPT
     $IPT -A OUTPUT -p tcp --dport $PORT -j ACCEPT
  done

  ## Drop everything else by default
  $IPT -P OUTPUT DROP
}

###################################################################
## Main routines
firewall_start() {

  ## launch the specified one
  if [ "$FIREWALL_SCRIPT" ] && [ -x $FIREWALL_SCRIPT ]; then
     echo "Starting firewall $FIREWALL_SCRIPT ..."
     $FIREWALL_SCRIPT start
     return $?
  fi

  ## if it exists, start the new default firewall service
  if [ ! x$service_firewall = x ]; then
   if [ -x $service_firewall ]; then
      if [ ! -x $rc_firewall ]; then
        chmod +x $rc_firewall
      fi
      echo "Starting firewall service ..."
      service firewall start
      return $?
   fi
  fi

  ## if it exists, start the guarddog/guidedog firewall instead
  ## don't start guidedog if there is no guarddog
  if [ -x /etc/rc.firewall ]; then
      if [ -x /etc/rc.guidedog ]; then
          echo "Starting guarddog and guidedog ..."
          /etc/rc.firewall start && /etc/rc.guidedog start
      else
          echo "Starting guarddog ..."
          /etc/rc.firewall start
      fi
      return $?
  fi

  ## This is GShield
  if [ -x /etc/firewall/gShield.rc ]; then
      echo "Starting gshield firewall ..."
      /etc/firewall/gShield.rc --start
      return $?
  fi

  ## This is firewall-jay
  if [ -x /etc/firewall-jay/fw-jay ] && [ -f /etc/firewall-jay/firewall.config ]; then
      echo "Starting firewall-jay ..."
      /etc/firewall-jay/fw-jay start
      return $?
  fi

  ## the last contender ...default VASM firewall
  echo "Starting default firewall ..."
  firewall_basic
  firewall_flush
  firewall_input
  firewall_output
  firewall_forward
  return 0
}

firewall_stop()
{
  firewall_clear
  return 0
}

case "$1" in
  start)
    firewall_start
    ;;
  stop)
    echo "Stopping firewall ..."
    ## if it exists, stop the new default firewall service
    if [ -x $service_firewall ]; then
      # service firewall stop
      echo "No, we are not going to stop firewall"
    else
      firewall_stop
    fi
    ;;
  restart)
    echo "Restarting firewall ..."
    ## if it exists, restart the new default firewall service
    if [ -x $service_firewall ]; then
      # service firewall restart
      echo "No, we are not going to stop firewall"
    else
      ## Restarting should not stop the firewall
      ## Since stopping opens the ports for a moment
      firewall_start
    fi
    ;;
  reload)
    echo "Reloading firewall ..."
    ## if it exists, reload the new default firewall service
    if [ -x $service_firewall ]; then
      # service firewall restart
      echo "No, we are not going to stop firewall"
    else
      firewall_start
    fi
    ;;  
  status)
    $IPT -nL
    echo
    $IPT -t nat -nL
    ;;
  *)  
    echo "Usage: $0 {start|stop|restart|reload|status}"
esac
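The is_internal() check in the script above decides whether firewall_forward() adds a MASQUERADE rule, but it depends on the VectorLinux-specific ipmask helper pulled in from /etc/rc.d/functions. As an added example (not part of the posted rc.firewall), here is a portable POSIX sh stand-in that computes the network address with shell arithmetic and repeats the same three RFC 1918 tests, plus a dry-run of the forwarding decision; the names net_addr, is_rfc1918 and masq_decision are assumptions, and the sample GREEN_NET values are constructed.

```shell
#!/bin/sh
# net_addr MASK IP -> prints IP AND MASK, e.g. net_addr 255.240.0.0 172.20.5.9 -> 172.16.0.0
# (portable replacement for the ipmask call used by is_internal in rc.firewall)
net_addr() {
    mask=$1 ip=$2
    oldifs=$IFS
    IFS=.
    set -- $mask; m1=$1 m2=$2 m3=$3 m4=$4
    set -- $ip;   i1=$1 i2=$2 i3=$3 i4=$4
    IFS=$oldifs
    printf '%d.%d.%d.%d\n' $((i1 & m1)) $((i2 & m2)) $((i3 & m3)) $((i4 & m4))
}

# is_rfc1918 NET -- same logic as is_internal(): strip the "/mask" suffix that
# GREEN_NET carries, then test the address against the three private blocks
# with the masks the script uses (255.255.0.0, 255.240.0.0, 255.0.0.0).
is_rfc1918() {
    addr=${1%%/*}
    [ "$(net_addr 255.255.0.0 "$addr")" = "192.168.0.0" ] && return 0
    [ "$(net_addr 255.240.0.0 "$addr")" = "172.16.0.0" ]  && return 0
    [ "$(net_addr 255.0.0.0   "$addr")" = "10.0.0.0" ]    && return 0
    return 1
}

# masq_decision GREEN_NET -- what firewall_forward() does with this setting:
#   empty          -> ip_forward stays 0, FORWARD policy DROP      ("no-forward")
#   RFC 1918 net   -> POSTROUTING MASQUERADE rule is added         ("masquerade")
#   public net     -> forwarding enabled, no NAT                   ("forward-only")
masq_decision() {
    if [ -z "$1" ]; then
        echo "no-forward"
    elif is_rfc1918 "$1"; then
        echo "masquerade"
    else
        echo "forward-only"
    fi
}

# Constructed sample GREEN_NET values (the first is the script's own commented default)
masq_decision "192.168.0.0/255.255.255.0"   # masquerade
masq_decision "172.32.0.0/255.255.0.0"      # forward-only: 172.32/16 is outside 172.16/12
masq_decision ""                            # no-forward
```

The 172.32.0.0 case is the one worth checking on a real box: it looks private but falls outside 172.16.0.0/12, so the script would forward it without NAT.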