Dear all, we have not analyzed why the pve-firewall stopped all the traffic, so that nothing went through and everything was brought down. We had one host stopped for a week because of this; the operating center said this was a hacking host! But there was nothing, only abnormal traffic going via the wrong interfaces with MAC! Here is a small script for everyone, to monitor the firewall and shut the firewall off when the firewall blocks the host completely. This is better, because then you can log in to the host and check the host, rather than having to reboot the host completely. Remember, a cold reboot can take hours and can create problems in disk arrays and so on!
Create a script in /root/scripte with the name "firewall_control.sh" with this content:

#!/bin/bash
#
# IMPORTANT: check that you have installed sendEmail, or install it with apt-get install sendEmail !!!
#
#
# When your firewall was open and you have resolved the problem, stop the warnings via Log-Rotate:
#
# /usr/sbin/logrotate --force /etc/logrotate.conf
#
# (c) under GPL by Detlef Bracker, 1awww.com - 07.05.2015

PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

# Count the "host unreachable" errors in the last 1000 syslog lines
tail -n 1000 /var/log/syslog | grep "error (host unreachable)" | wc -l > /var/log/firewall_defunc.cnt
COUNTER=$(cat /var/log/firewall_defunc.cnt)

# More than 6 errors: stop the firewall and mail the count to the administrator
# (absolute path, because cron does not start the script in /var/log)
if (( $COUNTER > 6 )); then
  pve-firewall stop
  cat /var/log/firewall_defunc.cnt | sendEmail -f root@YOURHOSTNAME -t YOURMAILADDRESS -u "URGENT - YOURHOSTNAME FIREWALL STOPPED."
fi

----

In the last line, change YOURHOSTNAME / YOURMAILADDRESS.

Then make the script executable with

chmod 700 /root/scripte/firewall_control.sh

And create a cronjob:

*/1 * * * * /root/scripte/firewall_control.sh

Check that you now find in syslog that the script runs every minute! The script now checks every minute whether the host has errors creating outgoing connections! If so, then you have a big, big problem, but now the script helps you! In that case, it counts in the last 1000 lines of your syslog, and when the counter is greater than 6, it stops the pve-firewall and informs you as administrator that the host has disabled the firewall and that you must urgently check why!

--
With kind regards,
1awww.com - Internet-Service-Provider
Detlef Bracker
_______________________________________________ pve-devel mailing list pve-devel@pve.proxmox.com http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
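An added example, not part of the original post: a variant of the counting step that only looks at syslog lines written since the previous run, so errors that were already handled do not keep triggering the stop until the log is rotated. The state file path, the function names and the --run switch are assumptions made for this illustration.

```shell
#!/bin/bash
# Added example, not the author's script. STATE path, function names and
# the --run switch are assumptions; PATTERN and THRESHOLD come from the post.
PATTERN='error (host unreachable)'
THRESHOLD=6

# Print how many PATTERN lines were appended to LOG since the previous call.
# STATE holds the line count seen last time, so old errors are never counted
# twice and no forced logrotate is needed to silence the alarm.
# Limitation: a rotated log that already outgrew the stored count is missed.
count_new_unreachable() {
  local log="$1" state="$2" last=0 total
  total=$(( $(wc -l < "$log") ))
  [ -r "$state" ] && last=$(cat "$state")
  case $last in ''|*[!0-9]*) last=0 ;; esac   # corrupt state: start over
  [ "$total" -lt "$last" ] && last=0          # log was rotated or truncated
  echo "$total" > "$state"
  # grep -c exits 1 on zero matches; "|| true" keeps set -e callers alive
  tail -n "+$((last + 1))" "$log" | grep -cF -- "$PATTERN" || true
}

# Constructed sample lines, for demonstration only (3 of 6 match).
sample_log() {
  local i
  for i in 1 2 3; do
    echo "May  7 10:0$i:01 pve1 app[100]: $PATTERN"
    echo "May  7 10:0$i:02 pve1 CRON[200]: session opened for user root"
  done
}

# Real run from cron: firewall_watch.sh --run
if [ "${1:-}" = "--run" ]; then
  n=$(count_new_unreachable /var/log/syslog /var/run/firewall_watch.state)
  if [ "$n" -gt "$THRESHOLD" ]; then
    # Leave an audit trail in syslog before the firewall is taken down
    logger -t firewall_watch "$n new '$PATTERN' lines, stopping pve-firewall"
    pve-firewall stop
  fi
fi
```

Because the stop is logged with its own tag, the moment the host lost its firewall can be found later with a search for firewall_watch in syslog.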