CSF won't start with new version
Posted: 18 Feb 2013, 17:54
by sparek
I can't get CSF 5.76 to start on a VPS.
I note that running /etc/csf/csftest.pl gives the output:
Code:
Testing ip_tables/iptable_filter...OK
Testing ipt_LOG...OK
Testing ipt_multiport/xt_multiport...OK
Testing ipt_REJECT...OK
Testing ipt_state/xt_state...OK
Testing ipt_limit/xt_limit...OK
Testing ipt_recent...OK
Testing xt_connlimit...FAILED [Error: iptables: Unknown error 18446744073709551615] - Required for CONNLIMIT feature
Testing ipt_owner/xt_owner...FAILED [Error: iptables: Unknown error 18446744073709551615] - Required for SMTP_BLOCK and UID/GID blocking features
Testing iptable_nat/ipt_REDIRECT...OK
Testing iptable_nat/ipt_DNAT...OK
However, SMTP_BLOCK is set to 0 and CONNLIMIT is empty (should it be 0)?
Starting CSF gives the error:
Code:
iptables: Unknown error 18446744073709551615
ACCEPT all opt -- in eth0 out * 0.0.0.0/0 -> 0.0.0.0/0 ctstate RELATED,ESTABLISHED
Error: iptables command [/sbin/iptables -v -A INPUT -i eth0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT] failed, at line 1638
Re: CSF won't start with new version
Posted: 18 Feb 2013, 18:08
by ForumAdmin
sparek wrote: I can't get CSF 5.76 to start on a VPS.
Starting CSF gives the error:
Code:
iptables: Unknown error 18446744073709551615
ACCEPT all opt -- in eth0 out * 0.0.0.0/0 -> 0.0.0.0/0 ctstate RELATED,ESTABLISHED
Error: iptables command [/sbin/iptables -v -A INPUT -i eth0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT] failed, at line 1638
Looks like you have a kernel/iptables issue on your VPS, as the state module, which we switched csf from to the conntrack module, was deprecated some time ago. You could try checking with your VPS provider that they have indeed included the iptables conntrack module, but that error means that they (at the least) need to upgrade the kernel they are using to one that hasn't got a broken conntrack module.
In the meantime, you can work around the problem with:
Code:
sed -i 's/-m conntrack --ctstate/-m state --state/g' /etc/csf/csf.pl
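The workaround above edits csf.pl in place with no backup. As an added example (not from ForumAdmin or the csf project), the function below applies the same substitution with a backup and a check; the function name, the `.pre-state.bak` suffix and the sample file contents are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not csf code. Function name and backup suffix are assumptions.
swap_conntrack_to_state() {
    target="${1:-/etc/csf/csf.pl}"
    backup="$target.pre-state.bak"
    [ -f "$target" ] || { echo "no such file: $target" >&2; return 2; }

    # Lines the substitution would touch (grep -c exits 1 on zero matches).
    hits=$(grep -c -- '-m conntrack --ctstate' "$target" || true)
    if [ "$hits" -eq 0 ]; then
        echo 0
        return 0
    fi

    # Keep the first pristine copy; never overwrite it on a re-run.
    [ -e "$backup" ] || cp -p "$target" "$backup" || return 3

    # Rewrite into a temp file, then check it before replacing the original.
    tmp=$(mktemp "$target.XXXXXX") || return 3
    sed 's/-m conntrack --ctstate/-m state --state/g' "$target" > "$tmp"
    if grep -q -- '-m conntrack --ctstate' "$tmp"; then
        rm -f "$tmp"
        echo "substitution incomplete, $target left untouched" >&2
        return 4
    fi
    cat "$tmp" > "$target"   # overwrite in place so mode and owner are kept
    rm -f "$tmp"
    echo "$hits"             # number of lines rewritten
}

# Constructed sample standing in for csf.pl (not real csf source).
demo=$(mktemp -d)
cat > "$demo/csf.pl" <<'EOF'
$iptables -v -A INPUT -i eth0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
$iptables -v -A OUTPUT -o eth0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
$iptables -v -A INPUT -p tcp --dport 22 -j ACCEPT
EOF
echo "lines rewritten: $(swap_conntrack_to_state "$demo/csf.pl")"
```

Running it a second time reports 0 and leaves the backup of the original file alone, so the change can be reverted by copying the `.pre-state.bak` file back.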
Re: CSF won't start with new version
Posted: 18 Feb 2013, 18:14
by ForumAdmin
I'll look at having an exception for the useless Virtuozzo kernels (their iptables implementation is dire) to use the old state module and release a new version shortly.
Re: CSF won't start with new version
Posted: 18 Feb 2013, 18:29
by ForumAdmin
I have released v5.77 of csf which should hopefully resolve this:
http://blog.configserver.com/index.php?itemid=718
Re: CSF won't start with new version
Posted: 18 Feb 2013, 19:05
by JohnS
If your kernel is up to date, make sure the ipt_conntrack module is enabled. I thought it was but only ip_conntrack was enabled.
Re: CSF won't start with new version
Posted: 18 Feb 2013, 19:05
by broken
Good man ForumAdmin
Re: CSF won't start with new version
Posted: 18 Feb 2013, 19:56
by Michaelg
Hi, I can't seem to upgrade to the latest, still getting an error...
You have an unresolved error when starting csf. You need to restart csf successfully to remove this warning
and unable to restart lfd...
Error: Error processing command for line [1114] (10 times): [iptables: Unknown error 4294967295], at line 1114
Any suggestions are much appreciated.
Thanks
CENTOS 5.9 i686 xenpv
WHM 11.34.1 (build 7)
Re: CSF won't start with new version
Posted: 18 Feb 2013, 20:20
by ForumAdmin
Re: CSF won't start with new version
Posted: 18 Feb 2013, 20:27
by Gavo
Thanks, this resolved the error for me (for now).
I have a default OVH kernel that doesn't support connlimit.
It looks like if you roll out this update, most of their dedicated servers won't support CSF with their default custom kernels. I read on their French forum that you have to re-compile to enable the module.
I have 3 OVH boxes and 2 don't support connlimit.
Re: CSF won't start with new version
Posted: 18 Feb 2013, 20:46
by alexNL
You can only upgrade when you have the firewall enabled, but if you are you cannot connect to the update server. If you got stuck (like me) on either 5.76 or 5.77 here is a solution:
Add this line to firewall allow IPs:
85.13.195.235 # Configserver update IP for the .com site
Then wait the timeout it takes to fetch the update, and get it