Traffic blocked after autoupdate
Posted: 16 Jun 2015, 04:15
I have a CentOS 6.6 server, running OpenVZ with two nodes. The nodes are typical web servers, and my intention is to have inbound and outbound HTTP, HTTPS, and SSH open. To make this work, I've created a file under /etc/csf/csfpre.sh:

iptables -A INPUT -i venet0 -j ACCEPT
iptables -A OUTPUT -o venet0 -j ACCEPT
iptables -A FORWARD -j ACCEPT -p all -s 0/0 -i venet0
iptables -A FORWARD -j ACCEPT -p all -s 0/0 -o venet0

All was going fine, until last night when all traffic to my nodes got blocked.

[root@myserver ~]# grep csf /var/log/lfd.log-* /var/log/lfd.log | grep -v "Failed SSH"
/var/log/lfd.log-20150614:Jun 8 00:00:02 myserver lfd[836493]: daemon started on myserver.example - csf v7.69 (generic)
/var/log/lfd.log-20150614:Jun 9 00:00:01 myserver lfd[837822]: daemon started on myserver.example - csf v7.69 (generic)
/var/log/lfd.log-20150614:Jun 10 00:00:02 myserver lfd[885092]: daemon started on myserver.example - csf v7.69 (generic)
/var/log/lfd.log-20150614:Jun 11 00:00:01 myserver lfd[857691]: daemon started on myserver.example - csf v7.69 (generic)
/var/log/lfd.log-20150614:Jun 12 00:00:02 myserver lfd[811224]: daemon started on myserver.example - csf v7.69 (generic)
/var/log/lfd.log-20150614:Jun 13 00:00:01 myserver lfd[840898]: daemon started on myserver.example - csf v7.69 (generic)
/var/log/lfd.log-20150614:Jun 14 00:00:02 myserver lfd[896332]: daemon started on myserver.example - csf v7.69 (generic)
/var/log/lfd.log:Jun 15 00:00:01 myserver lfd[912876]: daemon started on myserver.example - csf v7.69 (generic)
/var/log/lfd.log:Jun 15 02:07:07 myserver lfd[999150]: daemon started on myserver.example - csf v7.70 (generic)
/var/log/lfd.log:Jun 15 09:12:12 myserver lfd[999150]: iptables appears to have been flushed - running *csf startup*...
/var/log/lfd.log:Jun 15 09:12:13 myserver lfd[999150]: csf startup completed

So you can see it's doing its thing all week, then at 2:07:07 today runs an update, and at the same time my sites become unavailable. I wake up to a slew of e-mails, run service iptables stop at 09:12:12, and then things are back up.

This particular update doesn't seem to have made any changes of consequence, and I'm crossing my fingers that it doesn't happen again tonight, but there seems to be something wrong with either my config or with how the update process works. Not knowing the internals of CSF, I'm wondering if maybe on update, my csfpre.sh is not taken into account. (csfpre.sh was not deleted or modified by the update, though.)
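One way to catch this failure mode before users do, as an added example that is not part of the original post or of csf itself: a small POSIX sh check that compares the live ruleset against the rules the csfpre.sh above should produce, suitable for running from cron after a csf restart. It assumes `iptables -S` prints one rule per line and omits the default `-s 0.0.0.0/0` and `-p all` that the original commands pass; the sample rulesets inside are constructed.

```shell
#!/bin/sh
# Added example: verify that the ACCEPT rules csfpre.sh is expected to
# install are present in the running ruleset, so a csf restart (for
# example after an autoupdate) that loses them is noticed early.
# Assumption: `iptables -S` lists each rule once and drops the default
# `-s 0.0.0.0/0` / `-p all` arguments, so the four commands in the post
# appear in the form listed below.

# Rules the csfpre.sh from the post should yield, in `iptables -S` form.
EXPECTED_RULES='-A INPUT -i venet0 -j ACCEPT
-A OUTPUT -o venet0 -j ACCEPT
-A FORWARD -i venet0 -j ACCEPT
-A FORWARD -o venet0 -j ACCEPT'

# check_rules RULESET: RULESET is the text of `iptables -S`. Prints each
# expected rule that is absent; returns 0 if none are missing, 1 otherwise.
check_rules() {
    missing=$(printf '%s\n' "$EXPECTED_RULES" | while IFS= read -r rule; do
        printf '%s\n' "$1" | grep -qxF -- "$rule" || printf 'MISSING: %s\n' "$rule"
    done)
    if [ -n "$missing" ]; then
        printf '%s\n' "$missing"
        return 1
    fi
    return 0
}

# Constructed sample: ruleset as it should look once csfpre.sh has run
# (only the venet0 lines matter to the check; other chains abbreviated).
HEALTHY='-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
-A INPUT -i venet0 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A FORWARD -i venet0 -j ACCEPT
-A FORWARD -o venet0 -j ACCEPT
-A OUTPUT -o venet0 -j ACCEPT'

# Constructed sample of the suspected state after the update: the DROP
# policies are in place but the csfpre.sh rules never made it in.
FLUSHED='-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
-A INPUT -i lo -j ACCEPT'

# Live check (needs root and iptables). Only runs when invoked with --live,
# so the file can also be sourced and exercised against the samples above.
if [ "${1:-}" = "--live" ]; then
    check_rules "$(iptables -S)" && echo "csfpre.sh rules present"
fi
```

From cron, `sh check-csfpre.sh --live || mail -s 'csfpre rules missing' root` (assumed file name) gives an alert instead of a morning full of bounced traffic.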