Daniel Luiz da Silva wrote:
Nick Howitt wrote:
I've edited your posts to put the data between code tags as I asked (for a reason - it makes the listings easier to read)
The only thing that really stands out the the Netify rules seem to load over and over again and this must be wrong. Hopefully Dave will see this and post back.
Please can you post the contents of /etc/clearos/firewall.d/10-netify-fwa?
I don't have this archive
[root@gateway firewall.d]# ls
10-netify-fwa 10-ntp 90-attack-detector custom local types
[root@gateway firewall.d]#
Sorry here is
#!/bin/bash
# Netify FWA Application Filter Scriptlet
NFA_ACTION=DROP
NFA_CHAIN=FORWARD
NFA_EXEC="/usr/clearos/sandbox/usr/bin/php -q /usr/share/netify-fwa/netify-fwa.php"
NFA_PID_FILE=/run/netify-fwa/netify-fwa.pid
NFA_RELOAD_LOCK=/run/netify-fwa/netify-fwa.reload
NFA_RELOAD_TIMEOUT=5
NFA_CONF_FILE=/etc/netify-fwa.conf
NFA_SED_FILE=/usr/clearos/apps/netify_fwa/deploy/netify-fwa.sed
NFA_MARK_BASE=$($NFA_EXEC -m | grep NFA_MARK_BASE | sed -e 's/.*NFA_MARK_BASE.*=[[:space:]]*//g')
NFA_BASE_MASK=$($NFA_EXEC -m | grep NFA_BASE_MASK | sed -e 's/.*NFA_BASE_MASK.*=[[:space:]]*//g')
if [ ! -f $NFA_CONF_FILE ]; then
fw_logger warning "Netify FWA config not found, not creating hook rules."
elif [ ! -f $NFA_PID_FILE ]; then
fw_logger warning "Netify FWA is not running, not creating hook rules."
elif [ ! -d "/proc/$(cat $NFA_PID_FILE)" ]; then
fw_logger warning "Netify FWA is not running, not creating hook rules."
else
touch $NFA_RELOAD_LOCK
kill -USR1 $(cat $NFA_PID_FILE)
while [ $NFA_RELOAD_TIMEOUT -gt 0 ]; do
[ -f $NFA_RELOAD_LOCK ] || break
sleep 1
NFA_RELOAD_TIMEOUT=$[ $NFA_RELOAD_TIMEOUT - 1 ]
done
if [ -f $NFA_RELOAD_LOCK ]; then
fw_logger warning "Netify FWA took too long to reload."
else
egrep '^rule\[.*,(1|true)$' $NFA_CONF_FILE | sed -f $NFA_SED_FILE | sort | uniq |\
while read NFA_TABLE NFA_MARK_CHAIN NFA_ID; do
if ! $IPTABLES -t $NFA_TABLE -L ${NFA_MARK_CHAIN}_INGRESS 2>/dev/null; then
$IPTABLES -t $NFA_TABLE -N ${NFA_MARK_CHAIN}_INGRESS
fi
if ! $IPTABLES -t $NFA_TABLE -L ${NFA_MARK_CHAIN}_EGRESS 2>/dev/null; then
$IPTABLES -t $NFA_TABLE -N ${NFA_MARK_CHAIN}_EGRESS
fi
if ! $IPTABLES -t $NFA_TABLE -C $NFA_CHAIN -j ${NFA_MARK_CHAIN}_INGRESS 2>/dev/null; then
$IPTABLES -t $NFA_TABLE -A $NFA_CHAIN -j ${NFA_MARK_CHAIN}_INGRESS
fi
if ! $IPTABLES -t $NFA_TABLE -C $NFA_CHAIN -j ${NFA_MARK_CHAIN}_EGRESS 2>/dev/null; then
$IPTABLES -t $NFA_TABLE -A $NFA_CHAIN -j ${NFA_MARK_CHAIN}_EGRESS
fi
done
egrep '^rule\[.*,(1|true)$' $NFA_CONF_FILE | sed -f $NFA_SED_FILE | sort | uniq |\
while read NFA_TABLE NFA_MARK_CHAIN NFA_ID; do
if ! $IPTABLES -t $NFA_TABLE -C $NFA_CHAIN -m mark --mark $NFA_MARK_BASE/$NFA_BASE_MASK -j $NFA_ACTION 2>/dev/null; then
$IPTABLES -t $NFA_TABLE -A $NFA_CHAIN -m mark --mark $NFA_MARK_BASE/$NFA_BASE_MASK -j $NFA_ACTION
fi
done
fi
fi