LINUX.ORG.RU

Posts by rockitin


pfSense 2.2.1 hangs inside Proxmox 3.1.2

Forum — Security

Hello everyone!

System configuration:

Pfsense 2.2.1-RELEASE (i386)
built on Fri Mar 13 08:16:53 CDT 2015
FreeBSD 10.1-RELEASE-p6
Proxmox 3.2-1 1933730b

Two network interfaces: WAN and LAN; the ISP's DHCP server hands out an IP address bound to the MAC address of the WAN interface.

Network interface configuration in Proxmox (/etc/network/interfaces):

# network interface settings
auto lo
iface lo inet loopback

iface eth0 inet manual

iface eth1 inet manual

auto vmbr0
iface vmbr0 inet manual
    bridge_ports eth0
    bridge_stp off
    bridge_fd 0

auto vmbr1
iface vmbr1 inet static
    address  192.168.0.7
    netmask  255.255.255.0
    # gateway  192.168.0.1
    bridge_ports eth1
    bridge_stp off
    bridge_fd 0

Network interface configuration in pfSense (ifconfig -a):

em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=209b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC>
    ether 9e:32:a0:9c:7c:91
    inet6 fe80::9c32:a0ff:fe9c:7c91%em0 prefixlen 64 scopeid 0x1 
    inet 188.113.156.235 netmask 0xffffff00 broadcast 188.113.156.255 
    nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
    media: Ethernet autoselect (1000baseT <full-duplex>)
    status: active
em1: flags=88843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,STATICARP> metric 0 mtu 1500
    options=209b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC>
    ether 0e:0e:5f:44:9c:a1
    inet6 fe80::c0e:5fff:fe44:9ca1%em1 prefixlen 64 scopeid 0x2 
    inet 192.168.0.1 netmask 0xffffff00 broadcast 192.168.0.255 
    nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
    media: Ethernet autoselect (1000baseT <full-duplex>)
    status: active
pflog0: flags=100<PROMISC> metric 0 mtu 33172
pfsync0: flags=0<> metric 0 mtu 1500
    syncpeer: 224.0.0.240 maxupd: 128 defer: on
    syncok: 1
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
    options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
    inet 127.0.0.1 netmask 0xff000000 
    inet6 ::1 prefixlen 128 
    inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5 
    nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
enc0: flags=0<> metric 0 mtu 1536
    nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
pptpd0: flags=8890<POINTOPOINT,NOARP,SIMPLEX,MULTICAST> metric 0 mtu 1500
    nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
pptpd1: flags=8890<POINTOPOINT,NOARP,SIMPLEX,MULTICAST> metric 0 mtu 1500
    nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
pptpd2: flags=8890<POINTOPOINT,NOARP,SIMPLEX,MULTICAST> metric 0 mtu 1500
    nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
pptpd3: flags=8890<POINTOPOINT,NOARP,SIMPLEX,MULTICAST> metric 0 mtu 1500
    nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
pptpd4: flags=8890<POINTOPOINT,NOARP,SIMPLEX,MULTICAST> metric 0 mtu 1500
    nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
pptpd5: flags=8890<POINTOPOINT,NOARP,SIMPLEX,MULTICAST> metric 0 mtu 1500
    nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
pptpd6: flags=8890<POINTOPOINT,NOARP,SIMPLEX,MULTICAST> metric 0 mtu 1500
    nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
pptpd7: flags=8890<POINTOPOINT,NOARP,SIMPLEX,MULTICAST> metric 0 mtu 1500
    nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>

From time to time the internal (local) network interface drops out without any visible errors in the logs, while the external network interface keeps working as it should. I suspect the problem is in the firewall rules or in the network interface configuration; I set the latter up following this link: http://forum.proxmox.com/threads/2020-Proxmox-Pfsense-working-setup-solved-2-NIC.

Here are the firewall rules (pfctl -sr):

@0(0) scrub on em0 all fragment reassemble
  [ Evaluations: 21543761  Packets: 11208135  Bytes: 4133611838  States: 0     ]
  [ Inserted: pid 8272 State Creations: 3366888296]
@1(0) scrub on em1 all fragment reassemble
  [ Evaluations: 10347084  Packets: 10302007  Bytes: 5002554367  States: 0     ]
  [ Inserted: pid 8272 State Creations: 3368153344]
@0(0) anchor "relayd/*" all
  [ Evaluations: 164231    Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: pid 8272 State Creations: 3366449392]
@1(0) anchor "openvpn/*" all
  [ Evaluations: 164232    Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: pid 8272 State Creations: 3366449416]
@2(0) anchor "ipsec/*" all
  [ Evaluations: 164229    Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: pid 8272 State Creations: 3366449440]
@3(1000000101) block drop in log quick inet from 169.254.0.0/16 to any label "Block IPv4 link-local"
  [ Evaluations: 451398    Packets: 6         Bytes: 408         States: 0     ]
  [ Inserted: pid 8272 State Creations: 3366449464]
@4(1000000102) block drop in log quick inet from any to 169.254.0.0/16 label "Block IPv4 link-local"
  [ Evaluations: 243167    Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: pid 8272 State Creations: 3366449488]
@5(1000000103) block drop in log inet all label "Default deny rule IPv4"
  [ Evaluations: 243167    Packets: 534       Bytes: 90920       States: 0     ]
  [ Inserted: pid 8272 State Creations: 3366449512]
@6(1000000104) block drop out log inet all label "Default deny rule IPv4"
  [ Evaluations: 451221    Packets: 82        Bytes: 4200        States: 0     ]
  [ Inserted: pid 8272 State Creations: 3366449536]
@7(1000000105) block drop in log inet6 all label "Default deny rule IPv6"
  [ Evaluations: 451403    Packets: 179       Bytes: 12888       States: 0     ]
  [ Inserted: pid 8272 State Creations: 3366449560]
@8(1000000106) block drop out log inet6 all label "Default deny rule IPv6"
  [ Evaluations: 208194    Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: pid 8272 State Creations: 3366449584]
@9(1000000107) pass quick inet6 proto ipv6-icmp all icmp6-type unreach keep state
  [ Evaluations: 194       Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: pid 8272 State Creations: 3366449608]
@10(1000000107) pass quick inet6 proto ipv6-icmp all icmp6-type toobig keep state
  [ Evaluations: 194       Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: pid 8272 State Creations: 3366449632]
@11(1000000107) pass quick inet6 proto ipv6-icmp all icmp6-type neighbrsol keep state
  [ Evaluations: 194       Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: pid 8272 State Creations: 3366449656]
@12(1000000107) pass quick inet6 proto ipv6-icmp all icmp6-type neighbradv keep state
  [ Evaluations: 194       Packets: 3         Bytes: 216         States: 0     ]
  [ Inserted: pid 8272 State Creations: 3366449680]
@13(1000000108) pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type echorep keep state
  [ Evaluations: 179       Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: pid 8272 State Creations: 3366449704]
@14(1000000108) pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routersol keep state
  [ Evaluations: 120       Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: pid 8272 State Creations: 3366449728]
@15(1000000108) pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routeradv keep state
  [ Evaluations: 120       Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: pid 8272 State Creations: 3366449752]
@16(1000000108) pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type neighbrsol keep state
  [ Evaluations: 120       Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: pid 8272 State Creations: 3366449776]
@17(1000000108) pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type neighbradv keep state
  [ Evaluations: 120       Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: pid 8272 State Creations: 3366449800]
@18(1000000109) pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type echorep keep state
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: pid 8272 State Creations: 3362874040]
@19(1000000109) pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routersol keep state
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: pid 8272 State Creations: 3366449816]
@20(1000000109) pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routeradv keep state
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: pid 8272 State Creations: 3366449840]
@21(1000000109) pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type neighbrsol keep state
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: pid 8272 State Creations: 3366449864]
@22(1000000109) pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type neighbradv keep state
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: pid 8272 State Creations: 3366449888]
@23(1000000110) pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type echoreq keep state
  [ Evaluations: 179       Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: pid 8272 State Creations: 3366449912]
@24(1000000110) pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routersol keep state
  [ Evaluations: 120       Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: pid 8272 State Creations: 3366449936]
@25(1000000110) pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routeradv keep state
  [ Evaluations: 120       Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: pid 8272 State Creations: 3366449960]
@26(1000000110) pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type neighbrsol keep state
  [ Evaluations: 120       Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: pid 8272 State Creations: 3366449984]
@27(1000000110) pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type neighbradv keep state
  [ Evaluations: 120       Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: pid 8272 State Creations: 3366450008]
@28(1000000111) pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type echoreq keep state
  [ Evaluations: 179       Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: pid 8272 State Creations: 3366450032]
@29(1000000111) pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type routersol keep state
  [ Evaluations: 120       Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: pid 8272 State Creations: 3366450056]
@30(1000000111) pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type routeradv keep state
  [ Evaluations: 120       Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: pid 8272 State Creations: 3366450080]
@31(1000000111) pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type neighbrsol keep state
  [ Evaluations: 120       Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: pid 8272 State Creations: 3366450104]
@32(1000000111) pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type neighbradv keep state
  [ Evaluations: 120       Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: pid 8272 State Creations: 3366450128]
@33(1000000112) pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type echoreq keep state
  [ Evaluations: 179       Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: pid 8272 State Creations: 3366450152]
@34(1000000112) pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routersol keep state
  [ Evaluations: 120       Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: pid 8272 State Creations: 3366453248]
@35(1000000112) pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routeradv keep state
  [ Evaluations: 120       Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: pid 8272 State Creations: 3366453272]
@36(1000000112) pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type neighbrsol keep state
  [ Evaluations: 120       Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: pid 8272 State Creations: 3366453296]
@37(1000000112) pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type neighbradv keep state
  [ Evaluations: 120       Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: pid 8272 State Creations: 3366453320]
@38(1000000113) block drop log quick inet proto tcp from any port = 0 to any
  [ Evaluations: 451391    Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: pid 8272 State Creations: 3366453344]
@39(1000000113) block drop log quick inet proto udp from any port = 0 to any
  [ Evaluations: 374697    Packets: 1         Bytes: 131         States: 0     ]
  [ Inserted: pid 8272 State Creations: 3366453368]
@40(1000000114) block drop log quick inet proto tcp from any to any port = 0
  [ Evaluations: 451225    Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: pid 8272 State Creations: 3366453392]
@41(1000000114) block drop log quick inet proto udp from any to any port = 0
  [ Evaluations: 374583    Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: pid 8272 State Creations: 3366453416]
@42(1000000115) block drop log quick inet6 proto tcp from any port = 0 to any
  [ Evaluations: 451361    Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: pid 8272 State Creations: 3366453440]
@43(1000000115) block drop log quick inet6 proto udp from any port = 0 to any
  [ Evaluations: 287187    Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: pid 8272 State Creations: 3366453464]
@44(1000000116) block drop log quick inet6 proto tcp from any to any port = 0
  [ Evaluations: 179       Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: pid 8272 State Creations: 3366453488]
@45(1000000116) block drop log quick inet6 proto udp from any to any port = 0
  [ Evaluations: 179       Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: pid 8272 State Creations: 3366453512]
@46(1000000117) block drop log quick from <snort2c:0> to any label "Block snort2c hosts"
  [ Evaluations: 451381    Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: pid 8272 State Creations: 3366453536]
@47(1000000118) block drop log quick from any to <snort2c:0> label "Block snort2c hosts"
  [ Evaluations: 451403    Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: pid 8272 State Creations: 3366453560]
@48(1000000301) block drop in log quick proto tcp from <sshlockout:0> to (self:7) port = 8122 label "sshlockout"
  [ Evaluations: 451411    Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: pid 8272 State Creations: 3366453584]
@49(1000000351) block drop in log quick proto tcp from <webConfiguratorlockout:0> to (self:7) port = https label "webConfiguratorlockout"
  [ Evaluations: 104738    Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: pid 8272 State Creations: 3358028592]
@50(1000000400) block drop in log quick from <virusprot:0> to any label "virusprot overload table"
  [ Evaluations: 243819    Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: pid 8272 State Creations: 3358028616]
@51(1000001570) block drop in log on ! em0 inet from 188.113.156.0/24 to any
  [ Evaluations: 243350    Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: pid 8272 State Creations: 3366453608]
@52(1000001570) block drop in log inet from 188.113.156.235 to any
  [ Evaluations: 243350    Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: pid 8272 State Creations: 3366453632]
@53(1000001570) block drop in log on em0 inet6 from fe80::9c32:a0ff:fe9c:7c91 to any
  [ Evaluations: 243350    Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: pid 8272 State Creations: 3366453680]
@54(1000001591) pass in on em0 proto udp from any port = bootps to any port = bootpc keep state label "allow dhcp client out WAN"
  [ Evaluations: 12232     Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: pid 8272 State Creations: 3366453704]
@55(1000001592) pass out on em0 proto udp from any port = bootpc to any port = bootps keep state label "allow dhcp client out WAN"
  [ Evaluations: 216710    Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: pid 8272 State Creations: 3366453728]
@56(1000002620) block drop in log on ! em1 inet from 192.168.0.0/24 to any
  [ Evaluations: 451424    Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: pid 8272 State Creations: 3366453752]
@57(1000002620) block drop in log inet from 192.168.0.1 to any
  [ Evaluations: 376816    Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: pid 8272 State Creations: 3366453800]
@58(1000002620) block drop in log on em1 inet6 from fe80::c0e:5fff:fe44:9ca1 to any
  [ Evaluations: 375955    Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: pid 8272 State Creations: 3366453824]
@59(1000002641) pass in quick on em1 inet proto udp from any port = bootpc to 255.255.255.255 port = bootps keep state label "allow access to DHCP server"
  [ Evaluations: 228856    Packets: 488       Bytes: 160560      States: 3     ]
  [ Inserted: pid 8272 State Creations: 3358028544]
@60(1000002642) pass in quick on em1 inet proto udp from any port = bootpc to 192.168.0.1 port = bootps keep state label "allow access to DHCP server"
  [ Evaluations: 90        Packets: 188       Bytes: 65723       States: 0     ]
  [ Inserted: pid 8272 State Creations: 3358028568]
@61(1000002643) pass out quick on em1 inet proto udp from 192.168.0.1 port = bootps to any port = bootpc keep state label "allow access to DHCP server"
  [ Evaluations: 336192    Packets: 344       Bytes: 112866      States: 2     ]
  [ Inserted: pid 8272 State Creations: 3358023680]
@62(1000004761) pass in on lo0 inet all flags S/SA keep state label "pass IPv4 loopback"
  [ Evaluations: 450678    Packets: 29594     Bytes: 12089497    States: 12    ]
  [ Inserted: pid 8272 State Creations: 3352470504]
@63(1000004762) pass out on lo0 inet all flags S/SA keep state label "pass IPv4 loopback"
  [ Evaluations: 4528      Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: pid 8272 State Creations: 3352470480]
@64(1000004763) pass in on lo0 inet6 all flags S/SA keep state label "pass IPv6 loopback"
  [ Evaluations: 4528      Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: pid 8272 State Creations: 3352470456]
@65(1000004764) pass out on lo0 inet6 all flags S/SA keep state label "pass IPv6 loopback"
  [ Evaluations: 2264      Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: pid 8272 State Creations: 3352470432]
@66(1000004765) pass out inet all flags S/SA keep state allow-opts label "let out anything IPv4 from firewall host itself"
  [ Evaluations: 450689    Packets: 109305    Bytes: 40329647    States: 24    ]
  [ Inserted: pid 8272 State Creations: 3352470408]
@67(1000004766) pass out inet6 all flags S/SA keep state allow-opts label "let out anything IPv6 from firewall host itself"
  [ Evaluations: 207735    Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: pid 8272 State Creations: 3352470384]
@68(1000004861) pass out route-to (em0 188.113.156.1) inet from 188.113.156.235 to ! 188.113.156.0/24 flags S/SA keep state allow-opts label "let out anything from firewall host itself"
  [ Evaluations: 207757    Packets: 11832834  Bytes: 8639875635  States: 755   ]
  [ Inserted: pid 8272 State Creations: 3352470360]
@69(1000005171) pass in quick on em1 proto tcp from any to (em1:2) port = https flags S/SA keep state label "anti-lockout rule"
  [ Evaluations: 450687    Packets: 44846     Bytes: 16446027    States: 0     ]
  [ Inserted: pid 8272 State Creations: 3352470336]
@70(1000005171) pass in quick on em1 proto tcp from any to (em1:2) port = http flags S/SA keep state label "anti-lockout rule"
  [ Evaluations: 287654    Packets: 3307      Bytes: 1929023     States: 1     ]
  [ Inserted: pid 8272 State Creations: 3352470312]
@71(1000005171) pass in quick on em1 proto tcp from any to (em1:2) port = 8122 flags S/SA keep state label "anti-lockout rule"
  [ Evaluations: 287647    Packets: 4835      Bytes: 2271299     States: 1     ]
  [ Inserted: pid 8272 State Creations: 3352470288]
@72(1000005181) pass in on em0 inet proto tcp from any to 188.113.156.235 port = pptp flags S/SA modulate state label "allow pptpd 188.113.156.235"
  [ Evaluations: 318817    Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: pid 8272 State Creations: 3364127584]
@73(1000005182) pass in on em0 proto gre all keep state label "allow gre pptpd"
  [ Evaluations: 140971    Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: pid 8272 State Creations: 3366888152]
@74(0) anchor "userrules/*" all
  [ Evaluations: 163451    Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: pid 8272 State Creations: 3366887736]
@75(1430369056) pass on em0 inet proto tcp from any to any port = 8006 flags S/SA keep state label "USER_RULE"
  [ Evaluations: 451775    Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: pid 8272 State Creations: 3358266272]
@76(1430369056) pass on em1 inet proto tcp from any to any port = 8006 flags S/SA keep state label "USER_RULE"
  [ Evaluations: 371657    Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: pid 8272 State Creations: 3366887592]
@77(0) pass in quick on openvpn all flags S/SA keep state label "USER_RULE: OpenVPN pfsense_openVPN_server wizard"
  [ Evaluations: 163466    Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: pid 8272 State Creations: 3366884280]
@78(1430891835) pass in quick on pptp inet all flags S/SA keep state label "USER_RULE"
  [ Evaluations: 451818    Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: pid 8272 State Creations: 3366884304]
@79(1427951034) pass in quick on em0 reply-to (em0 188.113.156.1) inet all flags S/SA keep state label "USER_RULE"
  [ Evaluations: 451803    Packets: 66462     Bytes: 23026288    States: 89    ]
  [ Inserted: pid 8272 State Creations: 3366884328]
@80(1431672987) pass in quick on em0 reply-to (em0 188.113.156.1) inet from 89.188.243.66 to 188.113.156.235 flags S/SA keep state label "USER_RULE: Easy Rule: Passed from Firewall Log View"
  [ Evaluations: 46        Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: pid 8272 State Creations: 3366887424]
@81(0) pass in quick on em0 reply-to (em0 188.113.156.1) inet proto udp from any to 188.113.156.235 port = 8123 keep state label "USER_RULE: OpenVPN pfsense_openVPN_server wizard"
  [ Evaluations: 30        Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: pid 8272 State Creations: 3366887448]
@82(1427954019) pass in quick on em1 inet proto tcp from <Yes:30> to 188.113.156.0/24 flags S/SA keep state label "USER_RULE: Group3 - speed unlimited"
  [ Evaluations: 235259    Packets: 7625      Bytes: 1935773     States: 0     ]
  [ Inserted: pid 8272 State Creations: 3366887472]
@83(1427954019) pass in quick on em1 inet proto udp from <Yes:30> to 188.113.156.0/24 keep state label "USER_RULE: Group3 - speed unlimited"
  [ Evaluations: 196737    Packets: 7625      Bytes: 1934341     States: 0     ]
  [ Inserted: pid 8272 State Creations: 3366887520]
@84(1429490599) block drop in quick on em1 inet from <NO:38> to 192.168.0.1 label "USER_RULE: Group2 - speed 0mb"
  [ Evaluations: 227162    Packets: 37871     Bytes: 2566598     States: 0     ]
  [ Inserted: pid 8272 State Creations: 3366887544]
@85(1429661390) pass in quick on em1 inet from <NO:38> to any flags S/SA keep state label "USER_RULE" dnpipe(4, 3)
  [ Evaluations: 9383      Packets: 40        Bytes: 3043        States: 18    ]
  [ Inserted: pid 8272 State Creations: 3366887616]
@86(1429844695) pass in quick on em1 inet from <1MB:34> to ! (self:3) flags S/SA keep state label "USER_RULE: 1 mb" dnpipe(1, 2)
  [ Evaluations: 179908    Packets: 3049301   Bytes: 2535177197  States: 389   ]
  [ Inserted: pid 8272 State Creations: 3366887640]
@87(1434495594) pass in quick on em1 inet proto tcp from <1MB:34> to ! (self:3) flags S/SA keep state label "USER_RULE: 1mb" dnpipe(1, 2)
  [ Evaluations: 45        Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: pid 8272 State Creations: 3366887664]
@88(1434495594) pass in quick on em1 inet proto udp from <1MB:34> to ! (self:3) keep state label "USER_RULE: 1mb" dnpipe(1, 2)
  [ Evaluations: 45        Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: pid 8272 State Creations: 3366887688]
@89(1429845913) pass in quick on em1 inet all flags S/SA keep state label "USER_RULE"
  [ Evaluations: 140445    Packets: 7383347   Bytes: 5935825548  States: 499   ]
  [ Inserted: pid 8272 State Creations: 3366887712]
@90(100000101) pass in quick on em1 inet from 192.168.0.0/24 to any flags S/SA keep state label "USER_RULE: Default allow LAN to any rule"
  [ Evaluations: 488       Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: pid 8272 State Creations: 3366887760]
@91(0) anchor "tftp-proxy/*" all
  [ Evaluations: 76302     Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: pid 8272 State Creations: 3366887784]
@92(0) anchor "miniupnpd" all
  [ Evaluations: 76307     Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: pid 8272 State Creations: 3366887808]
@93(0) pass in quick on em1 proto tcp from any to ! (em1:2) port = http flags S/SA keep state
  [ Evaluations: 76303     Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: pid 8272 State Creations: 3366887832]
@94(0) pass in quick on em1 proto tcp from any to ! (em1:2) port = 3128 flags S/SA keep state
  [ Evaluations: 98        Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: pid 8272 State Creations: 3366887856]
@95(0) pass in quick on pptp inet proto tcp from any to ! 127.0.0.1 port = 3128 flags S/SA keep state
  [ Evaluations: 75399     Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: pid 8272 State Creations: 3366887880]

And the NAT rules:

@0(0) no nat proto carp all
  [ Evaluations: 75638     Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: pid 8272 State Creations: 3368153368]
@1(0) nat-anchor "natearly/*" all
  [ Evaluations: 75642     Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: pid 8272 State Creations: 3368153416]
@2(0) nat-anchor "natrules/*" all
  [ Evaluations: 75651     Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: pid 8272 State Creations: 3363353528]
@3(0) nat on em0 inet from <tonatsubnets:7> to any port = isakmp -> 188.113.156.235 static-port
  [ Evaluations: 75644     Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: pid 8272 State Creations: 3363353552]
@4(0) nat on em0 inet from <tonatsubnets:7> to any -> 188.113.156.235 port 1024:65535
  [ Evaluations: 28544     Packets: 905784    Bytes: 589093960   States: 479   ]
  [ Inserted: pid 8272 State Creations: 3363353576]
@0(0) no rdr proto carp all
  [ Evaluations: 88978     Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: pid 8272 State Creations: 3363397632]
@1(0) rdr-anchor "relayd/*" all
  [ Evaluations: 88978     Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: pid 8272 State Creations: 3363397656]
@2(0) rdr-anchor "tftp-proxy/*" all
  [ Evaluations: 88978     Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: pid 8272 State Creations: 3366449272]
@3(0) rdr on em0 inet proto tcp from any to 188.113.156.235 port = 8006 -> 192.168.0.7
  [ Evaluations: 88978     Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: pid 8272 State Creations: 3366449296]
@4(0) rdr on em1 inet proto tcp from any to ! (em1:1) port = http -> 127.0.0.1 port 3128
  [ Evaluations: 84111     Packets: 2954780   Bytes: 2644077049  States: 237   ]
  [ Inserted: pid 8272 State Creations: 3366449320]
@5(0) rdr on pptp inet proto tcp from any to ! 127.0.0.1 port = http -> 127.0.0.1 port 3128
  [ Evaluations: 3792      Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: pid 8272 State Creations: 3366449344]
@6(0) rdr-anchor "miniupnpd" all
  [ Evaluations: 70325     Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: pid 8272 State Creations: 3366449368]

What could the problem be? I urgently need at least some sensible advice on where to dig, because the problem has been going on for a long time and diagnostics and dancing with a tambourine no longer help: after a reboot the server may keep misbehaving, or it may start working as it should. :)


rockitin
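As an added diagnostic aid, not from the original post: a Python parser for the verbose pfctl -sr counter format shown above. It lists the block rules whose packet counter is non-zero, optionally restricted to the rules that can apply on one interface (here em1), so the dump itself tells you which rules are discarding LAN traffic. The sample input is four rules copied from the dump.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: four rules copied from the pfctl -sr dump in the post.
SAMPLE_DUMP = """\
@5(1000000103) block drop in log inet all label "Default deny rule IPv4"
  [ Evaluations: 243167    Packets: 534       Bytes: 90920       States: 0     ]
  [ Inserted: pid 8272 State Creations: 3366449512]
@56(1000002620) block drop in log on ! em1 inet from 192.168.0.0/24 to any
  [ Evaluations: 451424    Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: pid 8272 State Creations: 3366453752]
@84(1429490599) block drop in quick on em1 inet from <NO:38> to 192.168.0.1 label "USER_RULE: Group2 - speed 0mb"
  [ Evaluations: 227162    Packets: 37871     Bytes: 2566598     States: 0     ]
  [ Inserted: pid 8272 State Creations: 3366887544]
@89(1429845913) pass in quick on em1 inet all flags S/SA keep state label "USER_RULE"
  [ Evaluations: 140445    Packets: 7383347   Bytes: 5935825548  States: 499   ]
  [ Inserted: pid 8272 State Creations: 3366887712]
"""

RULE_RE = re.compile(r"^@(\d+)\(\d+\)\s+(.*)$")  # "@84(1429490599) block drop ..."
COUNTER_RE = re.compile(r"Evaluations:\s+(\d+)\s+Packets:\s+(\d+)\s+Bytes:\s+(\d+)\s+States:\s+(\d+)")
IFACE_RE = re.compile(r"\bon\s+(!\s*)?(\w+)")  # "on em1" or "on ! em1"
LABEL_RE = re.compile(r'label "([^"]*)"')


@dataclass
class Rule:
    index: int
    text: str
    action: str            # block, pass, scrub, anchor, ...
    iface: Optional[str]   # None when the rule applies on every interface
    negated_iface: bool    # True for "on ! em1"
    label: str
    evaluations: int = 0
    packets: int = 0
    byte_count: int = 0
    states: int = 0


def parse_pfctl_rules(dump: str) -> List[Rule]:
    """Parse verbose pfctl output: each rule line is followed by its counter lines."""
    rules: List[Rule] = []
    current: Optional[Rule] = None
    for line in dump.splitlines():
        m = RULE_RE.match(line)
        if m:
            text = m.group(2)
            lm = LABEL_RE.search(text)
            head = text[: lm.start()] if lm else text  # look for "on <if>" outside the label only
            im = IFACE_RE.search(head)
            current = Rule(
                index=int(m.group(1)),
                text=text,
                action=text.split()[0],
                iface=im.group(2) if im else None,
                negated_iface=bool(im and im.group(1)),
                label=lm.group(1) if lm else "",
            )
            rules.append(current)
            continue
        cm = COUNTER_RE.search(line)
        if cm and current is not None:
            current.evaluations, current.packets, current.byte_count, current.states = (
                int(v) for v in cm.groups()
            )
    return rules


def applies_to(rule: Rule, iface: str) -> bool:
    """True if the rule can match traffic on `iface` ("on ! em1" means every interface but em1)."""
    if rule.iface is None:
        return True
    return rule.iface != iface if rule.negated_iface else rule.iface == iface


def dropping_rules(rules: List[Rule], iface: Optional[str] = None) -> List[Rule]:
    """Block rules that actually discarded packets, most packets first."""
    hits = [r for r in rules
            if r.action == "block" and r.packets > 0 and (iface is None or applies_to(r, iface))]
    return sorted(hits, key=lambda r: r.packets, reverse=True)


def report(rules: List[Rule], iface: Optional[str] = None) -> List[str]:
    return [f"@{r.index} packets={r.packets} bytes={r.byte_count} {r.text}"
            for r in dropping_rules(rules, iface)]


if __name__ == "__main__":
    import sys
    dump = SAMPLE_DUMP if sys.stdin.isatty() else sys.stdin.read()  # pfctl -vsr | python3 this.py
    print("\n".join(report(parse_pfctl_rules(dump), iface="em1")))
```

On the four sample rules the report puts rule @84 (block from <NO:38> to 192.168.0.1, 37871 packets) far ahead of the IPv4 default deny (534 packets); a block rule that is matching heavily on em1 is worth checking before suspecting the interface itself.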

Fedora 21 rsyslogd: activation of module imuxsock failed

Forum — Security

Hello, friends! =)

I was setting up an rsyslog server on my local machine to receive logs from pfSense and ran into a problem: rsyslog conflicts with systemd; it cannot bind to the socket at /dev/log.

Fragment of rsyslog.conf:

# rsyslog configuration file

# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
# If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html

#### MODULES ####

$ModLoad imuxsock # provides support for local system logging (logger command)
# $ModLoad immark
$ModLoad imtcp
$ModLoad imklog

$InputTCPServerRun 1528

Port 1528 is open in iptables and registered in SELinux via semanage. On startup it prints the following (/var/log/messages):

Jun 19 11:08:19 localhost rsyslogd: [origin software="rsyslogd" swVersion="7.4.10" x-pid="5674" x-info="http://www.rsyslog.com"] exiting on signal 15.
Jun 19 11:08:19 localhost rsyslogd: [origin software="rsyslogd" swVersion="7.4.10" x-pid="5710" x-info="http://www.rsyslog.com"] start
Jun 19 11:08:19 localhost rsyslogd: cannot create '/dev/log': Address already in use
Jun 19 11:08:19 localhost rsyslogd: imuxsock does not run because we could not aquire any socket 
Jun 19 11:08:19 localhost rsyslogd-3000: activation of module imuxsock failed

Probing /dev/log, ll /dev/log shows:

lrwxrwxrwx. 1 root root 28 Jun 19  2015 /dev/log -> /run/systemd/journal/dev-log

where /run/systemd/journal/dev-log is held by the following processes (lsof /run/systemd/journal/dev-log):

lsof: WARNING: can't stat() fuse.gvfsd-fuse file system /run/user/1000/gvfs Output information may be incomplete.

COMMAND   PID USER   FD   TYPE             DEVICE SIZE/OFF NODE NAME
systemd     1 root   34u  unix 0xffff88003685dc00      0t0 2268 /run/systemd/journal/dev-log
systemd-j 493 root    5u  unix 0xffff88003685dc00      0t0 2268 /run/systemd/journal/dev-log

Has anyone run into this, and how do you cure it? I've dug through Google and found nothing useful.

System:

LSB Version:	:core-4.1-amd64:core-4.1-noarch:cxx-4.1-amd64:cxx-4.1-noarch:desktop-4.1-amd64:desktop-4.1-noarch:languages-4.1-amd64:languages-4.1-noarch:printing-4.1-amd64:printing-4.1-noarch
Distributor ID:	Fedora
Description:	Fedora release 21 (Twenty One)
Release:	21
Codename:	TwentyOne

Linux localhost.localdomain 4.0.4-202.fc21.x86_64 #1 SMP Wed May 27 22:28:42 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux


rockitin
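An added note, not part of the original post: on Fedora 21 the /dev/log socket is owned by systemd-journald (the symlink and lsof output above show exactly that), so imuxsock must not try to create it. The stock Fedora rsyslog.conf avoids the clash with $OmitLocalLogging on and reads local messages from the journal through imjournal; the fragment below shows the post's conflicting module block beside the corrected one, keeping the TCP listener on 1528 for pfSense. The pfSense source address 192.168.0.1 in the last rule is an assumption for this example.

```conf
#### MODULES ####

# Conflicting (as in the post): imuxsock tries to bind /dev/log, which
# systemd-journald already holds, so "activation of module imuxsock failed".
# $ModLoad imuxsock
# $ModLoad imtcp
# $ModLoad imklog
# $InputTCPServerRun 1528

# Corrected: keep imuxsock loaded but tell it not to create /dev/log;
# local system messages are read from the journal by imjournal instead.
$ModLoad imuxsock
$OmitLocalLogging on                 # do not bind /dev/log, journald owns it
$ModLoad imjournal                   # local messages come from the systemd journal
$IMJournalStateFile imjournal.state  # remember the journal position across restarts
# $ModLoad imklog                    # not needed: kernel messages arrive via the journal too

$ModLoad imtcp                       # remote logs from pfSense over TCP
$InputTCPServerRun 1528

# Optional: keep the pfSense messages in their own file (192.168.0.1 is assumed
# to be the address pfSense sends from, i.e. its LAN side).
:fromhost-ip, isequal, "192.168.0.1" /var/log/pfsense.log
& stop
```

Validate the file with rsyslogd -N1 before restarting the service; the TCP port still needs the iptables and SELinux entries the post already describes.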
