February 9, 2010 at 4:11 pm #42202
(Edited title to reflect update)
Been a while since my last post. In a bit of a pickle here…
We have now added over 60 virtual servers in the virtual server forwarders in one of our ZS firewalls. It seems there is a limit to the number of VS’s that list out on this page – so you can only remove up to 60 VS that show on the page. After you add your 60th VS, any server that you add – you can’t delete – because it doesn’t show up. However, if you go to ‘view’ virtual server config – you can see that the server you added is in there. You just can’t remove it.
Is there any safe way I can either make this list say 100 – or manually go in and delete this VS?
J

February 9, 2010 at 5:04 pm #49614
Just thought I would go through and remove any Virtual Servers from the list in the hope that some others would then appear as I deleted them.
They didn’t 🙁
So I now have a list of 50 showing in the ‘list virtual servers’ page – but I have more that I have added to the configuration – just they are not showing up. There are some duplicates in there as well – as in the past I have added servers – not seen them appear in the list – and added them again!
All the time, Virtual Servers were being added, just not displayed.
How can I clean this up!?
J

February 10, 2010 at 9:47 am #49615
You could clean them from the shell command line.
First run a
iptables -t nat -L PREROUTING -v -n --line-numbers
find the line you want to delete and then write
iptables -t nat -D PREROUTING #
where # is the line number.

February 10, 2010 at 5:00 pm #49616
If you SSH into the box, access the shell, then:
grep . */*
These two commands will show you all the rules that are established. You can delete the directory manually here, and that will remove it from the interface. Then you can follow ppalias’ recommendation to actually disable the rule, or just restart the box.
I don’t see anything obvious that would limit the number of displayed virtual servers. While you are cd’d to the directory above, if you’ll give me the output of
ls | sort
and of the grep then I can do some debugging for you.

February 10, 2010 at 6:39 pm #49617
@ zevlag – thanks for this! I was a bit desperate to fix this so I deleted the offending line from PREROUTING in iptables as ppalias (thanks also!) suggested.
Not sure if doing this will retain settings after rebooting the FW.
Actually – now I’m starting to worry that – as these lines do not show in the list of Virtual Servers, but only in the iptables – will they still exist after a box reboot?
Doing an ‘ls’ in that directory gives me:
root@zeroshell PAT> ls
03 09 14 19 33 41 44 59 62 69 73 81 84 87 90 93 97
04 100 15 22 38 42 55 60 63 70 74 82 85 88 91 94 98
07 13 16 23 39 43 58 61 64 71 75 83 86 89 92 96 99
The 100 directory seems to be the latest rule that I added.
Now here is what is interesting. When I add another rule via the virtual server page – this directory is 03, and what was on 03 seems to get deleted.
So what I am saying is that I have folders missing from this PAT folder seemingly being deleted by ZS as I have been adding new Virtual Servers. There are 51 PAT VS folders – but there are 74 NAT rules showing in PREROUTING.
If I reboot this box, will I end up with only 51 NAT rules?
Am I sitting on a timebomb?
This is seriously scary stuff…
J

February 10, 2010 at 9:34 pm #49618
If you remove it from /Database/…. most likely it won’t exist in next boot. Anyway you can always add a preboot script to change the way ZS boots or a post boot to make some changes after ZS is booted.

February 10, 2010 at 10:05 pm #49619
Well that’s the point – I’m not removing these virtual server rules from /Database – ZeroShell is removing them for me as I add new rules!
I need to do more testing on this – but I seriously can’t have a firewall that appears to ‘randomly’ remove rules as I add new ones.
That’s just crazy…
J

February 10, 2010 at 10:54 pm #49620
OK I have done more testing – and YIKES – all my fears have been confirmed. More than 100 virtual server and you are in trouble.
1) THE SETUP:
Clean Zeroshell box – 1.0 beta 11
2) Type in 100 Virtual Servers (took a while…)
I add 100 virtual servers to the box. These go in fine. 100 folders showing in /Database.
3) However – after you add in VS 101, this rule does NOT show up in the list of virtual server entries.
4) However, entries after 100 that you add DO get added to iptables rules – so you THINK it’s all going to be fine
5) However on the next reboot – UH-OH – all the rules that are not listed, Gone. Wiped!
6) Now, if you delete 5 of the 100 rules – and then you add one more – this is OK – this rule now shows up.
7) The next thing is a bit more confusing. If you then add an additional rule, this rule now over writes that rule you just put in.
8) Just like before – it all works, so you think you are OK. But after the next reboot – that last rule – it won’t be there.
So basically – in short after you add your 100th VS – horrible things happen to your ZS box.
J

February 11, 2010 at 10:17 am #49621
To get me out of a hole on this one – can anyone help me with some grep scripting (or whatever) which might be able to help me compare rules saved in the Virtual Server database, with those running in iptables. Basically, to show me the missing DB rules.
Then I could add the currently non-persistent rules to the NAT startup script.
Jeff

February 11, 2010 at 5:23 pm #49622
I’d be glad to give it an attempt for you. Just email me the output of:
grep . */*
or just send me that directory tar-balled, or a backup of the config downloaded from the interface. (Setup->Profiles->[put a tick in the radio button for the proper _DB]->Backup Without Logs) – Actually, a backup of the config would be simplest, but whatever works for you.
iptables -t nat -L -v
Also, just for the heck of it, I’ll look into the UI scripts and see what might be the cause of that.
josh – a – t – zevlag.com

February 12, 2010 at 6:51 pm #49623
Ok, I have a fix and a solution.
First the fix, I’ve created fix-vserver-rules-more-than-100-b11.0.1.patch, all it does is add ‘sort -n’ to the script that lists, and adds vserver rules. Works on beta11, probably will apply and work on beta12.
Now the solution for Jeff: This script does the grep, and the iptables, parses them, then shows the difference.
Lines beginning with < aren't in iptables.
Lines beginning with > aren’t in the UI.
No warranty on this, but it should work. Please check the results before trusting, as I don’t have near as complete a vserver list as you do.

February 16, 2010 at 6:24 pm #49624
Jeff, did this work?

February 16, 2010 at 10:38 pm #49625
I was just wondering about this today! I didn’t get an email notification from the forum so just assumed you were a bit busy!
I’m working away from the office until Friday – I will get on to this then and let you know OK?
Thanks again for your help on this!
Jeff

May 23, 2010 at 2:44 pm #49626
Can U believe it – it’s taken me all this time to getting round to patching this ZS box!?!
I came back to this thread today and downloaded the patch file you created (thanks again!).
However – now I’m sort of stuck as you didn’t tell me how to actually patch the box.
I have tried uploading the .patch file you created to /Database and running:
patch -p0 < /Database/[nameofpatchfile].patch but it just errors out.
I’ve also had a go at manually editing the scripts – which does work – however when you reboot the box, the issue returns.
Any help – much appreciated.
J

May 25, 2010 at 7:00 am #49627
What is the error output of the patch? Most likely you should apply it on a specific directory. Also adding it in PRE-BOOT scripts will fix the “not working after reboot” issue.
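Editor's added example (not code from the thread, and not zevlag's patch or script, neither of which is reproduced above). It reproduces on constructed data the two things the thread turns on: why a plain `sort` misorders rule ids once one of them reaches three digits (the `sort -n` change zevlag's patch makes), and a database-versus-iptables comparison in the `<`/`>` form zevlag described for Jeff on February 12. The PAT directory names are taken from Jeff's `ls` output above; the per-rule file names `Protocol`, `Port` and `Target`, the `grep . */*` output format and the iptables listing are assumptions made for the example, not Zeroshell's real layout. Run it on a real box by saving `grep . */*` (from inside the PAT directory) and `iptables -t nat -L PREROUTING -v -n` to two files and adjusting `db_rules` to the actual file names.

```shell
#!/bin/sh
# Added example, not from the Zeroshell forum thread or the Zeroshell project.
# Part 1: why a numeric sort matters once a rule id reaches three digits.
# Part 2: diff the rules recorded under the PAT directory against the DNAT
#         rules actually loaded in the nat PREROUTING chain.
# ASSUMPTION: per-rule files are named Protocol, Port and Target; the real
# Zeroshell layout is not shown in the thread.

# --- Part 1: plain sort vs sort -n ----------------------------------------
# Directory names as posted in the thread's 'ls' of the PAT directory.
PAT_IDS="03 09 14 19 33 41 44 59 62 69 73 81 84 87 90 93 97
04 100 15 22 38 42 55 60 63 70 74 82 85 88 91 94 98
07 13 16 23 39 43 58 61 64 71 75 83 86 89 92 96 99"

# Plain 'sort' compares character by character, so "100" lands between "09"
# and "13" and the last entry is 99 even though directory 100 exists.
highest_id_lexical() { printf '%s\n' $PAT_IDS | sort | tail -n 1; }
# 'sort -n' compares numerically and correctly reports 100 as the highest id.
highest_id_numeric() { printf '%s\n' $PAT_IDS | sort -n | tail -n 1; }

# --- Part 2: database vs iptables ------------------------------------------
# Both sides are normalised to "proto/dport -> target" lines, then diffed:
#   '<' lines are in the database but not loaded in iptables,
#   '>' lines are loaded in iptables but not in the database (UI).

# Reads 'grep . */*' output taken inside the PAT directory (assumed layout:
# ID/Protocol:TCP, ID/Port:80, ID/Target:host:port) and joins each id's fields.
db_rules() {
    awk -F'[/:]' '{
        id = $1; key = $2; val = substr($0, length(id) + length(key) + 3)
        if (key == "Protocol") proto[id] = tolower(val)
        else if (key == "Port") port[id] = val
        else if (key == "Target") target[id] = val
    } END {
        for (id in proto) print proto[id] "/" port[id] " -> " target[id]
    }' | sort
}

# Reads 'iptables -t nat -L PREROUTING -v -n' output and keeps the DNAT rows.
iptables_rules() {
    awk '$3 == "DNAT" {
        dport = ""; to = ""
        for (i = 5; i <= NF; i++) {
            if ($i ~ /^dpt:/) dport = substr($i, 5)
            if ($i ~ /^to:/)  to = substr($i, 4)
        }
        print $4 "/" dport " -> " to
    }' | sort
}

# compare_rules DBFILE IPTFILE: prints only the '<' and '>' lines of the diff.
compare_rules() {
    a=$(mktemp); b=$(mktemp)
    db_rules < "$1" > "$a"
    iptables_rules < "$2" > "$b"
    diff "$a" "$b" | sed -n '/^[<>]/p'
    rm -f "$a" "$b"
}

# Constructed sample input (not captured from a real box). Rule 09 exists in
# the database but was removed from iptables by hand; port 2222 was added to
# iptables by the UI without a database entry surviving.
DB_SAMPLE=$(mktemp)
cat > "$DB_SAMPLE" <<'EOF'
03/Protocol:TCP
03/Port:80
03/Target:192.168.1.10:80
04/Protocol:TCP
04/Port:443
04/Target:192.168.1.10:443
07/Protocol:UDP
07/Port:53
07/Target:192.168.1.20:53
09/Protocol:TCP
09/Port:25
09/Target:192.168.1.40:25
EOF

IPT_SAMPLE=$(mktemp)
cat > "$IPT_SAMPLE" <<'EOF'
Chain PREROUTING (policy ACCEPT 18 packets, 1200 bytes)
 pkts bytes target     prot opt in     out     source               destination
   10   600 DNAT       tcp  --  ETH00  *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 to:192.168.1.10:80
    5   300 DNAT       tcp  --  ETH00  *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443 to:192.168.1.10:443
    3   180 DNAT       udp  --  ETH00  *       0.0.0.0/0            0.0.0.0/0            udp dpt:53 to:192.168.1.20:53
    0     0 DNAT       tcp  --  ETH00  *       0.0.0.0/0            0.0.0.0/0            tcp dpt:2222 to:192.168.1.30:22
EOF

echo "highest id, plain sort: $(highest_id_lexical)"
echo "highest id, sort -n:    $(highest_id_numeric)"
echo "database vs iptables:"
compare_rules "$DB_SAMPLE" "$IPT_SAMPLE"
```

On the sample data the script reports 99 for the plain sort and 100 for `sort -n`, and the comparison prints one `<` line (the rule deleted from iptables by hand, which will come back on reboot) and one `>` line (the rule that only lives in iptables and will vanish on reboot). The `>` lines are the ones Jeff would need to re-create in the NAT startup script until the database is repaired.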