Some Virtual Servers hidden from listing – how to delete?


This topic contains 15 replies, has 0 voices, and was last updated by jeffrhysjones 8 years, 10 months ago.

Viewing 15 posts - 1 through 15 (of 17 total)
    #42202

    (Edited title to reflect update)

    Hi all,

    Been a while since my last post. In a bit of a pickle here…

    We have now added over 60 virtual servers in the virtual server forwarders in one of our ZS firewalls. It seems there is a limit to the number of VS’s that list out on this page – so you can only remove up to 60 VS that show on the page. After you add your 60th VS, any server that you add – you can’t delete – because it doesn’t show up. However, if you go to ‘view’ virtual server config – you can see that the server you added is in there. You just can’t remove it.

    Is there any safe way I can either make this list say 100 – or manually go in and delete this VS?

    Many thanks,

    J

    #49614

    Just thought I would go through and remove any Virtual Servers from the list in the hope that some others would then appear as I deleted them.

    They didn’t 🙁

    So I now have a list of 50 showing in the ‘list virtual servers’ page – but I have more that I have added to the configuration – just they are not showing up. There are some duplicates in there as well – as in the past I have added servers – not seen them appear in the list – and added them again!

    All the time, Virtual Servers were being added, just not displayed.

    How can I clean this up!?

    Help!

    😥

    J

    #49615

    ppalias
    Member

    You could clean them from the shell command line.
    First run a

    iptables -t nat -L PREROUTING -n -v --line-numbers

    find the line you want to delete and then write

    iptables -t nat -D PREROUTING #

    where # is the line number.

    #49616

    zevlag
    Member

    Jeff,
    If you SSH into the box, access the shell, then:

    cd /Database/var/register/system/net/router/PAT
    grep . */*

    These two commands will show you all the rules that are established. You can delete the directory manually here, and that will remove it from the interface. Then you can follow ppalias’ recommendation to actually disable the rule, or just restart the box.

    I don’t see anything obvious that would limit the number of displayed virtual servers. While you are cd’d to the directory above, if you’ll give me the output of

    ls | sort

    and of the grep then I can do some debugging for you.

    #49617

    @ zevlag – thanks for this! I was a bit desperate to fix this so I deleted the offending line from PREROUTING in iptables as ppalias (thanks also!) suggested.

    Not sure if doing this will retain settings after rebooting the FW.

    Actually – now I’m starting to worry that – as these lines do not show in the list of Virtual Servers, but only in the iptables – will they still exist after a box reboot?

    Doing an ‘ls’ in that directory gives me:

    root@zeroshell PAT> ls
    03 09 14 19 33 41 44 59 62 69 73 81 84 87 90 93 97
    04 100 15 22 38 42 55 60 63 70 74 82 85 88 91 94 98
    07 13 16 23 39 43 58 61 64 71 75 83 86 89 92 96 99

    The 100 directory seems to be the latest rule that I added.

    Now here is what is interesting. When I add another rule via the virtual server page – this directory is 03, and what was on 03 seems to get deleted.

    So what I am saying is that I have folders missing from this PAT folder seemingly being deleted by ZS as I have been adding new Virtual Servers. There are 51 PAT VS folders – but there are 74 NAT rules showing in PREROUTING.

    If I reboot this box, will I end up with only 51 NAT rules?

    Am I sitting on a timebomb?

    This is seriously scary stuff…

    J

    #49618

    ppalias
    Member

    If you remove it from /Database/…. most likely it won’t exist in next boot. Anyway you can always add a preboot script to change the way ZS boots or a post boot to make some changes after ZS is booted.

    #49619

    Well that’s the point – I’m not removing these virtual server rules from /Database – ZeroShell is removing them for me as I add new rules!

    I need to do more testing on this – but I seriously can’t have a firewall that appears to ‘randomly’ remove rules as I add new ones.

    That’s just crazy…

    J

    #49620

    OK I have done more testing – and YIKES – all my fears have been confirmed. More than 100 virtual server and you are in trouble.

    1) THE SETUP:

    Clean Zeroshell box – 1.0 beta 11

    2) Type in 100 Virtual Servers (took a while…)

    I add 100 virtual servers to the box. These go in fine. 100 folders showing in /Database.

    3) However – after you add in VS 101, this rule does NOT show up in the list of virtual server entries.

    4) However, entries after 100 that you add DO get added to iptables rules – so you THINK it’s all going to be fine

    5) However on the next reboot – UH-OH – all the rules that are not listed, Gone. Wiped!

    6) Now, if you delete 5 of the 100 rules – and then you add one more – this is OK – this rule now shows up.

    7) The next thing is a bit more confusing. If you then add an additional rule, this rule now over writes that rule you just put in.

    8) Just like before – it all works, so you think you are OK. But after the next reboot – that last rule – it won’t be there.

    So basically – in short after you add your 100th VS – horrible things happen to your ZS box.

    Beware!

    J
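The pattern Jeff reports (everything fine up to 100 entries, the 101st colliding with an existing one, and his earlier `ls` output showing `100` sitting between `09` and `13`) is what a plain, lexical `sort` of the PAT directory names produces once a three-digit id exists; zevlag's fix further down the thread is to add `sort -n`. The shell below is an added illustration written for this page, not ZeroShell's listing script: the way the "next free id" is derived from the listing is an assumption about the bug class, and the id lists are constructed to mirror the directory names seen in the thread.

```shell
#!/bin/sh
# Added illustration for this page, not ZeroShell's own listing script: once a
# three-digit rule id (100) exists, a plain `sort` of the PAT directory names
# puts it between 09 and 13, and a "last entry + 1" pick for the next free id
# lands on an id that is already in use. How ZeroShell derives the next id is
# an assumption about the bug class; zevlag's fix is simply `sort -n`.

# Constructed id lists mirroring the directory names in Jeff's `ls` output.
IDS_UNDER_100="03 04 07 09 13 14 98 99"
IDS_WITH_100="03 04 07 09 13 14 98 99 100"

# The ids as a directory listing shows them; $2 may be "-n" for numeric order.
listing() { echo $(printf '%s\n' $1 | sort $2); }

# Strip leading zeros so "03" is arithmetic 3, not an octal literal.
to_int() { n=$(printf '%s' "$1" | sed 's/^0*//'); echo "${n:-0}"; }

# Buggy: last entry of a lexical sort, plus one.
next_id_lexical() {
    last=$(printf '%s\n' $1 | sort | tail -n 1)
    echo $(( $(to_int "$last") + 1 ))
}

# Fixed: last entry of a numeric sort, plus one.
next_id_numeric() {
    last=$(printf '%s\n' $1 | sort -n | tail -n 1)
    echo $(( $(to_int "$last") + 1 ))
}

# Returns 0 (true) if id $2 already exists in list $1.
id_taken() {
    for i in $1; do [ "$i" = "$2" ] && return 0; done
    return 1
}

echo "ls-style : $(listing "$IDS_WITH_100")"
echo "sort -n  : $(listing "$IDS_WITH_100" -n)"
for f in next_id_lexical next_id_numeric; do
    n=$($f "$IDS_WITH_100")
    if id_taken "$IDS_WITH_100" "$n"; then
        echo "$f -> $n  (already exists: the new rule would overwrite rule $n)"
    else
        echo "$f -> $n  (free)"
    fi
done
```

With 100 present, the lexical variant picks 100 again (an existing rule gets overwritten; the kernel still receives the rule, so it looks fine until the next reboot), while `sort -n` yields 101.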

    #49621

    To get me out of a hole on this one – can anyone help me with some grep scripting (or whatever) which might be able to help me compare rules saved in the Virtual Server database, with those running in iptables. Basically, to show me the missing DB rules.

    Then I could add the currently non-persistent rules to the NAT startup script.

    Cheers,

    Jeff

    #49622

    zevlag
    Member

    Jeff,
    I’d be glad to give it an attempt for you. Just email me the output of:

    cd /Database/var/register/system/net/router/PAT
    grep . */*

    or just send me that directory tar-balled, or a backup of the config downloaded from the interface. (Setup->Profiles->[put a tick in the radio button for the proper _DB]->Backup Without Logs) – Actually, a backup of the config would be simplest, but whatever works for you.
    and

    iptables -t nat -L -v

    Also, just for the heck of it, I’ll look into the UI scripts and see what might be the cause of that.

    josh – a – t – zevlag.com

    #49623

    zevlag
    Member

    Ok, I have a fix and a solution.

    First the fix, I’ve created fix-vserver-rules-more-than-100-b11.0.1.patch, all it does is add ‘sort -n’ to the script that lists, and adds vserver rules. Works on beta11, probably will apply and work on beta12.

    Now the solution for Jeff: This script does the grep, and the iptables, parses them, then shows the difference.
    Lines beginning with < aren't in iptables.
    Lines beginning with > aren’t in the UI.

    No warranty on this, but it should work. Please check the results before trusting, as I don’t have near as complete a vserver list as you do.
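zevlag's comparison script is not reproduced in the thread. The following is an added, stand-alone equivalent written for this page (not zevlag's or ZeroShell's code): it normalises both sides to `proto/port -> target` and diffs them, with the same `<` / `>` meaning he gives. It assumes one attribute per file under each numbered PAT directory and uses hypothetical attribute names `Proto`, `Port` and `Target`; on a real box, substitute whatever `grep . */*` shows. The live side is read from an `iptables-save -t nat` dump (the `-A PREROUTING ...` lines have the same format as `iptables -t nat -S PREROUTING`), and the fixture is constructed so the script runs offline.

```shell
#!/bin/sh
# Added example for this page (not zevlag's script, which the thread does not
# reproduce): normalise the DNAT rules saved in the virtual-server database and
# the ones live in the nat PREROUTING chain to "proto/port -> target", then diff.
#   "<" lines: saved in the database, not active in iptables
#   ">" lines: active in iptables, not saved (they vanish on reboot)
# ASSUMPTION: each rule directory under the PAT register holds one attribute per
# file; the names Proto, Port and Target are hypothetical stand-ins for whatever
# `grep . */*` shows on a real box.

# One key per numbered rule directory under $1, sorted.
db_rules() {
    for d in "$1"/*/; do
        [ -f "$d/Proto" ] && [ -f "$d/Port" ] && [ -f "$d/Target" ] || continue
        printf '%s/%s -> %s\n' "$(cat "$d/Proto")" "$(cat "$d/Port")" "$(cat "$d/Target")"
    done | sort
}

# One key per DNAT rule in an `iptables-save -t nat` dump read on stdin
# (`iptables -t nat -S PREROUTING` prints the same "-A PREROUTING ..." lines).
fw_rules() {
    awk '
        $1 == "-A" && $2 == "PREROUTING" && /-j DNAT/ {
            proto = port = dest = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "-p") proto = $(i + 1)
                else if ($i == "--dport") port = $(i + 1)
                else if ($i == "--to-destination") dest = $(i + 1)
            }
            if (proto != "" && port != "" && dest != "")
                printf "%s/%s -> %s\n", proto, port, dest
        }' | sort
}

# Diff the two views; exit status is diff's (0 = identical, 1 = differences).
compare_rules() {
    tmp=$(mktemp -d)
    db_rules "$1" > "$tmp/db"
    fw_rules < "$2" > "$tmp/fw"
    diff "$tmp/db" "$tmp/fw"
    status=$?
    rm -rf "$tmp"
    return $status
}

# Constructed fixture so the example runs offline: three saved rules, four live
# (the fourth stands for a rule added after the 100th that never reached the
# database). Prints the fixture directory.
make_fixture() {
    fx=$(mktemp -d)
    for spec in "03 tcp 80 10.0.0.5:8080" "04 tcp 443 10.0.0.5:8443" "100 udp 5060 10.0.0.7:5060"; do
        set -- $spec
        mkdir -p "$fx/PAT/$1"
        echo "$2" > "$fx/PAT/$1/Proto"
        echo "$3" > "$fx/PAT/$1/Port"
        echo "$4" > "$fx/PAT/$1/Target"
    done
    cat > "$fx/nat.dump" <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.0.0.5:8080
-A PREROUTING -p tcp -m tcp --dport 443 -j DNAT --to-destination 10.0.0.5:8443
-A PREROUTING -p udp -m udp --dport 5060 -j DNAT --to-destination 10.0.0.7:5060
-A PREROUTING -p tcp -m tcp --dport 2222 -j DNAT --to-destination 10.0.0.9:22
COMMIT
EOF
    echo "$fx"
}

# Demo run against the fixture.
demo=$(make_fixture)
compare_rules "$demo/PAT" "$demo/nat.dump" || echo "(differences found)"
rm -rf "$demo"
```

On the firewall the call would be `iptables-save -t nat > /tmp/nat.dump; compare_rules /Database/var/register/system/net/router/PAT /tmp/nat.dump`. Every `>` line is a rule that exists only in the kernel and is a candidate for the NAT startup script Jeff mentions. The key deliberately ignores the destination address and interface, so two rules that differ only in those would be merged; extend the awk loop (`-d`, `-i`) and the attribute list if the database carries them.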

    #49624

    zevlag
    Member

    Jeff, did this work?

    #49625

    Hi Josh,

    I was just wondering about this today! I didn’t get an email notification from the forum so just assumed you were a bit busy!

    I’m working away from the office until Friday – I will get on to this then and let you know OK?

    Thanks again for your help on this!

    Lifesaver!

    Jeff

    #49626

    Hi Josh,

    Can U believe it – it’s taken me all this time to get round to patching this ZS box!?!

    I came back to this thread today and downloaded the patch file you created (thanks again!).

    However – now I’m sort of stuck as you didn’t tell me how to actually patch the box.

    I have tried uploading the .patch file you created to /Database and running:

    patch -p0 < /Database/[nameofpatchfile].patch

    but it just errors out.

    I’ve also had a go at manually editing the scripts – which does work – however when you reboot the box, the issue returns.

    Any help – much appreciated.

    Cheers,

    J

    #49627

    ppalias
    Member

    What is the error output of the patch? Most likely you should apply it on a specific directory. Also adding it in PRE-BOOT scripts will fix the “not working after reboot” issue.

