Reco, I moved the script from /etc/init.d to /etc/network directory and changed the shebang line from /bin/bash to /bin/sh. /bin/sh on my system points to /bin/dash. Thanks for those tips!

Content of firewall rule-files can be seen here:

# cat /etc/firewall.conf /etc/firewall6.conf
# Generated by iptables-save v1.4.8 on Tue Jul 1 10:41:45 2014
*filter
:INPUT DROP [17:1605]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [259:30520]
-A INPUT -s 10.10.10.0/24 -j ACCEPT
-A INPUT -s 8.8.8.8/32 -j ACCEPT
-A INPUT -s 8.8.4.4/32 -j ACCEPT
COMMIT
# Completed on Tue Jul 1 10:41:45 2014
# Generated by ip6tables-save v1.4.8 on Tue Jul 1 10:41:56 2014
*filter
:INPUT DROP [10518:992304]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
COMMIT
# Completed on Tue Jul 1 10:41:56 2014
#

If I comment out just the "iptables-restore .." line from firewall-script and leave the "ip6tables-restore .." line uncommented, the machine also boots without problems, i.e. it's the IPv4 iptables rules which seem to cause the statd to fail. I modified the IPv4 rules (/etc/firewall.conf file) in the following manner:

# cat /etc/firewall.conf
# Generated by iptables-save v1.4.8 on Fri Aug 8 17:08:22 2014
*filter
:INPUT DROP [1:146]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [50:7006]
-A INPUT -s 10.10.10.0/24 -i eth0 -j ACCEPT
-A INPUT -s 8.8.8.8/32 -i eth0 -j ACCEPT
-A INPUT -s 8.8.4.4/32 -i eth0 -j ACCEPT
-A INPUT -i lo0 -j ACCEPT
COMMIT
# Completed on Fri Aug 8 17:08:22 2014
#

..but this didn't help. Any other ideas?

Tom, I suspect iptables because if I comment out the "pre-up .." line from /etc/network/interfaces file, the machine will boot without issues. In addition, if I comment out just the "iptables-restore .." line from firewall-script and leave the "ip6tables-restore .." line uncommented, the machine also boots without problems, i.e. it's the IPv4 iptables rules which seem to cause the statd to fail.

/usr is not a separate file-system mount and all I could find regarding NFS and statd were the "rpc.statd[1039]: unable to register (statd, 1, udp)." messages. Last but not least, starting the /etc/init.d/nfs-common script ("/etc/init.d/nfs-common start") took a few minutes to start even if the OS is running.

regards,
Martin

On 8/4/14, Tom H <tomh0...@gmail.com> wrote:
> On Mon, Aug 4, 2014 at 10:52 AM, Martin T <m4rtn...@gmail.com> wrote:
>>
>> I made a very simple bash script which loads the iptables
>> configuration from /etc/firewall.conf and /etc/firewall6.conf files:
>>
>> # cat /etc/init.d/firewall
>> #!/bin/bash
>>
>> iptables-restore < /etc/firewall.conf
>> ip6tables-restore < /etc/firewall6.conf
>>
>> Script is stored in /etc/init.d/ directory, but I haven't configured
>> init to load this script directly. I use the pre-up option in
>> /etc/network/interfaces instead:
>>
>> # grep pre-up /etc/network/interfaces
>> pre-up /etc/init.d/firewall
>>
>> /etc/firewall.conf and /etc/firewall6.conf contain few simple
>> allow-rules to input chain and set default policies for chains in
>> input table to drop.
>>
>> Now if I reload the machine, the bootup takes more than 6 minutes.
>> Bootlog can be seen below:
>>
>> ...
>> Mon Aug 4 15:43:39 2014: Starting portmap daemon....
>> Mon Aug 4 15:43:39 2014: Starting NFS common utilities: statdSetting
>> kernel variables ...done.
>> Mon Aug 4 15:46:39 2014: ^[[31mfailed!^[[39;49m
>> ...
>> Mon Aug 4 15:46:40 2014: startpar: service(s) returned failure:
>> nfs-common ... ^[[31mfailed!^[[39;49m
>> ...
>> Mon Aug 4 15:46:40 2014: Starting portmap daemon...Already running..
>> ...
>> Mon Aug 4 15:46:40 2014: Starting NFS common utilities: statd
>> ^[[31mfailed!^[[39;49m
>> ...
>>
>> Once the system is started, the iptables and ip6tables rules are
>> properly installed. According to log messages seen above, the problem
>> seems to be with NFS. Has anyone seen something like this before?
>
> What makes you think that it's iptables that's preventing statd?
>
> Do you have this problem when you comment out "pre-up ..."?
>
> Is there more info about nfs/statd in "/var/log/"?
>
> Is "/usr" a separate filesystem mount?
>
> Can you start nfs after the system boots?
>
> Small "style" nitpick: Since "/etc/init.d/firewall" isn't integrated
> into sysvinit, you might as well move it to
> "/etc/{,firewall,network}"; or move it to "/etc/network/pre-up.d/" and
> remove the "pre-up ..." line. I prefer installing iptables-persistent
> but you might not want to or be allowed to...
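
Added example, not part of the original thread: rpc.statd registers with the local portmapper over the loopback interface, so a default-DROP INPUT chain needs a rule that accepts traffic on `lo` (the Linux loopback name). The lint below checks iptables-save text for that and for `-i` matches on interfaces the host does not have; the function names and the assumed interface set (`lo`, `eth0`) are hypothetical.

```python
import shlex

# Constructed samples: the INPUT rules from the two IPv4 files quoted above.
ORIGINAL = """*filter
:INPUT DROP [17:1605]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [259:30520]
-A INPUT -s 10.10.10.0/24 -j ACCEPT
-A INPUT -s 8.8.8.8/32 -j ACCEPT
-A INPUT -s 8.8.4.4/32 -j ACCEPT
COMMIT
"""
MODIFIED = ORIGINAL.replace(" -j", " -i eth0 -j").replace(
    "COMMIT", "-A INPUT -i lo0 -j ACCEPT\nCOMMIT")

def iface_known(pattern, interfaces):
    # iptables treats a trailing "+" as a prefix wildcard (eth+ matches eth0).
    if pattern.endswith("+"):
        return any(name.startswith(pattern[:-1]) for name in interfaces)
    return pattern in interfaces

def lint_input_chain(ruleset, interfaces=("lo", "eth0")):
    """Return findings for the filter table's INPUT chain.

    `interfaces` is an assumption about the host; on a live system take the
    names from `ip -o link`.
    """
    findings, table, policy, lo_accepted = [], None, None, False
    for line in ruleset.splitlines():
        line = line.strip()
        if line.startswith("*"):
            table = line[1:]
        elif table == "filter" and line.startswith(":INPUT "):
            policy = line.split()[1]
        elif table == "filter" and line.startswith("-A INPUT "):
            args = shlex.split(line)
            iface = args[args.index("-i") + 1] if "-i" in args else None
            if iface and not iface_known(iface, interfaces):
                findings.append(f"unknown interface {iface}: {line}")
            # Only a rule that matches on -i lo and nothing else counts.
            if args == ["-A", "INPUT", "-i", "lo", "-j", "ACCEPT"]:
                lo_accepted = True
    if policy == "DROP" and not lo_accepted:
        findings.append("INPUT policy DROP without '-A INPUT -i lo -j ACCEPT'")
    return findings

if __name__ == "__main__":
    for name, rules in (("original", ORIGINAL), ("modified", MODIFIED)):
        print(name, lint_input_chain(rules))
```

Running the lint against the rule file before the firewall script is wired into `pre-up` catches the problem without a reboot.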