20121012

Ubuntu Server 12.04 - Waiting for Network Configuration

Just ran across an interesting issue, and the forums I've read so far don't provide a really clear answer.  I don't know that this is the answer, either, but it may be worth pursuing.  This is a bit of stream-of-consciousness, by the way - my apologies.

I just set up some new servers and was in the midst of securing them.  The first server I started on has a static IP, a valid gateway, valid DNS server, and all the networking checked out.  On reboot, however, it would take forever to kill bind9, and then I'd see almost two minutes worth of "Waiting for network configuration."  Well, there are only statically-assigned adapters present, and the loopback (which was left in its installer-default state).

I had introduced a slew of rules via iptables and I suspect they were wreaking havoc with the boot/shutdown procedures.  If someone else is experiencing this problem, try nuking your iptables and make sure it doesn't reload on reboot - hopefully you'll see everything come back up quickly.  UFW users would obviously need to disable ufw from operating.  FWIW, I placed my iptables loader script in the /etc/network/if-pre-up.d/ folder, so it's one of the first things to crank up when networking starts.

Now, I have similar iptables configurations present on other machines, and I don't know that those machines specifically have the same problem.  That being said, I really haven't rebooted them frequently enough to notice.

* * * * *

After a bit more experimentation, it appears there is some dependency on allowing OUTPUT to the loopback.  Specifically, I'm looking at logs that note packets being sent from my machine's configured static address to the loopback, and consequently they're being dropped by my rules.  They're TCP packets to port 953.  This is apparently rndc, which is related to BIND; that makes sense, since my other machines do not run BIND daemons.

This rule, while not the most elegant, and probably not the most correct, fixes the issue for now:

-A OUTPUT -m comment --comment "rndc" -o lo -p tcp --dport 953 -j ACCEPT

It is probably important to note that this machine is not a gateway and so drops any packets that would be forwarded.  I suppose I'm hoping this will be secure, but I just get a strange feeling something more needs to be done.
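To make the first-match behaviour concrete, here is a small simulation of an iptables OUTPUT chain that I've added to this post (it is not from the original write-up, and it does not call iptables itself). It evaluates a constructed rndc packet, matching what the logs above showed: source address is the host's static IP (192.0.2.10 here, a documentation address), destination is 127.0.0.1, TCP port 953, leaving on lo. The interface name eth0, the base rules and the remote address 203.0.113.5 are all constructed for the example. It shows that a loopback rule written by address (-s 127.0.0.0/8 -d 127.0.0.0/8) does not match such a packet, while the rule above, keyed on -o lo, does, and that the same rule still leaves port 953 blocked on eth0.

```python
"""Tiny first-match evaluator for an iptables OUTPUT chain.

Added example, not part of the original post.  Addresses, interface
names and base rules are constructed; only the rndc rule comes from
the post.  The chain policy is DROP, as on the server described.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str        # "tcp" or "udp"
    dport: int
    out_iface: str    # interface the packet leaves on (-o)


@dataclass(frozen=True)
class Rule:
    target: str                       # ACCEPT or DROP
    out_iface: Optional[str] = None   # -o
    proto: Optional[str] = None       # -p
    dport: Optional[int] = None       # --dport
    src: Optional[str] = None         # -s, CIDR
    dst: Optional[str] = None         # -d, CIDR
    comment: str = ""                 # -m comment --comment

    def matches(self, pkt: Packet) -> bool:
        """Every specified criterion must hold; unspecified ones are wildcards."""
        if self.out_iface is not None and pkt.out_iface != self.out_iface:
            return False
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        if self.src is not None and ip_address(pkt.src) not in ip_network(self.src, strict=False):
            return False
        if self.dst is not None and ip_address(pkt.dst) not in ip_network(self.dst, strict=False):
            return False
        return True

    def to_iptables(self) -> str:
        """Render the rule in iptables-restore syntax."""
        parts = ["-A", "OUTPUT"]
        if self.comment:
            parts += ["-m", "comment", "--comment", f'"{self.comment}"']
        if self.out_iface is not None:
            parts += ["-o", self.out_iface]
        if self.src is not None:
            parts += ["-s", self.src]
        if self.dst is not None:
            parts += ["-d", self.dst]
        if self.proto is not None:
            parts += ["-p", self.proto]
        if self.dport is not None:
            parts += ["--dport", str(self.dport)]
        parts += ["-j", self.target]
        return " ".join(parts)


def evaluate(rules: List[Rule], pkt: Packet, policy: str = "DROP") -> str:
    """iptables semantics: the first matching rule decides; otherwise the chain policy."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.target
    return policy


# Constructed packets.  The first mirrors what the logs showed: the source is the
# host's static address, not 127.0.0.1, even though the packet goes out on lo.
STATIC_IP = "192.0.2.10"
RNDC_TO_LOOPBACK = Packet(src=STATIC_IP, dst="127.0.0.1", proto="tcp", dport=953, out_iface="lo")
RNDC_TO_REMOTE = Packet(src=STATIC_IP, dst="203.0.113.5", proto="tcp", dport=953, out_iface="eth0")

# Constructed base rule set with no loopback rule at all (the original situation).
BASE_RULES = [
    Rule("ACCEPT", out_iface="eth0", proto="udp", dport=53, comment="dns"),
    Rule("ACCEPT", out_iface="eth0", proto="tcp", dport=80, comment="http"),
]

# A loopback rule keyed on addresses: looks right, but never matches the packet above.
LOOPBACK_BY_ADDRESS = [Rule("ACCEPT", src="127.0.0.0/8", dst="127.0.0.0/8", comment="lo by address")] + BASE_RULES

# The rule from the post, keyed on the interface, placed before everything else.
RNDC_RULE = Rule("ACCEPT", out_iface="lo", proto="tcp", dport=953, comment="rndc")
POST_RULES = [RNDC_RULE] + BASE_RULES

# The broader form: accept everything leaving on lo.
LOOPBACK_BY_IFACE = [Rule("ACCEPT", out_iface="lo", comment="loopback")] + BASE_RULES


if __name__ == "__main__":
    for name, rules in [("no loopback rule", BASE_RULES),
                        ("loopback by address", LOOPBACK_BY_ADDRESS),
                        ("rndc rule from the post", POST_RULES),
                        ("accept all on lo", LOOPBACK_BY_IFACE)]:
        print(f"{name:25s} rndc->lo: {evaluate(rules, RNDC_TO_LOOPBACK)}  "
              f"953->eth0: {evaluate(rules, RNDC_TO_REMOTE)}")
    print(RNDC_RULE.to_iptables())
```

The address-keyed variant is the one to watch for: because the packet carries the static address as its source, only a rule matching on the interface (-o lo) catches it, which is why the fix above works. The rendered line at the end reproduces the rule from the post exactly, so it can be dropped into an iptables-restore file as-is.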

More on this later, hopefully.
