Fw_upgrade version 8.3.2 minor error checks for broken snort rules resulting in no internet connection (updated)

Roadrunnere42
Hi
Following a post by breda I started to look into why certain people would lose internet after the nightly snort rule updates; this would not happen all the time.

The reason for losing the internet connection is that snort detects a problem with one snort rule, which causes a fatal error, and snort stops running, resulting in no internet.

In earlier releases of the fw_upgrade script I put in place checks for duplicate rules, then checks for snort rules with the same sid number. I thought I had it cracked, but breda had a fatal error after downloading the new snort rules. As losing internet is not really OK, and causes big problems for non-technical people or if your business relies on continuous connectivity to the net, I decided to put in a check to see if a fatal error occurred after downloading the new snort rules.

The script looks in the system logs for the message SNORT FATAL ERROR, which is created every time this error occurs. If this message is present it means that something has gone wrong with the download or one of the snort rules has been created wrongly; the script will then rename the old snort rules, delete the rule set, restart snort and download a new rule set. If after 3 attempts at downloading the rules it is still receiving a fatal error message, it will stop downloading and I'm afraid that human intervention is needed.

I believe that this should sort the problem of no internet after downloading new snort rules which are wrongly created (syntax errors do occur).

If you already have fw_upgrade version 8.3.1, then just copy the new version to the /sbin folder, overwriting the old version. If you have an older version, follow the instructions in the old post Fw_upgrade version 8.3 release.

Updated post: corrected the version number in the script; it should be 8.3.2, not 8.3.12.

Attachment: fw_upgrade


roadrunnere42
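The recovery loop described in the post, as an added example written for this page (it is not the fw_upgrade script attached above). It downloads a rule set, restarts snort, looks in the system log for "SNORT FATAL ERROR", and if one appeared moves the rejected rule set aside and tries again, giving up after three attempts. Assumptions: the log is read with `logread`, rules live under `$RULES_DIR`, and the download and restart steps are the two hook functions, which are stand-ins to be replaced with the real commands on the Shield. The fatal-error count is taken before and after the download, so a stale message from an earlier night does not make a good rule set look broken; the rejected rule sets are kept under `$RULES_DIR.bad` so the offending rule can be diffed by hand.

```shell
#!/bin/sh
# Added example, not the fw_upgrade script attached above.  It implements the
# recovery loop the post describes: download a rule set, restart snort, look in
# the system log for "SNORT FATAL ERROR", and if one appeared move the bad rule
# set aside and try again, giving up after three attempts.  Assumptions: the
# log is read with `logread`, rules live under $RULES_DIR, and the download and
# restart steps are the two hook functions below (replace them with the real
# commands on the Shield).

RULES_DIR="${RULES_DIR:-/etc/snort/rules}"
MAX_ATTEMPTS="${MAX_ATTEMPTS:-3}"
SETTLE_SECONDS="${SETTLE_SECONDS:-10}"   # time for snort to parse rules and log
FATAL_PATTERN='SNORT FATAL ERROR'
LOG_CMD="${LOG_CMD:-logread}"            # overridable, e.g. LOG_CMD='cat /tmp/syslog'

# Hooks for the environment-specific steps.  Stand-ins only.
download_rules() { echo "download_rules: not configured" >&2; return 1; }
restart_snort()  { /etc/init.d/snort restart; }

# Number of fatal-error lines currently in the log.  The count is compared
# before and after the download so an old fatal error from an earlier run
# does not make a good rule set look broken.
fatal_count() {
    $LOG_CMD 2>/dev/null | grep -c "$FATAL_PATTERN" || true
}

# Keep the rejected rule set for inspection, then start with an empty directory.
quarantine_rules() {
    mkdir -p "$RULES_DIR.bad"
    mv "$RULES_DIR" "$RULES_DIR.bad/$(date +%Y%m%d%H%M%S)-attempt$1"
    mkdir -p "$RULES_DIR"
}

# Returns 0 when a rule set was installed without a new fatal error, 1 when all
# attempts failed and someone has to look at the rules by hand.
update_rules_with_retry() {
    attempt=1
    while [ "$attempt" -le "$MAX_ATTEMPTS" ]; do
        before=$(fatal_count)
        if download_rules && restart_snort; then
            sleep "$SETTLE_SECONDS"
            after=$(fatal_count)
            if [ "$after" -eq "$before" ]; then
                echo "snort rules updated on attempt $attempt"
                return 0
            fi
            echo "attempt $attempt: snort reported a fatal error after the rule download" >&2
        else
            echo "attempt $attempt: download or snort restart failed" >&2
        fi
        quarantine_rules "$attempt"
        attempt=$((attempt + 1))
    done
    echo "giving up after $MAX_ATTEMPTS attempts; the snort rules need manual repair" >&2
    return 1
}

# Stand-alone use: `sh snort_rules_retry.sh run`
if [ "${1:-}" = "run" ]; then
    update_rules_with_retry
fi
```

Because the Shield has no internet while snort is down, the exit status of `update_rules_with_retry` is the thing to alert on: a rule set that fails three times in a row is a signal to inspect the rules rather than to keep fetching them.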

Re: Fw_upgrade version 8.3.2 minor error checks for broken snort rules resulting in no internet connection

harpss1ngh
Thanks, updated and works fine

Re: Fw_upgrade version 8.3.2 minor error checks for broken snort rules resulting in no internet connection (updated)

breda
In reply to this post by Roadrunnere42
Thanks Roadrunnere42

Re: Fw_upgrade version 8.3.2 minor error checks for broken snort rules resulting in no internet connection (updated)

Wisiwyg
All,

I've made the various changes and updates and have ended up with something happening related to the ntp service.



Note the blank fields, local time and uptime, in the image above simply don't populate. I do have internet pass-through, so it hasn't been too high on the priority list for awhile. Note I'm not using web filter as I'm in bridge mode, so the web filter update is quite old.

There's also something going on with the memory display and the network status.

Anyone have a recommendation on what to look at fixing first? TIA.
Shield Pro v1, Chaos Calmer, FW 1.51 SP1, v8.3.2, Bridge Mode

Re: Fw_upgrade version 8.3.2 minor error checks for broken snort rules resulting in no internet connection (updated)

Wisiwyg
Using the revised fw_upgrade file from above, on further inspection... I'm having these errors in the System.Log:

Fri Sep 16 07:44:40 2016 daemon.crit dnsmasq[15454]: illegal repeated keyword at line 13 of /var/etc/dnsmasq.conf
Fri Sep 16 07:44:40 2016 daemon.crit dnsmasq[15454]: FAILED to start up
Fri Sep 16 07:44:42 2016 authpriv.info dropbear[13152]: Exit (root): Exited normally
Fri Sep 16 07:44:42 2016 authpriv.warn dropbear[13152]: Couldn't set SO_PRIORITY (Bad file descriptor)
Fri Sep 16 07:44:45 2016 daemon.info procd: Instance dnsmasq::instance1 s in a crash loop 6 crashes, 0 seconds since last crash
Fri Sep 16 07:44:48 2016 daemon.err uhttpd[4694]: cat: can't open '/.shield_mode': No such file or directory
Fri Sep 16 07:44:48 2016 daemon.err uhttpd[4694]: cat: can't open '.version': No such file or directory


I don't know what is going on with dropbear, but I am able to SSH into Shield.

The ".version" file is in the root directory and the "/.shield_mode" file is not located on the Shield anywhere.


For the dnsmasq issue... the file /var/etc/dnsmasq.conf is auto-generated from /etc/config/dhcp.

In the /etc/config/dhcp file there are 2 sections with the same variable:

config dnsmasq
         option leasefile '/tmp/dhcp.leases'

config dhcp 'wan'
         option leasefile '/tmp/dhcp.leases'


Which should get the leasefile option? Or, is there no conflict if the two options call the same file?

TIA...

Shield Pro v1, Chaos Calmer, FW 1.51 SP1, v8.3.2, Bridge Mode

Re: Fw_upgrade version 8.3.2 minor error checks for broken snort rules resulting in no internet connection (updated)

Roadrunnere42
Hi Wisiwyg

The screenshot is showing version 8.3 and not 8.3.2. I would suggest copying over the files again and rebooting.

Also the error

Fri Sep 16 07:44:40 2016 daemon.crit dnsmasq[15454]: illegal repeated keyword at line 13 of /var/etc/dnsmasq.conf

I have tracked this to the first hotfix, 210, which mentions "Removed the DHCP server options from the lan interface".

This only affects bridge mode, as I run in router mode and with the DHCP server option added I get no error. But in bridge mode the error happens at line 13; the file is located in /etc/config/dhcp.

Yours may look different, but the option ignore '1' was added in the hotfix under config dhcp 'lan':

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '250'
        option leasetime '12h'
        option ra 'server'
        option ignore '1'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

Hope this helps

Roadrunnere42

Re: Fw_upgrade version 8.3.2 minor error checks for broken snort rules resulting in no internet connection (updated)

Wisiwyg
Hi Roadrunnere42,

Thank you for the replies...

Oddly enough, the fw_upgrade file *is* version 8.3.2, so I took a minute to edit the .version file, and that's now done.

On the illegal keyword, yes, I pretty much tracked it down to the wan interface in the config file... as mentioned earlier, there was a second 'option leasefile' statement in there for wan. After commenting it out, the error didn't reproduce.

config dhcp 'wan'
# option leasefile '/tmp/dhcp.leases'
        option interface 'wan'
        option ignore '1'

Do you have any thoughts why the time and other fields remain blank? The Shield is working - meaning up and running and passing internet. But I don't know what is not running that might be a problem.
Shield Pro v1, Chaos Calmer, FW 1.51 SP1, v8.3.2, Bridge Mode

Re: Fw_upgrade version 8.3.2 minor error checks for broken snort rules resulting in no internet connection (updated)

Wisiwyg
Still working through the problems....

The issue with 'option leasefile' didn't solve the problem. After comparing the older and new /etc/config/dhcp file I found this:

config dnsmasq
       ...
        option readethers '1'
       ...

that wasn't in the old file. After commenting it out, the error went away. Research on the 'option readethers' option indicates it should read the file '/etc/ethers' for all static leases. I don't have any static leases; mine is present and is a 0 KB file.



Now trying to zero in on why my uptime and other times / memory fields are blank. There are these errors in the log file:

Sun Sep 18 09:30:19 2016 daemon.emerg procd: 0.us.pool.ntp.org: Unknown host
Sun Sep 18 09:30:31 2016 user.notice root: NTP 0.us.pool.ntp.org failed.
Sun Sep 18 09:30:43 2016 user.notice root: NTP 0.us.pool.ntp.org failed.
Sun Sep 18 09:30:55 2016 user.notice root: NTP 0.us.pool.ntp.org failed.
Sun Sep 18 09:31:07 2016 user.notice root: NTP 0.us.pool.ntp.org failed.
Sun Sep 18 09:31:19 2016 user.notice root: NTP 0.us.pool.ntp.org failed.
Sun Sep 18 09:31:19 2016 user.notice root: NTP eager clock adjust failed.
Sun Sep 18 09:31:19 2016 user.notice root: Restarted ntpclient. NTP server #1 of 4.
Sun Sep 18 09:31:32 2016 user.notice root: NTP 0.us.pool.ntp.org failed.
Sun Sep 18 09:31:44 2016 user.notice root: NTP 0.us.pool.ntp.org failed.
Sun Sep 18 09:31:56 2016 user.notice root: NTP 0.us.pool.ntp.org failed.
Sun Sep 18 09:32:08 2016 user.notice root: NTP 0.us.pool.ntp.org failed.
Sun Sep 18 09:32:20 2016 user.notice root: NTP 0.us.pool.ntp.org failed.
Sun Sep 18 09:32:20 2016 user.notice root: NTP eager clock adjust failed.
Sun Sep 18 09:32:20 2016 daemon.info procd: - init complete -

Anyone have an idea on where to get at this? I can get to 0.us.pool.ntp.org, so I know the site is live. Is this being called before there is internet pass through so the system can't make the connection?

TIA.
Shield Pro v1, Chaos Calmer, FW 1.51 SP1, v8.3.2, Bridge Mode

Re: Fw_upgrade version 8.3.2 minor error checks for broken snort rules resulting in no internet connection (updated)

user8446
Administrator
Does the NTP adjust work after you have throughput? I did notice this too so I have mine adjust until about a minute at the end of my startup:


..snip..

sleep 30
/etc/init.d/dropbear restart

sleep 30
/usr/sbin/ntpclient -s -p 123 -h 0.us.pool.ntp.org || /etc/init.d/ntpclient restart

exit 0


Then only once a month via cron.        
Running in bridge mode, 1.51 SP1 fw
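A variation on the approach in the post, as an added example written for this page (it is not user8446's rc.local and not part of the Shield firmware): rather than a fixed `sleep 30` before the clock adjust, wait a bounded time until the pool host actually resolves, then run ntpclient once. The probe (`nslookup` from busybox), the pool host and the ntpclient line with its fallback are taken from the thread or assumed; `wan_probe` is a separate function so it can be swapped for whatever "internet pass-through is up" means on a given box.

```shell
#!/bin/sh
# Added example, not user8446's script and not part of the Shield firmware.
# Instead of a fixed `sleep 30`, wait (bounded) until the WAN can resolve the
# NTP pool host, then run ntpclient once.  The probe, the pool host and the
# ntpclient invocation are assumptions taken from the thread; on the Shield
# this would go at the end of /etc/rc.local.

NTP_HOST="${NTP_HOST:-0.us.pool.ntp.org}"
WAN_TRIES="${WAN_TRIES:-12}"          # 12 x 5 s = 60 s upper bound, then give up
WAN_INTERVAL="${WAN_INTERVAL:-5}"

# Probe used to decide that the WAN is usable: DNS must resolve the pool host
# (an "Unknown host" failure is what the log above shows at boot).
wan_probe() { nslookup "$NTP_HOST" >/dev/null 2>&1; }

# Returns 0 as soon as the probe succeeds, 1 after WAN_TRIES failures.
wait_for_wan() {
    i=1
    while [ "$i" -le "$WAN_TRIES" ]; do
        wan_probe && return 0
        i=$((i + 1))
        sleep "$WAN_INTERVAL"
    done
    return 1
}

# One-shot time sync with the same fallback as the post: if the direct
# ntpclient call fails, restart the ntpclient service.
sync_time() {
    if wait_for_wan; then
        /usr/sbin/ntpclient -s -p 123 -h "$NTP_HOST" || /etc/init.d/ntpclient restart
    else
        logger -t ntp "WAN not usable after $((WAN_TRIES * WAN_INTERVAL))s; skipping clock adjust"
        return 1
    fi
}

# Stand-alone use: `sh ntp_after_wan.sh sync`
if [ "${1:-}" = "sync" ]; then
    sync_time
fi
```

The bound matters: an unbounded wait in rc.local would hold up the rest of startup on a box whose WAN never comes up.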

Re: Fw_upgrade version 8.3.2 minor error checks for broken snort rules resulting in no internet connection (updated)

Wisiwyg
Thanks for the reply....

Yes, I found an instance in the logs where ntp was successful - and after internet pass was established.

I'll try your suggestion. Thank you!


On another note... looking into /etc/dnsmasq.conf and the system log error about an illegal repeated keyword, I find this, with two entries for 'conf-file='. The 2nd is pointing to '/etc/ITUS_DNS.txt', which contains a long list of sites one would want to block. Why is that ending up in /etc/dnsmasq.conf? What is it doing?

# auto-generated config file from /etc/config/dhcp
conf-file=/etc/dnsmasq.conf
dhcp-authoritative
domain-needed
log-queries
localise-queries
read-ethers
bogus-priv
expand-hosts
local-service
domain=lan
server=/lan/
dhcp-leasefile=/tmp/dhcp.leases
resolv-file=/tmp/resolv.conf.auto
addn-hosts=/tmp/hosts
conf-dir=/tmp/dnsmasq.d
stop-dns-rebind
rebind-localhost-ok
dhcp-broadcast=tag:needs-broadcast

conf-file=/etc/ITUS_DNS.txt


And now the plot thickens.... in /var/etc/dnsmasq.conf, the file looks almost like the one above, but has some differences - and only a single 'conf-file' reference:

# auto-generated config file from /etc/config/dhcp
conf-file=/etc/dnsmasq.conf
dhcp-authoritative
domain-needed
log-queries
localise-queries
read-ethers
bogus-priv
expand-hosts
local-service
domain=lan
server=/lan/
dhcp-leasefile=/tmp/dhcp.leases
resolv-file=/tmp/resolv.conf.auto
addn-hosts=/tmp/hosts
conf-dir=/tmp/dnsmasq.d
stop-dns-rebind
rebind-localhost-ok
dhcp-broadcast=tag:needs-broadcast

no-dhcp-interface=br-lan

Where do these two different files get generated? They both state they're auto-generated from /etc/config/dhcp, but the files have different entries that are being appended somewhere.
Shield Pro v1, Chaos Calmer, FW 1.51 SP1, v8.3.2, Bridge Mode
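The two files above share their first 19 generated lines, and the one in /var/etc pulls in /etc/dnsmasq.conf on its second line (which in turn includes itself). The following is an added example written for this page, not code from the thread, from ITUS or from dnsmasq: a small POSIX shell checker that reads a dnsmasq configuration the way dnsmasq does, following `conf-file=` includes in order, reading each file only once (so the self-include is harmless rather than infinite), and reporting the first keyword that dnsmasq accepts only once when it turns up a second time, with the file:line of both occurrences. The list of single-valued keywords is partial and an assumption; the sample tree is a constructed copy of the two files from the post under a temporary directory, with a two-line stand-in for ITUS_DNS.txt. Run against those files it reports `dhcp-leasefile` at line 13 of the /var/etc copy, already set at line 13 of the included /etc copy, which is the same line number the log message earlier in the thread gives.

```shell
#!/bin/sh
# Added example, not code from the thread, from ITUS or from dnsmasq.  It reads
# a dnsmasq configuration the way dnsmasq does: conf-file= includes are
# followed in order, a file reached a second time is skipped, and a keyword
# that dnsmasq accepts only once is reported the second time it is seen, with
# the file:line of both occurrences.  The single-valued keyword list is a
# partial list and an assumption; the sample tree is a constructed copy of the
# two files in the post, with a two-line stand-in for ITUS_DNS.txt.

# Keywords dnsmasq accepts only once (partial, assumption).  Boolean flags
# (read-ethers, bogus-priv, ...) and list options (server=, address=,
# addn-hosts=, conf-file=, ...) may be repeated and are not checked.
SINGLE_VALUED=" dhcp-leasefile pid-file user group port cache-size dhcp-lease-max log-facility "

SEEN_FILES=""

# dnsmasq_check FILE: prints the first repeated keyword and returns 1, or
# prints nothing and returns 0.
dnsmasq_check() {
    SEEN_FILES=""
    for k in $SINGLE_VALUED; do unset "seen_$(printf '%s' "$k" | tr -- '-' '_')"; done
    _walk "$1"
}

_walk() {
    local f n line key val var first
    f=$1
    case " $SEEN_FILES " in *" $f "*) return 0 ;; esac   # read once, as dnsmasq does
    SEEN_FILES="$SEEN_FILES $f"
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        line=${line#"${line%%[![:space:]]*}"}   # trim leading blanks
        line=${line%"${line##*[![:space:]]}"}   # trim trailing blanks
        case $line in ''|\#*) continue ;; esac  # blank line or comment
        key=${line%%=*}
        val=${line#*=}
        [ "$key" = "$line" ] && val=""           # bare flag without =value
        if [ "$key" = "conf-file" ]; then
            _walk "$val" || return 1
            continue
        fi
        case "$SINGLE_VALUED" in
            *" $key "*)
                var="seen_$(printf '%s' "$key" | tr -- '-' '_')"
                eval "first=\${$var:-}"
                if [ -n "$first" ]; then
                    echo "$f:$n: illegal repeated keyword '$key' (first set at $first)"
                    return 1
                fi
                eval "$var=\"$f:$n\""
                ;;
        esac
    done < "$f"
    return 0
}

# Constructed copies of the two files shown above, written under DIR.  Both
# start with the same 19 generated lines; only the tails differ.
make_sample_tree() {
    local dir common
    dir=$1
    mkdir -p "$dir/etc" "$dir/var/etc"
    common="# auto-generated config file from /etc/config/dhcp
conf-file=$dir/etc/dnsmasq.conf
dhcp-authoritative
domain-needed
log-queries
localise-queries
read-ethers
bogus-priv
expand-hosts
local-service
domain=lan
server=/lan/
dhcp-leasefile=/tmp/dhcp.leases
resolv-file=/tmp/resolv.conf.auto
addn-hosts=/tmp/hosts
conf-dir=/tmp/dnsmasq.d
stop-dns-rebind
rebind-localhost-ok
dhcp-broadcast=tag:needs-broadcast"
    printf '%s\n\nconf-file=%s/etc/ITUS_DNS.txt\n' "$common" "$dir" > "$dir/etc/dnsmasq.conf"
    printf '%s\n\nno-dhcp-interface=br-lan\n' "$common" > "$dir/var/etc/dnsmasq.conf"
    printf 'address=/ads.example/0.0.0.0\naddress=/tracker.example/0.0.0.0\n' > "$dir/etc/ITUS_DNS.txt"
}

# Stand-alone demo: `sh dnsmasq_check.sh demo`
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d)
    make_sample_tree "$d"
    dnsmasq_check "$d/var/etc/dnsmasq.conf"
fi
```

On the device itself, `dnsmasq --test -C /var/etc/dnsmasq.conf` gives the authoritative answer, since it parses the real include chain with dnsmasq's own keyword table; the checker is for reading that chain offline and seeing which included file supplied the first copy.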

Re: Fw_upgrade version 8.3.2 minor error checks for broken snort rules resulting in no internet connection (updated)

Roadrunnere42
Hi
Have a look at this file  /etc/itus/ituswebfilter.sh

I remember itus mentioning the br-lan interface; maybe this is why it's listed twice (only guessing).

I'm running in router mode now and don't get any errors, and it's rock solid. When I was using bridge mode I had issues with the interface dropping out.

roadrunnere42

Re: Fw_upgrade version 8.3.2 minor error checks for broken snort rules resulting in no internet connection (updated)

Wisiwyg
Thank you!

Took a look at the .sh file and now I see where the ITUS_DNS.txt file gets appended. But I am unsure whether it should be removed or revised - leaving things alone.

I have to stick with Bridge mode because I lean heavily on my Asus AC68U router's parental controls. Nothing like it in Shield.
Shield Pro v1, Chaos Calmer, FW 1.51 SP1, v8.3.2, Bridge Mode