[Debian-ports-devel] [lfilipoz at debian.org: scheduled downtime for Debian services at UBC (2016-01-09T16:00Z/20:00Z)]

Aurelien Jarno aurelien at aurel32.net
Sun Jan 10 21:36:55 UTC 2016


On 2016-01-10 22:20, John Paul Adrian Glaubitz wrote:
> On 01/10/2016 10:12 PM, Aurelien Jarno wrote:
> > I have rebooted leda on a backport kernel in the hope it helps, because
> > I don't really have any idea about what happens. I haven't been able to
> > reproduce it myself so far.
> 
> Could it be that the firewall is just too tight for the amount of
> buildds we have now? I find the messages a bit strange so I guess
> I'll have to read some documentation first to understand how
> conntrack works.

I don't think there has been such a sudden change. The problem started on
Jan 7 at 14:43:42 UTC.

> Would it be possible that you share the conntrack configuration,
> possibly in an encrypted, private mail?

I don't think there is anything to hide here; you'll find it below.
(That reminds me we should close a few more ports now that we have moved
the services out).

Aurelien


# Generated by iptables-save v1.4.14 on Sun Jan 10 21:32:26 2016
*mangle
:PREROUTING ACCEPT [131:202292]
:INPUT ACCEPT [131:202292]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [90:5400]
:POSTROUTING ACCEPT [90:5400]
COMMIT
# Completed on Sun Jan 10 21:32:26 2016
# Generated by iptables-save v1.4.14 on Sun Jan 10 21:32:26 2016
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed on Sun Jan 10 21:32:26 2016
# Generated by iptables-save v1.4.14 on Sun Jan 10 21:32:26 2016
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:PRIVATE - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -s 10.0.0.0/8 -j PRIVATE
-A INPUT -s 172.16.0.0/12 -j PRIVATE
-A INPUT -s 192.168.0.0/16 -j PRIVATE
-A INPUT -s 240.0.0.0/5 -j PRIVATE
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 10/sec -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j LOG --log-prefix "[ICMP flood] "
-A INPUT -p icmp -m icmp --icmp-type 8 -j DROP
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 995 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 9418 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 873 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 113 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p igmp -j DROP
-A INPUT -j LOG
-A INPUT -j DROP
-A FORWARD -j LOG
-A FORWARD -j DROP
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -d 10.0.0.0/8 -j PRIVATE
-A OUTPUT -d 172.16.0.0/12 -j PRIVATE
-A OUTPUT -d 192.168.0.0/16 -j PRIVATE
-A OUTPUT -d 240.0.0.0/5 -j PRIVATE
-A OUTPUT -j ACCEPT
-A OUTPUT -j LOG
-A OUTPUT -j DROP
-A PRIVATE -m limit --limit 1/sec -j LOG --log-prefix "[Non-routable address] "
-A PRIVATE -j DROP
COMMIT


-- 
Aurelien Jarno                          GPG: 4096R/1DDD8C9B
aurelien at aurel32.net                 http://www.aurel32.net
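Two things a firewall administrator would check given the exchange above, written as an added example that is not part of this message nor of any Debian infrastructure code: a static pass over the posted iptables-save filter table (which TCP ports INPUT accepts, useful for the "close a few more ports" remark, and whether any rule is shadowed by an earlier unconditional terminal rule) and a conntrack-table headroom check for the "firewall too tight for the number of buildds" hypothesis. The ruleset is copied from the message so the script runs offline; the /proc/sys/net/netfilter files are the standard kernel interface, while the 80% warning threshold is an arbitrary choice of this example.

```python
"""Static checks over an iptables-save filter table plus a conntrack headroom
check.  Added example for the thread above, not Debian infrastructure code."""
import shlex

# Filter table as posted in the message (the *mangle/*nat tables are empty).
FILTER_DUMP = """\
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:PRIVATE - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -s 10.0.0.0/8 -j PRIVATE
-A INPUT -s 172.16.0.0/12 -j PRIVATE
-A INPUT -s 192.168.0.0/16 -j PRIVATE
-A INPUT -s 240.0.0.0/5 -j PRIVATE
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 10/sec -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j LOG --log-prefix "[ICMP flood] "
-A INPUT -p icmp -m icmp --icmp-type 8 -j DROP
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 995 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 9418 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 873 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 113 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p igmp -j DROP
-A INPUT -j LOG
-A INPUT -j DROP
-A FORWARD -j LOG
-A FORWARD -j DROP
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -d 10.0.0.0/8 -j PRIVATE
-A OUTPUT -d 172.16.0.0/12 -j PRIVATE
-A OUTPUT -d 192.168.0.0/16 -j PRIVATE
-A OUTPUT -d 240.0.0.0/5 -j PRIVATE
-A OUTPUT -j ACCEPT
-A OUTPUT -j LOG
-A OUTPUT -j DROP
-A PRIVATE -m limit --limit 1/sec -j LOG --log-prefix "[Non-routable address] "
-A PRIVATE -j DROP
"""

TERMINAL = {"ACCEPT", "DROP", "REJECT"}  # targets that end traversal of a chain


def parse_filter(dump):
    """Return ({chain: policy}, {chain: [tokens after '-A CHAIN']}) in file order."""
    policies, rules = {}, {}
    for line in dump.splitlines():
        if line.startswith(":"):                      # chain declaration + policy
            name, policy = line[1:].split()[:2]
            policies[name] = policy
            rules.setdefault(name, [])
        elif line.startswith("-A "):                  # shlex keeps quoted log prefixes intact
            tokens = shlex.split(line)
            rules.setdefault(tokens[1], []).append(tokens[2:])
    return policies, rules


def open_tcp_ports(rules, chain="INPUT"):
    """TCP destination ports the chain accepts by port alone (-p tcp --dport N -j ACCEPT)."""
    ports = set()
    for rule in rules.get(chain, []):
        if "-p" in rule and rule[rule.index("-p") + 1] == "tcp" and "--dport" in rule \
                and rule[-2:] == ["-j", "ACCEPT"]:
            ports.add(int(rule[rule.index("--dport") + 1]))
    return sorted(ports)


def shadowed_rules(rules):
    """Rules that can never match: an earlier rule in the same chain has no match
    options and jumps to a terminal target (here: OUTPUT's LOG and DROP)."""
    found = []
    for chain, chain_rules in rules.items():
        dead = False
        for rule in chain_rules:
            if dead:
                found.append((chain, " ".join(rule)))
            elif rule[:1] == ["-j"] and rule[1] in TERMINAL:
                dead = True
    return found


def conntrack_headroom(count, maximum, warn_ratio=0.8):
    """Compare live conntrack entries with nf_conntrack_max; the kernel logs
    'nf_conntrack: table full, dropping packet' once the table is exhausted."""
    ratio = count / maximum
    return {"used": count, "max": maximum, "ratio": ratio, "near_limit": ratio >= warn_ratio}


def read_conntrack(base="/proc/sys/net/netfilter"):
    """Read the live values; returns None where conntrack is not loaded/readable."""
    try:
        with open(f"{base}/nf_conntrack_count") as f:
            count = int(f.read())
        with open(f"{base}/nf_conntrack_max") as f:
            maximum = int(f.read())
    except OSError:
        return None
    return conntrack_headroom(count, maximum)
```

Run it on the host with `python3 -c 'import fwcheck; print(fwcheck.read_conntrack())'` (assuming the file is saved as fwcheck.py) while the buildds are active; the static checks on the embedded dump need no privileges. Note that `read_conntrack` returning None also happens when the conntrack module is simply not loaded.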


