Linode Forum
https://forum.linode.com/

Munin Firewall Alerts
https://forum.linode.com/viewtopic.php?f=19&t=7087

Author:  edbloom [ Fri May 06, 2011 4:56 pm ]
Post subject:  Munin Firewall Alerts

Hi all,

I have had Munin running a while, and the odd time I was getting an email alert about connections through my firewall, but today I'm getting them every couple of minutes.

The email has the following contents:

ocaldomain :: localhost.localdomain :: Connections through firewall
CRITICALs: Total is 11.91 (outside range [:5]).

Any idea what Munin is trying to tell me??

Author:  db3l [ Fri May 06, 2011 5:05 pm ]
Post subject: 

It's a bug (or at least a bad interaction) with a difference in behavior of some shells when performing a read on the /proc filesystem. It affects (perhaps among others) recent Ubuntu and Debian releases that switched the system shell to dash.

See http://www.munin-monitoring.org/ticket/1025 - if you correct the two lines in fw_conntrack per the diff in the ticket it should fix the problem, or upgrade to a corrected version if available in your preferred installation approach.

-- David

Author:  edbloom [ Fri May 06, 2011 5:26 pm ]
Post subject: 

db3l wrote:
It's a bug (or at least a bad interaction) with a difference in behavior of some shells when performing a read on the /proc filesystem. It affects (perhaps among others) recent Ubuntu and Debian releases that switched the system shell to dash.

See http://www.munin-monitoring.org/ticket/1025 - if you correct the two lines in fw_conntrack per the diff in the ticket it should fix the problem, or upgrade to a corrected version if available in your preferred installation approach.

-- David


Thanks a mill for catching that David so quickly. I'll see if I can apply the diff fix.

Author:  edbloom [ Fri May 06, 2011 5:35 pm ]
Post subject: 

Hmmm.
Weird one.
The diff suggests replacing 2 lines of code that my version looks like it already has.

This is the relevant snippet from my /usr/share/munin/plugins/fw_conntrack:

Code:
        if [ -f /proc/sys/net/ipv4/ip_conntrack_max ] ; then
            read MAX </proc/sys/net/ipv4/ip_conntrack_max
        elif [ -f /proc/sys/net/ipv4/netfilter/ip_conntrack_max ]; then
             read MAX < /proc/sys/net/ipv4/netfilter/ip_conntrack_max


Maybe a new bug?

Author:  edbloom [ Fri May 06, 2011 5:49 pm ]
Post subject: 

Actually, ignore my last comment.
I found another thread suggesting I switch the line of code I have.
I was reading the diff the wrong way around, it would seem! Although I assumed that red highlighted text in a diff was the text to remove and green was what was added!

http://bugs.debian.org/cgi-bin/bugrepor ... =594695#24

Code:
Fix was to modify these lines:

        if [ -f /proc/sys/net/ipv4/ip_conntrack_max ] ; then
            read MAX </proc/sys/net/ipv4/ip_conntrack_max
        elif [ -f /proc/sys/net/ipv4/netfilter/ip_conntrack_max ]; then
             read MAX < /proc/sys/net/ipv4/netfilter/ip_conntrack_max
        fi

With:

        if [ -f /proc/sys/net/ipv4/ip_conntrack_max ] ; then
            MAX=$(cat /proc/sys/net/ipv4/ip_conntrack_max)
        elif [ -f /proc/sys/net/ipv4/netfilter/ip_conntrack_max ]; then
             MAX=$(cat /proc/sys/net/ipv4/netfilter/ip_conntrack_max)
        fi

Author:  db3l [ Fri May 06, 2011 7:08 pm ]
Post subject: 

edbloom wrote:
I was reading the diff the wrong way around it would seem! Although I assumed that red highlighted text in a diff was the text to remove and green was what was added!

Hmm, red should in fact be remove and green add. At least when viewing repository commit diffs.

Ah, unless you're talking about viewing the patch itself. Looking at the actual patch file, it appears to be a diff from local working copy to repository, so when viewed with the default trac view will appear backwards.

But if you click on the actual committed change to the repository it shows up correctly. I should have specifically mentioned viewing the committed change to avoid confusion, sorry.

-- David

Author:  edbloom [ Fri May 06, 2011 7:17 pm ]
Post subject: 

db3l wrote:
edbloom wrote:
I was reading the diff the wrong way around it would seem! Although I assumed that red highlighted text in a diff was the text to remove and green was what was added!

Hmm, red should in fact be remove and green add. At least when viewing repository commit diffs.

Ah, unless you're talking about viewing the patch itself. Looking at the actual patch file, it appears to be a diff from local working copy to repository, so when viewed with the default trac view will appear backwards.

But if you click on the actual committed change to the repository it shows up correctly. I should have specifically mentioned viewing the committed change to avoid confusion, sorry.

-- David


:) No worries David - I figured as much in the end.

Anyway I applied the patch just over an hour ago and no more emails. Fingers crossed!
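
An added example, not part of the original thread or of the Munin plugin: a POSIX sh sketch of reading the conntrack limit with `cat`, as in the fix above, and rejecting an implausibly small value before deriving an alert threshold. The function names, the 90% critical ratio, the plausibility floor, and the sample limit of 65536 (with 6 as a hypothetical truncated reading) are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: defensive read of the conntrack limit for a monitoring check.
# All names and constants below are assumptions made for this sketch.

MIN_PLAUSIBLE=64   # assumed floor used to catch truncated readings

# Print the first readable, purely numeric value found in the candidate files
# passed as arguments. Uses cat (the fix from the thread), not the read builtin.
read_limit() {
    for f in "$@"; do
        [ -f "$f" ] || continue
        v=$(cat "$f" 2>/dev/null) || continue
        case "$v" in
            ''|*[!0-9]*) continue ;;   # empty or non-numeric: try the next file
        esac
        echo "$v"
        return 0
    done
    return 1                           # no candidate produced a usable value
}

# Succeeds only if the value is large enough to be a believable table size.
plausible_limit() {
    [ "$1" -ge "$MIN_PLAUSIBLE" ]
}

# Critical threshold as 90% of the limit (assumed ratio, integer arithmetic).
critical_for() {
    echo $(( $1 * 9 / 10 ))
}

# Constructed sample: a temp file stands in for
# /proc/sys/net/ipv4/ip_conntrack_max so the sketch runs on any system.
tmp=$(mktemp)
echo 65536 > "$tmp"
max=$(read_limit /nonexistent/ip_conntrack_max "$tmp")
echo "full read:  max=$max critical=$(critical_for "$max")"
echo "short read: max=6 critical=$(critical_for 6)"
plausible_limit 6 || echo "limit 6 rejected as implausible; skip alerting on it"
rm -f "$tmp"
```

With these assumed numbers, a limit truncated to a single digit yields a critical threshold of 5, so ordinary connection counts would trip the alert constantly, while the plausibility check stops the check from alerting on a corrupted limit.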

All times are UTC-04:00