#1  11-07-2011, 10:28 AM  dbunyard (Untangle Ninja; Join Date: Nov 2008; Location: Westerville, Ohio, USA; Posts: 1,020)
Shutdown Order Of Operations

Had a small issue this morning when we rebooted our Untangle server. It looks like the Untangle box shuts down some modules (at least the SPAM scanning one) before it completely halts network traffic. While our volume of email is quite low (72k emails last month), this seems like it could be quite an issue at a larger corporation that receives hundreds of thousands of emails a day if they were forced to reboot in the middle of the day. My boss was the one that noticed it, as he got 3 emails one right after another that slipped through the filters unscanned.

So I suppose my feedback is this: is it possible to have the Untangle box halt all network traffic before it shuts down the various rack modules?

Here is a screenshot showing the gap in emails and I have attached 3 messages that came through to my boss that were not scanned by Untangle:
Attached file: spam.zip (3.7 KB)
__________________
Dan

You may one day find something interesting here. Today is not that day. Tomorrow isn't looking too good either.
#2  11-07-2011, 11:49 AM  sky-knight (Untangle Ninja; Join Date: Apr 2008; Location: Phoenix, AZ; Posts: 15,454)

This is a known issue. There is a time delay between when the kernel starts, and the UVM starts. During this window the kernel is bridging/routing packets, but the rack defenses aren't in place. There is a similar window on shutdown as well, it's just much shorter.
__________________
Rob Sandling, BS:SWE, MCP
Intouch Technology
Phone: 480-272-9889
rob@intouchtechllc.com

UntangleAppliances.com
Phone: 866-794-8879
#3  11-07-2011, 11:51 AM  dbunyard

Ahh I see, I didn't realize this was a known issue. Sorry to have been a bother.
#4  11-07-2011, 11:57 AM  sky-knight

Not a bother, it's just the way the software works. This question crops up from time to time. It's just one of those things that gets forgotten along the way sometimes. I know Untangle has addressed it in the past, and done things to attempt to shorten that delay, because everyone knows there is a security issue there, at least temporarily.
#5  11-07-2011, 12:21 PM  dbunyard

I will just have to remember to shut down the SMTP service on our Exchange server the next time I reboot Untangle. I'm just glad it was just my boss and not our CEO that got flooded with SPAM for a short time.
#6  11-07-2011, 12:32 PM  sky-knight

That... is not a bad idea. I'm going to have to do the same for a few sites. Stopping the SMTP service is trivial and painless. I've been lucky enough that the mail servers I have online aren't busy enough to push through like that.

An alternative is a packet filter rule on Untangle to halt inbound port 25. Leave it off normally, kick it on before you reboot. That will stop traffic at a kernel level, and is active when the interfaces come online. So the SMTP won't move until you disable the rule after a reboot.
#7  11-07-2011, 12:35 PM  dbunyard

Quote: Originally Posted by sky-knight
That... is not a bad idea. I'm going to have to do the same for a few sites. Stopping the SMTP service is trivial and painless. I've been lucky enough that the mail servers I have online aren't busy enough to push through like that.
Yeah, since my AD account is domain admin, I can even remote-manage the Exchange box and shut down that service for a few minutes while the Untangle box reboots. Our edge server will hold onto the mail until I bring the SMTP service back up after the UT reboot; then everything will be all happy and no unscanned emails!
#8  11-09-2011, 04:20 AM  dwasserman (Untangle Ninja; Join Date: Jun 2008; Location: Argentina; Posts: 3,634)

Unplug the network patch cord of Untangle while it reboots.
__________________
The world is divided into 10 kinds of people, who know binary and those not
#9  11-09-2011, 04:48 AM  dbunyard

Quote: Originally Posted by dwasserman
Unplug the network patch cord of Untangle while it reboots.
lol, that would be easy if I weren't 25 miles from its location.
#10  11-09-2011, 06:48 AM  choeschen (Master Untangler; Join Date: Sep 2007; Posts: 126)

Wouldn't the simple solution be to have UT change the default action on iptables to block and clear out all rules on startup and shutdown? When UT is done booting it can reset the rules and default action back to how it should be. I have built my own home-grown firewalls before using iptables, so I know this can be done via a simple script. It does not take that much time to add a bunch of rules to iptables via a script either. I was able to run through hundreds of rules being added to iptables in a matter of seconds, and that was on much older hardware than the minimum requirements UT needs.

Just my
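The two mitigations the thread arrives at, the maintenance rule that drops inbound port 25 before a reboot (post #6) and the fail-closed default policy that is only lifted once the inspection engine is up (post #10), written out as a small shell script for a generic Linux router/bridge running iptables. This is an added example, not Untangle's own code or anything shipped with the product. It assumes forwarded traffic traverses the iptables FORWARD chain (routed mode, or a bridge with br_netfilter loaded), it signals engine readiness with a hypothetical flag file (READY_FILE) rather than a real Untangle interface, and it does not persist rules across a reboot, so the early-boot step only closes the boot window if an init hook runs it before forwarding is enabled.

```shell
#!/bin/sh
# Added example, not Untangle's own code. Demonstrates, on a generic Linux
# router/bridge with iptables, the two ideas from the thread:
#   1. post #6: a narrow maintenance rule that drops inbound SMTP (tcp/25)
#      before a reboot, so the upstream relay queues mail instead of
#      delivering it to a box whose rack defenses are down;
#   2. post #10: a fail-closed FORWARD policy (DROP) that is lifted only
#      once the inspection engine reports ready.
# Assumptions (not real Untangle interfaces): forwarded traffic traverses
# the FORWARD chain; readiness is a hypothetical flag file; iptables rules
# do not survive a reboot, so "early-boot" must be hooked into init.
# DRY_RUN=1 prints the iptables commands instead of running them.

set -eu

DRY_RUN="${DRY_RUN:-0}"
READY_FILE="${READY_FILE:-/var/run/uvm.ready}"  # hypothetical readiness flag
MAINT_CHAIN="maintenance"

# Run an iptables command, or print it when DRY_RUN=1.
ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

# Post #6: drop inbound SMTP at the kernel level. The jump is inserted at
# position 1 of FORWARD and INPUT so it wins over any accept rule below.
smtp_block_on() {
    ipt -N "$MAINT_CHAIN" 2>/dev/null || true   # chain may already exist
    ipt -F "$MAINT_CHAIN"
    ipt -A "$MAINT_CHAIN" -p tcp --dport 25 -j DROP
    ipt -I FORWARD 1 -j "$MAINT_CHAIN"
    ipt -I INPUT 1 -j "$MAINT_CHAIN"
}

# Remove the maintenance rule; tolerant of it being absent (fresh boot).
smtp_block_off() {
    ipt -D FORWARD -j "$MAINT_CHAIN" 2>/dev/null || true
    ipt -D INPUT -j "$MAINT_CHAIN" 2>/dev/null || true
    ipt -F "$MAINT_CHAIN" 2>/dev/null || true
    ipt -X "$MAINT_CHAIN" 2>/dev/null || true
}

# Post #10: fail closed. Nothing transits while the engine is absent.
# Established sessions are deliberately not exempted: the goal is that no
# packet bypasses inspection, not that sessions survive the reboot.
fail_closed() {
    ipt -P FORWARD DROP
    ipt -F FORWARD
}

uvm_ready() { [ -e "$READY_FILE" ]; }

# Bounded wait for the engine, then reopen the forwarding path. On timeout
# the policy stays DROP and the status is non-zero, so a broken engine is
# noticed by the operator rather than silently bypassed.
fail_open_when_ready() {
    remaining="${1:-120}"
    while [ "$remaining" -gt 0 ]; do
        if uvm_ready; then
            ipt -P FORWARD ACCEPT
            return 0
        fi
        sleep 1
        remaining=$((remaining - 1))
    done
    echo "inspection engine not ready after timeout; FORWARD stays DROP" >&2
    return 1
}

case "${1:-}" in
    pre-reboot) smtp_block_on; fail_closed ;;
    early-boot) fail_closed ;;                  # from an init hook, before forwarding starts
    post-boot)  fail_open_when_ready "${2:-120}"; smtp_block_off ;;
    "")         : ;;                            # no action: sourced for its functions
    *)          echo "usage: $0 pre-reboot|early-boot|post-boot [timeout-seconds]" >&2; exit 2 ;;
esac
```

Usage: `DRY_RUN=1 sh fail-closed.sh pre-reboot` shows the rules that would be installed; without DRY_RUN it needs root. Because `set -e` is active, a timeout in `post-boot` aborts before `smtp_block_off`, so mail stays blocked until someone looks, which is the safe failure direction for the problem the thread describes. The trade-off is that a never-ready engine leaves the site offline rather than unfiltered; pick the timeout with that in mind.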
© 2010 Untangle, Inc. All Rights Reserved.