Topic: recent update stopped port forwarding working

[jameswilson]

As title really. Ive done a post upgrade etc but still not working as expected.

Not sure where to start?

Thanks James

[Stefano]

since SME 11 isn't yet stable, it should be reported in bugzilla

[ReetP]

And James has an account Rocket.

He can ask there as well.

Logs will be useful.

[jameswilson]

since SME 11 isn't yet stable, it should be reported in bugzilla

True

Ill add a bug, its intermittent though but was previously solid. I stupidly applied all updates as i was going away. Live and learn.
Ill raise a bug but as usual i dont know what logs or where to look.

[jameswilson]

Update on this
Its not the update as such that stops port forwarding.
perfoming the signal event post upgrade / reboot causes a service called masq to sit at the top of 'top' and port forwarding doesnt work until whatever it is doing finishes. Once masq isnt using as much processor time port fording functions as expected

[ReetP]

"masq" is your firewall service.

[Jean-Philippe Pialasse]

only reason for masq to be slow is having thousand of entries like with a huge fail2ban list

[jameswilson]

only reason for masq to be slow is having thousand of entries like with a huge fail2ban list

Yes i do have fail2ban but would it go through the full list again on a reconfigure reboot? WOuld it not be upto date and already processed them?

[ReetP]

Goes through things repeatedly all the time. Check your logs.

If you have a lot of attacks it is extremely heavy overload all the time.

I switched to using xt_geoip for most stuff. Much faster and easier.

[ReetP]

Note - on geoip I have a set of default blocks for all services.

Global == CN,RU,VN etc

I then have say sshd only permit from a couple of countries - deny all except GB,ES

sshd !=GB,ES

I set sqpsmptd & imaps the same because ny users only ever send login from a coulle of countries.

qpsmtp (receiving mail) gets it's own list but with specific bans eg RU,KR

You check the lists to see what gets the hits and modify to suit.

It is highly effective and far less overhead.

The only issue is if you travel and want to permit access from another country be careful with country codes.

On Saturday I found MD is not the Maldives

After a long struggle I managed to get access back