
Monitoring/check ferm

From Wikitech

check_ferm is an Icinga check that ensures the ferm service is running.

ferm is a frontend for iptables. If this service fails, it does not mean the firewall rules are gone (the rules already loaded stay in place), but no changes can be applied until it is fixed.

Things to do

  • Confirm there are still iptables rules loaded: iptables -L
  • Check the status of systemd unit: systemctl status ferm
  • Try starting the ferm service: systemctl start ferm
  • This should show the error.
    • A common one is that a DNS name appears in the config that can't be resolved. This especially happens when IPv4 records exist but IPv6 records are missing. In this case, add the missing records.
  • Look at the config files in /etc/ferm/conf.d/. If a specific one is causing the issue, it's possible to stop puppet, move the file to a backup location and try starting the ferm service again.
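The checklist above as a small triage script (an added example, not ferm's or Wikitech's own tooling). It assumes a Linux host with getent, iptables and systemctl, ferm config under /etc/ferm/conf.d/ (path from this page, overridable with FERM_CONF_DIR), and uses a heuristic regex to find hostnames in the config, so it can miss unusual names.

```shell
#!/bin/sh
# Triage helper for a check_ferm alert: added example, not ferm's or Wikitech's
# own tooling. Assumes a Linux host with getent, iptables and systemctl, and
# ferm config under /etc/ferm/conf.d/ (override with FERM_CONF_DIR).
set -u
FERM_CONF_DIR="${FERM_CONF_DIR:-/etc/ferm/conf.d}"

# Heuristic: pull dotted hostname-like tokens out of the given ferm config
# files. IPv6 literals contain no dots and never match; the address part of
# an IPv4 address or CIDR matches but is dropped by the second grep.
ferm_hostnames() {
    grep -ohE '\b[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)+\b' "$@" 2>/dev/null \
        | grep -vE '^[0-9.]+$' | sort -u
}

# Return 0 when NAME has an address record of the given family (4 or 6),
# using the same system resolver that ferm/iptables use at load time.
resolves() {  # usage: resolves NAME 4|6
    getent "ahostsv$2" "$1" >/dev/null 2>&1
}

# Report every name in the config files that lacks an IPv4 or IPv6 record,
# the usual cause of a ferm start failure; returns 1 if anything is missing.
check_ferm_names() {
    rc=0
    for name in $(ferm_hostnames "$@"); do
        for fam in 4 6; do
            resolves "$name" "$fam" && continue
            echo "MISSING: $name has no IPv$fam record (add it in DNS)"
            rc=1
        done
    done
    return $rc
}

# The page's checklist in order: rules still loaded?, unit status, DNS names.
triage() {
    echo "== loaded iptables rules: $(iptables -S 2>/dev/null | grep -c '^-A') =="
    echo "== systemctl status ferm =="
    systemctl status ferm --no-pager 2>&1 | head -n 5
    echo "== DNS names referenced in $FERM_CONF_DIR =="
    check_ferm_names "$FERM_CONF_DIR"/*
}

# Run the full triage only when invoked as: sh check_ferm_triage.sh run
if [ "${1:-}" = "run" ]; then triage; fi
```

A non-zero exit from the DNS step points at the name to fix; the file it lives in is the one to move aside if you need ferm back up before the record is added.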