#StackBounty: #linux #security #rabbitmq rabbitmq – worker installed on user side – security considerations

Bounty: 50

I’ve written an API which I would like to be able to write directly on the computers of my users. It is already able to write into git repositories and push, but I would like a more direct way.

For this purpose, I’m writing a RabbitMQ worker that each user will have to install. They will each have their own RabbitMQ user and their own RabbitMQ channel (so that they cannot use RabbitMQ to write to other users’ RabbitMQ queues).

The worker will be launched via my-worker-ctl start $userName $userKey.
The user will be able to specify which folders the worker can work in, for example my-worker-ctl set-project-root $myProjectName $folder.

Folders in which the projects are created are generally in the $USER or www-data group.

I would like to know if there is a way to limit the worker’s access to only its installation dir AND the registered directories (via my-worker-ctl set-project-root). My goal is to make the API unable to write into other folders on the user’s computer, in case the API is controlled by a virus or whatever. By doing this, the API will not be a security hole.

PS: the clients will only be on Linux; I won’t do a worker version for other OSes.


Get this bounty!!!
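One way to get the confinement the question asks for on Linux is to run the worker as a systemd service with ProtectSystem=strict (whole filesystem read-only) and re-open only the install dir and the registered project roots with ReadWritePaths=. The script below is an added example, not code from the post or from any my-worker project: it validates registered roots before they are baked into the unit, generates the unit, and shows the in-process path check the worker itself should still perform. The unit name, the /usr/local/bin/my-worker binary, the user name and all paths are assumptions.

```python
"""Added example (not from the post): confine a per-user worker with systemd
sandboxing so it can only write to its install dir plus registered project
roots.  Unit contents, binary path, user and directories are assumptions."""
import os
import posixpath

# Registering one of these as a "project root" would let a compromised worker
# rewrite system files.  The list is an assumption; extend it for your hosts.
FORBIDDEN = ("/bin", "/boot", "/dev", "/etc", "/lib", "/lib64", "/proc",
             "/root", "/sbin", "/sys", "/usr", "/var/lib")


def is_valid_root(path: str) -> bool:
    """A project root must be absolute, already normalised (no '..', no '//',
    no trailing '/'), not '/', and outside system directories; otherwise the
    generated ReadWritePaths= line would silently widen the sandbox."""
    if not path.startswith("/") or path.startswith("//") or path == "/":
        return False
    if path != posixpath.normpath(path):
        return False
    return not any(path == p or path.startswith(p + "/") for p in FORBIDDEN)


def build_unit(user: str, install_dir: str, project_roots,
               worker_bin: str = "/usr/local/bin/my-worker") -> str:
    """Render a systemd unit.  Every directive used here is a real systemd
    [Service] option; ProtectSystem=strict makes the whole tree read-only and
    ReadWritePaths= lists the only places the worker may write."""
    roots = [install_dir, *sorted(set(project_roots))]
    bad = [r for r in roots if not is_valid_root(r)]
    if bad:
        raise ValueError(f"refusing to sandbox with invalid roots: {bad}")
    lines = [
        "[Unit]",
        "Description=API worker (sandboxed)",
        "After=network-online.target",
        "",
        "[Service]",
        f"User={user}",
        # Assumption: the worker reads its key from a 0600 file it owns rather
        # than from argv ($userKey on the command line is readable by every
        # local user through /proc/<pid>/cmdline).
        f"ExecStart={worker_bin} start",
        "NoNewPrivileges=yes",
        "ProtectSystem=strict",
        "PrivateTmp=yes",
        "PrivateDevices=yes",
        "ProtectKernelTunables=yes",
        "ProtectControlGroups=yes",
        "RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6",
        "CapabilityBoundingSet=",
        "SystemCallFilter=@system-service",
        "ReadWritePaths=" + " ".join(roots),
        "",
        "[Install]",
        "WantedBy=multi-user.target",
    ]
    return "\n".join(lines) + "\n"


def path_within(root: str, target: str) -> bool:
    """Defence in depth inside the worker: refuse a write target unless it
    resolves under an allowed root.  realpath() follows symlinks, so a link
    planted inside a project that points at ~/.ssh is rejected; commonpath()
    avoids the '/home/u/proj' vs '/home/u/projects' prefix trap."""
    root_r = os.path.realpath(root)
    target_r = os.path.realpath(target)
    return os.path.commonpath([root_r, target_r]) == root_r


if __name__ == "__main__":
    print(build_unit("alice", "/opt/my-worker",
                     ["/home/alice/proj", "/var/www/site"]))
```

Install the rendered text as /etc/systemd/system/my-worker@.service (or one unit per user) and regenerate it from `set-project-root` rather than letting the worker edit its own unit, since a process that can rewrite its sandbox definition is not sandboxed. The mount namespace only limits the filesystem; with the key on the command line the secret is still exposed to other local users, which is why the example leaves it out of ExecStart.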

#StackBounty: #linux #networking #firewall netfilter TCP/UDP conntrack RELATED state with ICMP / ICMPv6

Bounty: 50

Netfilter connection tracking is designed to identify some packets as “RELATED” to a conntrack entry.

I’m looking to find the full details of TCP and UDP conntrack entries, with respect to ICMP and ICMPv6 error packets.

Specifically for IPv6 firewalling, RFC 4890 clearly describes the ICMPv6 packets that shouldn’t be dropped:

http://www.ietf.org/rfc/rfc4890.txt

4.3.1. Traffic That Must Not Be Dropped

Error messages that are essential to the establishment and maintenance of communications:

    Destination Unreachable (Type 1) - All codes
    Packet Too Big (Type 2)
    Time Exceeded (Type 3) - Code 0 only
    Parameter Problem (Type 4) - Codes 1 and 2 only

Appendix A.4 suggests some more specific checks that could be performed on Parameter Problem messages if a firewall has the necessary packet inspection capabilities.

Connectivity checking messages:

    Echo Request (Type 128)
    Echo Response (Type 129)

For Teredo tunneling [RFC4380] to IPv6 nodes on the site to be possible, it is essential that the connectivity checking messages are allowed through the firewall. It has been common practice in IPv4 networks to drop Echo Request messages in firewalls to minimize the risk of scanning attacks on the protected network. As discussed in Section 3.2, the risks from port scanning in an IPv6 network are much less severe, and it is not necessary to filter IPv6 Echo Request messages.

4.3.2. Traffic That Normally Should Not Be Dropped

Error messages other than those listed in Section 4.3.1:

    Time Exceeded (Type 3) - Code 1
    Parameter Problem (Type 4) - Code 0

In the case of a Linux home router, is the following rule sufficient to protect the WAN interface while letting through the RFC 4890 ICMPv6 packets? (ip6tables-save format)

*filter
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

Addendum: of course, one needs other rules for NDP and DHCP-PD:

-A INPUT -s fe80::/10 -d fe80::/10 -i wanif -p ipv6-icmp -j ACCEPT
-A INPUT -s fe80::/10 -d fe80::/10 -i wanif -p udp -m state --state NEW -m udp --sport 547 --dport 546 -j ACCEPT

In other terms, can I safely get rid of the following rules to comply with RFC 4890, keeping only the “RELATED” rule first?

-A INPUT -i wanif -p icmpv6 --icmpv6-type destination-unreachable -j ACCEPT
-A INPUT -i wanif -p icmpv6 --icmpv6-type packet-too-big -j ACCEPT
-A INPUT -i wanif -p icmpv6 --icmpv6-type ttl-exceeded -j ACCEPT
-A INPUT -i wanif -p icmpv6 --icmpv6-type parameter-problem -j ACCEPT


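What the RELATED state actually means for an ICMPv6 error is that conntrack parses the invoking packet embedded in the error and finds its 5-tuple in the connection table. The following is an added example, not part of the question: it builds a few ICMPv6 packets from constructed sample addresses, extracts the embedded tuple the way conntrack does, and checks it against a small in-memory conntrack table. The addresses, ports and the `FLOW` entry are made up; checksums are not verified.

```python
"""Added example (not from the post): decide whether an ICMPv6 error is
RELATED to a tracked TCP/UDP flow by looking up the embedded packet's tuple.
Addresses, ports and the conntrack entry are constructed sample data."""
import struct
from ipaddress import IPv6Address

ICMPV6 = 58
ERROR_TYPES = {1: "destination-unreachable", 2: "packet-too-big",
               3: "time-exceeded", 4: "parameter-problem"}   # RFC 4890 4.3.1 / 4.3.2
ECHO_REQUEST = 128


def ipv6_header(src, dst, next_header, payload_len, hop_limit=64):
    """Minimal 40-byte IPv6 header (version 6, no traffic class / flow label)."""
    return struct.pack("!IHBB16s16s", 0x60000000, payload_len, next_header,
                       hop_limit, IPv6Address(src).packed, IPv6Address(dst).packed)


def tcp_prefix(sport, dport, seq=1):
    """First 8 bytes of a TCP header (ports + sequence number); the ports are
    all conntrack needs from the invoking packet."""
    return struct.pack("!HHI", sport, dport, seq)


def icmpv6_error(src, dst, icmp_type, code, invoking):
    """ICMPv6 error: type, code, checksum (left 0 here), 4 unused/MTU bytes,
    then as much of the invoking packet as fits."""
    body = struct.pack("!BBHI", icmp_type, code, 0, 0) + invoking
    return ipv6_header(src, dst, ICMPV6, len(body)) + body


def embedded_tuple(pkt):
    """(proto, src, sport, dst, dport) of the packet an ICMPv6 error refers
    to, or None if pkt is not an ICMPv6 error carrying TCP/UDP."""
    if len(pkt) < 48:
        return None
    word, _plen, nh, _hl, _src, _dst = struct.unpack("!IHBB16s16s", pkt[:40])
    if word >> 28 != 6 or nh != ICMPV6:
        return None
    if pkt[40] not in ERROR_TYPES:
        return None                      # echo, NDP, MLD: not errors, never RELATED
    inner = pkt[48:]
    if len(inner) < 44:                  # inner IPv6 header + the two port fields
        return None
    _w, _pl, inh, _ihl, isrc, idst = struct.unpack("!IHBB16s16s", inner[:40])
    if inh not in (6, 17):               # TCP / UDP (extension headers not handled)
        return None
    sport, dport = struct.unpack("!HH", inner[40:44])
    return (inh, str(IPv6Address(isrc)), sport, str(IPv6Address(idst)), dport)


def invert(t):
    proto, src, sport, dst, dport = t
    return (proto, dst, dport, src, sport)


def is_related(pkt, conntrack):
    """conntrack: set of original-direction tuples of tracked flows.  The error
    is RELATED if its embedded packet belongs to a tracked flow in either
    direction (the kernel looks up the inverted inner tuple)."""
    t = embedded_tuple(pkt)
    if t is None:
        return False
    return t in conntrack or invert(t) in conntrack


# Constructed sample: an inside host opened TCP 2001:db8::10:40000 -> 2001:db8:1::1:443
FLOW = (6, "2001:db8::10", 40000, "2001:db8:1::1", 443)
CONNTRACK = {FLOW}


def demo():
    """Returns (related PTB, PTB about an unknown flow, inbound echo request)."""
    invoking = ipv6_header(FLOW[1], FLOW[3], 6, 20) + tcp_prefix(FLOW[2], FLOW[4])
    ptb = icmpv6_error("2001:db8:2::1", FLOW[1], 2, 0, invoking)      # Packet Too Big from a router on the path
    stray = icmpv6_error("2001:db8:2::1", FLOW[1], 2, 0,
                         ipv6_header(FLOW[1], FLOW[3], 6, 20) + tcp_prefix(40001, 443))
    echo = ipv6_header("2001:db8:2::1", FLOW[1], ICMPV6, 8) + struct.pack("!BBHHH", ECHO_REQUEST, 0, 0, 1, 1)
    return (is_related(ptb, CONNTRACK), is_related(stray, CONNTRACK), is_related(echo, CONNTRACK))
```

So the single `--ctstate RELATED,ESTABLISHED` rule admits types 1 to 4 exactly when the error refers to a flow the router (or a host behind it) already has in its table, which is the case that matters for PMTUD of your own connections. It does not admit an inbound Echo Request (a new flow, state NEW) or NDP, so the addendum rules stay necessary, and an explicit accept for type 128 is needed if you want to follow the RFC 4890 advice on connectivity checks.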

#StackBounty: #linux #gpg #gpg-agent Controlling the lifetime of keys unlocked in a GnuPG agent

Bounty: 50

For (slightly) increased security, I would like to have better control of the lifetime of any unlocked keys, depending on the task being performed. Ideally, I would start an interactive sub-shell, do any tasks involving secrets, then have all unlocked keys be cleared automatically when the sub-shell exits.

I know that one can manually clear cached passphrases using gpg-connect-agent, but AFAIK that requires each key to be specified explicitly. Another option would be to set a short cache expiry time using the --default-cache-ttl or --max-cache-ttl options for gpg-agent; but generally that means either setting a long TTL, or being asked for the same passphrase more than once.

I seem to remember that a long time ago it was possible to specify an alternative gpg-agent socket path and basically start an independent session, but that does not seem to be possible any more; newer versions seem to use a fixed path that cannot be changed.

So, what am I missing? Is there a way to achieve what I want?


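The scoped session the question describes can be built on two things GnuPG 2.1+ does provide: `gpg-connect-agent reloadagent /bye` makes the running agent forget every cached passphrase at once (the same effect as sending it SIGHUP), and a different GNUPGHOME gets its own agent instance, which `gpgconf --kill gpg-agent` stops. The wrapper below is an added example, not from the post or from GnuPG: it runs a command or sub-shell and guarantees the flush afterwards, whether the task succeeded, failed or was missing. The flush command is a parameter so the control flow can be exercised without gpg installed.

```python
"""Added example (not part of the post): run a task in a scope whose unlocked
GnuPG keys are discarded when it ends.  RELOAD_AGENT and KILL_AGENT are real
GnuPG 2.1+ commands; everything else is this example's own code."""
import os
import subprocess

RELOAD_AGENT = ("gpg-connect-agent", "reloadagent", "/bye")   # flush cache of the default agent
KILL_AGENT = ("gpgconf", "--kill", "gpg-agent")                # stop the agent of $GNUPGHOME


def _run(cmd, env, quiet=False):
    """Exit status of cmd, or 127 if the binary does not exist."""
    sink = subprocess.DEVNULL if quiet else None
    try:
        return subprocess.run(list(cmd), env=env, stdout=sink, stderr=sink).returncode
    except FileNotFoundError:
        return 127


def run_then_forget(argv, gnupghome=None, flush_cmd=None):
    """Run argv; whatever happens afterwards (non-zero exit, missing binary,
    KeyboardInterrupt), make the agent forget every cached passphrase.
    With gnupghome set, the task talks to a private agent for that home and
    that agent is killed; otherwise the default agent's cache is flushed.
    Returns (task_exit_status, flush_exit_status)."""
    env = dict(os.environ)
    if gnupghome is not None:
        env["GNUPGHOME"] = gnupghome
    if flush_cmd is None:
        flush_cmd = KILL_AGENT if gnupghome is not None else RELOAD_AGENT
    try:
        task_rc = _run(argv, env)
    finally:
        flush_rc = _run(flush_cmd, env, quiet=True)
    return task_rc, flush_rc


def interactive_session(shell=None, **kwargs):
    """The sub-shell the question asks for: leave it and the keys are gone."""
    return run_then_forget([shell or os.environ.get("SHELL", "/bin/sh")], **kwargs)


if __name__ == "__main__":
    rc, flushed = interactive_session()
    print(f"shell exited {rc}; agent flush exit status {flushed}")
```

Flushing the default agent also drops passphrases cached by anything else that was using it, which is the trade-off of the first mode; the private-GNUPGHOME mode avoids that at the cost of keeping a second keyring (or a copy of private-keys-v1.d) in that directory.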

#StackBounty: #linux #networking #centos #vpn #ipsec ipsec site to site vpn sometimes not work

Bounty: 100

I have a problem with an IPsec (strongSwan) site-to-site VPN on CentOS (Linux).

I have 2 tunnels in my network:

Security Associations (2 up, 0 connecting):
gateway-second[2]: ESTABLISHED 6 minutes ago, XX.XX.XX.XXX[10.10.20.1]...YY.YY.YYY.YY[YY.YY.YYY.YY]
gateway-second{2}:  INSTALLED, TUNNEL, reqid 2, ESP SPIs: c016f8d5_i 0e88a657_o
gateway-second{2}:   10.10.20.1/32 === 10.5.30.144/32
gateway-first[1]: ESTABLISHED 6 minutes ago, XX.XX.XX.XXX[10.10.21.1]...YY.YY.YYY.YY[YY.YY.YYY.YY]
gateway-first{1}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: cd51497c_i 118e08a0_o
gateway-first{1}:   10.10.21.1/32 === 10.5.31.26/32

So my question is: sometimes when I restart the VPN server, traffic goes into the tunnel, but sometimes it doesn’t. It is very strange and I don’t know what to search for. Maybe you know?

This is my ipsec.conf

conn myikesettings
  keyexchange=ikev2
  authby=secret
  left=%defaultroute
  right=XX.XX.XXX.XX
  type=tunnel
  ike=aes256-sha256-modp1024!
  esp=aes256-sha1!
  keyingtries=3
  ikelifetime=86400s
  lifetime=36000
  pfs=no
  closeaction=hold
conn gateway-first
  leftid=10.10.21.1
  leftsubnet=10.10.21.1/32
  rightsubnet=10.5.31.26/32
  also=myikesettings
  auto=start
conn gateway-second
  leftid=10.10.20.1
  leftsubnet=10.10.20.1/32
  rightsubnet=10.5.30.144/32
  also=myikesettings
  auto=start

— charon.log —

Apr  7 20:30:14 00[CFG] loading secrets from '/etc/strongswan/ipsec.secrets'
Apr  7 20:30:14 00[CFG] loaded IKE secret for XX.XX.XX.XXX YY.YY.YYY.YY
Apr  7 20:30:14 00[LIB] loaded plugins: charon aes des rc2 sha2 sha1 md4 md5 random nonce x509 revocation constraints acert pubkey pkcs1 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt fips-prf gmp curve25519 xcbc cmac hmac ctr ccm gcm curl attr kernel-netlink resolve socket-default farp stroke vici updown eap-identity eap-md5 eap-gtc eap-mschapv2 eap-tls eap-ttls eap-peap xauth-generic xauth-eap xauth-pam xauth-noauth dhcp unity
Apr  7 20:30:14 00[JOB] spawning 16 worker threads
Apr  7 20:30:14 06[CFG] received stroke: add connection 'gateway-second'
Apr  7 20:30:14 06[CFG] added configuration 'gateway-second'
Apr  7 20:30:14 07[CFG] received stroke: initiate 'gateway-second'
Apr  7 20:30:14 07[IKE] <gateway-second|1> initiating IKE_SA gateway-second[1] to YY.YY.YYY.YY
Apr  7 20:30:14 07[ENC] <gateway-second|1> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Apr  7 20:30:14 07[NET] <gateway-second|1> sending packet: from XX.XX.XX.XXX[500] to YY.YY.YYY.YY[500] (338 bytes)
Apr  7 20:30:14 09[CFG] received stroke: add connection 'gateway-first'
Apr  7 20:30:14 09[CFG] added configuration 'gateway-first'
Apr  7 20:30:14 11[CFG] received stroke: initiate 'gateway-first'
Apr  7 20:30:14 11[IKE] <gateway-first|2> initiating IKE_SA gateway-first[2] to YY.YY.YYY.YY
Apr  7 20:30:14 11[ENC] <gateway-first|2> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Apr  7 20:30:14 11[NET] <gateway-first|2> sending packet: from XX.XX.XX.XXX[500] to YY.YY.YYY.YY[500] (338 bytes)
Apr  7 20:30:14 13[NET] <gateway-second|1> received packet: from YY.YY.YYY.YY[500] to XX.XX.XX.XXX[500] (438 bytes)
Apr  7 20:30:14 13[ENC] <gateway-second|1> parsed IKE_SA_INIT response 0 [ SA KE No V V N(NATD_S_IP) N(NATD_D_IP) V ]
Apr  7 20:30:14 13[IKE] <gateway-second|1> received Cisco Delete Reason vendor ID
Apr  7 20:30:14 13[IKE] <gateway-second|1> received Cisco Copyright (c) 2009 vendor ID
Apr  7 20:30:14 13[IKE] <gateway-second|1> received FRAGMENTATION vendor ID
Apr  7 20:30:14 13[IKE] <gateway-second|1> authentication of '10.10.21.1' (myself) with pre-shared key
Apr  7 20:30:14 13[IKE] <gateway-second|1> establishing CHILD_SA gateway-second
Apr  7 20:30:14 13[ENC] <gateway-second|1> generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Apr  7 20:30:14 13[NET] <gateway-second|1> sending packet: from XX.XX.XX.XXX[4500] to YY.YY.YYY.YY[4500] (288 bytes)
Apr  7 20:30:14 15[NET] <gateway-first|2> received packet: from YY.YY.YYY.YY[500] to XX.XX.XX.XXX[500] (438 bytes)
Apr  7 20:30:14 15[ENC] <gateway-first|2> parsed IKE_SA_INIT response 0 [ SA KE No V V N(NATD_S_IP) N(NATD_D_IP) V ]
Apr  7 20:30:14 15[IKE] <gateway-first|2> received Cisco Delete Reason vendor ID
Apr  7 20:30:14 15[IKE] <gateway-first|2> received Cisco Copyright (c) 2009 vendor ID
Apr  7 20:30:14 15[IKE] <gateway-first|2> received FRAGMENTATION vendor ID
Apr  7 20:30:14 15[IKE] <gateway-first|2> authentication of '10.10.20.1' (myself) with pre-shared key
Apr  7 20:30:14 15[IKE] <gateway-first|2> establishing CHILD_SA gateway-first
Apr  7 20:30:14 15[ENC] <gateway-first|2> generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Apr  7 20:30:14 15[NET] <gateway-first|2> sending packet: from XX.XX.XX.XXX[4500] to YY.YY.YYY.YY[4500] (288 bytes)
Apr  7 20:30:14 05[NET] <gateway-second|1> received packet: from YY.YY.YYY.YY[4500] to XX.XX.XX.XXX[4500] (256 bytes)
Apr  7 20:30:14 05[ENC] <gateway-second|1> parsed IKE_AUTH response 1 [ V IDr AUTH SA TSi TSr N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) ]
Apr  7 20:30:14 05[IKE] <gateway-second|1> authentication of 'YY.YY.YYY.YY' with pre-shared key successful
Apr  7 20:30:14 05[IKE] <gateway-second|1> IKE_SA gateway-second[1] established between XX.XX.XX.XXX[10.10.21.1]...YY.YY.YYY.YY[YY.YY.YYY.YY]
Apr  7 20:30:14 05[IKE] <gateway-second|1> scheduling reauthentication in 85478s
Apr  7 20:30:14 05[IKE] <gateway-second|1> maximum IKE_SA lifetime 86018s
Apr  7 20:30:14 05[IKE] <gateway-second|1> received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Apr  7 20:30:14 05[IKE] <gateway-second|1> CHILD_SA gateway-second{1} established with SPIs c341bc05_i d8e034cf_o and TS 10.10.21.1/32 === 10.5.31.26/32
Apr  7 20:30:14 04[NET] <gateway-first|2> received packet: from YY.YY.YYY.YY[4500] to XX.XX.XX.XXX[4500] (256 bytes)
Apr  7 20:30:14 04[ENC] <gateway-first|2> parsed IKE_AUTH response 1 [ V IDr AUTH SA TSi TSr N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) ]
Apr  7 20:30:14 04[IKE] <gateway-first|2> authentication of 'YY.YY.YYY.YY' with pre-shared key successful
Apr  7 20:30:14 04[IKE] <gateway-first|2> IKE_SA gateway-first[2] established between XX.XX.XX.XXX[10.10.20.1]...YY.YY.YYY.YY[YY.YY.YYY.YY]
Apr  7 20:30:14 04[IKE] <gateway-first|2> scheduling reauthentication in 85371s
Apr  7 20:30:14 04[IKE] <gateway-first|2> maximum IKE_SA lifetime 85911s
Apr  7 20:30:14 04[IKE] <gateway-first|2> received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Apr  7 20:30:14 04[IKE] <gateway-first|2> CHILD_SA gateway-first{2} established with SPIs cc5c14b6_i d89a3328_o and TS 10.10.20.1/32 === 10.5.30.144/32


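Two things in the post are worth checking mechanically rather than by eye: the proposal strings (modp1024 and SHA-1 in 2018-era IKE/ESP proposals, and an ESP proposal without a DH group), and the fact that in the charon.log excerpt the IKE_SA named gateway-second authenticates as 10.10.21.1 and installs TS 10.10.21.1/32 === 10.5.31.26/32, which is gateway-first's leftid and selector pair, while gateway-first does the reverse. The script below is an added example, not part of the question: it parses the ipsec.conf and the log lines copied from the post (with the addresses masked as there), lints the proposals, and reports every SA whose identity or traffic selectors differ from the conn it is named after. No other input is assumed.

```python
"""Added example (not part of the post): lint the ipsec.conf from the post and
cross-check charon.log lines (copied from the post) against it."""
import re

CONF = """\
conn myikesettings
  keyexchange=ikev2
  authby=secret
  left=%defaultroute
  right=XX.XX.XXX.XX
  type=tunnel
  ike=aes256-sha256-modp1024!
  esp=aes256-sha1!
  keyingtries=3
  ikelifetime=86400s
  lifetime=36000
  pfs=no
  closeaction=hold
conn gateway-first
  leftid=10.10.21.1
  leftsubnet=10.10.21.1/32
  rightsubnet=10.5.31.26/32
  also=myikesettings
  auto=start
conn gateway-second
  leftid=10.10.20.1
  leftsubnet=10.10.20.1/32
  rightsubnet=10.5.30.144/32
  also=myikesettings
  auto=start
"""

LOG = [
    "Apr  7 20:30:14 13[IKE] <gateway-second|1> authentication of '10.10.21.1' (myself) with pre-shared key",
    "Apr  7 20:30:14 15[IKE] <gateway-first|2> authentication of '10.10.20.1' (myself) with pre-shared key",
    "Apr  7 20:30:14 05[IKE] <gateway-second|1> CHILD_SA gateway-second{1} established with SPIs c341bc05_i d8e034cf_o and TS 10.10.21.1/32 === 10.5.31.26/32",
    "Apr  7 20:30:14 04[IKE] <gateway-first|2> CHILD_SA gateway-first{2} established with SPIs cc5c14b6_i d89a3328_o and TS 10.10.20.1/32 === 10.5.30.144/32",
]


def parse_ipsec_conf(text):
    """conn sections as dicts, with also= expanded (the conn's own keys win)."""
    raw, cur = {}, None
    for line in text.splitlines():
        line = line.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if line.startswith("conn "):
            cur = line.split(None, 1)[1].strip()
            raw[cur] = {}
        elif cur and "=" in line:
            key, val = line.strip().split("=", 1)
            raw[cur][key.strip()] = val.strip()

    def resolve(name):
        own = dict(raw[name])
        merged = resolve(own.pop("also")) if "also" in own else {}
        merged.update(own)
        return merged

    return {name: resolve(name) for name in raw}


WEAK_DH = {"modp768", "modp1024"}     # below 2048 bits: Logjam-class precomputation
LEGACY_HASH = {"md5", "sha1"}


def lint_conn(conn):
    findings = []
    ike = conn.get("ike", "").rstrip("!")
    esp = conn.get("esp", "").rstrip("!")
    findings += [f"ike: weak DH group {a}" for a in re.split(r"[-,]", ike) if a in WEAK_DH]
    findings += [f"esp: legacy integrity {a}" for a in re.split(r"[-,]", esp) if a in LEGACY_HASH]
    if esp and not re.search(r"modp|ecp|curve", esp):
        findings.append("esp: no DH group, CHILD_SA rekeys without PFS (pfs= is ignored for IKEv2)")
    return findings


AUTH = re.compile(r"<(?P<conn>[^|>]+)\|\d+> authentication of '(?P<id>[^']+)' \(myself\)")
CHILD = re.compile(r"CHILD_SA (?P<conn>[^{\s]+)\{\d+\} established with SPIs \S+ \S+ and TS (?P<ts>\S+ === \S+)")


def check_log(lines, conns):
    """Every SA whose local identity or traffic selectors differ from the conn
    it is named after."""
    findings = []
    for line in lines:
        m = AUTH.search(line)
        if m and m["conn"] in conns and m["id"] != conns[m["conn"]].get("leftid"):
            findings.append(f"{m['conn']}: authenticated as {m['id']}, configured leftid={conns[m['conn']].get('leftid')}")
        m = CHILD.search(line)
        if m and m["conn"] in conns:
            c = conns[m["conn"]]
            want = f"{c.get('leftsubnet')} === {c.get('rightsubnet')}"
            if m["ts"] != want:
                findings.append(f"{m['conn']}: installed TS {m['ts']}, configured {want}")
    return findings


if __name__ == "__main__":
    conns = parse_ipsec_conf(CONF)
    for name in ("gateway-first", "gateway-second"):
        for f in lint_conn(conns[name]):
            print(f"{name}: {f}")
    for f in check_log(LOG, conns):
        print(f)
```

Run check_log over the full charon.log around each restart and compare the runs where traffic flowed with the ones where it did not; the excerpt in the post already shows both SAs carrying the other conn's identity and selectors, so that is the first thing to correlate with the failures.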

#StackBounty: #linux #macos #ssh #qemu #tcpdump Configure QEMU (Guest Debian-9.0 Sparc64 – Host MacOS High Sierra) to do ssh from guest…

Bounty: 50

Firstly, with a QEMU virtual machine (Debian Sparc64 Etch 4.0), I have successfully been able to get ssh and scp commands working from guest to host (macOS High Sierra 10.13.3).

I wanted only to transfer files between guest and host.

To get it, I followed this tutorial:

1) I have installed TUN/TAP drivers

2) Launching QEMU like this :

qemu-system-sparc -boot c -hda debian_etch.img -m 512M -net nic -net tap,script=no,downscript=no

3) Once the VM has booted, on the macOS host do: ifconfig tap0 192.168.10.1

4) On the Debian Etch host, in /etc/network/interfaces:

auto eth0
iface eth0 inet static
address 192.168.10.2
netmask 255.255.255.0
gateway 192.168.10.1

and run: /etc/init.d/networking restart

5) Finally, on the guest: $ scp -r dir user_host@192.168.10.1:~/

Now, I would like to get the same thing with a “Debian Sparc64 Stretch 9.0” guest.

It seems that ifconfig is deprecated with recent versions of Debian.

Anyway, I tried to launch the Sparc64 image with:

qemu-system-sparc64 \
  -drive file=debian-9.0-sparc64.qcow2,if=none,id=drive-ide0-0-1,format=qcow2,cache=none \
  -m 1024 \
  -boot c \
  -net nic \
  -net tap,ifname=tap0,script=no,downscript=no \
  -nographic

and did steps 1), 3) and 4) again, but unfortunately ssh and scp from the guest don’t work.

I must note that with this Debian Sparc64 9.0 guest, the network interface’s logical name changes (maybe at each boot). For example, /etc/network/interfaces contains:

auto enp0s5
allow-hotplug enp0s5
iface enp0s5 inet static
address 192.168.10.2
netmask 255.255.255.0
gateway 192.168.10.1

Finally, I get the following result from the guest:

# ssh user_host@192.168.10.1
  ssh: connect to host 192.168.10.1 port 22: No route to host

ip a gives:

# ip a

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: enp0s5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 52:54:00:12:34:56 brd ff:ff:ff:ff:ff:ff
    inet 192.168.10.2/24 brd 192.168.10.255 scope global enp0s5
       valid_lft forever preferred_lft forever
    inet6 fec0::5054:ff:fe12:3456/64 scope site mngtmpaddr dynamic 
       valid_lft 86207sec preferred_lft 14207sec
    inet6 fe80::5054:ff:fe12:3456/64 scope link 
       valid_lft forever preferred_lft forever

If someone could give me some clues to fix it and get the ssh/scp commands to work from guest to host (I have no network on the guest and no sshd server, so I only want the direction guest-->host for ssh/scp).

UPDATE 1:

I keep on debugging this issue.

1) First, following this link, I rename the network interface of the "Debian 9.0 Sparc64" guest to eth0 at each boot:

vi /etc/udev/rules.d/10-network.rules

   SUBSYSTEM=="net", ACTION=="add", ATTR{address}=="52:54:00:12:34:56", NAME="eth0"

with the MAC address given by:

$ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 1000
    link/ether 52:54:00:12:34:56 brd ff:ff:ff:ff:ff:ff
    inet 192.168.10.2/24 brd 192.168.10.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::5054:ff:fe12:3456/64 scope link 
       valid_lft forever preferred_lft forever

2) I used tcpdump on the TAP interface of the macOS High Sierra host:

# tcpdump -vv -i tap0
tcpdump: listening on tap0, link-type EN10MB (Ethernet), capture size 262144 bytes
00:23:06.112155 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.10.1 tell 192.168.10.2, length 46
00:23:06.112228 ARP, Ethernet (len 6), IPv4 (len 4), Reply 192.168.10.1 is-at fe:22:e7:8c:7f:fa (oui Unknown), length 28
00:23:07.128440 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.10.1 tell 192.168.10.2, length 46
00:23:07.128499 ARP, Ethernet (len 6), IPv4 (len 4), Reply 192.168.10.1 is-at fe:22:e7:8c:7f:fa (oui Unknown), length 28
00:23:08.152323 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.10.1 tell 192.168.10.2, length 46
00:23:08.152381 ARP, Ethernet (len 6), IPv4 (len 4), Reply 192.168.10.1 is-at fe:22:e7:8c:7f:fa (oui Unknown), length 28
00:23:11.119346 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.10.1 tell 192.168.10.2, length 46
00:23:11.119396 ARP, Ethernet (len 6), IPv4 (len 4), Reply 192.168.10.1 is-at fe:22:e7:8c:7f:fa (oui Unknown), length 28
00:23:12.120190 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.10.1 tell 192.168.10.2, length 46
00:23:12.120250 ARP, Ethernet (len 6), IPv4 (len 4), Reply 192.168.10.1 is-at fe:22:e7:8c:7f:fa (oui Unknown), length 28
00:23:13.145028 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.10.1 tell 192.168.10.2, length 46
00:23:13.145075 ARP, Ethernet (len 6), IPv4 (len 4), Reply 192.168.10.1 is-at fe:22:e7:8c:7f:fa (oui Unknown), length 28
00:23:16.127525 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.10.1 tell 192.168.10.2, length 46
00:23:16.127575 ARP, Ethernet (len 6), IPv4 (len 4), Reply 192.168.10.1 is-at fe:22:e7:8c:7f:fa (oui Unknown), length 28
00:23:17.145202 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.10.1 tell 192.168.10.2, length 46
00:23:17.145272 ARP, Ethernet (len 6), IPv4 (len 4), Reply 192.168.10.1 is-at fe:22:e7:8c:7f:fa (oui Unknown), length 28

Should I conclude that the guest (192.168.10.2 in the guest’s /etc/network/interfaces) and the host (192.168.10.1, set by ifconfig tap0 192.168.10.1) are communicating, since I see both addresses with tcpdump above?

If I do tcpdump -vv -i tap0 on the host while I restart networking on the guest, I get:

00:27:07.648620 IP6 (hlim 1, next-header Options (0) payload length: 36) :: > ff02::16: HBH (rtalert: 0x0000) (padn) [icmp6 sum ok] ICMP6, multicast listener report v2, 1 group record(s) [gaddr ff02::1:ff12:3456 to_ex { }]
00:27:07.804644 IP6 (hlim 1, next-header Options (0) payload length: 36) :: > ff02::16: HBH (rtalert: 0x0000) (padn) [icmp6 sum ok] ICMP6, multicast listener report v2, 1 group record(s) [gaddr ff02::1:ff12:3456 to_ex { }]
00:27:08.569140 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 32) :: > ff02::1:ff12:3456: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has fe80::5054:ff:fe12:3456
      unknown option (14), length 8 (1): 
        0x0000:  3bd4 4c86 3dd6
00:27:08.612632 IP (tos 0x0, ttl 255, id 37381, offset 0, flags [none], proto UDP (17), length 118)
    192.168.10.1.mdns > 224.0.0.251.mdns: [udp sum ok] 0 PTR (QU)? 6.5.4.3.2.1.e.f.f.f.0.0.4.5.0.5.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa. (90)
00:27:09.592322 IP6 (hlim 1, next-header Options (0) payload length: 36) fe80::5054:ff:fe12:3456 > ff02::16: HBH (rtalert: 0x0000) (padn) [icmp6 sum ok] ICMP6, multicast listener report v2, 1 group record(s) [gaddr ff02::1:ff12:3456 to_ex { }]
00:27:09.592483 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 16) fe80::5054:ff:fe12:3456 > ip6-allrouters: [icmp6 sum ok] ICMP6, router solicitation, length 16
      source link-address option (1), length 8 (1): 52:54:00:12:34:56
        0x0000:  5254 0012 3456
00:27:09.616466 IP (tos 0x0, ttl 255, id 18614, offset 0, flags [none], proto UDP (17), length 118)
    192.168.10.1.mdns > 224.0.0.251.mdns: [udp sum ok] 0 PTR (QM)? 6.5.4.3.2.1.e.f.f.f.0.0.4.5.0.5.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa. (90)
00:27:09.976787 IP6 (hlim 1, next-header Options (0) payload length: 36) fe80::5054:ff:fe12:3456 > ff02::16: HBH (rtalert: 0x0000) (padn) [icmp6 sum ok] ICMP6, multicast listener report v2, 1 group record(s) [gaddr ff02::1:ff12:3456 to_ex { }]

Is there useful information in these messages that would help get ssh/scp from guest to host working?

Finally, is it normal to have the following state (UNKNOWN) for the guest’s eth0?

eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN 

UPDATE 2: I also tried to launch using the guestfwd flag together with the “-net tap” flag, like this:

qemu-system-sparc64 \
  -boot c \
  -hda debian-9.0-sparc64.qcow2 \
  -net nic \
  -net tap,ifname=tap0,script=no,downscript=no \
  -net 'user,guestfwd=tcp::22-tcp::22' \
  -m 1024 \
  -nographic

But there is still no ssh access from guest to host.

I don’t know, in -net 'user,guestfwd=tcp::22-tcp::22', in which order I have to put the IP of the guest and of the host, and which ports to use for each of them (I used 22 for both here).

If someone could give me some precisions about the “guestfwd” flag.

Regards


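The ARP capture in UPDATE 1 answers its own question if read as a sequence rather than as a list of addresses: a Linux host stops broadcasting who-has for a target as soon as a reply reaches it, so seeing the host's replies on tap0 followed by more requests for the same target at one-second intervals means the replies leave the host side of the tap but never arrive in the guest, and a connect() whose neighbour resolution fails is reported by Linux as EHOSTUNREACH, i.e. "No route to host". The analyser below is an added example, not from the post: it parses tcpdump ARP lines (the 16 lines in CAPTURE are copied from the post) and produces that verdict per target; the thresholds are this example's own heuristic.

```python
"""Added example (not part of the post): triage a tcpdump ARP capture.
CAPTURE is copied from the post; the verdict logic is a heuristic."""
import re
from collections import defaultdict

REQ = re.compile(r"^(\d\d:\d\d:\d\d\.\d+) ARP, .* Request who-has ([\d.]+) tell ([\d.]+),")
REP = re.compile(r"^(\d\d:\d\d:\d\d\.\d+) ARP, .* Reply ([\d.]+) is-at ([0-9a-f:]+)")

RESOLVED = "resolved"
NO_REPLY = "no-reply"                          # nothing with that IP answered on this segment
REPLIES_LOST = "replies-not-reaching-requester" # replies seen here, requester keeps probing

CAPTURE = [
    "00:23:06.112155 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.10.1 tell 192.168.10.2, length 46",
    "00:23:06.112228 ARP, Ethernet (len 6), IPv4 (len 4), Reply 192.168.10.1 is-at fe:22:e7:8c:7f:fa (oui Unknown), length 28",
    "00:23:07.128440 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.10.1 tell 192.168.10.2, length 46",
    "00:23:07.128499 ARP, Ethernet (len 6), IPv4 (len 4), Reply 192.168.10.1 is-at fe:22:e7:8c:7f:fa (oui Unknown), length 28",
    "00:23:08.152323 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.10.1 tell 192.168.10.2, length 46",
    "00:23:08.152381 ARP, Ethernet (len 6), IPv4 (len 4), Reply 192.168.10.1 is-at fe:22:e7:8c:7f:fa (oui Unknown), length 28",
    "00:23:11.119346 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.10.1 tell 192.168.10.2, length 46",
    "00:23:11.119396 ARP, Ethernet (len 6), IPv4 (len 4), Reply 192.168.10.1 is-at fe:22:e7:8c:7f:fa (oui Unknown), length 28",
    "00:23:12.120190 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.10.1 tell 192.168.10.2, length 46",
    "00:23:12.120250 ARP, Ethernet (len 6), IPv4 (len 4), Reply 192.168.10.1 is-at fe:22:e7:8c:7f:fa (oui Unknown), length 28",
    "00:23:13.145028 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.10.1 tell 192.168.10.2, length 46",
    "00:23:13.145075 ARP, Ethernet (len 6), IPv4 (len 4), Reply 192.168.10.1 is-at fe:22:e7:8c:7f:fa (oui Unknown), length 28",
    "00:23:16.127525 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.10.1 tell 192.168.10.2, length 46",
    "00:23:16.127575 ARP, Ethernet (len 6), IPv4 (len 4), Reply 192.168.10.1 is-at fe:22:e7:8c:7f:fa (oui Unknown), length 28",
    "00:23:17.145202 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.10.1 tell 192.168.10.2, length 46",
    "00:23:17.145272 ARP, Ethernet (len 6), IPv4 (len 4), Reply 192.168.10.1 is-at fe:22:e7:8c:7f:fa (oui Unknown), length 28",
]


def _secs(ts):
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def analyse_arp(lines, repeats_after_reply=2):
    """Per target IP: request/reply counts, who asked, the answering MAC and a
    verdict.  More than `repeats_after_reply` requests after the first reply
    means the requester never installed the neighbour entry."""
    per = defaultdict(lambda: {"requests": [], "replies": [], "askers": set(), "mac": None})
    for line in lines:
        m = REQ.match(line)
        if m:
            ts, target, asker = m.groups()
            per[target]["requests"].append(_secs(ts))
            per[target]["askers"].add(asker)
            continue
        m = REP.match(line)
        if m:
            ts, target, mac = m.groups()
            per[target]["replies"].append(_secs(ts))
            per[target]["mac"] = mac
    report = {}
    for target, s in per.items():
        if not s["replies"]:
            verdict = NO_REPLY
        else:
            late = [t for t in s["requests"] if t > s["replies"][0]]
            verdict = REPLIES_LOST if len(late) >= repeats_after_reply else RESOLVED
        report[target] = {"requests": len(s["requests"]), "replies": len(s["replies"]),
                          "askers": sorted(s["askers"]), "mac": s["mac"], "verdict": verdict}
    return report


if __name__ == "__main__":
    for target, r in analyse_arp(CAPTURE).items():
        print(target, r)
```

For the post's capture the verdict is REPLIES_LOST: the host answers every request within 60 microseconds, yet the guest re-asks three times a second apart, pauses, and starts over, which is what a neighbour entry that never leaves the incomplete state looks like. That points the debugging at the host-to-guest direction of the tap (what QEMU reads from tap0), not at the guest's interface naming or its UNKNOWN operstate.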

#StackBounty: #c #linux #performance #epoll #event-loop Eventloop has high ksoftirqd load; nginx does not but does same system-calls. W…

Bounty: 50

I wrote some code that has an epoll event loop, accepts new connections and pretends to be an HTTP server.
The posted code is the absolute minimum … I removed everything (including all error checks) to make it as short and to the point as possible:

#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <sys/epoll.h>
#include <sys/socket.h>
#include <netinet/ip.h>
#include <netinet/in.h>
#include <sys/uio.h>
#include <unistd.h>


int main () {
    /* non-blocking, close-on-exec listening socket on 0.0.0.0:8081 */
    int servFd = socket (AF_INET, SOCK_STREAM | SOCK_NONBLOCK | SOCK_CLOEXEC, IPPROTO_IP);
    int value = 1;
    setsockopt (servFd, SOL_SOCKET, SO_REUSEADDR, &value, sizeof (value));

    struct sockaddr_in servAddr;
    memset (&servAddr, 0, sizeof (servAddr));
    servAddr.sin_family = AF_INET;
    servAddr.sin_addr.s_addr = 0;
    servAddr.sin_port = htons (8081);
    bind (servFd, (struct sockaddr*)&servAddr, sizeof (servAddr));
    listen (servFd, 511);

    /* level-triggered readiness on the listening socket */
    int efd = epoll_create1 (EPOLL_CLOEXEC);
    struct epoll_event epollEvt;
    epollEvt.events = EPOLLIN | EPOLLRDHUP;
    epollEvt.data.u32 = servFd;
    epoll_ctl (efd, EPOLL_CTL_ADD, servFd, &epollEvt);

    for (;;) {
        struct epoll_event pollEvent[512];
        int eventCount = epoll_wait (efd, pollEvent, 512, -1);
        for (int i = 0; i < eventCount; ++i) {
            struct epoll_event* curEvent = &pollEvent[i];
            if (curEvent->data.u32 == servFd) {
                /* one accept per wake-up; the client socket is edge-triggered */
                int clientFd = accept4 (servFd, NULL, NULL, SOCK_NONBLOCK | SOCK_CLOEXEC);
                struct epoll_event epollEvt;
                epollEvt.events = EPOLLIN | EPOLLRDHUP | EPOLLET;
                epollEvt.data.u32 = clientFd;
                epoll_ctl (efd, EPOLL_CTL_ADD, clientFd, &epollEvt);
                continue;
            }

            /* read whatever arrived, answer with a fixed response, close */
            int clientFd = curEvent->data.u32;
            char recvBuffer[2048];
            recvfrom (clientFd, recvBuffer, 2048, 0, NULL, NULL);
            char sndMsg[] = "HTTP/1.0 200 OK\nServer: Test\nDate: Sun, 14 May 2017 15:40:26 GMT\nContent-type: text/html\n\nHello world!";
            size_t sndMsgLength = sizeof (sndMsg) - 1;
            struct iovec sndBuffer;
            sndBuffer.iov_base = sndMsg;
            sndBuffer.iov_len = sndMsgLength;
            writev (clientFd, &sndBuffer, 1);
            close (clientFd);
        }
    }
    return 0;
}

localhost:~# gcc -Wall test.c -o test

localhost:~# gcc --version
gcc (Alpine 6.4.0) 6.4.0
Copyright (C) 2017 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.  There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

I did some load testing of this code and compared it with nginx to see if I did something wrong or if there is something to improve. I expected this code to be the fastest possible implementation, since every other “real” web server has to do a lot more in userspace. But still … somehow nginx beats it in requests per second when using multiple load-generator threads. (Note that I configured nginx to use just one worker to handle every request.)

//ab running 1 worker from local machine 
localhost:~# ab -n 100000 -c 1 http://10.0.0.111:8081/index.html
Requests per second:    13228.07 [#/sec] (mean)  //[to nginx]
Requests per second:    15300.35 [#/sec] (mean)  //[to testcode]
//ab running 4 worker from local machine 
localhost:~# ab -n 100000 -c 4 http://10.0.0.111:8081/index.html
Requests per second:    30902.63 [#/sec] (mean)  //[to nginx]
Requests per second:    24734.76 [#/sec] (mean)  //[to testcode]

The first test has the expected result … the test code is faster since it doesn’t do anything except generate a hard-coded response. But why is nginx faster in a multi-threaded setting? How can that be?
The only explanation I can come up with is that there is something different in kernel space and that nginx uses some sockopts (like TCP_FASTOPEN or TCP_DEFER_ACCEPT) or maybe some other system calls to do its thing. That’s why I did some straces and made my code do the exact same thing as nginx does (from a kernel perspective) –> you can see the strace attached below. Still … it is faster and I don’t understand why.

//ab running 50 worker from remote machine 
localhost:~# ab -n 100000 -c 50 http://10.0.0.111:8081/index.html
Requests per second:    27507.60 [#/sec] (mean)  //[to nginx]
Requests per second:    24208.51 [#/sec] (mean)  //[to testcode]

This test case has the exact same result, but I noticed some difference in CPU usage:

  • My test code runs at about 60% CPU load and ksoftirqd/0 at about 80%
  • nginx runs at about 99% CPU load and ksoftirqd/0 at just 30%
  • ksoftirqd/0 has no noticeable CPU load in the localhost setting in either case

strace of nginx:

localhost:~# strace -tt -f /usr/sbin/nginx 
13:28:20.413497 execve("/usr/sbin/nginx", ["/usr/sbin/nginx"], 0x7a59e3d96490 /* 16 vars */) = 0
13:28:20.413987 arch_prctl(ARCH_SET_FS, 0x74ae1cf94b88) = 0
13:28:20.414161 set_tid_address(0x74ae1cf94bc0) = 2186
13:28:20.414350 open("/etc/ld-musl-x86_64.path", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
13:28:20.414519 open("/lib/libpcre.so.1", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
13:28:20.414679 open("/usr/local/lib/libpcre.so.1", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
13:28:20.414886 open("/usr/lib/libpcre.so.1", O_RDONLY|O_CLOEXEC) = 3
13:28:20.415067 fcntl(3, F_SETFD, FD_CLOEXEC) = 0
13:28:20.415230 fstat(3, {st_mode=S_IFREG|0755, st_size=370360, ...}) = 0
13:28:20.415415 read(3, "177ELF2113>1@24"..., 960) = 960
13:28:20.415599 mmap(NULL, 2469888, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0x74ae1caa9000
13:28:20.415809 mmap(0x74ae1cd02000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 3, 0x59000) = 0x74ae1cd02000
13:28:20.416020 close(3)                = 0
13:28:20.416218 open("/lib/libssl.so.44", O_RDONLY|O_CLOEXEC) = 3
13:28:20.416396 fcntl(3, F_SETFD, FD_CLOEXEC) = 0
13:28:20.416517 fstat(3, {st_mode=S_IFREG|0755, st_size=309664, ...}) = 0
13:28:20.416692 read(3, "177ELF2113>1pv1"..., 960) = 960
13:28:20.416939 mmap(NULL, 2408448, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0x74ae1c85d000
13:28:20.417120 mmap(0x74ae1caa1000, 32768, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 3, 0x44000) = 0x74ae1caa1000
13:28:20.417337 close(3)                = 0
13:28:20.417504 open("/lib/libcrypto.so.42", O_RDONLY|O_CLOEXEC) = 3
13:28:20.417644 fcntl(3, F_SETFD, FD_CLOEXEC) = 0
13:28:20.417802 fstat(3, {st_mode=S_IFREG|0755, st_size=1714280, ...}) = 0
13:28:20.418090 read(3, "177ELF2113>10046"..., 960) = 960
13:28:20.418269 mmap(NULL, 3825664, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0x74ae1c4b7000
13:28:20.418472 mmap(0x74ae1c836000, 159744, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 3, 0x17f000) = 0x74ae1c836000
13:28:20.418808 mmap(0x74ae1c859000, 16384, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x74ae1c859000
13:28:20.419067 close(3)                = 0
13:28:20.419280 open("/lib/libz.so.1", O_RDONLY|O_CLOEXEC) = 3
13:28:20.419478 fcntl(3, F_SETFD, FD_CLOEXEC) = 0
13:28:20.419716 fstat(3, {st_mode=S_IFREG|0755, st_size=91952, ...}) = 0
13:28:20.419901 read(3, "177ELF2113>1260!"..., 960) = 960
13:28:20.420065 mmap(NULL, 2191360, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0x74ae1c2a0000
13:28:20.420246 mmap(0x74ae1c4b5000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 3, 0x15000) = 0x74ae1c4b5000
13:28:20.420429 close(3)                = 0
13:28:20.420621 mprotect(0x74ae1cd02000, 4096, PROT_READ) = 0
13:28:20.420932 mprotect(0x74ae1caa1000, 16384, PROT_READ) = 0
13:28:20.421552 mprotect(0x74ae1c836000, 118784, PROT_READ) = 0
13:28:20.421794 mprotect(0x74ae1c4b5000, 4096, PROT_READ) = 0
13:28:20.422001 mprotect(0x74ae1cf91000, 4096, PROT_READ) = 0
13:28:20.422309 mprotect(0xd10421a5000, 8192, PROT_READ) = 0
13:28:20.422553 brk(NULL)               = 0xd104602de80
13:28:20.422687 brk(0xd1046032000)      = 0xd1046032000
13:28:20.423269 brk(0xd1046033000)      = 0xd1046033000
13:28:20.423621 brk(0xd1046034000)      = 0xd1046034000
13:28:20.423875 brk(0xd1046035000)      = 0xd1046035000
13:28:20.424206 brk(0xd1046036000)      = 0xd1046036000
13:28:20.424570 brk(0xd1046037000)      = 0xd1046037000
13:28:20.424861 brk(0xd1046038000)      = 0xd1046038000
13:28:20.425098 brk(0xd1046039000)      = 0xd1046039000
13:28:20.425435 brk(0xd104603a000)      = 0xd104603a000
13:28:20.425605 brk(0xd104603b000)      = 0xd104603b000
13:28:20.425826 brk(0xd104603c000)      = 0xd104603c000
13:28:20.426096 brk(0xd104603d000)      = 0xd104603d000
13:28:20.426369 open("/etc/localtime", O_RDONLY|O_NONBLOCK|O_CLOEXEC) = 3
13:28:20.426549 fstat(3, {st_mode=S_IFREG|0644, st_size=127, ...}) = 0
13:28:20.426723 mmap(NULL, 127, PROT_READ, MAP_SHARED, 3, 0) = 0x74ae1cf8c000
13:28:20.426847 close(3)                = 0
13:28:20.427023 getpid()                = 2186
13:28:20.427164 open("/var/lib/nginx/logs/error.log", O_WRONLY|O_CREAT|O_APPEND, 0644) = 3
13:28:20.427341 brk(0xd104603e000)      = 0xd104603e000
13:28:20.427503 open("/etc/ssl/openssl.cnf", O_RDONLY) = 4
13:28:20.427680 brk(0xd104603f000)      = 0xd104603f000
13:28:20.427819 readv(4, [{iov_base="", iov_len=0}, {iov_base="[ req ]\n#default_bits\t\t= 2048\n#d"..., iov_len=1024}], 2) = 745
13:28:20.428089 brk(0xd1046040000)      = 0xd1046040000
13:28:20.428243 readv(4, [{iov_base="", iov_len=0}, {iov_base="", iov_len=1024}], 2) = 0
13:28:20.428476 close(4)                = 0
13:28:20.428718 brk(0xd1046041000)      = 0xd1046041000
13:28:20.428880 brk(0xd1046042000)      = 0xd1046042000
13:28:20.429179 brk(0xd1046043000)      = 0xd1046043000
13:28:20.429319 brk(0xd1046044000)      = 0xd1046044000
13:28:20.429552 brk(0xd1046045000)      = 0xd1046045000
13:28:20.429775 brk(0xd1046046000)      = 0xd1046046000
13:28:20.429935 brk(0xd1046047000)      = 0xd1046047000
13:28:20.430220 brk(0xd1046048000)      = 0xd1046048000
13:28:20.430391 brk(0xd1046049000)      = 0xd1046049000
13:28:20.430515 brk(0xd104604b000)      = 0xd104604b000
13:28:20.430796 brk(0xd104604c000)      = 0xd104604c000
13:28:20.431042 brk(0xd104604d000)      = 0xd104604d000
13:28:20.431238 brk(0xd104604e000)      = 0xd104604e000
13:28:20.431396 brk(0xd104604f000)      = 0xd104604f000
13:28:20.431581 brk(0xd1046050000)      = 0xd1046050000
13:28:20.431820 brk(0xd1046051000)      = 0xd1046051000
13:28:20.432112 brk(0xd1046054000)      = 0xd1046054000
13:28:20.432374 brk(0xd1046055000)      = 0xd1046055000
13:28:20.432509 brk(0xd1046056000)      = 0xd1046056000
13:28:20.432666 brk(0xd1046057000)      = 0xd1046057000
13:28:20.432836 brk(0xd1046058000)      = 0xd1046058000
13:28:20.433004 brk(0xd1046059000)      = 0xd1046059000
13:28:20.433203 brk(0xd104605a000)      = 0xd104605a000
13:28:20.433400 brk(0xd104605b000)      = 0xd104605b000
13:28:20.433610 brk(0xd104605c000)      = 0xd104605c000
13:28:20.433740 brk(0xd104605d000)      = 0xd104605d000
13:28:20.433895 brk(0xd104605e000)      = 0xd104605e000
13:28:20.434020 brk(0xd104605f000)      = 0xd104605f000
13:28:20.434240 brk(0xd1046060000)      = 0xd1046060000
13:28:20.434419 brk(0xd1046061000)      = 0xd1046061000
13:28:20.434622 uname({sysname="Linux", nodename="localhost", ...}) = 0
13:28:20.434801 sched_getaffinity(0, 128, [0, 1, 2, 3, 4, 5]) = 32
13:28:20.435077 prlimit64(0, RLIMIT_NOFILE, NULL, {rlim_cur=1024, rlim_max=4*1024}) = 0
13:28:20.435260 brk(0xd1046066000)      = 0xd1046066000
13:28:20.435424 uname({sysname="Linux", nodename="localhost", ...}) = 0
13:28:20.435578 brk(0xd104606b000)      = 0xd104606b000
13:28:20.435700 open("/etc/nginx/nginx.conf", O_RDONLY) = 4
13:28:20.435912 fstat(4, {st_mode=S_IFREG|0644, st_size=2781, ...}) = 0
13:28:20.436115 pread64(4, "\n\n\nuser nginx;\npcre_jit on;\n#tim"..., 2781, 0) = 2781
13:28:20.436284 geteuid()               = 0
13:28:20.436440 open("/etc/passwd", O_RDONLY|O_CLOEXEC) = 5
13:28:20.436596 fcntl(5, F_SETFD, FD_CLOEXEC) = 0
13:28:20.436725 fcntl(5, F_SETFD, FD_CLOEXEC) = 0
13:28:20.436857 readv(5, [{iov_base="", iov_len=0}, {iov_base="root:x:0:0:root:/root:/bin/ash\nb"..., iov_len=1024}], 2) = 1024
13:28:20.437047 readv(5, [{iov_base="", iov_len=0}, {iov_base="sbin/nologin\nntp:x:123:123:NTP:/"..., iov_len=1024}], 2) = 397
13:28:20.437235 lseek(5, -43, SEEK_CUR) = 1378
13:28:20.437353 close(5)                = 0
13:28:20.437520 open("/etc/group", O_RDONLY|O_CLOEXEC) = 5
13:28:20.437684 fcntl(5, F_SETFD, FD_CLOEXEC) = 0
13:28:20.437800 fcntl(5, F_SETFD, FD_CLOEXEC) = 0
13:28:20.437933 readv(5, [{iov_base="", iov_len=0}, {iov_base="root:x:0:root\nbin:x:1:root,bin,d"..., iov_len=1024}], 2) = 776
13:28:20.438097 close(5)                = 0
13:28:20.438240 epoll_create1(0)        = 5
13:28:20.438429 close(5)                = 0
13:28:20.438681 brk(0xd1046070000)      = 0xd1046070000
13:28:20.438842 brk(0xd1046072000)      = 0xd1046072000
13:28:20.439053 brk(0xd1046074000)      = 0xd1046074000
13:28:20.439175 brk(0xd1046076000)      = 0xd1046076000
13:28:20.439418 brk(0xd104607b000)      = 0xd104607b000
13:28:20.439655 mmap(NULL, 1052672, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x74ae1ce8b000
13:28:20.439886 brk(0xd1046080000)      = 0xd1046080000
13:28:20.440020 brk(0xd1046085000)      = 0xd1046085000
13:28:20.440225 open("/etc/nginx/mime.types", O_RDONLY) = 5
13:28:20.440380 fstat(5, {st_mode=S_IFREG|0644, st_size=3957, ...}) = 0
13:28:20.440523 pread64(5, "\ntypes {\n    text/html          "..., 3957, 0) = 3957
13:28:20.440725 close(5)                = 0
13:28:20.440977 brk(0xd104608a000)      = 0xd104608a000
13:28:20.441297 brk(0xd104608c000)      = 0xd104608c000
13:28:20.441453 close(4)                = 0
13:28:20.441587 mkdir("/var/tmp/nginx/client_body", 0700) = -1 EEXIST (File exists)
13:28:20.441814 stat("/var/tmp/nginx/client_body", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0
13:28:20.442022 mkdir("/var/tmp/nginx/proxy", 0700) = -1 EEXIST (File exists)
13:28:20.442149 stat("/var/tmp/nginx/proxy", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0
13:28:20.442257 mkdir("/var/tmp/nginx/fastcgi", 0700) = -1 EEXIST (File exists)
13:28:20.442407 stat("/var/tmp/nginx/fastcgi", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0
13:28:20.442568 mkdir("/var/tmp/nginx/uwsgi", 0700) = -1 EEXIST (File exists)
13:28:20.442732 stat("/var/tmp/nginx/uwsgi", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0
13:28:20.442945 mkdir("/var/tmp/nginx/scgi", 0700) = -1 EEXIST (File exists)
13:28:20.443051 stat("/var/tmp/nginx/scgi", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0
13:28:20.443229 open("/var/log/nginx/access.log", O_WRONLY|O_CREAT|O_APPEND, 0644) = 4
13:28:20.443417 fcntl(4, F_SETFD, FD_CLOEXEC) = 0
13:28:20.443586 open("/var/log/nginx/error.log", O_WRONLY|O_CREAT|O_APPEND, 0644) = 5
13:28:20.443750 fcntl(5, F_SETFD, FD_CLOEXEC) = 0
13:28:20.443889 open("/var/lib/nginx/logs/error.log", O_WRONLY|O_CREAT|O_APPEND, 0644) = 6
13:28:20.444040 fcntl(6, F_SETFD, FD_CLOEXEC) = 0
13:28:20.444197 mmap(NULL, 2097152, PROT_READ|PROT_WRITE, MAP_SHARED|MAP_ANONYMOUS, -1, 0) = 0x74ae1c0a0000
13:28:20.444382 socket(AF_INET, SOCK_STREAM, IPPROTO_IP) = 7
13:28:20.444515 setsockopt(7, SOL_SOCKET, SO_REUSEADDR, [1], 4) = 0
13:28:20.444680 ioctl(7, FIONBIO, [1])  = 0
13:28:20.444808 bind(7, {sa_family=AF_INET, sin_port=htons(8081), sin_addr=inet_addr("0.0.0.0")}, 16) = 0
13:28:20.445015 listen(7, 511)          = 0
13:28:20.445140 listen(7, 511)          = 0
13:28:20.445326 mmap(NULL, 65536, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x74ae1ce7b000
13:28:20.445493 prlimit64(0, RLIMIT_NOFILE, NULL, {rlim_cur=1024, rlim_max=4*1024}) = 0
13:28:20.445671 mmap(NULL, 1280, PROT_READ|PROT_WRITE, MAP_SHARED|MAP_ANONYMOUS, -1, 0) = 0x74ae1ce7a000
13:28:20.445817 rt_sigprocmask(SIG_UNBLOCK, [RT_1 RT_2], NULL, 8) = 0
13:28:20.445977 rt_sigaction(SIGHUP, {sa_handler=0xd1041f1f3fc, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x74ae1cd4a6cf}, NULL, 8) = 0
13:28:20.446097 rt_sigaction(SIGUSR1, {sa_handler=0xd1041f1f3fc, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x74ae1cd4a6cf}, NULL, 8) = 0
13:28:20.446247 rt_sigaction(SIGWINCH, {sa_handler=0xd1041f1f3fc, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x74ae1cd4a6cf}, NULL, 8) = 0
13:28:20.446438 rt_sigaction(SIGTERM, {sa_handler=0xd1041f1f3fc, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x74ae1cd4a6cf}, NULL, 8) = 0
13:28:20.446635 rt_sigaction(SIGQUIT, {sa_handler=0xd1041f1f3fc, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x74ae1cd4a6cf}, NULL, 8) = 0
13:28:20.446886 rt_sigaction(SIGUSR2, {sa_handler=0xd1041f1f3fc, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x74ae1cd4a6cf}, NULL, 8) = 0
13:28:20.447093 rt_sigaction(SIGALRM, {sa_handler=0xd1041f1f3fc, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x74ae1cd4a6cf}, NULL, 8) = 0
13:28:20.447236 rt_sigaction(SIGINT, {sa_handler=0xd1041f1f3fc, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x74ae1cd4a6cf}, NULL, 8) = 0
13:28:20.447446 rt_sigaction(SIGIO, {sa_handler=0xd1041f1f3fc, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x74ae1cd4a6cf}, NULL, 8) = 0
13:28:20.447767 rt_sigaction(SIGCHLD, {sa_handler=0xd1041f1f3fc, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x74ae1cd4a6cf}, NULL, 8) = 0
13:28:20.447888 rt_sigaction(SIGSYS, {sa_handler=SIG_IGN, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x74ae1cd4a6cf}, NULL, 8) = 0
13:28:20.448094 rt_sigaction(SIGPIPE, {sa_handler=SIG_IGN, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x74ae1cd4a6cf}, NULL, 8) = 0
13:28:20.448253 rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0
13:28:20.448396 fork(strace: Process 2187 attached
)                  = 2187
[pid  2187] 13:28:20.448594 gettid( <unfinished ...>
[pid  2186] 13:28:20.448643 rt_sigprocmask(SIG_SETMASK, [],  <unfinished ...>
[pid  2187] 13:28:20.448671 <... gettid resumed> ) = 2187
[pid  2186] 13:28:20.448700 <... rt_sigprocmask resumed> NULL, 8) = 0
[pid  2187] 13:28:20.448765 rt_sigprocmask(SIG_SETMASK, [],  <unfinished ...>
[pid  2186] 13:28:20.448792 exit_group(0 <unfinished ...>
[pid  2187] 13:28:20.448812 <... rt_sigprocmask resumed> NULL, 8) = 0
[pid  2186] 13:28:20.448836 <... exit_group resumed>) = ?
[pid  2187] 13:28:20.448854 getpid()    = 2187
[pid  2187] 13:28:20.448951 setsid( <unfinished ...>
[pid  2186] 13:28:20.449046 +++ exited with 0 +++
13:28:20.449055 <... setsid resumed> )  = 2187
13:28:20.449107 umask(000)              = 022
13:28:20.449212 open("/dev/null", O_RDWR) = 8
13:28:20.449309 dup2(8, 0)              = 0
13:28:20.449455 dup2(8, 1)              = 1
13:28:20.449573 close(8)                = 0
13:28:20.449692 open("/run/nginx/nginx.pid", O_RDWR|O_CREAT|O_TRUNC, 0644) = 8
13:28:20.449848 pwrite64(8, "2187\n", 5, 0) = 5
13:28:20.449978 close(8)                = 0
13:28:20.450111 dup2(6, 2)              = 2
13:28:20.450218 close(3)                = 0
13:28:20.450376 rt_sigprocmask(SIG_BLOCK, [HUP INT QUIT USR1 USR2 ALRM TERM CHLD WINCH IO], NULL, 8) = 0
13:28:20.450499 socketpair(AF_UNIX, SOCK_STREAM, 0, [3, 8]) = 0
13:28:20.450603 ioctl(3, FIONBIO, [1])  = 0
13:28:20.450696 ioctl(8, FIONBIO, [1])  = 0
13:28:20.450830 ioctl(3, FIOASYNC, [1]) = 0
13:28:20.450964 fcntl(3, F_SETOWN, 2187) = 0
13:28:20.451079 fcntl(3, F_SETFD, FD_CLOEXEC) = 0
13:28:20.451148 fcntl(8, F_SETFD, FD_CLOEXEC) = 0
13:28:20.451244 rt_sigprocmask(SIG_BLOCK, ~[], [HUP INT QUIT USR1 USR2 ALRM TERM CHLD WINCH IO], 8) = 0
13:28:20.451379 fork(strace: Process 2188 attached
 <unfinished ...>
[pid  2188] 13:28:20.451596 gettid( <unfinished ...>
[pid  2187] 13:28:20.451615 <... fork resumed> ) = 2188
[pid  2187] 13:28:20.451727 rt_sigprocmask(SIG_SETMASK, [HUP INT QUIT USR1 USR2 ALRM TERM CHLD WINCH IO],  <unfinished ...>
[pid  2188] 13:28:20.451754 <... gettid resumed> ) = 2188
[pid  2187] 13:28:20.451774 <... rt_sigprocmask resumed> NULL, 8) = 0
[pid  2188] 13:28:20.451942 rt_sigprocmask(SIG_SETMASK, [HUP INT QUIT USR1 USR2 ALRM TERM CHLD WINCH IO],  <unfinished ...>
[pid  2187] 13:28:20.451969 rt_sigsuspend([], 8 <unfinished ...>
[pid  2188] 13:28:20.451985 <... rt_sigprocmask resumed> NULL, 8) = 0
[pid  2188] 13:28:20.452053 getpid()    = 2188
[pid  2188] 13:28:20.452330 rt_sigprocmask(SIG_BLOCK, ~[RTMIN RT_1 RT_2], [HUP INT QUIT USR1 USR2 ALRM TERM CHLD WINCH IO], 8) = 0
[pid  2188] 13:28:20.452621 rt_sigprocmask(SIG_BLOCK, ~[], NULL, 8) = 0
[pid  2188] 13:28:20.452893 prlimit64(0, RLIMIT_NOFILE, {rlim_cur=8*1024, rlim_max=8*1024}, NULL) = 0
[pid  2188] 13:28:20.453075 futex(0x74ae1cf95064, FUTEX_WAKE_PRIVATE, 2147483647) = 0
[pid  2188] 13:28:20.453279 rt_sigprocmask(SIG_SETMASK, [HUP INT QUIT USR1 USR2 ALRM TERM CHLD WINCH IO], NULL, 8) = 0
[pid  2188] 13:28:20.453487 geteuid()   = 0
[pid  2188] 13:28:20.453667 rt_sigprocmask(SIG_BLOCK, ~[RTMIN RT_1 RT_2], [HUP INT QUIT USR1 USR2 ALRM TERM CHLD WINCH IO], 8) = 0
[pid  2188] 13:28:20.453861 rt_sigprocmask(SIG_BLOCK, ~[], NULL, 8) = 0
[pid  2188] 13:28:20.454091 setgid(103) = 0
[pid  2188] 13:28:20.454335 futex(0x74ae1cf95064, FUTEX_WAKE_PRIVATE, 2147483647) = 0
[pid  2188] 13:28:20.454583 rt_sigprocmask(SIG_SETMASK, [HUP INT QUIT USR1 USR2 ALRM TERM CHLD WINCH IO], NULL, 8) = 0
[pid  2188] 13:28:20.454822 socket(AF_UNIX, SOCK_STREAM|SOCK_CLOEXEC, 0) = 9
[pid  2188] 13:28:20.455183 connect(9, {sa_family=AF_UNIX, sun_path="/var/run/nscd/socket"}, 24) = -1 ENOENT (No such file or directory)
[pid  2188] 13:28:20.455537 close(9)    = 0
[pid  2188] 13:28:20.455800 open("/etc/group", O_RDONLY|O_CLOEXEC) = 9
[pid  2188] 13:28:20.456030 fcntl(9, F_SETFD, FD_CLOEXEC) = 0
[pid  2188] 13:28:20.456331 fcntl(9, F_SETFD, FD_CLOEXEC) = 0
[pid  2188] 13:28:20.456544 readv(9, [{iov_base="", iov_len=0}, {iov_base="root:x:0:root\nbin:x:1:root,bin,d"..., iov_len=1024}], 2) = 776
[pid  2188] 13:28:20.456799 readv(9, [{iov_base="", iov_len=0}, {iov_base="", iov_len=1024}], 2) = 0
[pid  2188] 13:28:20.456956 close(9)    = 0
[pid  2188] 13:28:20.457134 setgroups(3, [103, 82, 103]) = 0
[pid  2188] 13:28:20.457365 rt_sigprocmask(SIG_BLOCK, ~[RTMIN RT_1 RT_2], [HUP INT QUIT USR1 USR2 ALRM TERM CHLD WINCH IO], 8) = 0
[pid  2188] 13:28:20.457534 rt_sigprocmask(SIG_BLOCK, ~[], NULL, 8) = 0
[pid  2188] 13:28:20.457818 setuid(102) = 0
[pid  2188] 13:28:20.457990 futex(0x74ae1cf95064, FUTEX_WAKE_PRIVATE, 2147483647) = 0
[pid  2188] 13:28:20.458159 rt_sigprocmask(SIG_SETMASK, [HUP INT QUIT USR1 USR2 ALRM TERM CHLD WINCH IO], NULL, 8) = 0
[pid  2188] 13:28:20.458378 prctl(PR_SET_DUMPABLE, SUID_DUMP_USER) = 0
[pid  2188] 13:28:20.458598 chdir("/var/www") = 0
[pid  2188] 13:28:20.458868 rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
[pid  2188] 13:28:20.459703 epoll_create1(0) = 9
[pid  2188] 13:28:20.459994 eventfd2(0, 0) = 10
[pid  2188] 13:28:20.460340 epoll_ctl(9, EPOLL_CTL_ADD, 10, {EPOLLIN|EPOLLET, {u32=1109208384, u64=14363479846208}}) = 0
[pid  2188] 13:28:20.460600 eventfd2(0, 0) = 11
[pid  2188] 13:28:20.460878 ioctl(11, FIONBIO, [1]) = 0
[pid  2188] 13:28:20.461043 io_setup(32, [0x74ae1ce79000]) = 0
[pid  2188] 13:28:20.461389 epoll_ctl(9, EPOLL_CTL_ADD, 11, {EPOLLIN|EPOLLET, {u32=1109208032, u64=14363479845856}}) = 0
[pid  2188] 13:28:20.461729 socketpair(AF_UNIX, SOCK_STREAM, 0, [12, 13]) = 0
[pid  2188] 13:28:20.462043 epoll_ctl(9, EPOLL_CTL_ADD, 12, {EPOLLIN|EPOLLRDHUP|EPOLLET, {u32=1109208032, u64=14363479845856}}) = 0
[pid  2188] 13:28:20.462255 close(13)   = 0
[pid  2188] 13:28:20.462608 epoll_pwait(9, [{EPOLLIN|EPOLLHUP|EPOLLRDHUP, {u32=1109208032, u64=14363479845856}}], 1, 5000, NULL, 8) = 1
[pid  2188] 13:28:20.462969 close(12)   = 0
[pid  2188] 13:28:20.463325 mmap(NULL, 987136, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x74ae1bfaf000
[pid  2188] 13:28:20.463517 mmap(NULL, 397312, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x74ae1ce18000
[pid  2188] 13:28:20.464039 mmap(NULL, 397312, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x74ae1cdb7000
[pid  2188] 13:28:20.466039 epoll_ctl(9, EPOLL_CTL_ADD, 7, {EPOLLIN|EPOLLRDHUP, {u32=469430304, u64=128291142561824}}) = 0
[pid  2188] 13:28:20.466432 close(3)    = 0
[pid  2188] 13:28:20.466763 epoll_ctl(9, EPOLL_CTL_ADD, 8, {EPOLLIN|EPOLLRDHUP, {u32=469430544, u64=128291142562064}}) = 0
//Eventloop starts here
[pid  2188] 13:28:20.467046 epoll_pwait(9, [{EPOLLIN, {u32=469430304, u64=128291142561824}}], 512, -1, NULL, 8) = 1
[pid  2188] 13:28:34.390021 accept4(7, {sa_family=AF_INET, sin_port=htons(54280), sin_addr=inet_addr("10.0.0.15")}, [112->16], SOCK_NONBLOCK) = 3
[pid  2188] 13:28:34.390110 epoll_ctl(9, EPOLL_CTL_ADD, 3, {EPOLLIN|EPOLLRDHUP|EPOLLET, {u32=469430784, u64=128291142562304}}) = 0
[pid  2188] 13:28:34.390188 epoll_pwait(9, [{EPOLLIN, {u32=469430784, u64=128291142562304}}], 512, 30000, NULL, 8) = 1
[pid  2188] 13:28:34.390245 recvfrom(3, "GET /index.html HTTP/1.0\r\nHost: "..., 2048, 0, NULL, NULL) = 93
[pid  2188] 13:28:34.390462 writev(3, [{iov_base="HTTP/1.1 200 OK\r\nServer: nginx\r\n"..., iov_len=134}], 1) = 134
[pid  2188] 13:28:34.390602 close(3)    = 0

strace of the test code:

localhost:/~# strace -tt -f ./test 
13:31:19.964887 execve("./test", ["./test"], 0x721039661e10 /* 16 vars */) = 0
13:31:20.086769 arch_prctl(ARCH_SET_FS, 0x70311bc79b88) = 0
13:31:20.087599 set_tid_address(0x70311bc79bc0) = 2199
13:31:20.088375 mprotect(0x70311bc76000, 4096, PROT_READ) = 0
13:31:20.088717 mprotect(0x268c786b000, 4096, PROT_READ) = 0
13:31:20.088964 socket(AF_INET, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, IPPROTO_IP) = 3
13:31:20.089232 setsockopt(3, SOL_SOCKET, SO_REUSEADDR, [1], 4) = 0
13:31:20.089402 bind(3, {sa_family=AF_INET, sin_port=htons(8081), sin_addr=inet_addr("0.0.0.0")}, 16) = 0
13:31:20.089579 listen(3, 511)          = 0
13:31:20.089797 epoll_create1(EPOLL_CLOEXEC) = 4
13:31:20.090018 epoll_ctl(4, EPOLL_CTL_ADD, 3, {EPOLLIN|EPOLLRDHUP, {u32=3, u64=3}}) = 0
13:31:20.090235 epoll_pwait(4, [{EPOLLIN, {u32=3, u64=3}}], 512, -1, NULL, 8) = 1
13:31:24.078593 accept4(3, NULL, NULL, SOCK_CLOEXEC|SOCK_NONBLOCK) = 5
13:31:24.078847 epoll_ctl(4, EPOLL_CTL_ADD, 5, {EPOLLIN|EPOLLRDHUP|EPOLLET, {u32=5, u64=5}}) = 0
13:31:24.079024 epoll_pwait(4, [{EPOLLIN, {u32=5, u64=5}}], 512, -1, NULL, 8) = 1
13:31:24.079197 recvfrom(5, "GET /index.html HTTP/1.0\r\nHost: "..., 2048, 0, NULL, NULL) = 93
13:31:24.079407 writev(5, [{iov_base="HTTP/1.0 200 OK\nServer: Test\nDat"..., iov_len=102}], 1) = 102
13:31:24.079604 close(5)                = 0

Edit:
I did some more tracing … 400000 requests from a remote host … still no clue why this happens:

localhost:/~# strace -c -f /usr/sbin/nginx 
% time     seconds  usecs/call     calls    errors syscall
------ ----------- ----------- --------- --------- ----------------
 47.11    0.040309           0    400000           writev
 44.55    0.038115           0    400021           close
  3.11    0.002658           0    400002           accept4
  1.80    0.001538           0    400002           recvfrom
  1.74    0.001486           0    400007           epoll_ctl
  1.69    0.001450           0    400008           epoll_pwait

localhost:/~# strace -c -f ./test 
% time     seconds  usecs/call     calls    errors syscall
------ ----------- ----------- --------- --------- ----------------
 47.90    0.042760           0    400002           writev
 44.27    0.039518           0    400002           close
  3.13    0.002793           0    400002           accept4
  1.80    0.001610           0    400002           recvfrom
  1.57    0.001400           0    400005           epoll_pwait
  1.33    0.001183           0    400003           epoll_ctl


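An added example (not from the post) that parses the two `strace -c` summaries in the Edit above and compares the runs: call counts per syscall and syscalls per request over the 400000 requests mentioned. The tables are copied from the post; the function names are mine.

```python
"""Parse `strace -c` summary tables and compare two runs.  Added example (not
from the post); the two tables are copied from the post's Edit."""
import re

NGINX_SUMMARY = """\
% time     seconds  usecs/call     calls    errors syscall
------ ----------- ----------- --------- --------- ----------------
 47.11    0.040309           0    400000           writev
 44.55    0.038115           0    400021           close
  3.11    0.002658           0    400002           accept4
  1.80    0.001538           0    400002           recvfrom
  1.74    0.001486           0    400007           epoll_ctl
  1.69    0.001450           0    400008           epoll_pwait
"""

TEST_SUMMARY = """\
% time     seconds  usecs/call     calls    errors syscall
------ ----------- ----------- --------- --------- ----------------
 47.90    0.042760           0    400002           writev
 44.27    0.039518           0    400002           close
  3.13    0.002793           0    400002           accept4
  1.80    0.001610           0    400002           recvfrom
  1.57    0.001400           0    400005           epoll_pwait
  1.33    0.001183           0    400003           epoll_ctl
"""

# Columns: % time, seconds, usecs/call, calls, optional errors, syscall name.
ROW_RE = re.compile(
    r"^\s*(\d+\.\d+)\s+(\d+\.\d+)\s+(\d+)\s+(\d+)(?:\s+(\d+))?\s+(\w+)\s*$")


def parse_summary(text):
    """Return {syscall: {"pct", "seconds", "usecs_per_call", "calls", "errors"}}.
    The header, the dashed separator and the 'total' row strace prints at the
    end (absent from the post's copies) are skipped."""
    rows = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        pct, secs, usecs, calls, errors, name = m.groups()
        if name == "total":
            continue
        rows[name] = {"pct": float(pct), "seconds": float(secs),
                      "usecs_per_call": int(usecs), "calls": int(calls),
                      "errors": int(errors or 0)}
    return rows


def total_calls(summary):
    return sum(r["calls"] for r in summary.values())


def calls_per_request(summary, requests):
    """Average number of syscalls the server made per request."""
    return total_calls(summary) / requests


def compare_calls(base, other):
    """{syscall: (calls in base, calls in other, other - base)} for both runs."""
    names = sorted(set(base) | set(other))
    result = {}
    for n in names:
        a = base.get(n, {}).get("calls", 0)
        b = other.get(n, {}).get("calls", 0)
        result[n] = (a, b, b - a)
    return result


if __name__ == "__main__":
    nginx, test = parse_summary(NGINX_SUMMARY), parse_summary(TEST_SUMMARY)
    print(f"nginx: {calls_per_request(nginx, 400000):.5f} syscalls/request")
    print(f"test : {calls_per_request(test, 400000):.5f} syscalls/request")
    for name, (a, b, d) in compare_calls(nginx, test).items():
        print(f"{name:12} nginx={a:7d} test={b:7d} delta={d:+d}")
```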

#StackBounty: #linux #networking #amazon-web-services #docker Docker container not accessible after X minutes in AWS

Bounty: 100

I have a docker container (from the sonarqube image) running on AWS and it was not remotely accessible. I was able to access it only through ssh.

To fix my problem, I need to run this command:

$ sysctl net.ipv4.ip_forward=1

The problem is that after some minutes (or after some event) this flag is reverted to net.ipv4.ip_forward=0. Something is automatically adding a row to this file:

#-> grep net.ipv4.ip_forward /etc/sysctl.conf
net.ipv4.ip_forward = 1
net.ipv4.ip_forward = 0

Does somebody know what the cause can be? Maybe it is some configuration on AWS?


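An added check (not part of the post) for the duplicate-key situation the grep output shows: it lists every assignment of a key in a sysctl.conf-style file and reports which one takes effect, since sysctl applies lines in file order and the last assignment wins. The file content is a constructed sample mirroring the post's two lines; the function names are mine.

```python
"""Report every assignment of a sysctl key in a sysctl.conf-style file and the
value that wins (the last one), so an appended duplicate such as the
net.ipv4.ip_forward = 0 line in the post is caught.  Added example; the file
content below is constructed to mirror the post's grep output."""
import re

# Constructed sample: the two conflicting lines from the post's grep output,
# plus the other line forms sysctl.conf(5) allows.
SAMPLE_SYSCTL_CONF = """\
# Kernel sysctl configuration (constructed sample)
; semicolon comments are allowed too
net.ipv4.ip_forward = 1
kernel.sysrq=0
-net.ipv4.conf.all.rp_filter = 1
net.ipv4.ip_forward = 0
"""

# optional leading '-', key, '=', value (surrounding whitespace ignored)
ASSIGN_RE = re.compile(r"^\s*(-?)\s*([^\s=]+)\s*=\s*(.*?)\s*$")


def parse_assignments(text):
    """Yield (line_no, key, value, ignore_errors) per assignment line.
    Lines starting with # or ; are comments; a leading - means a failure to
    apply that setting is ignored (both per sysctl.conf(5))."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = ASSIGN_RE.match(line)
        if not m:
            continue          # sysctl itself warns about a malformed line
        dash, key, value = m.groups()
        yield line_no, key, value, dash == "-"


def occurrences(text, key):
    """All (line_no, value) pairs assigning `key`, in file order."""
    return [(n, v) for n, k, v, _ in parse_assignments(text) if k == key]


def effective_value(text, key):
    """Settings are applied in order, so the last assignment wins.
    Returns None when the key is never set in this file."""
    found = occurrences(text, key)
    return found[-1][1] if found else None


def conflicts(text):
    """Keys assigned more than once with differing values."""
    seen = {}
    for n, k, v, _ in parse_assignments(text):
        seen.setdefault(k, []).append((n, v))
    return {k: vs for k, vs in seen.items() if len({v for _, v in vs}) > 1}


if __name__ == "__main__":
    for key, vs in conflicts(SAMPLE_SYSCTL_CONF).items():
        winner = effective_value(SAMPLE_SYSCTL_CONF, key)
        print(f"{key}: set {len(vs)} times, effective value {winner!r}")
        for n, v in vs:
            print(f"  line {n}: {v}")
```

Run it against the real file with `conflicts(open("/etc/sysctl.conf").read())`; a key that shows up in the result has been appended to by something other than you.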

#StackBounty: #linux #email #classification An alternative to POPFile email classifier

Bounty: 50

I have been using POPFile for years – but it hasn’t been updated for years.

POPFile is a bayesian email classifier. Normally you’d associate this with spam – is it spam or is it not spam. Bayesian filters are great for this. But POPFile is much more, as it can classify all your email.

So I have a series of folders set up in my IMAP account that I have told POPFile about. POPFile watches what is in those folders, and automatically files similar emails into the same folders as they arrive into INBOX. It tokenises the entire email to achieve this, and almost as a side effect detects and files spam.

I get more than 95% accuracy with POPFile, and it means I don’t have to set up a single rule for automatic filing.

I am concerned that POPFile will stop functioning, as it loses compatibility.

Does anyone know of a similar thing? I have looked at SaneBox, which kind of gets there, but I’d like something that I run myself.

All the searches I do suggest alternatives that are spam filters – I don’t need a spam filter – in fact, my email client does a good job at filtering spam without POPFile.

In order of preference I’d say FOSS first, but if paid then so be it. As for how it functions, Linux-based would be ideal so I can have it headless, and if it was a clever sieve-type approach, that would be fine, but an IMAP solution would work with any server.


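The folder classification the post describes (tokenise the whole message, learn from the mail already in each folder, file new mail where it fits best), written out as a multinomial naive Bayes classifier. This is an added example, not POPFile's code; the training and test messages are constructed and the class and function names are mine.

```python
"""Multinomial naive Bayes folder classifier in the spirit of what the post
describes POPFile doing: tokenise the whole message (headers and body), learn
from the mail already in each IMAP folder, and file new mail where it fits best.
Added example, not POPFile's code; every message below is constructed."""
import math
import re
from collections import Counter, defaultdict

# Words, numbers, addresses and domain names, case-folded.
TOKEN_RE = re.compile(r"[a-z0-9][a-z0-9'.@-]*[a-z0-9]|[a-z0-9]")


def tokenize(message):
    """Headers and body are tokenised alike; nothing is stripped first."""
    return TOKEN_RE.findall(message.lower())


class FolderClassifier:
    def __init__(self, alpha=1.0):
        self.alpha = alpha                      # Laplace smoothing
        self.docs_in = Counter()                # folder -> messages seen
        self.tokens_in = defaultdict(Counter)   # folder -> token counts
        self.vocab = set()

    def train(self, folder, message):
        """Learn from a message that already sits in `folder`."""
        toks = tokenize(message)
        self.docs_in[folder] += 1
        self.tokens_in[folder].update(toks)
        self.vocab.update(toks)

    def log_scores(self, message):
        """log P(folder) + sum of log P(token | folder), per known folder."""
        toks = tokenize(message)
        n_docs = sum(self.docs_in.values())
        v = len(self.vocab)
        scores = {}
        for folder, n in self.docs_in.items():
            counts = self.tokens_in[folder]
            total = sum(counts.values())
            s = math.log(n / n_docs)
            for t in toks:  # unseen tokens get the smoothed floor, never zero
                s += math.log((counts[t] + self.alpha) / (total + self.alpha * v))
            scores[folder] = s
        return scores

    def classify(self, message):
        """The folder with the highest posterior, i.e. where to file it."""
        scores = self.log_scores(message)
        return max(scores, key=scores.get)


# Constructed training mail, keyed by the IMAP folder it was found in.
TRAINING = {
    "invoices": [
        "From: billing@example-host.invalid\nSubject: Invoice 1042 due\n\n"
        "Your invoice total is 120.00 USD, payment due by Friday.",
        "From: accounts@vendor.invalid\nSubject: Receipt for order 77\n\n"
        "Thank you for your payment. Invoice attached, total 45.00 USD.",
    ],
    "newsletters": [
        "From: news@weekly.invalid\nSubject: This week's newsletter\n\n"
        "Top stories this week inside the newsletter. Unsubscribe any time.",
        "From: digest@weekly.invalid\nSubject: Weekly digest\n\n"
        "Top stories and newsletter highlights. Unsubscribe link below.",
    ],
    "family": [
        "From: mum@home.invalid\nSubject: Sunday lunch\n\n"
        "Are you coming for lunch on Sunday? Grandma is visiting.",
        "From: dad@home.invalid\nSubject: Holiday photos\n\n"
        "Photos from the holiday are attached, see you Sunday.",
    ],
}


def build_classifier(training=TRAINING):
    """Train one classifier on everything in the folder map."""
    clf = FolderClassifier()
    for folder, messages in training.items():
        for message in messages:
            clf.train(folder, message)
    return clf
```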

#StackBounty: #linux #firewalls #sql-injection #iptables #sip SIP UDP request breaking through iptables

Bounty: 50

I have been investigating a few instances recently where SIP UDP traffic has been somehow evading the ruleset defined in iptables, leading me to suspect that there is a hole in our rules, so I’m looking for advice on how to bolster defences on the local system. We have a firewall ahead of this server which could be improved; however, it seems important that this issue is understood before we look into additional measures, so this question is directly regarding local server defences – specifically iptables.

The SIP packets are starting to include SQL injection attempts, and I am concerned that, without this being directly addressed, the application may eventually be compromised. At present the “caller” manages to establish a call which simply plays our no-service announcement, so they are getting a SIP conversation started with the local server – not ideal!

I’ve copied details below with a consistent redaction scheme; however, if additional information is required, please comment below and I’ll put it up.

Appreciate any advice, thanks for taking a look!

ORIGIN IP: 185.107.83.35
SIP SERVER IP: 200.200.114.207

I’ll start with an example of the offensive SIP packet:

INVITE sip:00*31203697460@200.200.114.207:5060;transport=UDP SIP/2.0
Via: SIP/2.0/UDP 185.107.83.35:5060;branch=z9hG4bK-524287-1---i9aif7pifkudxkd8
Max-Forwards: 70
Contact: <sip:...hi'or...x...='x';@185.107.83.35:5060;transport=UDP>
To: <sip:00*31203697460@200.200.114.207;transport=UDP>
From: <sip:...hi'or...x...='x';@200.200.114.207;transport=UDP>;tag=gj0njz16
Call-ID: LztInRxh5KJSOAGxCOGB0T..
CSeq: 1 INVITE
Content-Type: application/sdp
User-Agent: Avaya one-X Deskphone
Allow-Events: presence, kpml, talk
Content-Length: 515

v=0
o=Avaya 0 0 IN IP4 185.107.83.35
s=Avaya
c=IN IP4 185.107.83.35
t=0 0
m=audio 8000 RTP/AVP 18 3 110 8 0 97 101
a=rtpmap:0 PCMU/8000
a=rtpmap:8 PCMA/8000
a=rtpmap:18 G729/8000
a=fmtp:18 annexb=no
a=rtpmap:97 iLBC/8000
a=rtpmap:3 GSM/8000
a=rtpmap:98 AMR/8000
a=rtpmap:9 G722/8000
a=rtpmap:100 SPEEX/8000
a=rtpmap:99 AMR-WB/16000
a=rtpmap:102 SPEEX/16000
a=rtpmap:121 G7221/16000
a=fmtp:121 bitrate=24000
a=rtpmap:105 opus/48000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-16
a=sendrecv

IP configuration on host:

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: em1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
    link/ether 00:11:22:33:44:7d brd ff:ff:ff:ff:ff:ff
    inet 192.168.20.20/24 brd 255.255.255.255 scope global em1
    inet6 aaaa::aaaa:aaaa:aaaa:aaaa/64 scope link
       valid_lft forever preferred_lft forever
3: em2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
    link/ether 00:11:22:33:44:7f brd ff:ff:ff:ff:ff:ff
    inet 200.200.114.207/26 brd 200.200.114.255 scope global em2
    inet6 aaaa::aaaa:aaaa:aaaa:aaaa/64 scope link
       valid_lft forever preferred_lft forever
4: em3: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 1000
    link/ether 00:11:22:33:44:81 brd ff:ff:ff:ff:ff:ff
5: em4: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 1000
    link/ether 00:11:22:33:44:83 brd ff:ff:ff:ff:ff:ff

Here is the output from iptables -v -n --list

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
4769K  538M ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           /* 000 accept all icmp */
 645M  276G ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           /* 001 accept all to lo interface */
  11G 2946G ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           /* 002 accept related established rules */ state RELATED,ESTABLISHED
4036K  238M ACCEPT     tcp  --  em1    *       0.0.0.0/0            0.0.0.0/0           multiport ports 22 /* 101 accept SSH from internal interface */
36907 2036K ACCEPT     all  --  em1    *       192.168.4.0/24       0.0.0.0/0           /* 102 accept all traffic from site 1 LAN */
 160K 6397K ACCEPT     all  --  em1    *       192.168.5.0/24       0.0.0.0/0           /* 103 accept all traffic from site 1 LAN */
8651K  527M ACCEPT     all  --  em1    *       192.168.20.0/24      0.0.0.0/0           /* 105 accept all traffic from site 2 LAN */
    0     0 ACCEPT     tcp  --  em2    *       190.190.89.10        0.0.0.0/0           multiport ports 22 /* 106 accept SSH from WAN */
    0     0 ACCEPT     tcp  --  em1    *       0.0.0.0/0            0.0.0.0/0           multiport ports 2812 /* 107 accept monit from LAN */
41878   19M ACCEPT     udp  --  em2    *       190.190.89.0/26      0.0.0.0/0           multiport ports 5060 /* 150 accept SIP from WAN */
 144K   55M ACCEPT     udp  --  em2    *       200.200.114.192/26   0.0.0.0/0           multiport ports 5060 /* 152 accept SIP from WAN */
    0     0 ACCEPT     udp  --  em2    *       180.180.63.32/27     0.0.0.0/0           multiport ports 5060 /* 201 accept SIP from carrier */
    0     0 ACCEPT     udp  --  em2    *       180.180.63.32/27     0.0.0.0/0           multiport ports 8000:60000 /* 202 accept RTP from carrier */
    0     0 ACCEPT     udp  --  em2    *       170.170.67.2         0.0.0.0/0           multiport ports 5060 /* 210 accept SIP from carrier */
    0     0 ACCEPT     udp  --  em2    *       170.170.67.2         0.0.0.0/0           multiport ports 8000:60000 /* 211 accept RTP from carrier */
  55M 8576M ACCEPT     udp  --  em2    *       0.0.0.0/0            0.0.0.0/0           multiport ports 16384:32768 /* 300 accept all RTP */
 489K  219M REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           /* 999 reject all other requests */ reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           /* 998 reject all FORWARD */ reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 12G packets, 3230G bytes)
 pkts bytes target     prot opt in     out     source               destination


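A first-match walk of the INPUT chain listed above, to see which rule a given packet reaches. This is an added example, not the poster's tooling; the chain is transcribed from the `iptables -v -n --list` output, the packet description is simplified to what those rules inspect (protocol, input interface, source address, ports, conntrack state), and the names are mine. One detail worth knowing when auditing it: multiport `ports` (as opposed to `dports`) matches when either the source or the destination port is in the set.

```python
"""First-match walk of the INPUT chain from the post.  Added example, not the
poster's tooling; the chain is transcribed from the iptables listing above."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    tag: str                          # the /* NNN ... */ comment in the listing
    target: str
    proto: str = "all"                # all, tcp, udp or icmp
    in_if: str = "*"
    src: str = "0.0.0.0/0"
    ports: tuple = ()                 # (lo, hi) inclusive; () = no port match
    states: frozenset = frozenset()   # conntrack states; empty = no state match


INPUT_CHAIN = [
    Rule("000", "ACCEPT", proto="icmp"),
    Rule("001", "ACCEPT", in_if="lo"),
    Rule("002", "ACCEPT", states=frozenset({"RELATED", "ESTABLISHED"})),
    Rule("101", "ACCEPT", "tcp", "em1", ports=(22, 22)),
    Rule("102", "ACCEPT", in_if="em1", src="192.168.4.0/24"),
    Rule("103", "ACCEPT", in_if="em1", src="192.168.5.0/24"),
    Rule("105", "ACCEPT", in_if="em1", src="192.168.20.0/24"),
    Rule("106", "ACCEPT", "tcp", "em2", "190.190.89.10", (22, 22)),
    Rule("107", "ACCEPT", "tcp", "em1", ports=(2812, 2812)),
    Rule("150", "ACCEPT", "udp", "em2", "190.190.89.0/26", (5060, 5060)),
    Rule("152", "ACCEPT", "udp", "em2", "200.200.114.192/26", (5060, 5060)),
    Rule("201", "ACCEPT", "udp", "em2", "180.180.63.32/27", (5060, 5060)),
    Rule("202", "ACCEPT", "udp", "em2", "180.180.63.32/27", (8000, 60000)),
    Rule("210", "ACCEPT", "udp", "em2", "170.170.67.2", (5060, 5060)),
    Rule("211", "ACCEPT", "udp", "em2", "170.170.67.2", (8000, 60000)),
    Rule("300", "ACCEPT", "udp", "em2", ports=(16384, 32768)),
    Rule("999", "REJECT"),
]


def packet(proto, in_if, src, sport=0, dport=0, state="NEW"):
    """The fields of an incoming packet that this chain actually inspects."""
    return {"proto": proto, "in_if": in_if, "src": ipaddress.ip_address(src),
            "sport": sport, "dport": dport, "state": state}


def matches(rule, pkt):
    if rule.proto != "all" and rule.proto != pkt["proto"]:
        return False
    if rule.in_if != "*" and rule.in_if != pkt["in_if"]:
        return False
    if pkt["src"] not in ipaddress.ip_network(rule.src, strict=False):
        return False
    if rule.ports:   # multiport --ports: source OR destination port in range
        lo, hi = rule.ports
        if not (lo <= pkt["sport"] <= hi or lo <= pkt["dport"] <= hi):
            return False
    if rule.states and pkt["state"] not in rule.states:
        return False
    return True


def walk(pkt, chain=INPUT_CHAIN, policy="ACCEPT"):
    """(tag, target) of the first matching rule, or the chain policy."""
    for rule in chain:
        if matches(rule, pkt):
            return rule.tag, rule.target
    return "policy", policy


if __name__ == "__main__":
    # The INVITE from the post: UDP to the SIP port on em2 from 185.107.83.35.
    for state in ("NEW", "ESTABLISHED"):
        print(state, walk(packet("udp", "em2", "185.107.83.35", 5060, 5060, state)))
```

Feeding the walker the source port and conntrack state recorded for a real hit (from `conntrack -L` or a logging rule placed ahead of 999) tells you which accept rule, if any, the packet actually matched.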