[jira] [Commented] (TS-1235) Deny occurring for IPs not in the ip_allow.config file

David Carlin (JIRA) Fri, 13 Jul 2012 07:27:36 -0700

    [ 
https://issues.apache.org/jira/browse/TS-1235?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13413776#comment-13413776
 ]


David Carlin commented on TS-1235:
----------------------------------

I filed a bug TS-1329 that might be the same issue.  Bryan Call pointed out 
that according to the source code, this error message is from someone trying to 
connect to the management port that is not from 127.0.0.1 - so not sure if its 
ip_allow.config related?

It happens very infrequently for me; I've only seen it twice, we have many 
machines running ATS.

My ip_allow.config:

src_ip=0.0.0.0-255.255.255.255                    action=ip_allow  method=ALL
src_ip=::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff action=ip_allow  method=ALL

We then have a custom plugin (our only running plugin) that does quick 
filtering permission on a list of subnets.
                
> Deny occurring for IPs not in the ip_allow.config file
> ------------------------------------------------------
>
>                 Key: TS-1235
>                 URL: https://issues.apache.org/jira/browse/TS-1235
>             Project: Traffic Server
>          Issue Type: Bug
>          Components: Configuration, Security
>    Affects Versions: 3.1.3
>         Environment: Linux server.domain.com 2.6.32-220.el6.x86_64 #1 SMP Wed 
> Dec 7 10:41:06 EST 2011 x86_64 x86_64 x86_64 GNU/Linux
>            Reporter: Michael Turner
>            Assignee: Alan M. Carroll
>             Fix For: 3.3.2
>
>
> Consistently seeing this morning IPs that are not set to deny in 
> ip_allow.config being rejected.  Here's the config file we were using:
> #
> # ip_allow.config
> #
> # Two types of rules:
> # #src_ip=<range of IP addresses> action=ip_allow
> # #src_ip=<range of IP addresses> action=ip_deny
> # Rules are applied in the order listed starting from the top.
> #
> # Ban all of the XXXX servers
> src_ip=AAA.BBB.CCC.134  action=ip_deny
> #src_ip=AAA.BBB.CCC.135       action=ip_deny # temp unbanning. we've talked 
> to him
> src_ip=AAA.BBB.CCC.137        action=ip_deny
> src_ip=AAA.BBB.CCC.202        action=ip_deny
> src_ip=AAA.BBB.CCC.203        action=ip_deny
> src_ip=AAA.BBB.CCC.208        action=ip_deny
> src_ip=AAA.BBB.CCC.209        action=ip_deny
> src_ip=AAA.BBB.CCC.216        action=ip_deny
> src_ip=AAA.BBB.CCC.217        action=ip_deny
> src_ip=AAA.BBB.CCC.218        action=ip_deny
> src_ip=AAA.BBB.CCC.219        action=ip_deny
> src_ip=AAA.BBB.CCC.220        action=ip_deny
> src_ip=AAA.BBB.CCC.222        action=ip_deny
> src_ip=AAA.BBB.CCC.224        action=ip_deny
> src_ip=AAA.BBB.CCC.236        action=ip_deny
> # Banned IPs
> src_ip=AAA.BBB.CCC.212        action=ip_deny
> src_ip=AAA.BBB.CCC.246        action=ip_deny
> src_ip=AAA.BBB.CCC.144        action=ip_deny
> # Stock Rules
> src_ip=0.0.0.0-255.255.255.255                action=ip_allow
> src_ip=::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff action=ip_allow
> And here's log entries from when this config was active:
> [Apr 30 10:06:21.446] {0x2b321b2d42a0} NOTE: updated diags config
> [Apr 30 10:06:21.449] Server {0x2b321b2d42a0} NOTE: cache clustering disabled
> [Apr 30 10:06:21.492] Server {0x2b321b2d42a0} NOTE: cache clustering disabled
> [Apr 30 10:06:21.584] Server {0x2b321b2d42a0} NOTE: logging initialized[15], 
> logging_mode = 3
> [Apr 30 10:06:21.591] Server {0x2b321b2d42a0} NOTE: traffic server running
> [Apr 30 10:06:25.140] Server {0x2b3222d2c700} NOTE: cache enabled
> [Apr 30 10:06:33.804] Server {0x2b3223534700} WARNING: connect by disallowed 
> client AAA.BBB.CCC.111, closing
> [Apr 30 10:07:01.914] Server {0x2b324b2d2700} WARNING: connect by disallowed 
> client AAA.BBB.CCC.111, closing
> [Apr 30 10:07:02.025] Server {0x2b324b4d4700} WARNING: connect by disallowed 
> client AAA.BBB.CCC.144, closing
> [Apr 30 10:07:03.109] Server {0x2b3222827700} WARNING: connect by disallowed 
> client AAA.BBB.CCC.74, closing
> [Apr 30 10:07:04.594] Server {0x2b3222f2e700} WARNING: connect by disallowed 
> client AAA.BBB.CCC.74, closing
> [Apr 30 10:07:05.201] Server {0x2b3223332700} WARNING: connect by disallowed 
> client AAA.BBB.CCC.74, closing
> [Apr 30 10:07:06.170] Server {0x2b3223534700} WARNING: connect by disallowed 
> client AAA.BBB.CCC.74, closing
> [Apr 30 10:07:06.575] Server {0x2b3223736700} WARNING: connect by disallowed 
> client AAA.BBB.CCC.74, closing
> [Apr 30 10:07:06.690] Server {0x2b3223837700} WARNING: connect by disallowed 
> client AAA.BBB.CCC.74, closing
> [Apr 30 10:07:06.785] Server {0x2b3223938700} WARNING: connect by disallowed 
> client AAA.BBB.CCC.74, closing
> [Apr 30 10:07:06.817] Server {0x2b3223a39700} WARNING: connect by disallowed 
> client AAA.BBB.CCC.74, closing
> [Apr 30 10:07:06.841] Server {0x2b3223b3a700} WARNING: connect by disallowed 
> client AAA.BBB.CCC.74, closing
> [Apr 30 10:07:10.587] Server {0x2b321b2d42a0} WARNING: connect by disallowed 
> client AAA.BBB.CCC.35, closing
> FATAL: HttpSM.cc:890: failed assert `0`
> The IPS visible in the log ending in .111 and .74 are not in the deny list 
> anywhere.  The two ending in .144 and .35 are in the deny list.
> Please let me know what further information I can provide to help 
> troubleshoot/reproduce this.  

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: 
https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

[jira] [Commented] (TS-1235) Deny occurring for IPs not in the ip_allow.config file

Reply via email to