Monitoring/check ferm

check_ferm is an Icinga check that ensures the ferm service is running.

ferm is a frontend for iptables. If this service fails it should not mean there are no more firewall rules but no changes can be applied until it is fixed.

• Confirm there are still iptables rules loaded: iptables -L
• Check the status of systemd unit: systemctl status ferm
• Try starting the ferm service: systemctl start ferm
• This should show the error.
  • A common one is that a DNS name appears in the config that can't be resolved. Especially happens when IPv4 records exist but IPv6 records are missing. In this case add the missing records.
• Look at the config files in /etc/ferm/conf.d/. If a specific one is causing the issue it's possible to stop puppet, move the file to another backup location and try starting the ferm service again.