Monitoring/check ferm

From Wikitech

check_ferm is an Icinga check that ensures the ferm service is running.

ferm is a frontend for iptables. If this service fails, it does not mean the firewall rules are gone: the rules already loaded stay in place, but no changes can be applied until it is fixed.

Things to do

  • Confirm there are still iptables rules loaded: iptables -L
  • Check the status of systemd unit: systemctl status ferm
  • Try starting the ferm service: systemctl start ferm. This should show the error.
    • A common one is a DNS name in the config that can't be resolved. This happens especially when IPv4 records exist but IPv6 records are missing. In that case, add the missing records.
  • Look at the config files in /etc/ferm/conf.d/. If a specific file is causing the issue, it is possible to stop puppet, move that file to a backup location, and try starting the ferm service again.
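As an added example (not code from this page or from ferm), a small Python pre-flight check that pulls the hostnames out of a ferm config's @resolve(...) calls and reports names whose requested record is missing, so the unresolvable name can be found before restarting ferm. It assumes ferm's @resolve((hosts), TYPE) syntax with A as the default type; the sample config and the stub resolver are constructed.

```python
"""Pre-flight check for a ferm config: find the DNS names its @resolve() calls
must look up and report those missing the requested record type (added example)."""
import re
import socket

# Matches @resolve((host1 host2 ...)) or @resolve((host1 ...), AAAA).
RESOLVE_RE = re.compile(r"@resolve\(\(([^)]*)\)(?:\s*,\s*(A|AAAA))?\)")

# Constructed sample fragment in ferm syntax (not a real production file).
SAMPLE_CONFIG = """
domain (ip ip6) chain INPUT {
    saddr (@resolve((host-a.example.org host-b.example.org), AAAA)) ACCEPT;
    saddr (@resolve((host-a.example.org))) ACCEPT;
}
"""

def extract_names(config_text):
    """Return {hostname: set of record types ferm will look up}."""
    wanted = {}
    for hosts, rtype in RESOLVE_RE.findall(config_text):
        for host in hosts.split():
            # Assumption: @resolve without an explicit type looks up A records.
            wanted.setdefault(host, set()).add(rtype or "A")
    return wanted

def dns_resolver(host, rtype):
    """Live check: True if host has at least one record of type A or AAAA."""
    family = socket.AF_INET if rtype == "A" else socket.AF_INET6
    try:
        return bool(socket.getaddrinfo(host, None, family))
    except socket.gaierror:
        return False

def stub_resolver(host, rtype):
    """Constructed answers for offline use: host-b has no AAAA record."""
    present = {("host-a.example.org", "A"), ("host-a.example.org", "AAAA"),
               ("host-b.example.org", "A")}
    return (host, rtype) in present

def find_missing(config_text, resolver=dns_resolver):
    """Return sorted (host, type) pairs that would make ferm fail to start."""
    missing = []
    for host, types in extract_names(config_text).items():
        missing.extend((host, t) for t in sorted(types) if not resolver(host, t))
    return sorted(missing)

if __name__ == "__main__":
    print(find_missing(SAMPLE_CONFIG, stub_resolver))
```

To check a real host, call find_missing() on the contents of each file in /etc/ferm/conf.d/ with the default live resolver.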