error sending response: host unreachable

[NoAgendas]

No sites are loading and ALL OF A SUDDEN server stats in whm shows a few services instead of all the monitored (service manager) services (see image)

I've rebooted the box, upcp --force in stable,
attempted to restart named (/scripts/restartsrv_named takes forever, hangs)

I cannot view any sites. I even have to chmod 1777 /tmp after a reboot (every time) or else mysql/exmstats fail.

I tailed /var/log/messages and it was strolling these lines for example:

Aug 17 00:21:11 server named[24214]: zone client1.co.uk/IN: loaded serial 2006040801
Aug 17 00:21:11 server named[24214]: zone client2-net.co.uk/IN: loaded serial 2006040807
Aug 17 00:21:11 server named[24214]: zone client3.co.uk/IN: loaded serial 2006040701
Aug 17 00:21:11 server named[24214]: zone client4.co.uk/IN: loaded serial 2006040803


Aug 17 00:21:24 server named[24214]: client 212.188.4.13#3587: error sending response: host unreachable
Aug 17 00:21:24 server named[24214]: client 212.188.4.13#3587: error sending response: host unreachable
Aug 17 00:21:24 server named[24214]: client 168.95.192.24#32779: error sending response: host unreachable
Aug 17 00:21:24 server named[24214]: client 81.30.144.244#32768: error sending response: host unreachable
Aug 17 00:21:24 server named[24214]: client 202.101.226.68#38212: error sending response: host unreachable




How do I fix this stupid problem?


If I stop apf, bind seems to work (notice, I say "seems")

apf.conf

# Common ingress (inbound) TCP ports
IG_TCP_CPORTS="21,25,53,80,110,143,443,2083,2086,2087,2096,3000_5000,5432,22305"

# Common ingress (inbound) UDP ports
IG_UDP_CPORTS="53"

# Common ICMP (inbound) types
# 'internals/icmp.types' for type definition; 'all' is wildcard for any
IG_ICMP_TYPES="3,5,11,0,30,8"

# Egress filtering [0 = Disabled / 1 = Enabled]
EGF="1"

# Common egress (outbound) TCP ports
EG_TCP_CPORTS="21,25,80,443,43,2089"

# Common egress (outbound) UDP ports
EG_UDP_CPORTS="20,21,53"


I also have other rf-x modules installed: BFD, SPRI, SIM, LSM, LES, PRM to name a few

stopping / restart named is very slow (while cpu/memory load is minimal). I do not know why.

[NoAgendas]

Cpanel loads EXTREMELY SLOW (while the most minimal cpu/memory usage as well)

I ran this to correct the latest cpsrvd bug reported by many

rm -f /usr/local/cpanel/perl/Net/SSLeay/SSLeay.so
kill `cat /var/run/cpsrvd.pid`
/usr/local/cpanel/cpsrvd
/usr/local/cpanel/etc/init/startstunnel


Notice "cp" running, it stays there on top changing PID's and I did killall -9 cp to see if cpanel would load faster (never seen 'cp' in top before honestly)...that did not help at all. It came back by itself!

Code:

root@server [/tmp]# ps aux | grep cp
root        15  0.0  0.0     0    0 ?        S<   Aug16   0:00 [kacpid]
root      6793  0.0  0.0  1872  528 ?        Ss   Aug16   0:00 /usr/sbin/acpid
root     13350  0.0  0.0  2748  336 ?        SNs  Aug16   0:00 jsvc.exec -user tomcat -cp ./bootstrap.jar -Djava.endorsed.dirs=../common/endorsed -debug -outfile ../logs/catalina.out -errfile ../logs/catalina.err -verbose org.apache.catalina.startup.Bootstrap -security
tomcat   13351  0.5  1.4 298964 61828 ?      SNl  Aug16   2:20 jsvc.exec -user tomcat -cp ./bootstrap.jar -Djava.endorsed.dirs=../common/endorsed -debug -outfile ../logs/catalina.out -errfile ../logs/catalina.err -verbose org.apache.catalina.startup.Bootstrap -security
root     11435  0.0  0.2 12728 9584 ?        SNs  01:00   0:00 /usr/bin/perl /scripts/cpbackup
root     17635  0.0  0.0  1484  444 ?        SN   06:11   0:00 /usr/local/cpanel/bin/cpuwatch 10.0 /scripts/pkgacct instanta /backup/cpbackup/daily backup
root     25456  0.0  0.1 12272 6576 pts/1    S    06:18   0:00 cpsrvd - waiting for connections
root     25486  0.0  0.1 11528 7284 pts/1    SN   06:18   0:00 cpanellogd - setting up logs for mdmcam
cpanel   28503  0.0  0.0  6176 2412 ?        Ssl  06:21   0:00 /usr/bin/stunnel-4.15local /usr/local/cpanel/etc/stunnel/default/stunnel.conf.run
root     29417 12.4  0.1  6660 4308 ?        D    06:24   0:40 cp -R aquota.user backup bin boot dev error_log etc home initrd lib lost+found media misc mnt opt proc quota.user root sbin scripts selinux srv sys tmp usr var /usr/local/cpanel/whostmgr/docroot/themes/radiance/icons/
root       380  0.0  0.1 13668 5548 ?        S    06:26   0:00 cppop - accepting on port 110
mdmcam     499  0.0  0.1 11528 6724 pts/1    SN   06:27   0:00 cpanellogd - http logs for mdmcam
root       504  0.0  0.1 13676 5732 ?        S    06:27   0:00 cppop - serving 200.21.159.154 - AUTHORIZATION
root       507  0.0  0.1 13676 5732 ?        S    06:27   0:00 cppop - serving 200.21.159.154 - AUTHORIZATION
empireco   545  0.2  0.1 13688 5924 ?        S    06:27   0:00 cppop - serving 165.146.34.131 - TRANSACTION - marie@domain.co.za
root       605  0.0  0.1 13676 5732 ?        S    06:28   0:00 cppop - serving 200.21.159.154 - AUTHORIZATION
root       606  0.0  0.1 13676 5732 ?        S    06:28   0:00 cppop - serving 200.21.159.154 - AUTHORIZATION
empireco   659  0.0  0.1 13684 5876 ?        S    06:28   0:00 cppop - serving 165.146.34.131 - UPDATE - marlane@domain.co.za

[NoAgendas]

Thank you chirpy you are right. Believe it or not, I just remembered that about 20 minutes ago.

Good call

What about this?

"I cannot view any sites. I even have to chmod 1777 /tmp after a reboot (every time) or else mysql/exmstats fail."

Others have this problem as well, mentioned on this forum

[NoAgendas]

Thank you chirpy you are right. Believe it or not, I just remembered that about 20 minutes ago.

Good call

What about this?

"I cannot view any sites. I even have to chmod 1777 /tmp after a reboot (every time) or else mysql/exmstats fail."

Others have this problem as well, mentioned on this forum

My post showed up beofore yours, weird

[chirpy]

You need to open port 53 in and outbound for both UDP and TCP connections (looks like you're missing port 53 TCP outbound).

It may not be a firewall issue too. Make sure that if you have any restrictions in your named.conf that you allow transfers and recursion from any of your servers IP addresses that could be used (plus any external ones using your server for recursive lookups).

[chirpy]

The only time I've seen problems with /tmp are if:

1. You're using /scripts/securetmp and it's failing to mount the virtual partition in a timely manner or at all. If that's the case you need to stop any services accessing /tmp (httpd, MySQL, etc), umount /tmp and /var/tmp and then chmod 1777 the "real" /tmp directory.

2. If you have backups configured to go to /tmp

[NoAgendas]

Thank you, but after unmounting /tmp and chmodding it 1777, would I run securetmp again?

If not, what method you suggest? Thanks

[NoAgendas]

Chirpy where are you my friend?

[chirpy]

Yes you should run it again to remount the /tmp virtual partition.

[NoAgendas]

If I turn on egress filtering in APF, EGF="1" bind fails to start / restart correctly and shows this error:

"error sending response: host unreachable"

My apf.conf file:

# Common ingress (inbound) TCP ports
IG_TCP_CPORTS="21,25,53,80,110,143,443,2083,2086,2087,2096,3000_5000,5432,22305"

# Common ingress (inbound) UDP ports
IG_UDP_CPORTS="53"

# Common ICMP (inbound) types
# 'internals/icmp.types' for type definition; 'all' is wildcard for any
IG_ICMP_TYPES="3,5,11,0,30,8"

# Egress filtering [0 = Disabled / 1 = Enabled]
EGF="1"

# Common egress (outbound) TCP ports
EG_TCP_CPORTS="21,25,80,443,43,2089"

# Common egress (outbound) UDP ports
EG_UDP_CPORTS="20,21,53"

[chirpy]

Mentioned that already

You need to open port 53 in and outbound for both UDP and TCP connections (looks like you're missing port 53 TCP outbound).

[NoAgendas]

Thanks. You mean this one?

# Common egress (outbound) TCP ports
EG_TCP_CPORTS="21,25,80,443,43,2089"

Should be

# Common egress (outbound) TCP ports
EG_TCP_CPORTS="21,25,53,80,443,43,2089"

? Strange that it is not there by default

[NoAgendas]

By the way, can you please show the best / secured APF configuration that you recommend? I already am aware of disabling 2082/2096 for example

[chirpy]

Thanks. You mean this one?

# Common egress (outbound) TCP ports
EG_TCP_CPORTS="21,25,80,443,43,2089"

Should be

# Common egress (outbound) TCP ports
EG_TCP_CPORTS="21,25,53,80,443,43,2089"

? Strange that it is not there by default

Yes, that's the one.

[NoAgendas]

Thanks. I think you missed my last question as you responded at the same time.

What recommend APF config would you suggest?

Environment:
cpanel shared web hosting
all services local (mysql, dns, web, etc)