WUI + proxy stopped working

So I was connected via SSH looking at suricata rules when I noticed the wui and web proxy stopped responding. I rebooted and later restarted the firewall to no avail.
After restarting I can still ssh into the firewall. Browsing via proxy is not possible, the wui is not reachable. Browsing without proxy works.
Anything I can do?

Edit: So basically the firewall seems to work, dhcp works, browsing works. Browsing via the proxy does not work.
I’m glad I enabled ssh in the wui before it stopped.
The WUI doesn’t load however and I have no clue what to test or do next.

There are lots of these messages in the log. Don’t know if that has anything to do with this.
ipfireAppliance suricata: [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'file.elf' is checked but not set. Checked in 26531 and 39 other sigs

And there are messages like this:
suricata: [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
Mar 17 22:16:40 ipfireAppliance suricata: [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Zeus Spam 2013 dated zip/exe HTTP Response - potential malware download"; flow:to_client,established; content:"-2013.zip|0D 0A|"; fast_pattern:only; content:"-2013.zip|0D 0A|"; http_header; content:"-"; within:1; distance:-14; http_header; file_data; content:"-2013.exe"; content:"-"; within:1; distance:-14; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,VirusTotal; classtype:trojan-activity; sid:26470; rev:2;)" from file /var/lib/suricata/subscripted-malware-other.rules at line 2943

I cannot find errors that point to not starting WUI or proxy or failures with them.
But then, I don’t know exactly what to look for.

Try to rebind the ethernet interfaces using setup at the console.

Thanks for the reply.
Just removed the interfaces and assigned them again. Network restarted, got no errors afaik. Didn’t help, still no WUI.

I think it is best if I reinstall and restore a backup.
I have a (fairly new) mini appliance. I downloaded the latest stable and “dd-ed” that to a USB-stick. Can I just insert that USB in one of the ports and then restart to trigger a fresh install?
(Got it pre-installed, so never had to do this before).

Yes, that’s the way to go. I wonder what happened. Before doing that, make sure you have the backup. Also make sure the firmware boots from the USB first.

Yes, me too. I am a bit worried about those flowbit messages. Could be a memory problem if I remember well.

I do have a backup. Since I don’t have WUI, I don’t know how to make one if I didn’t have one.
Thanks again.

Usually the backup is created automatically at each update of IPFire. You can find it and download it using the console.

Do you know where?

/var/ipfire/backup/

They are .ipf files. You have the main file and the extensions:

[root@ipfire cfusco]# locate *.ipf
/var/ipfire/backup/2023-03-03-13:13.ipf
/var/ipfire/backup/addons/backup/hostapd.ipf
/var/ipfire/backup/addons/backup/igmpproxy.ipf

Keep the same name. The easiest way to get them out is to plug in an external usb key (it should be mounted automatically under the /media/usbkey directory) and copy those files using the cp command. Something like:

cp /var/ipfire/backup/2023-03-03-13\:13.ipf /media/usbkey/

Thanks for your extensive reply!

Will go and try now, and report back of course.

You can also run the backup commands from the console if you need to. See the wiki.

https://wiki.ipfire.org/configuration/system/backup/backupconsole

2 Likes

If not too late, can you check also /var/log/httpd/error_log and access_log?

2 Likes

Not too late. The firewall is booting now. Will check
The usb-stick doesn’t mount automatically. But doesn’t matter, the files in /var/ipfire/backup are the same I had on my laptop. (I made a backup when the WUI was still working.)

When the setup for the new install started I got a very distorted screen, but I managed to make the right choice. Then I got a complaint about a videomode and the process stopped. Later I could choose video mode “0” but got a blank screen as well. I am using a very old laptop for this (x60) and I think I have to try with my other one.

[root@ipfireAppliance httpd]# cat error_log
[Sun Mar 12 00:01:00.964192 2023] [mpm_event:notice] [pid 6702:tid 133193506959552] AH00489: Apache/2.4.55 (Unix) OpenSSL/1.1.1t configured -- resuming normal operations
[Sun Mar 12 00:01:00.964436 2023] [core:notice] [pid 6702:tid 133193506959552] AH00094: Command line: '/usr/sbin/httpd'
given is experimental at /srv/web/ipfire/cgi-bin/services.cgi line 145.
when is experimental at /srv/web/ipfire/cgi-bin/services.cgi line 146.
given is experimental at /srv/web/ipfire/cgi-bin/services.cgi line 145.
when is experimental at /srv/web/ipfire/cgi-bin/services.cgi line 146.
Invalid header block at offset unknown at /var/ipfire/ids-functions.pl line 550.

And then a lot of "Invalid header" lines.
Then

27012; rev:459; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag Threatvi: checksum error at /var/ipfire/ids-functions.pl line 550.
Invalid header block at offset unknown at /var/ipfire/ids-functions.pl line 550.

And again "Invalid header" lines.

Then:

27012; rev:459; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag Threatvi: checksum error at /var/ipfire/ids-functions.pl line 550.
[Fri Mar 17 21:54:53.695434 2023] [mpm_event:notice] [pid 6702:tid 133193506959552] AH00491: caught SIGTERM, shutting down
[Fri Mar 17 21:58:43.710841 2023] [mpm_event:notice] [pid 6750:tid 128086071464128] AH00489: Apache/2.4.55 (Unix) OpenSSL/1.1.1t configured -- resuming normal operations
[Fri Mar 17 21:58:43.712101 2023] [core:notice] [pid 6750:tid 128086071464128] AH00094: Command line: '/usr/sbin/httpd'
given is experimental at /srv/web/ipfire/cgi-bin/services.cgi line 145.
when is experimental at /srv/web/ipfire/cgi-bin/services.cgi line 146.
[Fri Mar 17 22:17:00.760583 2023] [mpm_event:notice] [pid 6738:tid 130057702023360] AH00489: Apache/2.4.55 (Unix) OpenSSL/1.1.1t configured -- resuming normal operations
[Fri Mar 17 22:17:00.762084 2023] [core:notice] [pid 6738:tid 130057702023360] AH00094: Command line: '/usr/sbin/httpd'
[Sat Mar 18 14:31:25.725858 2023] [mpm_event:notice] [pid 6740:tid 132741370392768] AH00489: Apache/2.4.55 (Unix) OpenSSL/1.1.1t configured -- resuming normal operations
[Sat Mar 18 14:31:25.727479 2023] [core:notice] [pid 6740:tid 132741370392768] AH00094: Command line: '/usr/sbin/httpd'
[Sat Mar 18 16:01:23.425898 2023] [cgid:error] [pid 6740:tid 132741370392768] AH01239: cgid daemon process died, restarting
[Sat Mar 18 16:01:23.647523 2023] [mpm_event:notice] [pid 6740:tid 132741370392768] AH00491: caught SIGTERM, shutting down
[Sat Mar 18 16:14:04.702288 2023] [mpm_event:notice] [pid 6681:tid 134089352024256] AH00489: Apache/2.4.55 (Unix) OpenSSL/1.1.1t configured -- resuming normal operations
[Sat Mar 18 16:14:04.703976 2023] [core:notice] [pid 6681:tid 134089352024256] AH00094: Command line: '/usr/sbin/httpd'

The access_log seems to stop after the WUI vanished.
Those are the last lines. That was yesterday evening.

192.168.21.1 - admin [17/Mar/2023:22:03:29 +0100] "GET /cgi-bin/speed.cgi HTTP/1.1" 200 133
192.168.21.1 - admin [17/Mar/2023:22:03:31 +0100] "GET /cgi-bin/speed.cgi HTTP/1.1" 200 133
192.168.21.10 - - [17/Mar/2023:22:20:56 +0100] "GET /wpad.dat HTTP/1.1" 200 702 "-" "Mozilla/5.0 (X11; Linux i686; rv:102.0) Gecko/20100101 Firefox/102.0"
192.168.22.41 - - [17/Mar/2023:23:47:03 +0100] "GET /wpad.dat HTTP/1.1" 200 702 "-" "Mozilla/5.0 (X11; Linux i686; rv:102.0) Gecko/20100101 Firefox/102.0"

Thanks Adolf, good to know!

Wait, I thought you had a mini appliance from lightning wire lab (basically an apu2 machine)? If that’s the case you need to connect to the machine with a null modem cable and use a serial emulator program. Is this what you are doing?

Yes, that is what I am doing.

I am connecting with
sudo screen /dev/ttyUSB0 115200

Works fine, but the new install gave a distorted screen.

Maybe your problem is related to this bug. However after you boot the linux kernel it should be back to normal.

You need to choose the serial console option though.

1 Like

Ah, that’s exactly the screen I get.
I did choose to install, will try console options next. Might be a bit later this evening, duty calls. Will try to install asap.

The logfiles don’t give much info afaik. They both have a gap in time and seem not to have logged the event.

Anyway, will try to do a fresh install and report back.
You have been a lifesaver so far, thank you very much!

Maybe not. I see this line:

[Sat Mar 18 16:01:23.425898 2023] [cgid:error] [pid 6740:tid 132741370392768] AH01239: cgid daemon process died, restarting
[Sat Mar 18 16:01:23.647523 2023] [mpm_event:notice] [pid 6740:tid 132741370392768] AH00491: caught SIGTERM, shutting down

Why is Apache choking up? Maybe that’s why you can’t connect, the daemon process dies, for some reason. A corrupted file?

1 Like
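
Added example, not part of any post in this thread: a small shell function for triaging an Apache error_log like the one quoted above. It counts server starts (AH00489), SIGTERM shutdowns (AH00491), cgid daemon deaths (AH01239) and non-timestamped lines, which are stderr output from CGI scripts such as the "Invalid header block" messages. The function names and the sample log are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise an Apache error_log (e.g. /var/log/httpd/error_log).

# Constructed sample, modelled on the excerpt in the thread (tid values shortened).
write_sample_log() {
    cat > "$1" <<'EOF'
[Sat Mar 18 14:31:25.725858 2023] [mpm_event:notice] [pid 6740:tid 1] AH00489: Apache/2.4.55 (Unix) OpenSSL/1.1.1t configured -- resuming normal operations
Invalid header block at offset unknown at /var/ipfire/ids-functions.pl line 550.
Invalid header block at offset unknown at /var/ipfire/ids-functions.pl line 550.
[Sat Mar 18 16:01:23.425898 2023] [cgid:error] [pid 6740:tid 1] AH01239: cgid daemon process died, restarting
[Sat Mar 18 16:01:23.647523 2023] [mpm_event:notice] [pid 6740:tid 1] AH00491: caught SIGTERM, shutting down
[Sat Mar 18 16:14:04.702288 2023] [mpm_event:notice] [pid 6681:tid 1] AH00489: Apache/2.4.55 (Unix) OpenSSL/1.1.1t configured -- resuming normal operations
EOF
}

# Print one summary line for the log file given as $1.
summarise_httpd_errlog() {
    awk '
        /^\[/ {                              # timestamped Apache message
            if ($0 ~ /AH00489:/) starts++    # server (re)started
            if ($0 ~ /AH00491:/) sigterm++   # shut down on SIGTERM
            if ($0 ~ /AH01239:/) {           # cgid daemon died
                died++
                ts = $0
                sub(/^\[/, "", ts)           # strip leading "["
                sub(/\].*/, "", ts)          # keep only the timestamp
                last = ts
            }
            next
        }
        NF { stderr++ }                      # untimestamped: CGI script stderr
        END {
            printf "starts=%d sigterm=%d cgid_died=%d cgi_stderr=%d last_cgid_death=%s\n",
                   starts, sigterm, died, stderr, (last == "" ? "-" : last)
        }
    ' "$1"
}

# Demo on the constructed sample.
sample=$(mktemp)
write_sample_log "$sample"
summarise_httpd_errlog "$sample"
rm -f "$sample"
```

On the firewall itself, call `summarise_httpd_errlog /var/log/httpd/error_log`; a non-zero `cgid_died` with a timestamp near the moment the WUI vanished is the line worth correlating with other logs.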