Hi,
I just have a question: is it possible to use CC_ALLOW_FILTER on a specific port, e.g. allowing destination ports 20/21 only to CA/US,
so all other countries can still access web pages etc... but attacks on FTP access are stopped?
Thanks.
CC_ALLOW_FILTER on specific port
Re: CC_ALLOW_FILTER on specific port
This was added in the last release, 5.74, and I'm grateful for it... thanks a lot.
But the way CSF manages iptables rules makes it very, very unstable.
It needs to build an optimized rule tree based on the blocked netmasks (/8, /16, /20, /22, /24, /26, etc.)
and think about managing it with iptables-save and iptables-restore.
This kind of config is very secure, but with it iptables has to manage
more than 80k rules....
I know that it is possible to run even more rules than that with iptables, but it needs some help...
I will search and post more on that later on.
Re: CC_ALLOW_FILTER on specific port
So.. more updates...
The solution I found to do this well is to use ipset and xtables-addons.
Both can be found on netfilter.org and have some very interesting features.
I'm not used to Perl, or I would code a patch myself.
http://netfilter.org/projects/ipset/index.html
http://netfilter.org/projects/xtables-addons/index.html
http://xtables-addons.sourceforge.net/modules.php
thanks.
Re: CC_ALLOW_FILTER on specific port
Still having trouble with the CC_ALLOW_FILTER option.
Seems like port filtering doesn't work correctly if you do it out of both the INPUT and OUTPUT chains.
csf adds a reference to CC_ALLOWP in LOCALINPUT, and then
CC_ALLOWP holds rules that point to CC_ALLOWPLIST, which holds the port-filtering rules depending on the CC lookup.
But this doesn't work for me.
Can anyone else confirm?
Chain INPUT (policy DROP)
num target prot opt source destination
1 ACCEPT tcp -- 192.168.0.1 0.0.0.0/0 tcp dpt:53
2 ACCEPT udp -- 192.168.0.1 0.0.0.0/0 udp dpt:53
3 ACCEPT tcp -- 192.168.0.1 0.0.0.0/0 tcp spt:53
4 ACCEPT udp -- 192.168.0.1 0.0.0.0/0 udp spt:53
5 LOCALINPUT all -- 0.0.0.0/0 0.0.0.0/0
6 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
7 INVALID tcp -- 0.0.0.0/0 0.0.0.0/0
8 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
9 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
10 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
11 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
12 REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
13 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
14 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:25
15 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:53
16 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:80
17 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:110
18 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:143
19 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:443
20 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:587
21 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:1311
22 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:2222
23 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:53
24 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 11
25 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 3
26 LOGDROPIN all -- 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy DROP)
num target prot opt source destination
1 REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain OUTPUT (policy DROP)
num target prot opt source destination
1 ACCEPT tcp -- 0.0.0.0/0 192.168.0.1 tcp dpt:53
2 ACCEPT udp -- 0.0.0.0/0 192.168.0.1 udp dpt:53
3 ACCEPT tcp -- 0.0.0.0/0 192.168.0.1 tcp spt:53
4 ACCEPT udp -- 0.0.0.0/0 192.168.0.1 udp spt:53
5 LOCALOUTPUT all -- 0.0.0.0/0 0.0.0.0/0
6 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
7 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:53
8 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:53
9 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp spt:53
10 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
11 INVALID tcp -- 0.0.0.0/0 0.0.0.0/0
12 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
13 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:25
14 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:53
15 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:80
16 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:110
17 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:113
18 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:443
19 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:53
20 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:123
21 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 11
22 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 3
23 LOGDROPOUT all -- 0.0.0.0/0 0.0.0.0/0
Chain ALLOWIN (1 references)
num target prot opt source destination
1 ACCEPT all -- 192.168.0.101 0.0.0.0/0
Chain ALLOWOUT (1 references)
num target prot opt source destination
1 ACCEPT all -- 0.0.0.0/0 192.168.0.101
Chain CC_ALLOWP (1 references)
num target prot opt source destination
1 CC_ALLOWPLIST all -- 217.195.16.0/20 0.0.0.0/0
2 CC_ALLOWPLIST all -- 217.194.80.0/20 0.0.0.0/0
3 CC_ALLOWPLIST all -- 217.175.190.0/23 0.0.0.0/0
4 CC_ALLOWPLIST all -- 217.175.188.0/24 0.0.0.0/0
5 CC_ALLOWPLIST all -- 217.175.184.0/22 0.0.0.0/0
6 CC_ALLOWPLIST all -- 217.175.180.0/23 0.0.0.0/0
7 CC_ALLOWPLIST all -- 217.175.178.0/24 0.0.0.0/0
8 CC_ALLOWPLIST all -- 217.175.176.0/24 0.0.0.0/0
9 CC_ALLOWPLIST all -- 217.175.175.0/24 0.0.0.0/0
10 CC_ALLOWPLIST all -- 217.175.173.0/24 0.0.0.0/0
11 CC_ALLOWPLIST all -- 217.175.168.0/22 0.0.0.0/0
12 CC_ALLOWPLIST all -- 217.175.164.0/22 0.0.0.0/0
13 CC_ALLOWPLIST all -- 217.175.162.0/23 0.0.0.0/0
14 CC_ALLOWPLIST all -- 217.175.161.0/24 0.0.0.0/0
15 CC_ALLOWPLIST all -- 217.174.192.0/19 0.0.0.0/0
...
Chain CC_ALLOWPLIST (4024 references)
num target prot opt source destination
1 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:20
2 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:21
3 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:20
4 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:21
Chain DENYIN (1 references)
num target prot opt source destination
Chain DENYOUT (1 references)
num target prot opt source destination
Chain DSHIELD (1 references)
num target prot opt source destination
1 DROP all -- 50.57.69.0/24 0.0.0.0/0
...
20 DROP all -- 151.25.229.0/24 0.0.0.0/0
Chain INVALID (2 references)
num target prot opt source destination
1 INVDROP all -- 0.0.0.0/0 0.0.0.0/0 state INVALID
...
10 INVDROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:!0x17/0x02 state NEW
Chain INVDROP (10 references)
num target prot opt source destination
...
11 DROP all -- 0.0.0.0/0 0.0.0.0/0
Chain LOCALINPUT (1 references)
num target prot opt source destination
1 ALLOWIN all -- 0.0.0.0/0 0.0.0.0/0
2 DENYIN all -- 0.0.0.0/0 0.0.0.0/0
3 DSHIELD all -- 0.0.0.0/0 0.0.0.0/0
4 SPAMHAUS all -- 0.0.0.0/0 0.0.0.0/0
5 CC_ALLOWP all -- 0.0.0.0/0 0.0.0.0/0
Chain LOCALOUTPUT (1 references)
num target prot opt source destination
1 ALLOWOUT all -- 0.0.0.0/0 0.0.0.0/0
2 DENYOUT all -- 0.0.0.0/0 0.0.0.0/0
Chain LOGDROPIN (1 references)
num target prot opt source destination
...
20 DROP all -- 0.0.0.0/0 0.0.0.0/0
Chain LOGDROPOUT (1 references)
num target prot opt source destination
...
4 DROP all -- 0.0.0.0/0 0.0.0.0/0
Chain SPAMHAUS (1 references)
num target prot opt source destination
1 DROP all -- 204.8.87.0/24 0.0.0.0/0
2 DROP all -- 195.88.230.0/23 0.0.0.0/0
3 DROP all -- 194.135.54.0/24 0.0.0.0/0
4 DROP all -- 188.247.232.0/24 0.0.0.0/0
5 DROP all -- 188.229.19.0/24 0.0.0.0/0
6 DROP all -- 162.97.244.0/22 0.0.0.0/0
7 DROP all -- 146.185.255.0/24 0.0.0.0/0
8 DROP all -- 95.64.42.0/24 0.0.0.0/0
...
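As an added example (not code from this thread or from CSF itself), the Python model below walks a state NEW packet through the chain layout described in the post above (LOCALINPUT -> CC_ALLOWP -> CC_ALLOWPLIST, then the generic INPUT port rules, then LOGDROPIN) and compares the rule count of that per-netblock layout with the ipset hash:net layout suggested earlier in the thread. It assumes four netblocks taken from the CC_ALLOWP dump as a stand-in for the full 4024-entry chain, port lists mirroring the dump, and a constructed set name cc_allow.

```python
import ipaddress

# Constructed sample: four of the CC_ALLOWP netblocks from the dump above stand in
# for the full 4024-entry chain; port lists mirror the dump's CC_ALLOWPLIST and INPUT.
CC_NETS = [ipaddress.ip_network(n) for n in (
    "217.195.16.0/20", "217.194.80.0/20", "217.175.190.0/23", "217.174.192.0/19")]
CC_ALLOWPLIST = [("tcp", 20), ("tcp", 21), ("udp", 20), ("udp", 21)]
INPUT_PORTS = [("tcp", p) for p in (22, 25, 53, 80, 110, 143, 443, 587, 1311, 2222)]
INPUT_PORTS.append(("udp", 53))

def walk_input(src, proto, dport):
    """Model of INPUT for a state NEW packet: LOCALINPUT jumps to CC_ALLOWP, which
    holds one jump to CC_ALLOWPLIST per netblock; CC_ALLOWPLIST ACCEPTs only the
    country-filtered ports and otherwise RETURNs, so CC_ALLOWP keeps walking the
    remaining netblocks before INPUT falls through to its generic port ACCEPTs
    and finally LOGDROPIN. Returns (verdict, rules_evaluated)."""
    src = ipaddress.ip_address(src)
    evaluated = 0
    for net in CC_NETS:                       # chain CC_ALLOWP
        evaluated += 1
        if src in net:
            for rule in CC_ALLOWPLIST:        # chain CC_ALLOWPLIST
                evaluated += 1
                if rule == (proto, dport):
                    return "ACCEPT", evaluated
            # no match: RETURN to CC_ALLOWP; the remaining netblock rules are still evaluated
    for rule in INPUT_PORTS:                  # back in INPUT: TCP_IN / UDP_IN rules
        evaluated += 1
        if rule == (proto, dport):
            return "ACCEPT", evaluated
    return "LOGDROPIN", evaluated

def rule_counts(nets, ports):
    """Rules iptables must hold: one jump per netblock versus one ipset match."""
    return {"per_netblock": len(nets) + len(ports), "ipset": 1 + len(ports)}

def ipset_commands(nets, setname="cc_allow"):
    """The ipset-based layout named in the thread (an illustration, not CSF's own
    code): load the country netblocks into one hash:net set and replace the
    per-netblock jumps with a single set match. Set name is an assumption."""
    cmds = [f"ipset create {setname} hash:net"]
    cmds += [f"ipset add {setname} {net}" for net in nets]
    cmds.append(f"iptables -A CC_ALLOWP -m set --match-set {setname} src -j CC_ALLOWPLIST")
    return cmds

if __name__ == "__main__":
    for pkt in (("217.195.20.5", "tcp", 21), ("8.8.8.8", "tcp", 21), ("8.8.8.8", "tcp", 80)):
        print(pkt, walk_input(*pkt))
    print(rule_counts(range(4024), CC_ALLOWPLIST))
    print("\n".join(ipset_commands(CC_NETS)))
```

The model shows the intended evaluation order; it does not reproduce whatever is going wrong on the poster's box, only what each packet should hit if the chains behave as listed.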