CSF blocking MX with Port Scanning

dxisto
Junior Member
Posts: 2
Joined: 18 Aug 2014, 19:38

CSF blocking MX with Port Scanning

Post by dxisto »

I'm running a few cPanel servers, all of them with CSF Firewall.
Since the last update (from v7.07 to 7.11), I'm getting a lot of IPs blocked. A sample of the block hits:

Aug 17 14:49:24 cpanel06 kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=fe:28:43:7e:23:50:00:14:22:1e:a8:62:08:00 SRC=200.147.36.15 DST=189.50.180.6 LEN=67 TOS=0x00 PREC=0x00 TTL=56 ID=64921 DF PROTO=TCP SPT=25 DPT=35663 WINDOW=114 RES=0x00 ACK PSH URGP=0

All of the blocks are from TCP source port 25, ACK PSH, and from known MX servers that shouldn't be blocked.

Has anyone noticed this issue? How can I handle it?

Thanks in advance.
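A quick way to triage log lines like the one quoted above is to separate blocked packets that are replies from a remote mail server (source port 25 with ACK set, i.e. the far end of a session our own MTA opened) from packets that look like genuine scans (SYN only). The script below is an added example, not code from the original post or from CSF; the first sample line is the one quoted in the post, the remaining sample lines and the addresses in them are constructed for illustration.

```shell
#!/bin/sh
# Triage of CSF/lfd "*TCP_IN Blocked*" kernel log lines: list the sources
# whose blocked packets came FROM tcp/25 with ACK set (mid-session replies
# from an MX, not inbound scans) and count how many look like real scans.

# Constructed sample log. The first line is the one quoted in the post; the
# other three are made up for this example (documentation addresses).
SAMPLE_LOG='Aug 17 14:49:24 cpanel06 kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=fe:28:43:7e:23:50:00:14:22:1e:a8:62:08:00 SRC=200.147.36.15 DST=189.50.180.6 LEN=67 TOS=0x00 PREC=0x00 TTL=56 ID=64921 DF PROTO=TCP SPT=25 DPT=35663 WINDOW=114 RES=0x00 ACK PSH URGP=0
Aug 17 14:50:01 cpanel06 kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=... SRC=203.0.113.7 DST=189.50.180.6 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1 DF PROTO=TCP SPT=25 DPT=40112 WINDOW=114 RES=0x00 ACK PSH URGP=0
Aug 17 14:50:05 cpanel06 kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=... SRC=198.51.100.9 DST=189.50.180.6 LEN=44 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=54321 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Aug 17 14:50:09 cpanel06 kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=... SRC=203.0.113.7 DST=189.50.180.6 LEN=52 TOS=0x00 PREC=0x00 TTL=52 ID=2 DF PROTO=TCP SPT=25 DPT=40112 WINDOW=114 RES=0x00 ACK URGP=0'

# Reads log lines on stdin; prints "SRC count" for every source whose
# blocked packets were TCP from source port 25 with the ACK flag set.
# A plain ACK (no PSH) is still a reply inside an established session, so
# it is counted too. Output is sorted so it is stable for comparison.
mx_replies_blocked() {
    awk '
        /\*TCP_IN Blocked\*/ && / PROTO=TCP / && / SPT=25 / && / ACK / {
            for (i = 1; i <= NF; i++) if ($i ~ /^SRC=/) src = substr($i, 5)
            n[src]++
        }
        END { for (s in n) print s, n[s] }
    ' | sort
}

# Reads log lines on stdin; prints the number of blocked packets that look
# like real scans: SYN set and ACK not set (a new inbound connection attempt).
scan_hits() {
    awk '/\*TCP_IN Blocked\*/ && / SYN / && !/ ACK /' | wc -l | tr -d " "
}

# Demo on the constructed sample. Real use: mx_replies_blocked < /var/log/messages
printf '%s\n' "$SAMPLE_LOG" | mx_replies_blocked
printf 'scan-like blocks: %s\n' "$(printf '%s\n' "$SAMPLE_LOG" | scan_hits)"
```

Any source that shows up in the first list is a candidate for `csf -dr <ip>` (remove from the deny list) once the port-scan setting has been corrected; the SYN-only count tells you how much of the noise was actually scanning.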
ForumAdmin
Moderator
Posts: 1524
Joined: 01 Oct 2008, 09:24

Re: CSF blocking MX with Port Scanning

Post by ForumAdmin »

You should first remove port 25 from PS_PORTS so that lfd does not block on it, which will stop the blocking.

For example if you have the default of "0:65535,ICMP", change it to "0:24,26:65535,ICMP" then restart lfd.

It's not possible to tell why the TCP packets are failing; it would suggest an issue with iptables connection tracking interfering with the local TCP packets. You could check whether the connection tracking table is full. How to do that depends on your OS, e.g. on CentOS v6:


sysctl net.netfilter.nf_conntrack_count
sysctl net.netfilter.nf_conntrack_max
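The two checks in the reply above (excluding a port from a PS_PORTS range list, and looking at the conntrack table) can be scripted. The following is an added example, not code from the forum or from CSF: `ps_ports_without` carves any port out of a comma-separated PS_PORTS value, which generalises the single "0:65535,ICMP" to "0:24,26:65535,ICMP" edit, and `conntrack_usage` reads whichever sysctl key names the running kernel has (the net.netfilter.nf_conntrack_* names used on CentOS 6 and the net.ipv4.netfilter.ip_conntrack_* names on CentOS 5, both of which appear in this thread). The function names are this example's own.

```shell
#!/bin/sh
# Helpers for two checks from the thread: drop a port from a CSF PS_PORTS
# spec, and report how full the netfilter connection-tracking table is.

# Usage: ps_ports_without "<PS_PORTS value>" <port>
# Prints the spec with <port> removed. A range containing the port is split
# into the remainders on either side (empty remainders are dropped, a
# one-port remainder is printed as a single number). Non-numeric items such
# as ICMP and ranges that do not contain the port pass through unchanged.
ps_ports_without() {
    spec=$1 port=$2 out=""
    old_ifs=$IFS
    IFS=,
    for item in $spec; do
        case $item in
            *:*)
                lo=${item%%:*} hi=${item#*:}
                if [ "$port" -ge "$lo" ] && [ "$port" -le "$hi" ]; then
                    if [ "$port" -gt "$lo" ]; then       # left remainder
                        if [ $((port - 1)) -eq "$lo" ]; then out="$out,$lo"
                        else out="$out,$lo:$((port - 1))"; fi
                    fi
                    if [ "$port" -lt "$hi" ]; then       # right remainder
                        if [ $((port + 1)) -eq "$hi" ]; then out="$out,$hi"
                        else out="$out,$((port + 1)):$hi"; fi
                    fi
                else
                    out="$out,$item"
                fi
                ;;
            [0-9]*)
                [ "$item" -eq "$port" ] || out="$out,$item"
                ;;
            *)
                out="$out,$item"
                ;;
        esac
    done
    IFS=$old_ifs
    printf '%s\n' "${out#,}"
}

# Usage: conntrack_pct <count> <max> -> integer percentage of the table in use
conntrack_pct() {
    echo $(( $1 * 100 / $2 ))
}

# Reads the live counters via sysctl, trying the CentOS 6 key names first and
# the CentOS 5 names second. Prints "count max percent"; returns 1 if neither
# key exists (e.g. the conntrack module is not loaded, or not a Linux host).
conntrack_usage() {
    for prefix in net.netfilter.nf_conntrack net.ipv4.netfilter.ip_conntrack; do
        count=$(sysctl -n "${prefix}_count" 2>/dev/null) || continue
        max=$(sysctl -n "${prefix}_max" 2>/dev/null) || continue
        echo "$count $max $(conntrack_pct "$count" "$max")"
        return 0
    done
    echo "no conntrack sysctl keys found" >&2
    return 1
}

# Demo: the exact edit suggested in the reply, then the live table (if any).
ps_ports_without "0:65535,ICMP" 25
conntrack_usage || :
```

The posted CentOS 5 figures (212 of 65536) give 0%, which is why the reply says conntrack is not the problem there; a table running near 100% would show up as dropped packets and is worth raising nf_conntrack_max for. Note that PS_PORTS is read by lfd, so after editing csf.conf the lfd restart the reply mentions is still required.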
klaas2
Junior Member
Posts: 8
Joined: 15 Nov 2011, 22:17

Re: CSF blocking MX with Port Scanning

Post by klaas2 »

I want to say I had exactly the same issue after the update, but I noticed rather late (today)... so Gmail was blocked, and many other email providers. I just changed it all and deleted the blocked IPs, but I'm very afraid Gmail has blocked my email server now, as tests are not working well to Gmail so far.
klaas2
Junior Member
Posts: 8
Joined: 15 Nov 2011, 22:17

Re: CSF blocking MX with Port Scanning

Post by klaas2 »

Ah, nice, it seems all Gmail mails now get into my inbox (Gmail just needed an hour or so); even mails I sent yesterday to my email account show up. I hope the same happens to other emails for other providers (that they still get the mails from yesterday).

Are you sure this isn't a bug from the updater? I never had problems until the recent update.
ForumAdmin
Moderator
Posts: 1524
Joined: 01 Oct 2008, 09:24

Re: CSF blocking MX with Port Scanning

Post by ForumAdmin »

This should be resolved in the v7.12 just released:
http://blog.configserver.com/
klaas2
Junior Member
Posts: 8
Joined: 15 Nov 2011, 22:17

Re: CSF blocking MX with Port Scanning

Post by klaas2 »

Do you suggest changing the "0:24,26:65535,ICMP" back to "0:65535,ICMP"?

I'll check sysctl net.netfilter.nf_conntrack_max and sysctl net.netfilter.nf_conntrack_count if you think this might cause the issue. I'll report back when I find out how to show them on my old CentOS 5.
klaas2
Junior Member
Posts: 8
Joined: 15 Nov 2011, 22:17

Re: CSF blocking MX with Port Scanning

Post by klaas2 »

-bash-3.2# sysctl net.ipv4.netfilter.ip_conntrack_count
net.ipv4.netfilter.ip_conntrack_count = 212
-bash-3.2# sysctl net.ipv4.netfilter.ip_conntrack_max
net.ipv4.netfilter.ip_conntrack_max = 65536
-bash-3.2#
ForumAdmin
Moderator
Posts: 1524
Joined: 01 Oct 2008, 09:24

Re: CSF blocking MX with Port Scanning

Post by ForumAdmin »

klaas2 wrote: Do you suggest changing the "0:24,26:65535,ICMP" back to "0:65535,ICMP"?
It doesn't really matter as the new OPEN setting will exclude the port for you now anyway. Thank you for posting the conntrack information which doesn't show an issue there. Hopefully v7.12 will have resolved the issue now anyway.
dxisto
Junior Member
Posts: 2
Joined: 18 Aug 2014, 19:38

Re: CSF blocking MX with Port Scanning

Post by dxisto »

It worked!
CSF updated to version 7.12 and everything working now.
Thank you very much.