I realized this week that I may not properly understand the -ta mode of csf
So now we have to punch a hole through the firewall to allow csf upgrades
so at first glance I tried this
/usr/sbin/csf -ta 85.10.199.177 60 -p80 -dout
But nope, that won't work
Tried -dinout, but nope, that is not the problem.
So maybe the port is not the destination port but the local port, and there is no control over the local port used for the outbound connection.
/usr/sbin/csf -ta 85.10.199.177 60 -dout
nope that doesn't work either, it needs to be -dinout
So in the end, this is all that works
/usr/sbin/csf -ta 85.10.199.177 60
Do we maybe need to request an option for destination port instead of local port?
And why doesn't just -dout work, why would it need inbound acceptance? It's not ftp, it is http.
understanding temporary allow outbound
- Moderator
- Posts: 1524
- Joined: 01 Oct 2008, 09:24
Re: understanding temporary allow outbound
You have to use spaces after the options, so:
csf -ta 85.10.199.177 60 -p 80 -d out
Re: understanding temporary allow outbound
ForumAdmin wrote:
You have to use spaces after the options, so:
csf -ta 85.10.199.177 60 -p 80 -d out

bash usually figures out spaceless options on its own and can tolerate them.
But even trying it with spaces fails, so it is not that simple.
I am pretty sure it is because 80 is the destination port not the local port and -p means the local port which is chosen at random for outbound.
So there is no actual way to do allows based on destination ports.
But the restriction on outbound also fails in itself for reasons I do not understand, I have to allow inout for it to work.
- Moderator
- Posts: 1524
- Joined: 01 Oct 2008, 09:24
Re: understanding temporary allow outbound
In reply to: bash usually figures out spaceless options on its own and can tolerate them

That has nothing to do with bash; it is a perl script interpreting the command line, and you may have problems if you try to use spaceless command options, so they should be discouraged.
Currently, csf does not apply outgoing port specific temporary allows/denies correctly. It will always allow access via all outgoing ports regardless of the port specified. This will be corrected in the next release.
Re: understanding temporary allow outbound
Thanks for the quick response.
I upgraded to 7.15 and then tried this again:
csf -ta 85.10.199.177 60 -d out
which strangely still fails to reach download.configserver.com
I have to leave off the -d out for it to work
Am I misunderstanding how the http protocol works, shouldn't only outbound be needed?
For the record, this also still fails for 7.15
csf -ta 85.10.199.177 60 -p 80
and this fails
csf -ta 85.10.199.177 60 -d inout -p 80
So it probably has to do with the random local port vs remote port still.
In any case I can live with just the full open for a minute.
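The two questions running through this thread (is -p the local port or the remote port, and why does an outbound HTTP fetch need inbound acceptance) come down to how a packet filter matches the two ports of a TCP connection and whether it tracks connection state. The model below is an added illustration, not csf's code and not a claim about how csf builds its iptables rules; the local address 192.0.2.10, the ephemeral port range, and the rule/flow structures are constructed for the example. It shows that an outbound allow keyed on a local port of 80 never matches a client connection (the client's local port is ephemeral), that an outbound-only allow keyed on remote port 80 lets the SYN out but drops the SYN-ACK unless the filter treats replies as ESTABLISHED, and that an unrestricted inout allow (the form that worked in the thread) passes both directions even without state tracking.

```python
"""Toy packet filter: local vs remote port matching and stateful reply handling.

Added example, not ConfigServer code. Addresses, ephemeral range and rule shapes
are constructed for illustration.
"""
import random
from dataclasses import dataclass
from typing import Iterable, Optional, Set, Tuple

LOCAL_IP = "192.0.2.10"        # constructed local address (RFC 5737 range)
REMOTE_IP = "85.10.199.177"    # download host address from the thread
EPHEMERAL = (32768, 60999)     # typical Linux net.ipv4.ip_local_port_range (assumption)


@dataclass(frozen=True)
class Packet:
    direction: str   # "out" (leaving this host) or "in" (arriving at it)
    src: str
    sport: int
    dst: str
    dport: int

    def remote_side(self) -> Tuple[str, int, int]:
        """Return (remote ip, remote port, local port) regardless of direction."""
        if self.direction == "out":
            return self.dst, self.dport, self.sport
        return self.src, self.sport, self.dport


@dataclass(frozen=True)
class Rule:
    direction: str                    # "in", "out" or "inout"
    ip: str                           # remote address the allow applies to
    remote_port: Optional[int] = None  # port on the remote host (None = any)
    local_port: Optional[int] = None   # port on this host (None = any)

    def matches(self, p: Packet) -> bool:
        if self.direction != "inout" and self.direction != p.direction:
            return False
        rip, rport, lport = p.remote_side()
        if rip != self.ip:
            return False
        if self.remote_port is not None and rport != self.remote_port:
            return False
        if self.local_port is not None and lport != self.local_port:
            return False
        return True


class Firewall:
    """Default-DROP filter; optionally accepts replies to flows it already let out."""

    def __init__(self, rules: Iterable[Rule], stateful: bool):
        self.rules = list(rules)
        self.stateful = stateful
        self.flows: Set[Tuple[str, int, str, int]] = set()  # accepted outbound 4-tuples

    def accept(self, p: Packet) -> bool:
        # ESTABLISHED handling: an inbound packet whose reversed tuple is a known flow.
        if self.stateful and p.direction == "in":
            if (p.dst, p.dport, p.src, p.sport) in self.flows:
                return True
        if any(r.matches(p) for r in self.rules):
            if p.direction == "out":
                self.flows.add((p.src, p.sport, p.dst, p.dport))
            return True
        return False


def http_attempt(fw: Firewall, rng: random.Random) -> Tuple[bool, bool]:
    """Start of one TCP handshake to port 80: SYN out, SYN-ACK back.

    Returns (syn_out_accepted, synack_in_accepted). The local port is chosen
    from the ephemeral range, as a real client's would be.
    """
    lport = rng.randint(*EPHEMERAL)
    syn = Packet("out", LOCAL_IP, lport, REMOTE_IP, 80)
    synack = Packet("in", REMOTE_IP, 80, LOCAL_IP, lport)
    out_ok = fw.accept(syn)
    in_ok = fw.accept(synack) if out_ok else False
    return out_ok, in_ok


def scenario(rule: Rule, stateful: bool, seed: int = 1) -> Tuple[bool, bool]:
    """Run one HTTP attempt against a firewall holding a single allow rule."""
    return http_attempt(Firewall([rule], stateful), random.Random(seed))


if __name__ == "__main__":
    cases = [
        ("out, local port 80, stateful", Rule("out", REMOTE_IP, local_port=80), True),
        ("out, remote port 80, stateless", Rule("out", REMOTE_IP, remote_port=80), False),
        ("out, remote port 80, stateful", Rule("out", REMOTE_IP, remote_port=80), True),
        ("inout, any port, stateless", Rule("inout", REMOTE_IP), False),
    ]
    for label, rule, stateful in cases:
        print(f"{label:32s} -> (syn out, syn-ack in) = {scenario(rule, stateful)}")
```

The first case is the thread's reading of -p as the local port: the SYN leaves from an ephemeral port, so a rule pinned to local port 80 never fires. The second case shows why an outbound-only allow is not enough on a filter without state: the SYN-ACK arrives on the inbound path and nothing accepts it. Only a filter that treats the reply as part of an established flow (third case), or a blanket inout allow (fourth case), completes the handshake.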