ACCEPT rule created on OUTPUT Chain

[tdousset]

Hi,

Bit of an odd one. It seems that CSF is creating an ACCEPT rule at the bottom of the OUTPUT chain.

# csf -X
# iptables -P INPUT ACCEPT
# iptables -P OUTPUT ACCEPT
# iptables -F
# iptables -nL
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain acctboth (0 references)
target prot opt source destination

As you can see - clean slate.

/etc/sysconfig/iptables does not exist - so there are no rules stashed in there...

# csf -e

# iptables -nL OUTPUT | tail
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:514
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:873
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:6277
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpts:33434:33523
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 0
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 8
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 11
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 3
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
DROP all -- 0.0.0.0/0 0.0.0.0/0

The last two rules:
-A OUTPUT ! -o lo -j ACCEPT
-A OUTPUT ! -o lo -j DROP

This seems to permit everything outbound.

Is this a bug or some config that I've missed? Please advise.

Cheers,
Tim.

[ForumAdmin]

What is LF_SPI set to in /etc/csf/csf.conf?

[tdousset]

Hi,

I don't have the LF_SPI key in the current config...

[tdousset]

root@host [~]# csf --version
csf: v7.68 (cPanel)

I suppose it's possible that we've carried an old configuration through several version upgrades. So LF_SPI was new in 7.66 by the looks of it.

[ForumAdmin]

Using old configurations is not a good idea. If you do that, you should always run the following afterwards:

csf -uf

Which will update anything that is missing.

[tdousset]

Hi,

Thanks for the info - it looks like rebuilding the config with csf -uf and then restarting csf has rectified the issue.

I have not narrowed exactly which config key is responsible yet though.

Thanks.