Global allow rules partially applied on CentOS 7 servers

bobbytables
Junior Member
Posts: 6
Joined: 05 Jul 2016, 12:53

Post by bobbytables »

I have noticed that my global allow rules are applying correctly to all CentOS 6 servers, but on CentOS 7 servers global allow rules are being applied partially.

By partially, I mean that /var/lib/csf/csf.gallow contains only between 30% and 60% of the rules (the rules are chopped off at a random line on each affected server), and in /var/log/lfd.log I regularly see the "iptables appears to have been flushed - running *csf startup*..." message:

Code:

Nov 29 13:01:00 server-3 lfd[705311]: Global Allow - retrieved and allowing IP address ranges
Nov 29 13:01:20 server-3 lfd[357879]: iptables appears to have been flushed - running *csf startup*...
Nov 29 13:01:20 server-3 lfd[705311]: csf is currently restarting - command [/sbin/iptables  -A NEWGALLOWIN -i eno+ -p tcp  -s XXX.XXX.XXX.XXX/23 --dport 21  -j ACCEPT] skipped on line 6965

The iptables rule mentioned in the logs is different on each server and each time an automatic rules update occurs. The only thing that is the same across all affected servers is the last part of the message, "...skipped on line 6965".

LF_GLOBAL is set to 3600 and the mentioned problem appears at random times on random CentOS 7 servers. The problem keeps repeating almost every time global rules are automatically updated:

Code:

root@server-3 [~]# grep -i flushed /var/log/lfd.log
Nov 27 04:00:26 server-3 lfd[865786]: iptables appears to have been flushed - running *csf startup*...
Nov 27 06:00:41 server-3 lfd[865786]: iptables appears to have been flushed - running *csf startup*...
Nov 27 07:00:53 server-3 lfd[865786]: iptables appears to have been flushed - running *csf startup*...
Nov 27 08:01:06 server-3 lfd[865786]: iptables appears to have been flushed - running *csf startup*...
Nov 27 10:01:22 server-3 lfd[865786]: iptables appears to have been flushed - running *csf startup*...
Nov 27 11:01:34 server-3 lfd[865786]: iptables appears to have been flushed - running *csf startup*...
Nov 27 12:01:47 server-3 lfd[865786]: iptables appears to have been flushed - running *csf startup*...
Nov 27 14:02:00 server-3 lfd[865786]: iptables appears to have been flushed - running *csf startup*...
Nov 27 15:02:12 server-3 lfd[865786]: iptables appears to have been flushed - running *csf startup*...
Nov 27 16:02:24 server-3 lfd[865786]: iptables appears to have been flushed - running *csf startup*...
Nov 27 19:02:39 server-3 lfd[865786]: iptables appears to have been flushed - running *csf startup*...
Nov 27 20:02:51 server-3 lfd[865786]: iptables appears to have been flushed - running *csf startup*...
Nov 27 22:03:03 server-3 lfd[865786]: iptables appears to have been flushed - running *csf startup*...
Nov 27 23:03:16 server-3 lfd[865786]: iptables appears to have been flushed - running *csf startup*...
Nov 28 04:00:25 server-3 lfd[730386]: iptables appears to have been flushed - running *csf startup*...
Nov 28 06:00:38 server-3 lfd[730386]: iptables appears to have been flushed - running *csf startup*...
Nov 28 09:00:52 server-3 lfd[730386]: iptables appears to have been flushed - running *csf startup*...
Nov 28 10:01:05 server-3 lfd[730386]: iptables appears to have been flushed - running *csf startup*...
Nov 28 11:01:21 server-3 lfd[730386]: iptables appears to have been flushed - running *csf startup*...
Nov 28 12:01:33 server-3 lfd[730386]: iptables appears to have been flushed - running *csf startup*...
Nov 28 14:01:47 server-3 lfd[730386]: iptables appears to have been flushed - running *csf startup*...
Nov 28 15:01:59 server-3 lfd[730386]: iptables appears to have been flushed - running *csf startup*...
Nov 28 16:02:13 server-3 lfd[730386]: iptables appears to have been flushed - running *csf startup*...
Nov 28 18:02:26 server-3 lfd[730386]: iptables appears to have been flushed - running *csf startup*...
Nov 28 20:02:41 server-3 lfd[730386]: iptables appears to have been flushed - running *csf startup*...
Nov 28 21:02:53 server-3 lfd[730386]: iptables appears to have been flushed - running *csf startup*...
Nov 28 23:03:05 server-3 lfd[730386]: iptables appears to have been flushed - running *csf startup*...
Nov 29 04:00:25 server-3 lfd[357879]: iptables appears to have been flushed - running *csf startup*...
Nov 29 05:00:37 server-3 lfd[357879]: iptables appears to have been flushed - running *csf startup*...
Nov 29 08:00:50 server-3 lfd[357879]: iptables appears to have been flushed - running *csf startup*...
Nov 29 11:01:05 server-3 lfd[357879]: iptables appears to have been flushed - running *csf startup*...
Nov 29 13:01:20 server-3 lfd[357879]: iptables appears to have been flushed - running *csf startup*...

At the moment, I'm able to temporarily resolve the problem by restarting the LFD service, but the problem keeps coming back after a random number of hours.

I have ruled out the web server that serves global allow rules as a culprit because:
1. not a single CentOS 6 server is affected, only CentOS 7 servers are
2. in the access logs I can clearly see that the affected servers have downloaded the complete file with the global allow rules (the response code was "200 OK" and the transferred bytes are correct)

ForumAdmin
Moderator
Posts: 1524
Joined: 01 Oct 2008, 09:24

Re: Global allow rules partially applied on CentOS 7 servers

Post by ForumAdmin »

The logs are not indicative of a problem with Global Allow. They show that something external to csf is flushing iptables, forcing csf to restart. While csf is restarting, lfd stops doing whatever it was up to and waits until it has started before continuing. You need to find out what is flushing iptables on a regular (hourly?) basis.
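One way to start narrowing down the external flusher the reply points at, as an added example that is neither from this thread nor from the csf project: parse the "flushed" events out of lfd.log, check whether they cluster at the top of the hour (which points at a scheduled job rather than lfd itself), and set an audit watch on the iptables binaries so the next flush records the calling process. The log lines below are constructed; the audit key name and the /usr/sbin paths are assumptions.

```shell
#!/bin/sh
# Added example, not part of the forum post or of csf/lfd.
# Constructed sample of lfd.log lines; the 13:37 entry stands in for a manual restart.
LOG_SAMPLE='Nov 27 04:00:26 server-3 lfd[865786]: iptables appears to have been flushed - running *csf startup*...
Nov 27 06:00:41 server-3 lfd[865786]: iptables appears to have been flushed - running *csf startup*...
Nov 27 07:00:53 server-3 lfd[865786]: Global Allow - retrieved and allowing IP address ranges
Nov 28 04:00:25 server-3 lfd[730386]: iptables appears to have been flushed - running *csf startup*...
Nov 28 13:37:02 server-3 lfd[730386]: iptables appears to have been flushed - running *csf startup*...'

# Print one "Mon DD HH:MM:SS" timestamp per flush-triggered csf restart.
flush_events() {
    printf '%s\n' "$1" | grep 'iptables appears to have been flushed' | awk '{print $1, $2, $3}'
}

# Count the flush events that start within the first five minutes of an hour.
# A high ratio here suggests an hourly cron/systemd timer rather than a random flush.
on_the_hour_count() {
    flush_events "$1" | awk -F'[ :]' '$4 ~ /^0[0-5]$/ {n++} END {print n+0}'
}

# List scheduled jobs that reference iptables at all (read-only; runs on the real box).
scheduled_iptables_jobs() {
    grep -rl 'iptables' /etc/cron* /var/spool/cron /etc/systemd/system 2>/dev/null || true
}

# Record every execution of the iptables tools with auditd so the parent PID and
# command line of the flusher show up in "ausearch -k iptables_exec -i".
# Key name and binary paths are assumptions for CentOS 7 layouts.
watch_iptables_exec() {
    auditctl -w /usr/sbin/iptables -p x -k iptables_exec
    auditctl -w /usr/sbin/iptables-restore -p x -k iptables_exec
}

# Stand-alone run: summarise the constructed sample.
printf 'flush events: %s\n' "$(flush_events "$LOG_SAMPLE" | grep -c .)"
printf 'on the hour : %s\n' "$(on_the_hour_count "$LOG_SAMPLE")"
```

Run scheduled_iptables_jobs and watch_iptables_exec on the affected host only; the first two functions work on any copy of lfd.log.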