Adding port rules to csf.allow

[arund]

Hello all,

I tried adding port rules for a specific IP that is present in a BLOCKLIST to access the server. It was added to csf.allow

Code: Select all

tcp|in|d=80|s=xx.xx.xx.xx
tcp|in|d=443|s=xx.xx.xx.xx
tcp|out|s=80|d=xx.xx.xx.xx
tcp|out|s=443|d=xx.xx.xx.xx

After reloading the csf, when I ran a csf grep, it shows as below

Code: Select all

# csf -g xx.xx.xx.xx

Table Chain num pkts bytes target prot opt in out source destination

filter ALLOWIN 1 0 0 ACCEPT tcp -- !lo * xx.xx.xx.xx 0.0.0.0/0 tcp dpt:443
filter ALLOWIN 2 0 0 ACCEPT tcp -- !lo * xx.xx.xx.xx 0.0.0.0/0 tcp dpt:80

filter ALLOWOUT 3 0 0 ACCEPT tcp -- * !lo 0.0.0.0/0 xx.xx.xx.xx tcp spt:443
filter ALLOWOUT 4 0 0 ACCEPT tcp -- * !lo 0.0.0.0/0 xx.xx.xx.xx tcp spt:80


IPSET: Set:bl_XXXBL Match:xx.xx.xx.xx Setting:XXXBL file:/etc/csf/csf.blocklists

No matter what, the IPs were not able to connect to the server in and out.

When I tried to allow these IPs with temporary access (for eg. csf -ta xx.xx.xx.xx 86400 -p 80), the IPs are able to communicate properly.

I couldn't see much difference in the iptables rules though. Is this some sort of bug?

[gr56rd]

Same problem here.

IP's that are in a csf.blocklist cannot be allowed through in csf.allow. They only work if added to tempallow.

Is this a bug?

How do we get these IP's in csf.allow to work even though they show up in a blocklist?

[gr56rd]

CSF is not honoring ip:port rules when the IP is also in a blocklist.

Its critical that this work because many time legitimate IP's end up on blocklists and can break services.

If an IP is in a blocklist then ip:port rules in csf.allow do not work to permit egress traffic. If just the ip is placed in csf.allow then it works.

How do we create ip:port rules to allow bidirectional communication when initiated outbound while the IP is on a blockist?

[gr56rd]

On my test server I was able to get it to work by adding these rules to csf.allow
tcp|in|s=80,443|s=1.1.1.1
tcp|out|d=80,443|d=1.1.1.1

Why would both be needed if csf is stateful (iptables underneath). If egress connection is initiated to 1.1.1.1: 443 then bidirectional communication should be permitted with just the egress rule.