Does this error indicate a Zone file error? If so, what is the best way to correct it?
*ERROR* line:[2703]
Command:[/sbin/iptables --wait -v -A CC_ALLOWP -s 104.171.32.0/ -j CC_ALLOWPORTS]
Error:[iptables v1.4.21: invalid mask `' specified]
This network is found in /var/lib/csf/Geo/ip2asn-combined.tsv & /var/lib/csf/zone/us.zone
Zone file error
Re: Zone file error
We had the same problem due to a corrupted / invalid de.zone file (had x.x.x.x/ without number after slash at the end).
I only noticed, because suddenly a port was blocked.
To fix it I did the following:
1. (optional and only if you have a VALID MaxMind Key set in csf.conf) Edit /etc/csf/csf.conf and change CC_SRC to "1" (I did this, because I am not sure I still trust the other sources.)
2. Edit /etc/csf/csf.conf and change FASTSTART to "0"
3. Remove zone files: rm /var/lib/csf/zone/*.zone*
4. Force update csf to restore correct zone files: csf -uf
5. Restart csf: csf -r
6. Edit /etc/csf/csf.conf and change FASTSTART to "1"
7. Restart service from systemctl: systemctl restart csf
8. Check status is not failed: systemctl status csf
Re: Zone file error
Another way to fix this could be to edit the entry at:
/var/lib/csf/zone/us.zone
from this 104.171.32.0/ to 104.171.32.0/20
Re: Zone file error
It looks like from time to time the zone file update fails, resulting in an incomplete file.
This is strange enough in itself - the download should be clever enough to know if the zone file is incomplete/corrupt.
You may fix it by editing the entry, however you'll still miss the rest of the file.
We wrote a small monitoring script to check:
- if the current zone file size is smaller than a baseline amount we've recorded (allowing a -10% window)
- if the rows in all zone files are matching the required format
In case of issues we receive email alerts.
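The two checks described in the last reply (file size against a recorded baseline with a 10% allowance, and row format), sketched as an added example; this is not the poster's script. It assumes one IPv4 CIDR per line with blank lines and '#' comments skipped, and the function names, baseline values and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: sanity checks for CSF country zone files.
# Assumption: each row is an IPv4 CIDR (a.b.c.d/prefix).

# Print "file:line:content" for every row that is not a valid IPv4 CIDR.
bad_rows() {
    awk '
        /^[ \t]*(#|$)/ { next }          # skip comments and blank lines
        {
            ok = ($0 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\/[0-9]+$/)
            if (ok) {
                split($0, p, "/"); split(p[1], o, ".")
                if (p[2] + 0 > 32) ok = 0
                for (i = 1; i <= 4; i++) if (o[i] + 0 > 255) ok = 0
            }
            if (!ok) printf "%s:%d:%s\n", FILENAME, FNR, $0
        }' "$1"
}

# Succeed only if the file is at least 90% of the baseline size in bytes.
size_ok() {
    size=$(wc -c < "$1")
    [ "$((size * 100))" -ge "$(($2 * 90))" ]
}

# Run both checks on one file; print findings and return 1 on any issue.
check_zone() {
    rc=0
    if ! size_ok "$1" "$2"; then
        echo "$1: smaller than 90% of baseline ($2 bytes)"
        rc=1
    fi
    bad=$(bad_rows "$1")
    if [ -n "$bad" ]; then
        echo "$bad"
        rc=1
    fi
    return $rc
}

# Constructed sample files: us.zone reproduces the truncated row from the thread.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
printf '104.171.16.0/20\n104.171.32.0/\n'   > "$demo_dir/us.zone"
printf '104.171.16.0/20\n104.171.32.0/20\n' > "$demo_dir/ok.zone"

check_zone "$demo_dir/us.zone" 32 || echo "ALERT: us.zone failed checks"
check_zone "$demo_dir/ok.zone" 32 && echo "ok.zone passed"
```

In practice the same functions would be run from cron over /var/lib/csf/zone/*.zone with a baseline recorded per file, before csf reloads the rules, with the output sent to whatever alerting is already in place.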