With bogons enabled (LF_BOGON) it blocks interfaces even if they are in the interface "skip" list (using ETH_DEVICE_SKIP). So with it enabled it blocks connecting to internal IPs on eth1 even if eth1 shouldn't have rules applied to it.
Using csf version 4.36 on CentOS 5
csf bogon bug
Sorry, but it's not a bug per se...
From the config file:
    # Do NOT use this option if your server uses IP's on the bogon list (e.g. this
    # is often the case with servers behind a NAT firewall using ip routing)
The only way bogons work along with using something like a 10.0.0.0/8 private network is if you place your public interface in ETH_DEVICE and place your private interface in ETH_DEVICE_SKIP.
This will cause csf to order the rules such that any traffic destined to the ETH_DEVICE_SKIP takes precedence over the bogon detection.
If ETH_DEVICE is blank, bogon detection will take precedence over ETH_DEVICE_SKIP.
At least that's how it worked in my limited experience; I've only been testing and playing with CSF/LFD since last night.
Thanks for the info
Thanks for the info guys. I wasn't aware that you had to explicitly add the device to ETH_DEVICE... I always had it blank and just added my internal eth1 device to ETH_DEVICE_SKIP. This was always working in the past. I just had this issue after updating csf; something must have changed.
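The rule-ordering point made above (LF_BOGON on, ETH_DEVICE blank, ETH_DEVICE_SKIP set means bogon rules win over the skip list) can be checked before reloading csf. The script below is an added example written for this thread, not part of csf; the `csf_get` / `csf_bogon_check` / `make_sample` helpers are hypothetical, and the two config files it writes are constructed samples rather than real csf.conf files.

```shell
#!/bin/sh
# Audit a csf.conf for the combination discussed in this thread:
# LF_BOGON="1" with ETH_DEVICE empty and ETH_DEVICE_SKIP non-empty.
# Hypothetical helper, not part of csf.

# Print the value of key $2 from a csf.conf-style file $1 (lines like: KEY = "value").
# Commented-out lines (# KEY = "...") are ignored; the last assignment wins.
csf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" | tail -n 1
}

# Returns 0 and prints a warning when bogon rules will be ordered ahead of the
# ETH_DEVICE_SKIP rules; returns 1 when the combination is fine.
csf_bogon_check() {
    conf="$1"
    bogon=$(csf_get "$conf" LF_BOGON)
    dev=$(csf_get "$conf" ETH_DEVICE)
    skip=$(csf_get "$conf" ETH_DEVICE_SKIP)
    if [ "$bogon" = "1" ] && [ -z "$dev" ] && [ -n "$skip" ]; then
        echo "WARNING: $conf: LF_BOGON=1 with ETH_DEVICE empty; bogon rules will precede ETH_DEVICE_SKIP ($skip)"
        return 0
    fi
    return 1
}

# Write a constructed sample config to $1 with ETH_DEVICE set to $2.
make_sample() {
    cat > "$1" <<EOF
# constructed sample, not a real csf.conf
TESTING = "0"
LF_BOGON = "1"
ETH_DEVICE = "$2"
ETH_DEVICE_SKIP = "eth1"
EOF
}

# Demo: the blank ETH_DEVICE layout from the original post versus the corrected one.
tmp=$(mktemp -d)
make_sample "$tmp/bad.conf" ""
make_sample "$tmp/good.conf" "eth0"
csf_bogon_check "$tmp/bad.conf"
csf_bogon_check "$tmp/good.conf" || echo "OK: $tmp/good.conf orders ETH_DEVICE_SKIP ahead of bogon rules"
```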