csf inserting iptables DENYIN rule for 64.0.0.0/2
Posted: 23 Mar 2021, 15:51
In csf v14.09 when I have permanent deny rules in /etc/csf/csf.deny like the following:
tcp|in|d=1_65535|s=64.62.128.0/17 # do not delete
tcp|in|d=1_65535|s=64.71.32.0/19 # do not delete
tcp|in|d=1_65535|s=64.71.128.0/18 # do not delete
tcp|in|d=1_65535|s=64.90.32.0/19 # do not delete
tcp|in|d=1_65535|s=64.91.224.0/19 # do not delete
tcp|in|d=1_65535|s=64.225.0.0/17 # do not delete
tcp|in|d=1_65535|s=64.227.0.0/17 # do not delete
tcp|in|d=1_65535|s=64.235.32.0/19 # do not delete
And csf+lfd is restarted, it adds an iptables DENYIN rule for 64.0.0.0/2. I have to manually delete this rule as it blocks all inbound traffic between 64.0.0.0 and 127.255.255.255.
I currently have 1700 permanent IP bans in /etc/csf/csf.deny due to the volume and source of inbound port scans and web application attacks. I don't want to block outbound traffic to these IPs as they could potentially host legitimate sites, and it is easier to block the whole subnet of the offending IPs.
Is this a bug and/or is there a better way to do inbound only blocks for all traffic?
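Added example (not from the post and not csf's own code): a small Python check that parses csf.deny entries in the advanced `proto|direction|d=ports|s=source` syntax quoted above and reports what the list actually covers. It contrasts a safe collapse (only adjacent or nested networks are merged, so coverage never widens) with the single smallest prefix that contains every entry, which is the kind of over-broad rule the post describes. For the eight entries quoted that covering prefix is 64.0.0.0/8; a constructed extra entry (104.16.0.0/12, labelled as such) shows how one entry elsewhere in 64-127 widens it to 64.0.0.0/2. Assumptions: the two fields without `=` are protocol and direction in that order, and the parser does not reproduce csf's internal aggregation logic, it only measures the list.

```python
import ipaddress

# Constructed sample: the eight csf.deny entries quoted in the post, in csf's
# advanced-port syntax (proto|direction|d=ports|s=source # comment).
SAMPLE_DENY = """\
tcp|in|d=1_65535|s=64.62.128.0/17 # do not delete
tcp|in|d=1_65535|s=64.71.32.0/19 # do not delete
tcp|in|d=1_65535|s=64.71.128.0/18 # do not delete
tcp|in|d=1_65535|s=64.90.32.0/19 # do not delete
tcp|in|d=1_65535|s=64.91.224.0/19 # do not delete
tcp|in|d=1_65535|s=64.225.0.0/17 # do not delete
tcp|in|d=1_65535|s=64.227.0.0/17 # do not delete
tcp|in|d=1_65535|s=64.235.32.0/19 # do not delete
"""


def parse_csf_deny(text):
    """Parse csf.deny lines into dicts.

    Handles the plain form (an IP or CIDR with an optional '# comment') and the
    advanced form shown in the post. Assumption: in the advanced form the
    fields without '=' are protocol and direction, in that order.
    """
    entries = []
    for raw in text.splitlines():
        body, _, comment = raw.partition("#")
        body = body.strip()
        if not body:
            continue
        entry = {"proto": None, "direction": None, "ports": None,
                 "comment": comment.strip()}
        if "|" in body:
            positional = []
            for field in body.split("|"):
                key, sep, value = field.partition("=")
                if sep:
                    if key == "s":
                        entry["source"] = ipaddress.ip_network(value, strict=False)
                    elif key == "d":
                        entry["ports"] = value
                else:
                    positional.append(key)
            entry["proto"], entry["direction"] = (positional + [None, None])[:2]
        else:
            entry["source"] = ipaddress.ip_network(body, strict=False)
        if "source" in entry:
            entries.append(entry)
    return entries


def collapse_sources(entries):
    """Merge only adjacent or nested networks (ipaddress.collapse_addresses).

    Coverage never grows beyond the union of the inputs."""
    return list(ipaddress.collapse_addresses(e["source"] for e in entries))


def covering_supernet(entries):
    """Smallest single prefix that contains every source network.

    This is what an over-eager 'one rule for the whole list' aggregation
    yields; comparing it with the list shows how much extra space it blocks."""
    nets = [e["source"] for e in entries]
    cover = nets[0]
    while not all(n.subnet_of(cover) for n in nets):
        cover = cover.supernet()
    return cover


def span(network):
    """First and last address covered by a network, as strings."""
    return str(network[0]), str(network[-1])


def overblock(entries):
    """Addresses a single covering prefix blocks that the list itself does not."""
    cover = covering_supernet(entries)
    listed = sum(n.num_addresses for n in collapse_sources(entries))
    return cover.num_addresses - listed


if __name__ == "__main__":
    entries = parse_csf_deny(SAMPLE_DENY)
    print(f"{len(entries)} entries, {len(collapse_sources(entries))} after safe collapse")
    cover = covering_supernet(entries)
    print("single covering prefix:", cover, "spans", *span(cover))
    print("extra addresses that prefix would block:", overblock(entries))
    # Constructed extra entry elsewhere in 64-127 to show the /2 widening.
    wider = parse_csf_deny(SAMPLE_DENY + "tcp|in|d=1_65535|s=104.16.0.0/12\n")
    print("with one more entry in 64-127:", covering_supernet(wider))
```

Run it against a copy of /etc/csf/csf.deny before restarting csf+lfd: if `covering_supernet` comes back much wider than `collapse_sources`, the list contains entries that are far apart, and a single DENYIN rule covering all of them would shut out the whole span the post mentions.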