Port Ranges in csf.allow not working after (auto) upgrade to v4.02
Posted: 09 Sep 2008, 19:01
Hello,
I am experiencing an issue with v4.02 after an intended automatic upgrade early this morning; it seems that our custom port range specified for TeamSpeak voice service over UDP is being blocked for inbound and outbound traffic.
Here are two of many syslog entries indicating the blocks (munged):
Code:
Sep 9 12:38:30 servername kernel: Firewall: *UDP_IN Blocked* IN=eth1 OUT= MAC=00:30:48:2c:90:ff:00:1e:13:ca:4a:bf:08:00 SRC=70.171.6.X DST=1.2.3.4 LEN=208 TOS=0x00 PREC=0x00 TTL=121 ID=3609 PROTO=UDP SPT=58297 DPT=8714 LEN=188
Sep 9 12:49:19 servername kernel: Firewall: *UDP_OUT Blocked* IN= OUT=eth1 SRC=1.2.3.4 DST=62.146.63.X LEN=431 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=8714 DPT=45647 LEN=411
Here are the rules that were working in v3.43 and now appear to no longer work in v4.02 (also munged, but matches the above log entries):
Code:
udp:in:d=8701_8799:d=1.2.3.4
udp:out:s=8701_8799:s=1.2.3.4
I want to note that it appears the single-port rules seem to work great and without issue, but the port-ranges specified are no longer working as they once were.
My only resolution within CSF v4.02 thus far is to add the port range to the server-wide UDP allow lists (UDP_IN & UDP_OUT); this is the only method I found to make it work, but at a great disadvantage to security.
Please let me know if you need any additional debugging information or a ticket lodged to help troubleshoot.
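An added example (not part of the original post, and not csf's own code): a Python check that cross-references blocked-packet log lines against csf.allow advanced rules, to confirm which blocks an existing allow rule should have covered. It assumes the colon-separated rule form and underscore port ranges shown in the post and a single IPv4 address per rule; all function names are hypothetical.

```python
import re

# Rules and log lines as given in the post (munged values kept verbatim).
RULES = ["udp:in:d=8701_8799:d=1.2.3.4", "udp:out:s=8701_8799:s=1.2.3.4"]
LOGS = [
    "Sep 9 12:38:30 servername kernel: Firewall: *UDP_IN Blocked* IN=eth1 OUT= "
    "MAC=00:30:48:2c:90:ff:00:1e:13:ca:4a:bf:08:00 SRC=70.171.6.X DST=1.2.3.4 LEN=208 "
    "TOS=0x00 PREC=0x00 TTL=121 ID=3609 PROTO=UDP SPT=58297 DPT=8714 LEN=188",
    "Sep 9 12:49:19 servername kernel: Firewall: *UDP_OUT Blocked* IN= OUT=eth1 "
    "SRC=1.2.3.4 DST=62.146.63.X LEN=431 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF "
    "PROTO=UDP SPT=8714 DPT=45647 LEN=411",
]

def parse_rule(rule):
    """Split proto:dir:s|d=ports:s|d=ip; ports may be a list and/or lo_hi ranges."""
    proto, direction, port_part, ip_part = rule.strip().split(":")
    port_side, ports = port_part.split("=", 1)
    ip_side, ip = ip_part.split("=", 1)
    ranges = []
    for item in ports.split(","):
        lo, _, hi = item.partition("_")
        ranges.append((int(lo), int(hi or lo)))  # single port -> (p, p)
    return {"proto": proto.lower(), "dir": direction.lower(),
            "port_side": port_side, "ranges": ranges,
            "ip_side": ip_side, "ip": ip}

def parse_log(line):
    """Extract KEY=value fields from an iptables LOG line."""
    f = dict(re.findall(r"\b([A-Z]+)=(\S*)", line))
    # An empty IN= means the packet was generated locally, i.e. outbound.
    return {"proto": f["PROTO"].lower(), "dir": "in" if f.get("IN") else "out",
            "s_ip": f["SRC"], "d_ip": f["DST"],
            "s_port": int(f["SPT"]), "d_port": int(f["DPT"])}

def rule_covers(rule, pkt):
    """True when the rule's protocol, direction, IP and port range match pkt."""
    r = parse_rule(rule)
    port = pkt[r["port_side"] + "_port"]
    return (r["proto"] == pkt["proto"] and r["dir"] == pkt["dir"]
            and pkt[r["ip_side"] + "_ip"] == r["ip"]
            and any(lo <= port <= hi for lo, hi in r["ranges"]))

def unexpected_blocks(rules, logs):
    """Return (rule, log line) pairs where an allow rule covers a blocked packet."""
    return [(rule, line) for line in logs for rule in rules
            if rule_covers(rule, parse_log(line))]

if __name__ == "__main__":
    for rule, line in unexpected_blocks(RULES, LOGS):
        print(f"{rule} should have allowed: {line}")
```

Each pair returned is a block that contradicts an allow rule, which is the evidence worth attaching to a bug report instead of widening UDP_IN and UDP_OUT.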