Global allow / DYNDNS issues after upgrade

Posted: 10 Sep 2008, 19:01
by chase
I first noticed these two issues after an auto-upgrade to 4.02, and they persist in 4.04.

1. Global allow rules not being updated
I have a GLOBAL_ALLOW url specified in my configuration file. Upon CSF/LFD initialization (or manual restart), these rules are applied correctly:

[INDENT]Chain GALLOW (2 references)
num pkts bytes target prot opt in out source destination
1 0 0 ACCEPT tcp -- eth+ * 216.239.32.0/19 0.0.0.0/0 tcp dpt:25
2 0 0 ACCEPT tcp -- eth+ * 64.233.160.0/19 0.0.0.0/0 tcp dpt:25
3 0 0 ACCEPT tcp -- eth+ * 66.249.80.0/20 0.0.0.0/0 tcp dpt:25
4 0 0 ACCEPT tcp -- eth+ * 72.14.192.0/18 0.0.0.0/0 tcp dpt:25
5 0 0 ACCEPT tcp -- eth+ * 209.85.128.0/17 0.0.0.0/0 tcp dpt:25
6 0 0 ACCEPT tcp -- eth+ * 66.102.0.0/20 0.0.0.0/0 tcp dpt:25
7 0 0 ACCEPT tcp -- eth+ * 74.125.0.0/16 0.0.0.0/0 tcp dpt:25
8 0 0 ACCEPT tcp -- eth+ * 64.18.0.0/20 0.0.0.0/0 tcp dpt:25
9 0 0 ACCEPT tcp -- eth+ * 207.126.144.0/20 0.0.0.0/0 tcp dpt:25[/INDENT]

However, as soon as the first LF_GLOBAL auto-update interval occurs, the rules are all removed:

[INDENT]Chain GALLOW (2 references)
num pkts bytes target prot opt in out source destination[/INDENT]

When this happens, the LFD log still shows a normal message:
[INDENT]lfd: Global Allow - retrieved and allowing IP address ranges[/INDENT]

2. DYNDNS addresses being denied access in some instances
I have a server IP address listed in csf.sips. In previous versions, access to this IP was still granted to both DYNDNS addresses and source IP addresses specified in csf.allow.

However, in the current version, DYNDNS addresses are now blocked to this destination, while sources in csf.allow are still allowed through.

While this may not be a bug in and of itself, I feel that for the sake of consistency, one of the following should happen when IP addresses are listed in csf.sips:
  • DYNDNS and csf.allow sources should both be allowed through (preferably, as this was the behavior in previous versions), or
  • DYNDNS and csf.allow sources should both be blocked
You really do an outstanding job of maintaining this product...thanks so much for the amount of time you invest in it!
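The failure described in issue 1 is a refresh that replaces a populated chain with an empty one while still logging "retrieved and allowing". The following is an added example, not CSF/LFD code, of how a GLOBAL_ALLOW-style refresh can guard against that: it parses the downloaded list first, refuses to flush the chain if the list is empty or contains a malformed entry, and recounts the live chain afterwards. It assumes a feed format of one IPv4 CIDR per line with `#` comments, the `GALLOW` chain, `eth+` and port 25 from the listing above; the feed text and listings are constructed samples, and with `dry_run=True` it only prints the iptables commands it would run.

```python
import ipaddress
import subprocess
from typing import List, Optional

CHAIN = "GALLOW"   # chain name from the post's iptables listing
IFACE = "eth+"
DPORT = 25

# Constructed sample feed. Assumed format: one IPv4 CIDR per line, '#' comments allowed.
SAMPLE_LIST = """\
# constructed sample feed, not a real GLOBAL_ALLOW URL
216.239.32.0/19
64.233.160.0/19   # trailing comment
66.249.80.0/20

2001:db8::/32     # IPv6 skipped: this example manages an IPv4 chain only
"""

# `iptables -L GALLOW -n --line-numbers` output in the shape quoted in the post (constructed).
LISTING_EMPTY = """\
Chain GALLOW (2 references)
num   pkts bytes target prot opt in   out source          destination
"""
LISTING_TWO = LISTING_EMPTY + """\
1        0     0 ACCEPT tcp  --  eth+ *   216.239.32.0/19 0.0.0.0/0  tcp dpt:25
2        0     0 ACCEPT tcp  --  eth+ *   64.233.160.0/19 0.0.0.0/0  tcp dpt:25
"""


def parse_allow_list(text: str) -> List[str]:
    """Return the valid IPv4 networks in a feed; raise ValueError on any malformed entry.

    A single bad line aborts the whole refresh instead of being silently dropped,
    so a truncated or garbled download cannot shrink the allow set unnoticed.
    """
    nets = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError as exc:
            raise ValueError(f"line {lineno}: bad entry {entry!r}: {exc}") from None
        if net.version == 4:
            nets.append(str(net))
    return nets


def count_chain_rules(listing: str) -> int:
    """Count numbered rules in an `iptables -L ... --line-numbers` listing."""
    count = 0
    for line in listing.splitlines():
        fields = line.split()
        if fields and fields[0].isdigit():
            count += 1
    return count


def applied_ok(listing: str, expected: int) -> bool:
    """Post-refresh check: the live chain must hold exactly the expected number of rules."""
    return count_chain_rules(listing) == expected


def build_rules(nets: List[str]) -> List[List[str]]:
    """Translate validated networks into the iptables commands that rebuild CHAIN."""
    if not nets:
        raise RuntimeError(f"refusing to flush {CHAIN}: new list is empty")
    cmds = [["iptables", "-F", CHAIN]]
    for net in nets:
        cmds.append(["iptables", "-A", CHAIN, "-i", IFACE, "-p", "tcp",
                     "-s", net, "--dport", str(DPORT), "-j", "ACCEPT"])
    return cmds


def refresh_chain(feed_text: str, dry_run: bool = True) -> Optional[List[List[str]]]:
    """Rebuild CHAIN from a freshly fetched feed, or keep the old rules if the feed is unusable.

    Returns the commands that were (or would be) executed, or None when the refresh was
    skipped. The flush is issued only after the whole feed has parsed successfully.
    """
    try:
        cmds = build_rules(parse_allow_list(feed_text))
    except (ValueError, RuntimeError) as exc:
        print(f"{CHAIN} not touched: {exc}")
        return None
    for cmd in cmds:
        if dry_run:
            print(" ".join(cmd))
        else:
            subprocess.run(cmd, check=True)  # raises if iptables rejects a rule
    return cmds


if __name__ == "__main__":
    refresh_chain(SAMPLE_LIST)              # prints the flush plus three ACCEPT rules
    refresh_chain("")                       # prints that GALLOW was not touched
    print(count_chain_rules(LISTING_TWO))   # 2
```

After a real (non-dry-run) refresh, feed the output of `iptables -L GALLOW -n --line-numbers` to `applied_ok` with the number of networks parsed; a mismatch is the condition worth logging loudly, since a generic "retrieved and allowing" message says nothing about whether the rules actually landed.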

Posted: 10 Sep 2008, 22:35
by chirpy
I'll address the DYNDNS and SIPS issues in the next release.

I am unable to reproduce the GALLOW issue at present (it's working OK for me).

Posted: 10 Sep 2008, 22:40
by chirpy
For the GALLOW issue, do check in /usr/local/apache/logs/error_log that mod_security isn't blocking the connection.

Posted: 10 Sep 2008, 22:58
by chirpy
I've found the GALLOW/GDENY problem and will work on a fix.

Posted: 10 Sep 2008, 23:23
by chirpy
All of these issues should now have been addressed in v4.06 which I've just released.