csf bogon bug
Posted: 15 Jan 2009, 18:18
by marcele
With bogons enabled (LF_BOGON) it blocks interfaces even if they are in the interface "skip" list (using ETH_DEVICE_SKIP). So with it enabled it blocks connecting to internal IPs on eth1 even if eth1 shouldn't have rules applied to it.
Using csf version 4.36 on CentOS 5.
Posted: 15 Jan 2009, 20:51
by Buccleuch
Sorry, but it's not a bug per se...
From the config file:
# Do NOT use this option if your server uses IP's on the bogon list (e.g. this
# is often the case with servers behind a NAT firewall using ip routing)
The only way bogons work along with using something like a 10.0.0.0/8 private network is if you place your public interface in ETH_DEVICE and place your private interface in ETH_DEVICE_SKIP.
This will cause csf to order the rules such that any traffic destined for the ETH_DEVICE_SKIP interface takes precedence over the bogon detection.
If ETH_DEVICE is blank, bogon detection will take precedence over ETH_DEVICE_SKIP.
At least that's how it worked in my limited experience; I've only been testing and playing with CSF/LFD since last night.
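A way to check the ordering Buccleuch describes on a running server, as an added example that is not from this thread or from csf's own code. The csf.conf options named in the comments (ETH_DEVICE, ETH_DEVICE_SKIP, LF_BOGON) are real csf settings and /etc/csf/csf.conf is its real path; the interface names, the 10.0.0.0/8 prefix, the script name and the exact form of the rules in the two sample `iptables -S INPUT` dumps are assumptions, since the thread does not show the rules csf 4.36 actually emits. The script reads a rule dump and reports whether the skipped interface is accepted before any bogon prefix is dropped:

```shell
#!/bin/sh
# Added example, not code from the thread or from csf. Checks that the
# ETH_DEVICE_SKIP interface is accepted in the INPUT chain before any bogon
# prefix is dropped, which is the ordering needed for a private interface to
# keep working with LF_BOGON enabled.
#
# Assumed /etc/csf/csf.conf settings that produce that ordering:
#   ETH_DEVICE = "eth0"        # public interface
#   ETH_DEVICE_SKIP = "eth1"   # private interface carrying 10.0.0.0/8 traffic
#   LF_BOGON = "1"
# followed by `csf -r` to reload the rules.
#
# Live usage (as root):  iptables -S INPUT | sh csf_skip_check.sh eth1 10.0.0.0/8
# With no arguments the script runs against the constructed samples below.

# skip_before_bogon IFACE CIDR
# Reads `iptables -S INPUT` output on stdin. Exit 0 if the first ACCEPT for
# IFACE comes before the first DROP of CIDR, 1 if the DROP comes first,
# 2 if no ACCEPT for IFACE exists, 3 if no DROP for CIDR exists.
skip_before_bogon() {
    awk -v iface="$1" -v cidr="$2" '
        /^-A INPUT / && index($0, "-i " iface " ") && /-j ACCEPT/ && !acc  { acc  = NR }
        /^-A INPUT / && index($0, "-s " cidr " ")  && /-j DROP/   && !drop { drop = NR }
        END {
            if (!acc)  { print "no ACCEPT rule for " iface " in INPUT"; exit 2 }
            if (!drop) { print "no DROP rule for " cidr " in INPUT";  exit 3 }
            if (acc < drop) {
                print "OK: " iface " accepted at rule " acc ", bogon " cidr " dropped at rule " drop
                exit 0
            }
            print "BAD: bogon " cidr " dropped at rule " drop " before " iface " is accepted at rule " acc
            exit 1
        }'
}

# Constructed sample dumps (assumed rule forms, not captured from a real box).
# GOOD: eth0 in ETH_DEVICE, eth1 in ETH_DEVICE_SKIP; the skip ACCEPT is first.
SAMPLE_GOOD='-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth1 -j ACCEPT
-A INPUT -s 10.0.0.0/8 -j DROP
-A INPUT -s 192.168.0.0/16 -j DROP
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT'

# BAD: ETH_DEVICE left blank; the bogon DROPs land ahead of the skip ACCEPT,
# so 10.0.0.0/8 traffic arriving on eth1 never reaches the ACCEPT.
SAMPLE_BAD='-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -s 10.0.0.0/8 -j DROP
-A INPUT -s 192.168.0.0/16 -j DROP
-A INPUT -i eth1 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT'

if [ $# -ge 2 ]; then
    skip_before_bogon "$1" "$2"      # live dump on stdin
else
    echo "== SAMPLE_GOOD (eth0 in ETH_DEVICE, eth1 in ETH_DEVICE_SKIP) =="
    printf '%s\n' "$SAMPLE_GOOD" | skip_before_bogon eth1 10.0.0.0/8
    echo "== SAMPLE_BAD (ETH_DEVICE left blank) =="
    printf '%s\n' "$SAMPLE_BAD" | skip_before_bogon eth1 10.0.0.0/8 || true
fi
```

The check only looks at the INPUT chain; if the private side also needs to originate connections, run the same idea over `iptables -S OUTPUT` with `-o` in place of `-i`. The rule forms in the samples are what a plain `-i eth1 -j ACCEPT` skip rule and per-prefix bogon drops would look like; if csf emits them differently on your version, adjust the two `index()` matches to the rules you actually see in the dump.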
Posted: 17 Jan 2009, 16:04
by chirpy
Buccleuch is correct; however, I will look into the placement of the ETH_DEVICE_SKIP rules in the chains.
Thanks for the info
Posted: 19 Jan 2009, 18:12
by marcele
Thanks for the info, guys. I wasn't aware that you had to explicitly add the device to ETH_DEVICE... I always had it blank and just added my internal eth1 device to ETH_DEVICE_SKIP. This was always working in the past. I only had this issue after updating csf; something must have changed.