ConfigServer Community Forum

Posted: **12 Aug 2010, 19:48**

I understand the need to move away from colons (:) as a separator for denying and allowing rules due to upcoming IPv6. Just wondering why pipe (|) was chosen as the alternative? I believe this was introduced in version 5.04.

Reason being, to add a rule to the csf.deny file via the command line you can use the:

Code: Select all

csf -d "tcp|in|d=80|s=xx.xx.xx.xx" Some Comments

But to remove this rule you have to use:

Code: Select all

csf -dr "tcp\|in\|d=80\|s=xx.xx.xx.xx"

to remove a rule you have to escape the pipe's. I'm not sure if this was intentional or an oversight. Or perhaps I am doing something wrong.

At any rate, with the colon separator you don't even have to enter the rule in quotes

Code: Select all

csf -d tcp:in:d=80:s=xx.xx.xx.xx

I'm just wondering if using a different separator, perhaps "+" or "%" would be better

Code: Select all

csf -d tcp%in%d=80%s=xx.xx.xx.xx

Code: Select all

csf -d tcp+in+d=80+s=xx.xx.xx.xx

Using pipes definitely looks better, I won't argue with that. I just thought from a usability standpoint using a delimiter that does not have to be escaped out might be better.

Perhaps this could be better resolved if the command-line removal did not require the pipe characters to be escaped.

Posted: **12 Aug 2010, 20:01**

Actually, I looked into this some more after I submitted this. It looks like the pipe is messing with the regex matching in the line searching.

This is what I am seeing with csf Version 5.09.

This appears to be correctable by escaping the pipe out before any regex searching is done.

On line 844 of csf.pl add the line:

Code: Select all

$ip =~ s/\|/\\|/g;

I am not sure what other subroutines would need this or if line 844 is an optimal placement for this. I suspect that the doakill subroutine would also need this and anything else that does regex searching.

To duplicate this issue and see what I am talking about, add lines into your csf.deny file:

Code: Select all

tcp:in:d=25:s=192.168.0.13
tcp:in:d=443:s=192.168.0.13
192.168.0.100
192.168.0.200
tcp|in|d=110:s=192.168.0.20

Now add a new deny rule from the command line

Code: Select all

csf -d "tcp|in|d=143|s=192.168.0.26"

And then remove that rule from the command line:

Code: Select all

csf -dr "tcp|in|d=143|s=192.168.0.26"

Because the pipe's are not escaped out, either on the command line or the csf.pl script, they are treated as or statements in the regex matching.

Your csf.deny file will now consist of just:

Code: Select all

192.168.0.100
192.168.0.200

Escaping out the pipe characters either on the command line or in the csf.pl script will insure that the regex matching is exact.

Posted: **17 Aug 2010, 09:48**

I'll look into the issue. In the meantime, if you use single quotes instead of double quotes it should overcome the issue.

Posted: **19 Aug 2010, 17:13**

Even with single quotes you have to escape out the pipe characters.

At least that is with my experience using a bash shell.

ConfigServer Community Forum

IPv6 / pipe delimiter

IPv6 / pipe delimiter

Re: IPv6 / pipe delimiter

Re: IPv6 / pipe delimiter

Re: IPv6 / pipe delimiter