csf and advanced filters

Posted: 25 May 2007, 00:52
by deviancelabs
I noticed that filtering based on UID or GID of source packet in "csf.allow" works only if "d=port" is specified.
I think it would be nice to make "s/d=port" setting optional (unless you had a good reason to design it like that)

Relevant code in csf.pl:line 852:

if (($uid or $gid) and $dport) {

should be

if ($uid or $gid) {

Cheers
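To make the effect of that guard concrete, here is a small Python model of how a csf.allow advanced line is split into fields and when the UID/GID part turns into an iptables owner match. This is an added illustration, not code from csf or from anyone in this thread: the field layout it parses, [proto]|[in/out]|[s/d=port]|[s/d=ip]|[u=uid]|[g=gid], and the convention that an s=/d= value containing "." or "/" is an address rather than a port, are assumptions about csf's syntax. The `silently_ignored` audit lists rules that looked like they restricted traffic to a user or group but, under the old `and $dport` guard, did not.

```python
"""Model of the csf.allow advanced-filter guard from the thread.

Added illustration; this is not csf's own code. The field layout assumed
here, [proto]|[in/out]|[s/d=port]|[s/d=ip]|[u=uid]|[g=gid], is an assumption
about csf's advanced-filter syntax, as is treating an s=/d= value that
contains "." or "/" as an address instead of a port.
"""
from dataclasses import dataclass


@dataclass
class Rule:
    proto: str = ""
    direction: str = ""
    sport: str = ""
    dport: str = ""
    sip: str = ""
    dip: str = ""
    uid: str = ""
    gid: str = ""


def parse_rule(line: str) -> Rule:
    """Split one advanced-filter line into its fields."""
    fields = [f.strip() for f in line.split("|")]
    rule = Rule(proto=fields[0], direction=fields[1] if len(fields) > 1 else "")
    for f in fields[2:]:
        key, _, value = f.partition("=")
        is_addr = "." in value or "/" in value  # assumption: address vs port
        if key == "s":
            if is_addr:
                rule.sip = value
            else:
                rule.sport = value
        elif key == "d":
            if is_addr:
                rule.dip = value
            else:
                rule.dport = value
        elif key == "u":
            rule.uid = value
        elif key == "g":
            rule.gid = value
        else:
            raise ValueError("unknown field %r in %r" % (f, line))
    return rule


def owner_match(rule: Rule, require_dport: bool) -> list:
    """iptables owner-match arguments the rule produces, or [] if the guard drops them.

    require_dport=True  models the old guard:   if (($uid or $gid) and $dport)
    require_dport=False models the v2.72 guard: if ($uid or $gid)
    """
    if not (rule.uid or rule.gid):
        return []
    if require_dport and not rule.dport:
        return []  # old behaviour: uid/gid silently ignored without d=port
    args = ["-m", "owner"]
    if rule.uid:
        args += ["--uid-owner", rule.uid]
    if rule.gid:
        args += ["--gid-owner", rule.gid]
    return args


def silently_ignored(allow_text: str) -> list:
    """Lines whose UID/GID part the old guard drops but the new guard keeps.

    Audit for a csf.allow written before v2.72: each returned rule appeared to
    restrict traffic to a user or group but never emitted an owner match.
    """
    dropped = []
    for raw in allow_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # csf.allow permits # comments
        if not line:
            continue
        rule = parse_rule(line)
        if owner_match(rule, True) != owner_match(rule, False):
            dropped.append(line)
    return dropped


# Constructed sample csf.allow content (not taken from the thread)
SAMPLE_ALLOW = """\
# proxy: outbound by uid only, no ports known
tcp|out|u=squid
# rtorrent: outbound by source port plus gid
tcp|out|s=6881|g=rtorrent
# outbound fetch pinned to a destination port: worked under both guards
tcp|out|d=80|u=squid
# plain inbound rule with no owner: unaffected either way
tcp|in|d=22|s=192.0.2.10
"""

if __name__ == "__main__":
    for line in silently_ignored(SAMPLE_ALLOW):
        print("owner match ignored before v2.72:", line)
</```

Running it against a real csf.allow tells you which owner-based rules were only taking effect once v2.72 removed the restriction, which is worth knowing before assuming an older deployment was enforcing them.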

Posted: 25 May 2007, 16:06
by chirpy
The reason that it was done that way was under the idea that a connection from a source port would indicate an incoming connection, which wouldn't have an associated UID or GID. Is your case that you're trying to trap an outgoing connection with a particular source port? Those are usually going to be pretty rare as most blocks are usually done with a destination port in mind.

Posted: 25 May 2007, 18:29
by deviancelabs
I see your point here but in my opinion, enforcing a thing like this in your script defeats the whole purpose of "advanced filtering" and kind of gets away from the idea of flexibility that csf is so popular for.
Even if the cases where filtering is done based on source port and/or UID/GID only are rare, I'd say it's worth having this option there and letting the user choose their setup.

And to mention only a couple of the cases I've been faced with where csf kind of got in the way and caused problems:
1. a squid/proxy installation needs to be allowed to make outgoing connections based on UID only as it is impossible to say which source or destination port it uses.
2. a text/ncurses bittorrent client like rtorrent needs to be allowed to make outgoing connections based on source port and UID/GID as again, destination ports would be impossible to specify.

Hope this is reason enough for you to implement the functionality I mentioned in my previous post :) Thanks!

Posted: 29 May 2007, 16:35
by chirpy
I've removed the restriction in v2.72 :)

Posted: 29 May 2007, 16:39
by deviancelabs
So I noticed :) Thanks and keep up the good work!