Temporary ban not complete ban.

Sergio
Junior Member
Posts: 1712
Joined: 12 Dec 2006, 14:56

Temporary ban not complete ban.

Post by Sergio »

Hi,
just to report the following.

When an IP is added to the temporary list CSF.TEMP, the firewall rules created are as follows:
Chain num pkts bytes target prot opt in out source destination

DENYIN 50 0 0 DROP all -- !lo * 123.123.123.123 0.0.0.0/0

PREROUTING 68 0 0 REDIRECT tcp -- !lo * 123.123.123.123 0.0.0.0/0 multiport dports 80,2082,2095 redir ports 8888
PREROUTING 69 0 0 REDIRECT tcp -- !lo * 123.123.123.123 0.0.0.0/0 multiport dports 21 redir ports 8889


ip6tables:

Chain num pkts bytes target prot opt in out source destination
No matches found for 123.123.123.123 in ip6tables

Temporary Blocks: IP:123.123.123.123 Port: Dir:in TTL:50 (Manually added)
And when an IP is blocked in CSF.DENY, the IP rules created are:
Chain num pkts bytes target prot opt in out source destination

DENYIN 49 0 0 DROP all -- !lo * 123.123.123.123 0.0.0.0/0

DENYOUT 48 0 0 DROP all -- * !lo 0.0.0.0/0 123.123.123.123

PREROUTING 66 0 0 REDIRECT tcp -- !lo * 123.123.123.123 0.0.0.0/0 multiport dports 80,2082,2095 redir ports 8888
PREROUTING 67 0 0 REDIRECT tcp -- !lo * 123.123.123.123 0.0.0.0/0 multiport dports 21 redir ports 8889


ip6tables:

Chain num pkts bytes target prot opt in out source destination
No matches found for 123.123.123.123 in ip6tables

csf.deny: 123.123.123.123 # do not delete - Mon Mar 24 01:25:12 2014

...Done.
Why are TEMP bans only blocked IN and not OUT?
ForumAdmin
Moderator
Posts: 1524
Joined: 01 Oct 2008, 09:24

Re: Temporary ban not complete ban.

Post by ForumAdmin »

That is normal. Blocks in csf.deny will be in/out unless otherwise configured and/or added through csf startup. Temp blocks will be in only if you have LF_SELECT enabled and LF_TRIGGER disabled.
Sergio
Junior Member
Posts: 1712
Joined: 12 Dec 2006, 14:56

Re: Temporary ban not complete ban.

Post by Sergio »

Thanks for the explanation.

Checking on why, when my script uses /usr/sbin/csf -dr $ip, csf sometimes doesn't delete the complete IP, I found some IPs on the DENYIN and some in the DENYOUT. Very weird, up to the point that I have created a cron to let me know when there are discrepancies on both files, and from that I gathered that the temporary bans only created one rule (that is not the error that I am checking, by the way).

Still haven't found why CSF is not deleting both rules.
Sergio
Junior Member
Posts: 1712
Joined: 12 Dec 2006, 14:56

Re: Temporary ban not complete ban.

Post by Sergio »

Update and solved.

Finally, I discovered that CSF needs some time to do multiple csf -dr, so I added a wait state of 2 seconds between each IP deletion, and so far so good.
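As an added example (not code from this thread or from csf itself), a POSIX shell script doing the two things discussed above: comparing DENYIN with DENYOUT to flag addresses present in only one chain, and removing a list of addresses with a pause between csf -dr calls. It assumes iptables listings in `-L <chain> -vn --line-numbers` format; the sample listings and the CSF_BIN/CSF_DELAY overrides are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the forum post or the csf project): a consistency check for
# DENYIN/DENYOUT, plus a paced unblock loop like the one the thread settled on.

# Constructed sample of `iptables -L <chain> -vn --line-numbers` output for both chains.
# Fields: num pkts bytes target prot opt in out source destination.
SAMPLE_DENYIN='Chain DENYIN (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 DROP       all  --  !lo    *       123.123.123.123      0.0.0.0/0
2        0     0 DROP       all  --  !lo    *       198.51.100.7         0.0.0.0/0
3        0     0 DROP       all  --  !lo    *       203.0.113.9          0.0.0.0/0'
SAMPLE_DENYOUT='Chain DENYOUT (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 DROP       all  --  *      !lo     0.0.0.0/0            123.123.123.123
2        0     0 DROP       all  --  *      !lo     0.0.0.0/0            192.0.2.44'

# Report addresses present in only one chain. Temporary blocks legitimately show up as
# "in-only" (see the moderator's reply); a csf.deny entry in one chain only is a discrepancy.
# $1: DENYIN listing, $2: DENYOUT listing (text as captured from iptables).
find_discrepancies() {
    in_ips=$(printf '%s\n' "$1" | awk '$4 == "DROP" { print $9 }' | sort -u)
    out_ips=$(printf '%s\n' "$2" | awk '$4 == "DROP" { print $10 }' | sort -u)
    for ip in $in_ips; do
        printf '%s\n' "$out_ips" | grep -qxF "$ip" || echo "in-only $ip"
    done
    for ip in $out_ips; do
        printf '%s\n' "$in_ips" | grep -qxF "$ip" || echo "out-only $ip"
    done
}

# Remove a list of addresses one at a time, pausing between calls so csf finishes each
# rule change before the next starts. CSF_BIN and CSF_DELAY are hypothetical overrides
# for this example; the defaults match the thread (/usr/sbin/csf -dr, 2 seconds).
unblock_paced() {
    bin=${CSF_BIN:-/usr/sbin/csf}
    delay=${CSF_DELAY:-2}
    for ip in "$@"; do
        "$bin" -dr "$ip" || echo "warning: failed to unblock $ip" >&2
        sleep "$delay"
    done
}

# Stand-alone run against the sample data; on a real host, feed it the output of
# `iptables -L DENYIN -vn --line-numbers` and `iptables -L DENYOUT -vn --line-numbers`.
find_discrepancies "$SAMPLE_DENYIN" "$SAMPLE_DENYOUT"
```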