Temporary ban not complete ban.

Posted: 24 Mar 2014, 06:28
by Sergio
Hi,
just to report the following.

When an IP is added to the temporary list CSF.TEMP, the firewall rules created are as follows:
Chain num pkts bytes target prot opt in out source destination

DENYIN 50 0 0 DROP all -- !lo * 123.123.123.123 0.0.0.0/0

PREROUTING 68 0 0 REDIRECT tcp -- !lo * 123.123.123.123 0.0.0.0/0 multiport dports 80,2082,2095 redir ports 8888
PREROUTING 69 0 0 REDIRECT tcp -- !lo * 123.123.123.123 0.0.0.0/0 multiport dports 21 redir ports 8889


ip6tables:

Chain num pkts bytes target prot opt in out source destination
No matches found for 123.123.123.123 in ip6tables

Temporary Blocks: IP:123.123.123.123 Port: Dir:in TTL:50 (Manually added)
And when an IP is blocked in CSF.DENY, the IP rules created are:
Chain num pkts bytes target prot opt in out source destination

DENYIN 49 0 0 DROP all -- !lo * 123.123.123.123 0.0.0.0/0

DENYOUT 48 0 0 DROP all -- * !lo 0.0.0.0/0 123.123.123.123

PREROUTING 66 0 0 REDIRECT tcp -- !lo * 123.123.123.123 0.0.0.0/0 multiport dports 80,2082,2095 redir ports 8888
PREROUTING 67 0 0 REDIRECT tcp -- !lo * 123.123.123.123 0.0.0.0/0 multiport dports 21 redir ports 8889


ip6tables:

Chain num pkts bytes target prot opt in out source destination
No matches found for 123.123.123.123 in ip6tables

csf.deny: 123.123.123.123 # do not delete - Mon Mar 24 01:25:12 2014

...Done.
Why are TEMP bans only blocked IN and not OUT?

Re: Temporary ban not complete ban.

Posted: 24 Mar 2014, 11:55
by ForumAdmin
That is normal. Blocks in csf.deny will be in/out unless otherwise configured and/or added through csf startup. Temp blocks will be in only if you have LF_SELECT enabled and LF_TRIGGER disabled.

Re: Temporary ban not complete ban.

Posted: 24 Mar 2014, 13:38
by Sergio
Thanks for the explanation.

I was checking on why, when my script uses /usr/sbin/csf -dr $ip, csf sometimes doesn't delete the complete IP, and I found some IPs in DENYIN and some in DENYOUT. Very weird, up to the point that I have created a cron to let me know when there are discrepancies on both files, and that is what showed me that the temporary bans only created one rule (that is not the error that I am checking, by the way).

I still haven't found why CSF is not deleting both rules.
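The discrepancy check described in the post above, written out as an added example (it is not Sergio's cron script and not part of CSF): it reads the IPs listed in csf.deny, looks at `csf -g`-style output for each one in the column layout quoted earlier in the thread, and reports any permanent ban that is not dropped in both directions. The csf.deny contents and the per-IP `csf -g` output are constructed sample text embedded inline so the script runs offline; on a real server you would replace the `CSF_G_OUTPUT` dictionary with the output of `csf -g <ip>` for each address.

```python
import re
from typing import Dict, List, Set

# Constructed sample of csf.deny contents (same line format as quoted in the thread).
CSF_DENY = """# csf.deny - constructed sample for this example
123.123.123.123 # do not delete - Mon Mar 24 01:25:12 2014
198.51.100.7 # constructed entry, added for the example
"""

# Constructed sample of `csf -g <ip>` output per IP, in the column layout quoted in the thread.
# 123.123.123.123 is dropped both ways; 198.51.100.7 only has a DENYIN rule, i.e. the
# half-deleted state the post describes.
CSF_G_OUTPUT: Dict[str, str] = {
    "123.123.123.123": """Chain num pkts bytes target prot opt in out source destination
DENYIN 49 0 0 DROP all -- !lo * 123.123.123.123 0.0.0.0/0
DENYOUT 48 0 0 DROP all -- * !lo 0.0.0.0/0 123.123.123.123
PREROUTING 66 0 0 REDIRECT tcp -- !lo * 123.123.123.123 0.0.0.0/0 multiport dports 80,2082,2095 redir ports 8888
""",
    "198.51.100.7": """Chain num pkts bytes target prot opt in out source destination
DENYIN 51 0 0 DROP all -- !lo * 198.51.100.7 0.0.0.0/0
""",
}

# Matches an IPv4 address at the start of a csf.deny line; comment text after '#' is ignored.
IP_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\b")


def deny_list_ips(deny_text: str) -> List[str]:
    """Return the IPs listed in csf.deny, skipping blank and comment-only lines."""
    ips = []
    for line in deny_text.splitlines():
        m = IP_RE.match(line.strip())
        if m:
            ips.append(m.group(1))
    return ips


def block_directions(csf_g_text: str, ip: str) -> Set[str]:
    """Directions ('in'/'out') in which `ip` is DROPped, parsed from `csf -g` style output.

    Column order is the one shown in the thread:
    chain num pkts bytes target prot opt in out source destination
    """
    dirs: Set[str] = set()
    for line in csf_g_text.splitlines():
        fields = line.split()
        if len(fields) < 11:
            continue  # header, blank, or "No matches found" lines
        chain, target, source, dest = fields[0], fields[4], fields[9], fields[10]
        if target != "DROP":
            continue  # REDIRECT rules in PREROUTING are not blocks
        if chain == "DENYIN" and source == ip:
            dirs.add("in")
        elif chain == "DENYOUT" and dest == ip:
            dirs.add("out")
    return dirs


def find_incomplete_blocks(deny_text: str, outputs: Dict[str, str]) -> Dict[str, Set[str]]:
    """Map each csf.deny IP that is not blocked in both directions to the directions it is missing.

    Permanent entries are expected in/out (per the admin's reply); an IP with no `csf -g`
    output at all is reported as missing both directions.
    """
    missing: Dict[str, Set[str]] = {}
    for ip in deny_list_ips(deny_text):
        have = block_directions(outputs.get(ip, ""), ip)
        gap = {"in", "out"} - have
        if gap:
            missing[ip] = gap
    return missing


if __name__ == "__main__":
    for ip, gap in sorted(find_incomplete_blocks(CSF_DENY, CSF_G_OUTPUT).items()):
        print(f"{ip}: in csf.deny but not blocked {', '.join(sorted(gap))}")
```

Run from cron, the script would only print when a permanent ban has lost one of its two DROP rules, which is exactly the condition the post is tracking; temporary blocks are not read from csf.deny, so their in-only rules do not trigger a report.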

Re: Temporary ban not complete ban.

Posted: 26 Mar 2014, 19:23
by Sergio
Update: solved.

Finally, I discovered that CSF needs some time to do multiple csf -dr, so I added a wait of 2 seconds between each IP deletion, and so far so good.