
understanding temporary allow outbound

Posted: 24 Aug 2014, 12:54
by aww+
I realized this week that I may not properly understand the -ta mode of csf.

So now we have to punch a hole through the firewall to allow csf upgrades

so at first glance I tried this

/usr/sbin/csf -ta 85.10.199.177 60 -p80 -dout

But nope, that won't work.

Tried -dinout, but nope, that is not the problem.

So maybe the port is not the destination port but the local port, and there is no control over the local port used for the outbound connection:

/usr/sbin/csf -ta 85.10.199.177 60 -dout

Nope, that doesn't work either; it needs to be -dinout.

So in the end, this is all that works

/usr/sbin/csf -ta 85.10.199.177 60

Do we maybe need to request an option for destination port instead of local port?

And why doesn't just -dout work, why would it need inbound acceptance? It's not ftp, it is http.

Re: understanding temporary allow outbound

Posted: 24 Aug 2014, 17:57
by ForumAdmin
You have to use spaces after the options, so:

Code:

csf -ta 85.10.199.177 60 -p 80 -d out

Re: understanding temporary allow outbound

Posted: 24 Aug 2014, 21:57
by aww+
ForumAdmin wrote: You have to use spaces after the options, so:

Code:

csf -ta 85.10.199.177 60 -p 80 -d out
bash usually figures out spaceless options on its own and can tolerate them.

But even trying it with spaces fails so it is not that simple.

I am pretty sure it is because 80 is the destination port, not the local port, and -p means the local port, which is chosen at random for outbound.

So there is no actual way to do allows based on destination ports.

But the restriction on outbound also fails in itself for reasons I do not understand; I have to allow inout for it to work.

Re: understanding temporary allow outbound

Posted: 25 Aug 2014, 10:26
by ForumAdmin
bash usually figures out spaceless options on its own and can tolerate them
That has nothing to do with bash. It is a Perl script interpreting the command line, and you may have problems if you try to use spaceless command options, so they should be discouraged.

Currently, csf does not apply outgoing port specific temporary allows/denies correctly. It will always allow access via all outgoing ports regardless of the port specified. This will be corrected in the next release.

Re: understanding temporary allow outbound

Posted: 25 Aug 2014, 12:21
by aww+
Thanks for the quick response.

I upgraded to 7.15 and then tried this again:

csf -ta 85.10.199.177 60 -d out

which strangely still fails to reach download.configserver.com

I have to leave off the -d out for it to work

Am I misunderstanding how the http protocol works, shouldn't only outbound be needed?

For the record, this also still fails for 7.15

csf -ta 85.10.199.177 60 -p 80

and this fails

csf -ta 85.10.199.177 60 -d inout -p 80

So it probably has to do with the random local port vs remote port still.

In any case I can live with just the full open for a minute.
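The whole thread turns on which side of the connection "-p" refers to and why an outbound-only allow still needs something on the INPUT chain. The script below is an added example and is not csf's own code (csf builds its rules in Perl, and the thread never settles how it interprets -p). It prints the iptables rules that a temporary allow for one remote host and one TCP port reduces to, reading the port as the remote port for "out" and as the local port for "in" (an assumption made here, not something the thread confirms). It runs without root by default; pass "apply" as the fifth argument to actually insert the rules and schedule their removal after the given number of seconds.

```shell
#!/bin/sh
# Added example, not csf's implementation. Emits the iptables rules that a
# "temporary allow <ip> <seconds> -p <port> -d <dir>" should reduce to, so the
# destination-port vs local-port question can be reasoned about line by line.
#
#   gen_ta_rules <I|D> <ip> <tcp port> <in|out|inout>
#     I = insert the rules, D = delete the same rules again.

gen_ta_rules() {
    act=$1 ip=$2 port=$3 dir=$4
    case $act in I|D) ;; *) echo "action must be I or D" >&2; return 1 ;; esac
    case $dir in in|out|inout) ;; *) echo "direction must be in, out or inout" >&2; return 1 ;; esac
    case $port in ''|*[!0-9]*) echo "port must be numeric" >&2; return 1 ;; esac

    if [ "$dir" = out ] || [ "$dir" = inout ]; then
        # We connect TO $ip:$port. On the OUTPUT chain the remote port is the
        # DESTINATION port. Our own (local) port is picked at random by the
        # kernel, so a rule on --sport would never match an outbound HTTP fetch.
        echo "iptables -$act OUTPUT -p tcp -d $ip --dport $port -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT"
        # The HTTP response arrives on INPUT with the remote port as its SOURCE
        # port. Only packets of an already tracked connection are accepted, so
        # this does not open the server to new inbound connections from $ip.
        echo "iptables -$act INPUT -p tcp -s $ip --sport $port -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    fi
    if [ "$dir" = in ] || [ "$dir" = inout ]; then
        # $ip connects to OUR port $port: here the port really is the local one.
        echo "iptables -$act INPUT -p tcp -s $ip --dport $port -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT"
        echo "iptables -$act OUTPUT -p tcp -d $ip --sport $port -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    fi
}

# temp_allow <ip> <seconds> <tcp port> <in|out|inout> [dry|apply]
# "dry" (default) prints what would run; "apply" inserts the rules and removes
# them again after <seconds>, which needs root and a working iptables.
temp_allow() {
    ip=$1 ttl=$2 port=$3 dir=$4 mode=${5:-dry}
    case $ttl in ''|*[!0-9]*) echo "ttl must be numeric seconds" >&2; return 1 ;; esac
    if [ "$mode" = apply ]; then
        gen_ta_rules I "$ip" "$port" "$dir" | sh || return 1
        ( sleep "$ttl"; gen_ta_rules D "$ip" "$port" "$dir" | sh ) &
    else
        gen_ta_rules I "$ip" "$port" "$dir" || return 1
        echo "sleep $ttl"
        gen_ta_rules D "$ip" "$port" "$dir"
    fi
}

# The case from the thread: outbound HTTP to the csf download host for 60 s.
temp_allow 85.10.199.177 60 80 out
```

With "out", the only INPUT rule emitted matches ESTABLISHED,RELATED replies with source port 80, which is the narrowest thing that still lets the HTTP response through; an "inout" allow additionally accepts NEW connections from the remote host to local port 80, which an upgrade download does not need. After applying, `iptables -S OUTPUT | grep 85.10.199.177` shows whether the rule is actually in place.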