Since all traffic destined for its IP does get to the server, it's nice to be able to run CSF/LFD's port scan detection on it.
However, since it's on the LAN, it also receives UDP broadcast packets for a whole bunch of local sharing services, and people running those applications, who are meant to be able to access the server locally, end up blocked.
I made some modifications to regex.pm (on my system, /usr/local/csf/bin/regex.pm) which allow you to put PS_IGNORE_UDP_BROADCAST = "192.168.1.255" in csf.conf (of course, this should be replaced by the LAN broadcast address for any particular site), and then UDP packets to that address, and to the global broadcast address 255.255.255.255, will be ignored for port scan detection.
It would be great if this (or a similar change) could be incorporated into CSF/LFD.
If not (and perhaps even if so), is there a way I can make this change of mine persist through CSF upgrades? At the moment, when CSF upgrades, of course, regex.pm is removed, but I couldn't think of a way to incorporate these changes through regex.custom.pm (maybe because I don't really know Perl). Also I guess part of the upgrade script rewrites the configuration file and removes the PS_IGNORE_UDP_BROADCAST option, too, which would need to be avoided somehow.
Here is my change:
--- /usr/local/csf/bin/regex.pm~ 2014-11-26 09:52:01.585117465 +1100
+++ /usr/local/csf/bin/regex.pm 2014-11-26 09:52:06.849117285 +1100
@@ -460,8 +460,8 @@
if ($line !~ /^(\S+|\S+\s+\d+\s+\S+) \S+ kernel:\s(\[[^\]]+\]\s)?Firewall:/) {return}
if ($line =~ /^(\S+|\S+\s+\d+\s+\S+) \S+ kernel:\s(\[[^\]]+\]\s)?Firewall: \*INVALID\*/ and $config{PS_PORTS} !~ /INVALID/) {return}
- if ($line =~ /IN=\S+.*SRC=(\S+).*PROTO=(\w+).*DPT=(\d+)/) {
- $ip = $1; $proto = $2; $port = $3; $ip =~ s/^::ffff://;
+ if ($line =~ /IN=\S+.*SRC=(\S+).*DST=(\S+).*PROTO=(\w+).*DPT=(\d+)/) {
+ $ip = $1; $dst = $2; $proto = $3; $port = $4; $ip =~ s/^::ffff://;
if ($config{PS_PORTS} !~ /OPEN/) {
my $hit = 0;
if ($proto eq "TCP" and $line =~ /kernel: Firewall: \*TCP_IN Blocked\*/) {
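Review bot: `$dst` is introduced as a new variable in the `+` lines of this hunk but is not declared anywhere visible; if regex.pm runs under `use strict` (as CSF's Perl modules do), add it to the existing `my` declaration alongside `$ip`, `$proto` and `$port`, or the module will fail to compile after the patch. Also note that the added `DST=(\S+)` group is mandatory: any kernel Firewall line lacking a `DST=` field will now fail the whole match and be silently skipped by port scan detection rather than falling through to the old behaviour, and since `$ip` has its `::ffff:` prefix stripped on the next line, `$dst` should get the same `s/^::ffff://` treatment so IPv4-mapped addresses compare correctly later.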
@@ -479,6 +479,10 @@
}
}
elsif ($proto eq "UDP" and $line =~ /kernel:\s(\[[^\]]+\]\s)?Firewall: \*UDP_IN Blocked\*/) {
+ if ($config{PS_IGNORE_UDP_BROADCAST} and ($dst == "255.255.255.255" or $dst == $config{PS_IGNORE_UDP_BROADCAST})) {
+ if ($config{DEBUG} >= 1) {&logfile("debug: *Port Scan* ignored UDP_IN broadcast: $ip:$port")}
+ return;
+ }
foreach my $ports (split(/\,/,$config{UDP_IN})) {
if ($ports =~ /\:/) {
my ($start,$end) = split(/\:/,$ports);
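Review bot: the comparison in the added line `if ($config{PS_IGNORE_UDP_BROADCAST} and ($dst == "255.255.255.255" or $dst == $config{PS_IGNORE_UDP_BROADCAST}))` is a logic bug: `==` is Perl's numeric comparison, so each dotted-quad string is converted to a number by reading only its leading numeric prefix (`"192.168.1.5"` and `"192.168.1.255"` both become `192.168`). With `PS_IGNORE_UDP_BROADCAST = "192.168.1.255"`, blocked UDP packets to every unicast 192.168.x.x address would therefore also be exempted from port scan detection, which defeats the purpose of the check, and under `use warnings` each comparison emits "Argument isn't numeric". Use the string operator `eq` for both comparisons (`$dst eq "255.255.255.255" or $dst eq $config{PS_IGNORE_UDP_BROADCAST}`). It would also be worth validating that the configured value looks like an IPv4 address before using it, so a typo in csf.conf cannot widen the exemption.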