Page 1 of 1

Allow UDP broadcasts to be ignored

Posted: 20 Jan 2016, 23:59
by isfs
We are a small company, and the way our IT company have organised our network, our in-house administered web server is on the LAN but accessible through our NAT via a virtual server firewall rule that is not port-specific. It may not be the best configuration, but it works for us.

Since all traffic destined for its IP does get to the server, it's nice to be able to run CSF/LFD's port scan detection on it.

However, since it's on the LAN, it also receives UDP broadcast packets for a whole bunch of local sharing services, and people running those applications, who are meant to be able to access the server locally, end up blocked.

I made some modifications to regex.pm (on my system, /usr/local/csf/bin/regex.pm) which allow you to put PS_IGNORE_UDP_BROADCAST = "192.168.1.255" in csf.conf (of course, should be replaced by the LAN broadcast address for any particular site) and then UDP packets to that address, and to the global broadcaset address 255.255.255.255 will be ignored for port scan detection.

It would be great if this (or a similar change) could be incorporated into CSF/LFD.

If not (and perhaps even if so), is there a way I can make this change of mine persist through CSF upgrades? At the moment, when CSF upgrades, of course, regex.pm is removed, but I couldn't think of a way to incorporate these changes through regex.custom.pm (maybe because I don't really know Perl). Also I guess part of the upgrade script rewrites the configuration file and removes the PS_IGNORE_UDP_BROADCAST option, too, which would need to be avoided somehow.

Here is my change:

Code: Select all

--- /usr/local/csf/bin/regex.pm~	2014-11-26 09:52:01.585117465 +1100
+++ /usr/local/csf/bin/regex.pm	2014-11-26 09:52:06.849117285 +1100
@@ -460,8 +460,8 @@
 	if ($line !~ /^(\S+|\S+\s+\d+\s+\S+) \S+ kernel:\s(\[[^\]]+\]\s)?Firewall:/) {return}
 	if ($line =~ /^(\S+|\S+\s+\d+\s+\S+) \S+ kernel:\s(\[[^\]]+\]\s)?Firewall: \*INVALID\*/ and $config{PS_PORTS} !~ /INVALID/) {return}
 
-	if ($line =~ /IN=\S+.*SRC=(\S+).*PROTO=(\w+).*DPT=(\d+)/) {
-        $ip = $1; $proto = $2; $port = $3; $ip =~ s/^::ffff://;
+	if ($line =~ /IN=\S+.*SRC=(\S+).*DST=(\S+).*PROTO=(\w+).*DPT=(\d+)/) {
+        $ip = $1; $dst = $2; $proto = $3; $port = $4; $ip =~ s/^::ffff://;
 		if ($config{PS_PORTS} !~ /OPEN/) {
 			my $hit = 0;
 			if ($proto eq "TCP" and $line =~ /kernel: Firewall: \*TCP_IN Blocked\*/) {
@@ -479,6 +479,10 @@
 				}
 			}
 			elsif ($proto eq "UDP" and $line =~ /kernel:\s(\[[^\]]+\]\s)?Firewall: \*UDP_IN Blocked\*/) {
+				if ($config{PS_IGNORE_UDP_BROADCAST} and ($dst == "255.255.255.255" or $dst == $config{PS_IGNORE_UDP_BROADCAST})) {
+					if ($config{DEBUG} >= 1) {&logfile("debug: *Port Scan* ignored UDP_IN broadcast: $ip:$port")}
+					return;
+				}
 				foreach my $ports (split(/\,/,$config{UDP_IN})) {
 					if ($ports =~ /\:/) {
 						my ($start,$end) = split(/\:/,$ports);

Re: Allow UDP broadcasts to be ignored

Posted: 18 Jan 2017, 08:53
by ForumAdmin
A feature that addresses this has been added to csf v9.29 which we have just released:
http://blog.configserver.com/

Re: Allow UDP broadcasts to be ignored

Posted: 18 Jan 2017, 20:36
by isfs
It looks great! I'll try it out. Thanks.