CountryCode blocks applying to outgoing as well?

websavers
Junior Member
Posts: 17
Joined: 04 Sep 2013, 13:46

CountryCode blocks applying to outgoing as well?

Post by websavers »

Hey there,

We had an issue wherein a server couldn't reach the Plesk licensing server, even with port 5224 added to the egress rules. We had RU added to the CC_DENY config, which was very clearly the cause (I found the blocked range in iptables). After removing RU from CC_DENY, all worked fine.

I had even tried inserting a rule into csf.allow, which created the corresponding iptables rule correctly, yet it wasn't overriding the CC_DENY config (shouldn't it?).

But even more odd is that the CountryCode rules show the following documentation:

# SECTION:Country Code Lists and Settings
###############################################################################
# Country Code to CIDR allow/deny. In the following two options you can allow
# or deny whole country CIDR ranges. The CIDR blocks are generated from the
# Maxmind GeoLite Country database http://www.maxmind.com/app/geolitecountry
# and entirely relies on that service being available
#
# Specify the the two-letter ISO Country Code(s). The iptables rules are for
# incoming connections only

Notice the very end where it says they're for incoming connections only: this was an outgoing connection that it was blocking. Is the documentation wrong or is this a bug?
ForumAdmin
Moderator
Posts: 1523
Joined: 01 Oct 2008, 09:24

Re: CountryCode blocks applying to outgoing as well?

Post by ForumAdmin »

That is to be expected. You can connect out to that IP but you cannot receive from it. If you have blocked any IP using CC blocking you would have to whitelist any exceptions you want to them.
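
The behaviour described in the reply above, shown with a small first-match filter model. This is an added example, not part of the thread and not CSF's code; the addresses are constructed documentation-range values, and the rule order is an assumption of the model, not CSF's actual chain layout.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    direction: str   # "in" or "out", relative to the server
    remote: str      # IP address of the other end
    dport: int       # destination port

@dataclass(frozen=True)
class Rule:
    direction: str
    action: str                      # "ACCEPT" or "DROP"
    remote_net: str = "0.0.0.0/0"    # matched against the remote address
    dport: Optional[int] = None      # None matches any port

def verdict(rules, pkt, default="DROP"):
    """First matching rule wins, as in an iptables chain."""
    addr = ipaddress.ip_address(pkt.remote)
    for r in rules:
        if (r.direction == pkt.direction
                and addr in ipaddress.ip_network(r.remote_net)
                and r.dport in (None, pkt.dport)):
            return r.action
    return default

# Constructed values: a stand-in for the licensing host and for one
# CIDR from a denied country list.
LICENSE_HOST = "203.0.113.25"
EGRESS_5224 = Rule("out", "ACCEPT", dport=5224)         # egress rule from the post
CC_BLOCK = Rule("in", "DROP", "203.0.113.0/24")         # inbound-only country block
EXCEPTION = Rule("in", "ACCEPT", "203.0.113.25/32")     # whitelist entry
OTHER_INBOUND = Rule("in", "ACCEPT")                    # simplification: rest is accepted

def handshake(rules):
    """Verdicts for the outbound SYN and the inbound reply to it."""
    syn = Packet("out", LICENSE_HOST, 5224)
    reply = Packet("in", LICENSE_HOST, 40000)  # reply lands on an ephemeral port
    return verdict(rules, syn), verdict(rules, reply)

if __name__ == "__main__":
    # Inbound-only block: the SYN leaves, the reply is dropped.
    print(handshake([EGRESS_5224, CC_BLOCK, OTHER_INBOUND]))
    # An exception placed after the block is never reached.
    print(handshake([EGRESS_5224, CC_BLOCK, EXCEPTION, OTHER_INBOUND]))
    # An exception placed ahead of the block lets the reply through.
    print(handshake([EGRESS_5224, EXCEPTION, CC_BLOCK, OTHER_INBOUND]))
```

On a live server, the output of `iptables -L INPUT -n --line-numbers` shows where an exception rule actually sits relative to the country block.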
websavers
Junior Member
Posts: 17
Joined: 04 Sep 2013, 13:46

Re: CountryCode blocks applying to outgoing as well?

Post by websavers »

So the conclusions here are:

1. Even though the initial connection to the Parallels/Odin server is outgoing, any incoming traffic, even if it originates from the outgoing session, will be blocked.
2. To provide an exception to CSF it must be placed in csf.ignore as csf.allow won't get around the CC rules.

Is that right?