CSF Port Block Issue

mhsgsl
Junior Member
Posts: 8
Joined: 16 Jan 2017, 11:08

CSF Port Block Issue

Post by mhsgsl »

For many years I used these rules and they worked, but recently I found they stopped working. E.g., I removed port 22 from the csf config to block global access to this port, and added some IPs to the whitelist csf.allow to be able to access this port, only some IPs. Everything worked well, but recently I found this port is open to all. I restarted csf, which fixed it, but after some days, when I tested from a random IP outside csf.allow, I could see it connect to that port. But it should be limited to the IPs I added to csf.allow. Any solution? Or is it a bug?

CLOUDLINUX 6.10 [star] v82.0.16
The server's kernel and software are updated.
BallyBasic79
Junior Member
Posts: 80
Joined: 22 Aug 2019, 21:43

Re: CSF Port Block Issue

Post by BallyBasic79 »

I hope things have been working better. It could very well be a bug, but the information provided is insufficient to verify that. To empower others here to support you, provide more specific detail regarding your configuration and settings. Sharing relevant terminal and log reports can help as well.
mhsgsl
Junior Member
Posts: 8
Joined: 16 Jan 2017, 11:08

Re: CSF Port Block Issue

Post by mhsgsl »

I can't share server details as it is a running server. But all modules for csf are installed, and csf doesn't show any log or error. Maybe it is a kernel-side or iptables issue.

TCP_IN: 20,21,25,80,110,143,443,465,587,993,995,2500,2502,2504,49152:65534
Help me: where can I find more reports and logs?

This is iptables:

Chain INPUT (policy DROP)
target prot opt source destination
cP-Firewall-1-INPUT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT tcp -- 209.244.0.3 0.0.0.0/0 tcp dpt:53
ACCEPT udp -- 209.244.0.3 0.0.0.0/0 udp dpt:53
ACCEPT tcp -- 209.244.0.3 0.0.0.0/0 tcp spt:53
ACCEPT udp -- 209.244.0.3 0.0.0.0/0 udp spt:53
ACCEPT tcp -- 23.228.66.210 0.0.0.0/0 tcp dpt:53
ACCEPT udp -- 23.228.66.210 0.0.0.0/0 udp dpt:53
ACCEPT tcp -- 23.228.66.210 0.0.0.0/0 tcp spt:53
ACCEPT udp -- 23.228.66.210 0.0.0.0/0 udp spt:53
ACCEPT tcp -- 23.228.66.66 0.0.0.0/0 tcp dpt:53
ACCEPT udp -- 23.228.66.66 0.0.0.0/0 udp dpt:53
ACCEPT tcp -- 23.228.66.66 0.0.0.0/0 tcp spt:53
ACCEPT udp -- 23.228.66.66 0.0.0.0/0 udp spt:53
LOCALINPUT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
INVALID tcp -- 0.0.0.0/0 0.0.0.0/0
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 8 limit: avg 50/sec burst 5
LOGDROPIN icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 8
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:20
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:21
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:25
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:80
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:110
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:143
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:443
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:465
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:587
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:993
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:995
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:2500
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:2502
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:2504
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpts:49152:65534
LOGDROPIN all -- 0.0.0.0/0 0.0.0.0/0

Chain FORWARD (policy DROP)
target prot opt source destination
cP-Firewall-1-INPUT all -- 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy DROP)
target prot opt source destination
cpanel-dovecot-solr all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT tcp -- 0.0.0.0/0 209.244.0.3 tcp dpt:53
ACCEPT udp -- 0.0.0.0/0 209.244.0.3 udp dpt:53
ACCEPT tcp -- 0.0.0.0/0 209.244.0.3 tcp spt:53
ACCEPT udp -- 0.0.0.0/0 209.244.0.3 udp spt:53
ACCEPT tcp -- 0.0.0.0/0 23.228.66.210 tcp dpt:53
ACCEPT udp -- 0.0.0.0/0 23.228.66.210 udp dpt:53
ACCEPT tcp -- 0.0.0.0/0 23.228.66.210 tcp spt:53
ACCEPT udp -- 0.0.0.0/0 23.228.66.210 udp spt:53
ACCEPT tcp -- 0.0.0.0/0 23.228.66.66 tcp dpt:53
ACCEPT udp -- 0.0.0.0/0 23.228.66.66 udp dpt:53
ACCEPT tcp -- 0.0.0.0/0 23.228.66.66 tcp spt:53
ACCEPT udp -- 0.0.0.0/0 23.228.66.66 udp spt:53
LOCALOUTPUT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:53
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:53
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp spt:53
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
INVALID tcp -- 0.0.0.0/0 0.0.0.0/0
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 8 limit: avg 50/sec burst 5
LOGDROPOUT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 8
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:20
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:21
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:22
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:25
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:37
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:43
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:53
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:80
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:110
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:113
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:443
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:465
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:587
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:873
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:993
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:995
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:1235
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:2086
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:2087
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:2089
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:2195
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:2703
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:3306
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:3456
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:4082
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:4083
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:4084
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:4085
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:6800
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:8080
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:8081
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:8332
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:8443
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpts:49152:65534
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW udp dpt:20
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW udp dpt:21
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW udp dpt:53
LOGDROPOUT all -- 0.0.0.0/0 0.0.0.0/0

Chain ALLOWIN (1 references)
target prot opt source destination
ACCEPT tcp -- 208.74.121.86 0.0.0.0/0 tcp dpt:1022
ACCEPT tcp -- 208.74.121.86 0.0.0.0/0 tcp dpt:1021
ACCEPT tcp -- 208.74.121.86 0.0.0.0/0 tcp dpt:1020
ACCEPT tcp -- 208.74.121.86 0.0.0.0/0 tcp dpt:40
ACCEPT tcp -- 208.74.121.86 0.0.0.0/0 tcp dpt:16
ACCEPT tcp -- 208.74.121.86 0.0.0.0/0 tcp dpt:14
ACCEPT tcp -- 208.74.121.86 0.0.0.0/0 tcp dpt:10
ACCEPT tcp -- 208.74.121.86 0.0.0.0/0 tcp dpt:8
ACCEPT tcp -- 208.74.121.86 0.0.0.0/0 tcp dpt:4
ACCEPT tcp -- 208.74.121.85 0.0.0.0/0 tcp dpt:1022
ACCEPT tcp -- 208.74.121.85 0.0.0.0/0 tcp dpt:1021
ACCEPT tcp -- 208.74.121.85 0.0.0.0/0 tcp dpt:1020
ACCEPT tcp -- 208.74.121.85 0.0.0.0/0 tcp dpt:40
ACCEPT tcp -- 208.74.121.85 0.0.0.0/0 tcp dpt:16
ACCEPT tcp -- 208.74.121.85 0.0.0.0/0 tcp dpt:14
ACCEPT tcp -- 208.74.121.85 0.0.0.0/0 tcp dpt:10
ACCEPT tcp -- 208.74.121.85 0.0.0.0/0 tcp dpt:8
ACCEPT tcp -- 208.74.121.85 0.0.0.0/0 tcp dpt:4
ACCEPT tcp -- 208.74.121.83 0.0.0.0/0 tcp dpt:1022
ACCEPT tcp -- 208.74.121.83 0.0.0.0/0 tcp dpt:1021
ACCEPT tcp -- 208.74.121.83 0.0.0.0/0 tcp dpt:1020
ACCEPT tcp -- 208.74.121.83 0.0.0.0/0 tcp dpt:40
ACCEPT tcp -- 208.74.121.83 0.0.0.0/0 tcp dpt:16
ACCEPT tcp -- 208.74.121.83 0.0.0.0/0 tcp dpt:14
ACCEPT tcp -- 208.74.121.83 0.0.0.0/0 tcp dpt:10
ACCEPT tcp -- 208.74.121.83 0.0.0.0/0 tcp dpt:8
ACCEPT tcp -- 208.74.121.83 0.0.0.0/0 tcp dpt:4
ACCEPT tcp -- 208.74.121.82 0.0.0.0/0 tcp dpt:1022
ACCEPT tcp -- 208.74.121.82 0.0.0.0/0 tcp dpt:1021
ACCEPT tcp -- 208.74.121.82 0.0.0.0/0 tcp dpt:1020
ACCEPT tcp -- 208.74.121.82 0.0.0.0/0 tcp dpt:40
ACCEPT tcp -- 208.74.121.82 0.0.0.0/0 tcp dpt:16
ACCEPT tcp -- 208.74.121.82 0.0.0.0/0 tcp dpt:14
ACCEPT tcp -- 208.74.121.82 0.0.0.0/0 tcp dpt:10
ACCEPT tcp -- 208.74.121.82 0.0.0.0/0 tcp dpt:8
ACCEPT tcp -- 208.74.121.82 0.0.0.0/0 tcp dpt:4
ACCEPT tcp -- 208.74.123.3 0.0.0.0/0 tcp dpt:1022
ACCEPT tcp -- 208.74.123.3 0.0.0.0/0 tcp dpt:1021
ACCEPT tcp -- 208.74.123.3 0.0.0.0/0 tcp dpt:1020
ACCEPT tcp -- 208.74.123.3 0.0.0.0/0 tcp dpt:40
ACCEPT tcp -- 208.74.123.3 0.0.0.0/0 tcp dpt:16
ACCEPT tcp -- 208.74.123.3 0.0.0.0/0 tcp dpt:14
ACCEPT tcp -- 208.74.123.3 0.0.0.0/0 tcp dpt:10
ACCEPT tcp -- 208.74.123.3 0.0.0.0/0 tcp dpt:8
ACCEPT tcp -- 208.74.123.3 0.0.0.0/0 tcp dpt:4
ACCEPT tcp -- 208.74.123.2 0.0.0.0/0 tcp dpt:1022
ACCEPT tcp -- 208.74.123.2 0.0.0.0/0 tcp dpt:1021
ACCEPT tcp -- 208.74.123.2 0.0.0.0/0 tcp dpt:1020
ACCEPT tcp -- 208.74.123.2 0.0.0.0/0 tcp dpt:40
ACCEPT tcp -- 208.74.123.2 0.0.0.0/0 tcp dpt:16
ACCEPT tcp -- 208.74.123.2 0.0.0.0/0 tcp dpt:14
ACCEPT tcp -- 208.74.123.2 0.0.0.0/0 tcp dpt:10
ACCEPT tcp -- 208.74.123.2 0.0.0.0/0 tcp dpt:8
ACCEPT tcp -- 208.74.123.2 0.0.0.0/0 tcp dpt:4
ACCEPT tcp -- 199.66.201.132 0.0.0.0/0 tcp dpt:53
ACCEPT tcp -- 199.66.201.132 0.0.0.0/0 tcp dpt:443
ACCEPT tcp -- 199.66.201.132 0.0.0.0/0 tcp dpt:80
ACCEPT tcp -- 91.199.212.132 0.0.0.0/0 tcp dpt:53
ACCEPT tcp -- 91.199.212.132 0.0.0.0/0 tcp dpt:443
ACCEPT tcp -- 91.199.212.132 0.0.0.0/0 tcp dpt:80
ACCEPT tcp -- 178.255.81.13 0.0.0.0/0 tcp dpt:53
ACCEPT tcp -- 178.255.81.13 0.0.0.0/0 tcp dpt:443
ACCEPT tcp -- 178.255.81.13 0.0.0.0/0 tcp dpt:80
ACCEPT tcp -- 178.255.81.12 0.0.0.0/0 tcp dpt:53
ACCEPT tcp -- 178.255.81.12 0.0.0.0/0 tcp dpt:443
ACCEPT tcp -- 178.255.81.12 0.0.0.0/0 tcp dpt:80
ACCEPT all -- 184.94.197.2 0.0.0.0/0
ACCEPT all -- 35.161.131.175 0.0.0.0/0
ACCEPT all -- 184.94.197.3 0.0.0.0/0
ACCEPT all -- 184.94.197.4 0.0.0.0/0
ACCEPT all -- 184.94.197.5 0.0.0.0/0
ACCEPT all -- 184.94.197.6 0.0.0.0/0
ACCEPT all -- 69.175.3.10 0.0.0.0/0
ACCEPT all -- 148.251.142.83 0.0.0.0/0
ACCEPT all -- 69.175.3.6 0.0.0.0/0
ACCEPT all -- 69.175.106.198 0.0.0.0/0
ACCEPT all -- 208.74.123.98 0.0.0.0/0
ACCEPT all -- 208.74.121.106 0.0.0.0/0
ACCEPT all -- 69.10.42.69 0.0.0.0/0
ACCEPT all -- 69.175.92.60 0.0.0.0/0
ACCEPT all -- 208.74.121.103 0.0.0.0/0
ACCEPT all -- 208.74.121.102 0.0.0.0/0
ACCEPT all -- 208.74.121.101 0.0.0.0/0
ACCEPT all -- 208.74.121.100 0.0.0.0/0
ACCEPT all -- 209.244.0.3 0.0.0.0/0
ACCEPT all -- 23.228.66.210 0.0.0.0/0
ACCEPT all -- 23.228.66.66 0.0.0.0/0
Chain ALLOWOUT (1 references)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 184.94.197.2
ACCEPT all -- 0.0.0.0/0 35.161.131.175
ACCEPT all -- 0.0.0.0/0 184.94.197.3
ACCEPT all -- 0.0.0.0/0 184.94.197.4
ACCEPT all -- 0.0.0.0/0 184.94.197.5
ACCEPT all -- 0.0.0.0/0 184.94.197.6
ACCEPT all -- 0.0.0.0/0 69.175.3.10
ACCEPT all -- 0.0.0.0/0 148.251.142.83
ACCEPT all -- 0.0.0.0/0 69.175.3.6
ACCEPT all -- 0.0.0.0/0 69.175.106.198
ACCEPT all -- 0.0.0.0/0 208.74.123.98
ACCEPT all -- 0.0.0.0/0 208.74.121.106
ACCEPT all -- 0.0.0.0/0 69.10.42.69
ACCEPT all -- 0.0.0.0/0 69.175.92.60
ACCEPT all -- 0.0.0.0/0 208.74.121.103
ACCEPT all -- 0.0.0.0/0 208.74.121.102
ACCEPT all -- 0.0.0.0/0 208.74.121.101
ACCEPT all -- 0.0.0.0/0 208.74.121.100
ACCEPT all -- 0.0.0.0/0 209.244.0.3
ACCEPT all -- 0.0.0.0/0 23.228.66.210
ACCEPT all -- 0.0.0.0/0 23.228.66.66
Chain DENYIN (1 references)
target prot opt source destination

Chain DENYOUT (1 references)
target prot opt source destination

Chain INVALID (2 references)
target prot opt source destination
INVDROP all -- 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
INVDROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x00
INVDROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x3F
INVDROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x03/0x03
INVDROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x06
INVDROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x05/0x05
INVDROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x11/0x01
INVDROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x18/0x08
INVDROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x30/0x20
INVDROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:!0x17/0x02 ctstate NEW

Chain INVDROP (10 references)
target prot opt source destination
DROP all -- 0.0.0.0/0 0.0.0.0/0

Chain LOCALINPUT (1 references)
target prot opt source destination
ALLOWIN all -- 0.0.0.0/0 0.0.0.0/0
DENYIN all -- 0.0.0.0/0 0.0.0.0/0

Chain LOCALOUTPUT (1 references)
target prot opt source destination
ALLOWOUT all -- 0.0.0.0/0 0.0.0.0/0
DENYOUT all -- 0.0.0.0/0 0.0.0.0/0
UDPFLOOD udp -- 0.0.0.0/0 0.0.0.0/0

Chain LOGDROPIN (2 references)
target prot opt source destination
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:67
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:67
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:68
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:68
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:111
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:111
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:113
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:113
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpts:135:139
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpts:135:139
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:445
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:445
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:500
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:500
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:513
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:513
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:520
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:520
LOG tcp -- 0.0.0.0/0 0.0.0.0/0 limit: avg 30/min burst 5 LOG flags 0 level 4 prefix `Firewall: *TCP_IN Blocked* '
LOG udp -- 0.0.0.0/0 0.0.0.0/0 limit: avg 30/min burst 5 LOG flags 0 level 4 prefix `Firewall: *UDP_IN Blocked* '
LOG icmp -- 0.0.0.0/0 0.0.0.0/0 limit: avg 30/min burst 5 LOG flags 0 level 4 prefix `Firewall: *ICMP_IN Blocked* '
DROP all -- 0.0.0.0/0 0.0.0.0/0

Chain LOGDROPOUT (796 references)
target prot opt source destination
LOG tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x02 limit: avg 30/min burst 5 LOG flags 8 level 4 prefix `Firewall: *TCP_OUT Blocked* '
LOG udp -- 0.0.0.0/0 0.0.0.0/0 limit: avg 30/min burst 5 LOG flags 8 level 4 prefix `Firewall: *UDP_OUT Blocked* '
LOG icmp -- 0.0.0.0/0 0.0.0.0/0 limit: avg 30/min burst 5 LOG flags 8 level 4 prefix `Firewall: *ICMP_OUT Blocked* '
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable

Chain UDPFLOOD (1 references)
target prot opt source destination
RETURN udp -- 0.0.0.0/0 0.0.0.0/0 owner UID match 25
RETURN udp -- 0.0.0.0/0 0.0.0.0/0 owner UID match 487
RETURN udp -- 0.0.0.0/0 0.0.0.0/0 owner UID match 0
RETURN udp -- 0.0.0.0/0 0.0.0.0/0 limit: avg 50/sec burst 1
LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 30/min burst 5 LOG flags 8 level 4 prefix `Firewall: *UDPFLOOD* '
REJECT udp -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable

Chain cP-Firewall-1-INPUT (2 references)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:2086
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:2095
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:2080
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:26
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:8080
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:2079
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:2087
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:2096
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:2077
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:2078
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:3306
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:579
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:2082
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:2083
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:8443
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22

Chain cpanel-dovecot-solr (1 references)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 multiport sports 8984,7984 owner UID match 485
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 multiport sports 8984,7984 owner UID match 0
REJECT tcp -- 0.0.0.0/0 0.0.0.0/0 multiport sports 8984,7984 reject-with icmp-port-unreachable
mhsgsl
Junior Member
Posts: 8
Joined: 16 Jan 2017, 11:08

Re: CSF Port Block Issue

Post by mhsgsl »

Update:
This may be related to a chain added by cPanel.
Our test shows it, and the conversation with cPanel:
I believe this may relate to another case we have open where the "cP-Firewall-1-INPUT" chain is added to iptables when modifying an account. In order to ensure that this is the cause, would it be possible for you to try removing the "cP-Firewall-1-INPUT" chain in iptables, ensure the chain was removed, and then modify an account in WHM >> Modify an Account?

Once complete, you can check if the chain was re-added:
====
iptables -nL | grep 'cP-Firewall-1-INPUT'
====
mhsgsl
Junior Member
Posts: 8
Joined: 16 Jan 2017, 11:08

Re: CSF Port Block Issue

Post by mhsgsl »

Update:
This issue relates to another internal case we have open "CPANEL-29051" where the "cP-Firewall-1-INPUT" chain is added to iptables when modifying an account. While I do not have an estimated time for when this issue will be resolved, you may follow our changelogs here for any resolutions that were released with cPanel updates: https://go.cpanel.net/changelogs

To ensure this issue does not persist in the meantime, I have commented out the lines that are responsible for adding this chain in the perl module /usr/local/cpanel/Cpanel/Services/Firewall.pm after securing a backup of the module:

Here are the lines that I modified. The lines starting with '-' include my changes. The lines starting with '+' are the original lines.

# Rules for iptables
-# my $iptables_rules = [
-# "-N cP-Firewall-1-INPUT",
-# ( map { /^(\S+)\s+(.*)$/; "-I $1 1 $2" } @lines_to_insert ),
-# ( map { "-A cP-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport $_ -j ACCEPT" } @allow_tcp_ports ),
-# ( map { "-A cP-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport $_ -j ACCEPT" } @allow_udp_ports ),
-# _get_port_authority_rules(),
-# ];
+ my $iptables_rules = [
+ "-N cP-Firewall-1-INPUT",
+ ( map { /^(\S+)\s+(.*)$/; "-I $1 1 $2" } @lines_to_insert ),
+ ( map { "-A cP-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport $_ -j ACCEPT" } @allow_tcp_ports ),
+ ( map { "-A cP-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport $_ -j ACCEPT" } @allow_udp_ports ),
+ _get_port_authority_rules(),
+ ];
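Review bot: commenting out the whole `my $iptables_rules = [ ... ];` declaration removes the variable rather than emptying it, so any later use of `$iptables_rules` in Firewall.pm will either fail to compile (if the module uses strict) or receive undef where an array reference is expected. A safer interim edit keeps the declaration and assigns an empty list, `my $iptables_rules = [];`, which still adds no cP-Firewall-1-INPUT rules. The sign convention is also inverted relative to a normal diff (here '-' is the changed line and '+' the original), so anyone applying this as a patch would reinstate the original code; state that in the post or swap the prefixes. The `-I $1 1 $2` in the first map is what inserts the jump at position 1 of the target chain, ahead of CSF's rules in INPUT, which matches the dump earlier in the thread. Since this is a hand edit to a file shipped by cPanel, record it so it can be re-checked after each cPanel update.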