Linode Forum
https://forum.linode.com/

Firewall Issues.... STUMPED
https://forum.linode.com/viewtopic.php?f=19&t=6641

Author:  eld101 [ Wed Feb 02, 2011 8:05 pm ]
Post subject:  Firewall Issues.... STUMPED

I was setting up a firewall from http://www.securecentos.com/basic-security/install-firewall/

I went through the setup step by step, but web connections on port 80 are being blocked. If I stop the firewall, Apache seems to work. When it's started, Apache stops working again.

From my logs...

Code:
Feb  2 18:41:27 dev kernel: ** IN_TCP DROP ** IN=eth0 OUT= MAC=fe:fd:ad:ff:e4:a8:88:43:e1:7c:75:3f:08:00 SRC=184.57.51.14 DST=173.255.228.168 LEN=56 TOS=0x00 PREC=0x00 TTL=113 ID=26865 DF PROTO=TCP SPT=63533 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0


I did notice some funky stuff going on when I start the firewall, which I'm thinking must be the issue.

Code:

[root@dev ~]# /usr/local/sbin/apf --start
: command not foundline 539:
apf(9881): {glob} activating firewall
: command not foundline 539:
: command not foundline 539:
apf(9923): {glob} determined (IFACE_IN) eth0 has address 173.255.228.168
apf(9923): {glob} determined (IFACE_OUT) eth0 has address 173.255.228.168
apf(9923): {glob} loading preroute.rules
iptables: Unknown error 4294967295
iptables: Unknown error 4294967295
iptables: Unknown error 4294967295
iptables: Unknown error 4294967295
iptables: Unknown error 4294967295
iptables: Unknown error 4294967295
iptables: Unknown error 4294967295
apf(9923): {resnet} downloading http://rfxn.com/downloads/reserved.networks
apf(9923): {resnet} parsing reserved.networks into /etc/apf/internals/reserved.networks
apf(9923): {glob} loading reserved.networks
apf(9923): {glob} loading bt.rules
apf(9923): {php} downloading http://rfxn.com/downloads/php_list
apf(9923): {php} parsing php_list into /etc/apf/php_hosts.rules
apf(9923): {php} loading php_hosts.rules
apf(9923): {dshield} downloading http://feeds.dshield.org/top10-2.txt
apf(9923): {dshield} parsing top10-2.txt into /etc/apf/ds_hosts.rules
apf(9923): {dshield} loading ds_hosts.rules
apf(9923): {sdrop} downloading http://www.spamhaus.org/drop/drop.lasso
apf(9923): {sdrop} parsing drop.lasso into /etc/apf/sdrop_hosts.rules
apf(9923): {sdrop} loading sdrop_hosts.rules
apf(9923): {glob} loading common drop ports
apf(9923): {blk_ports} deny all to/from tcp port 135:139
apf(9923): {blk_ports} deny all to/from udp port 135:139
apf(9923): {blk_ports} deny all to/from tcp port 111
apf(9923): {blk_ports} deny all to/from udp port 111
apf(9923): {blk_ports} deny all to/from tcp port 513
apf(9923): {blk_ports} deny all to/from udp port 513
apf(9923): {blk_ports} deny all to/from tcp port 520
apf(9923): {blk_ports} deny all to/from udp port 520
apf(9923): {blk_ports} deny all to/from tcp port 445
apf(9923): {blk_ports} deny all to/from udp port 445
apf(9923): {blk_ports} deny all to/from tcp port 1433
apf(9923): {blk_ports} deny all to/from udp port 1433
apf(9923): {blk_ports} deny all to/from tcp port 1434
apf(9923): {blk_ports} deny all to/from udp port 1434
apf(9923): {blk_ports} deny all to/from tcp port 1234
apf(9923): {blk_ports} deny all to/from udp port 1234
apf(9923): {blk_ports} deny all to/from tcp port 1524
apf(9923): {blk_ports} deny all to/from udp port 1524
apf(9923): {blk_ports} deny all to/from tcp port 3127
apf(9923): {blk_ports} deny all to/from udp port 3127
apf(9923): {pkt_sanity} set active PKT_SANITY
apf(9923): {pkt_sanity} deny inbound tcp-flag pairs ALL NONE
apf(9923): {pkt_sanity} deny inbound tcp-flag pairs SYN,FIN SYN,FIN
apf(9923): {pkt_sanity} deny inbound tcp-flag pairs SYN,RST SYN,RST
apf(9923): {pkt_sanity} deny inbound tcp-flag pairs FIN,RST FIN,RST
apf(9923): {pkt_sanity} deny inbound tcp-flag pairs ACK,FIN FIN
apf(9923): {pkt_sanity} deny inbound tcp-flag pairs ACK,URG URG
apf(9923): {pkt_sanity} deny inbound tcp-flag pairs ACK,PSH PSH
apf(9923): {pkt_sanity} deny inbound tcp-flag pairs ALL FIN,URG,PSH
apf(9923): {pkt_sanity} deny inbound tcp-flag pairs ALL SYN,RST,ACK,FIN,URG
apf(9923): {pkt_sanity} deny inbound tcp-flag pairs ALL ALL
apf(9923): {pkt_sanity} deny inbound tcp-flag pairs ALL FIN
apf(9923): {pkt_sanity} deny outbound tcp-flag pairs ALL NONE
apf(9923): {pkt_sanity} deny outbound tcp-flag pairs SYN,FIN SYN,FIN
apf(9923): {pkt_sanity} deny outbound tcp-flag pairs SYN,RST SYN,RST
apf(9923): {pkt_sanity} deny outbound tcp-flag pairs FIN,RST FIN,RST
apf(9923): {pkt_sanity} deny outbound tcp-flag pairs ACK,FIN FIN
apf(9923): {pkt_sanity} deny outbound tcp-flag pairs ACK,PSH PSH
apf(9923): {pkt_sanity} deny outbound tcp-flag pairs ACK,URG URG
apf(9923): {pkt_sanity} deny all fragmented udp
apf(9923): {pkt_sanity} deny inbound tcp port 0
apf(9923): {pkt_sanity} deny outbound tcp port 0
apf(9923): {blk_p2p} set active BLK_P2P
apf(9923): {blk_p2p} deny all to/from tcp port 1214
apf(9923): {blk_p2p} deny all to/from udp port 1214
apf(9923): {blk_p2p} deny all to/from tcp port 2323
apf(9923): {blk_p2p} deny all to/from udp port 2323
apf(9923): {blk_p2p} deny all to/from tcp port 4660:4678
apf(9923): {blk_p2p} deny all to/from udp port 4660:4678
apf(9923): {blk_p2p} deny all to/from tcp port 6257
apf(9923): {blk_p2p} deny all to/from udp port 6257
apf(9923): {blk_p2p} deny all to/from tcp port 6699
apf(9923): {blk_p2p} deny all to/from udp port 6699
apf(9923): {blk_p2p} deny all to/from tcp port 6346
apf(9923): {blk_p2p} deny all to/from udp port 6346
apf(9923): {blk_p2p} deny all to/from tcp port 6347
apf(9923): {blk_p2p} deny all to/from udp port 6347
apf(9923): {blk_p2p} deny all to/from tcp port 6881:6889
apf(9923): {blk_p2p} deny all to/from udp port 6881:6889
apf(9923): {blk_p2p} deny all to/from tcp port 6346
apf(9923): {blk_p2p} deny all to/from udp port 6346
apf(9923): {blk_p2p} deny all to/from tcp port 7778
apf(9923): {blk_p2p} deny all to/from udp port 7778
apf(9923): {glob} SET_REFRESH is set to 10 minutes
apf(9923): {glob} loading log.rules
apf(9923): {glob} virtual net subsystem disabled.
: command not foundline 539:
apf(9923): {glob} loading main.rules
apf(9923): {glob} opening inbound tcp port 222 on 0/0
apf(9923): {glob} opening inbound icmp type 3 on 0/0
apf(9923): {glob} opening inbound icmp type 5 on 0/0
apf(9923): {glob} opening inbound icmp type 11 on 0/0
apf(9923): {glob} opening inbound icmp type 0 on 0/0
apf(9923): {glob} opening inbound icmp type 30 on 0/0
apf(9923): {glob} opening inbound icmp type 8 on 0/0
apf(9923): {glob} resolv dns discovery for 207.192.69.5
apf(9923): {glob} resolv dns discovery for 97.107.133.4
apf(9923): {glob} resolv dns discovery for 207.192.69.4
apf(9923): {glob} loading postroute.rules
iptables: Unknown error 4294967295
iptables: Unknown error 4294967295
iptables: Unknown error 4294967295
iptables: Unknown error 4294967295
iptables: Unknown error 4294967295
iptables: Unknown error 4294967295
iptables: Unknown error 4294967295
apf(9923): {glob} default (egress) output accept
apf(9923): {glob} default (ingress) input drop
apf(9881): {glob} firewall initalized
apf(9881): {glob} fast load snapshot saved
[root@dev ~]#


I have googled the "Unknown error 4294967295" but really haven't gotten too far, but the ": command not foundline 539:" can't be good either.

Any ideas???

Author:  hoopycat [ Wed Feb 02, 2011 9:04 pm ]
Post subject: 

You probably need to add port 80 to either IG_TCP_CPORTS in your conf.apf or add a line to allow.rules. Look around for "222" and wherever you see that, add a similar entry with 80 :-)

Author:  eld101 [ Wed Feb 02, 2011 9:12 pm ]
Post subject: 

Thanks Hoopy! You are the man.

I had it somewhere else which must have been conflicting...

There were two lines with IG_TCP_CPORTS.... Must have had the one with only 222 overwriting the one with all the other ports.

Author:  hoopycat [ Thu Feb 03, 2011 12:31 am ]
Post subject: 

Yup, the last one wins. apf's configuration is a shell script, with all the benefits and drawbacks that implies. Including that. :-)

All times are UTC-04:00