Full Version: APF Firewall and deny rules
mitt
I am running APF on my box and this is the third time I have had someone contact me saying they can't get to the sites hosted on my server. The previous two times I upgraded APF and it seemed to cure the problem. However, on all instances I don't know why the people are being blocked. In the conf file for APF I have double-checked to see if it is loading the reserved or private rules and if the visitor's IP is in the deny_hosts.rules file, and in all cases it was not found in any of them. I have looked through all the allow, deny and global allow and deny rules and there is nothing there to show it's blocking the host. If I disable the firewall and have the visitor try, the site loads without a problem. As soon as the firewall is started again, the site is unreachable.

Is there some other place I should be looking for hosts that are being blocked? This is starting to become very frustrating.

Is there a better firewall out there that can be used? I'm starting to get fed up with APF.
polystigma
Look in /var/log/messages and see if you see the IP in any of the '** IN_TCP DROP **' lines at the times they claim they are being blocked.
There could be many reasons they can't reach the server.
mitt
I looked in /var/log/messages for an IN_TCP DROP with the IP I captured from the user when I had them try while the firewall was disabled, and I don't find it in the drops.
polystigma
If you don't find it, it's not likely it's being blocked by you (APF will list the blocks).
Further client-side investigation is in order.
mitt
But why can the client view the site when I shut down the firewall?
polystigma
Maybe the client is connecting through a proxy server, trying a different port that APF blocks.
Have the client do a tracert while being blocked and see if you find any of those IPs blocked in the log file.
Catalyst
I've seen that happen sometimes before... Is `SET_VNET="0"` in /etc/apf/conf.apf?
aspen0
This happens to me too.

Here is what /sbin/iptables -L reads when APF is turned on.

QUOTE
TELNET_LOG tcp -- anywhere anywhere tcp dpt:telnet state NEW
SSH_LOG tcp -- anywhere anywhere tcp dpt:ssh state NEW
DROP all -- 1.0.0.0/8 anywhere
DROP all -- 2.0.0.0/8 anywhere
DROP all -- 5.0.0.0/8 anywhere
DROP all -- 7.0.0.0/8 anywhere
DROP all -- 23.0.0.0/8 anywhere
DROP all -- 27.0.0.0/8 anywhere
DROP all -- 31.0.0.0/8 anywhere
DROP all -- 36.0.0.0/8 anywhere
DROP all -- 37.0.0.0/8 anywhere
DROP all -- 39.0.0.0/8 anywhere
DROP all -- 41.0.0.0/8 anywhere
DROP all -- 42.0.0.0/8 anywhere
DROP all -- ppp-net.infoweb.ne.jp/8 anywhere
DROP all -- 59.0.0.0/8 anywhere
DROP all -- 60.0.0.0/8 anywhere
DROP all -- 032-238-079.area1.spcsdns.net/8 anywhere
DROP all -- 71.0.0.0/8 anywhere
DROP all -- 72.0.0.0/8 anywhere
DROP all -- 73.0.0.0/8 anywhere
DROP all -- 74.0.0.0/8 anywhere
DROP all -- 75.0.0.0/8 anywhere
DROP all -- 76.0.0.0/8 anywhere
DROP all -- 77.0.0.0/8 anywhere
DROP all -- 78.0.0.0/8 anywhere
DROP all -- 78.0.0.0/8 anywhere
DROP all -- 79.0.0.0/8 anywhere
DROP all -- 83.0.0.0/8 anywhere
DROP all -- catv54000000.pool.t-online.hu/8 anywhere
DROP all -- 85.0.0.0/8 anywhere
DROP all -- 86.0.0.0/8 anywhere
DROP all -- 87.0.0.0/8 anywhere
DROP all -- 88.0.0.0/8 anywhere
DROP all -- 89.0.0.0/8 anywhere
DROP all -- 90.0.0.0/8 anywhere
DROP all -- 91.0.0.0/8 anywhere
DROP all -- 92.0.0.0/8 anywhere
DROP all -- 93.0.0.0/8 anywhere
DROP all -- 94.0.0.0/8 anywhere
DROP all -- 95.0.0.0/8 anywhere
DROP all -- 96.0.0.0/8 anywhere
DROP all -- 97.0.0.0/8 anywhere
DROP all -- 98.0.0.0/8 anywhere
DROP all -- 99.0.0.0/8 anywhere
DROP all -- 100.0.0.0/8 anywhere
DROP all -- 101.0.0.0/8 anywhere
DROP all -- 102.0.0.0/8 anywhere
DROP all -- 103.0.0.0/8 anywhere
DROP all -- 104.0.0.0/8 anywhere
DROP all -- 105.0.0.0/8 anywhere
DROP all -- 106.0.0.0/8 anywhere
DROP all -- 107.0.0.0/8 anywhere
DROP all -- 108.0.0.0/8 anywhere
DROP all -- 109.0.0.0/8 anywhere
DROP all -- 110.0.0.0/8 anywhere
DROP all -- 111.0.0.0/8 anywhere
DROP all -- 112.0.0.0/8 anywhere
DROP all -- 113.0.0.0/8 anywhere
DROP all -- 114.0.0.0/8 anywhere
DROP all -- 115.0.0.0/8 anywhere
DROP all -- 116.0.0.0/8 anywhere
DROP all -- 117.0.0.0/8 anywhere
DROP all -- 118.0.0.0/8 anywhere
DROP all -- 119.0.0.0/8 anywhere
DROP all -- 120.0.0.0/8 anywhere
DROP all -- 121.0.0.0/8 anywhere
DROP all -- 122.0.0.0/8 anywhere
DROP all -- 123.0.0.0/8 anywhere
DROP all -- 124.0.0.0/8 anywhere


etc etc...

Seems like it's blocking a whole lot of IPs there. I certainly didn't set that.

I turn APF off and all that is no longer blocked.
Catalyst
QUOTE (aspen0)
Seems like it's blocking a whole lot of IPs there. I certainly didn't set that.
Well, you kinda did, if you've set:
CODE
BLK_MCATNET="1"
BLK_PRVNET="1"
BLK_RESNET="1"
then it'll do that, according to the blocks listed in /etc/apf/internals --- reserved.networks, multicast.networks, private.networks. Yet another setting is the `USE_DS="1"` line, which downloads the "Top attacking IPs" from dshield.org. All of this is documented in the conf.apf file. ;-)

The problem is that occasionally, reserved.networks change. You'll want to keep up with the latest version of APF, and set `USE_RD="1"` so that it'll download the "newest" version of the file (which is changing a lot more frequently lately as formerly reserved networks are being opened up around the world).

The only real unknown is the `SET_VNET="1"` line. What it *should* do is loop through all of the IP addresses on your server and set each one up with an individual set of rules. I've observed a situation, multiple times on multiple servers, where even though the IPTABLES rules that APF is building are perfectly sound and correct, it ends up blocking some random netblock or IP for no apparent reason. Setting `SET_VNET="0"` will fix it almost every time, so it's definitely something kernel-related (is there a setting for max chains?).

Anyway ... enough of my banter. The coffee is hot.
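The two checks suggested in this thread, searching /var/log/messages for '** IN_TCP DROP **' lines carrying the visitor's IP and testing whether that IP falls inside one of the netblocks from /etc/apf/internals/reserved.networks, as an added bash example that is not code from the thread or from APF. The log lines and the CIDR list below are constructed sample data in APF's general format, not real server output.

```shell
#!/bin/bash
# Added example: is a visitor's IP being dropped by APF, and if so, is it
# because a reserved-network block (BLK_RESNET) covers it?
# Sample data is CONSTRUCTED to mimic APF's "** IN_TCP DROP **" syslog lines.
SAMPLE_LOG=$(cat <<'EOF'
Mar  3 10:01:12 web1 kernel: ** IN_TCP DROP ** IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=80
Mar  3 10:01:13 web1 kernel: ** IN_TCP DROP ** IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=51001 DPT=443
Mar  3 10:02:40 web1 kernel: ** IN_TCP DROP ** IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=4000 DPT=23
EOF
)
# Constructed stand-in for reserved.networks: one CIDR per line, '#' comments.
SAMPLE_RESNET=$(cat <<'EOF'
# reserved / unallocated blocks (constructed sample)
1.0.0.0/8
2.0.0.0/8
203.0.0.0/8
EOF
)

# Count DROP lines whose SRC= field is exactly the given IP (no regex-dot issue).
apf_drop_count() {   # $1 = ip, $2 = log text
    printf '%s\n' "$2" | awk -v ip="$1" '
        /IN_TCP DROP/ { for (i = 1; i <= NF; i++) if ($i == "SRC=" ip) c++ }
        END { print c + 0 }'
}

# Dotted quad -> 32-bit integer.
ip2int() {
    local IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Return 0 if $1 (ip) lies inside $2 (CIDR), else 1.
ip_in_cidr() {
    local net=${2%/*} bits=${2#*/}
    local mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# Print the first CIDR in the list covering the IP; return 1 if none does.
covering_block() {   # $1 = ip, $2 = CIDR list text
    local cidr
    while read -r cidr; do
        case "$cidr" in ''|\#*) continue ;; esac
        if ip_in_cidr "$1" "$cidr"; then echo "$cidr"; return 0; fi
    done <<< "$2"
    return 1
}
```

On a live box, replace `"$SAMPLE_LOG"` with `"$(cat /var/log/messages)"` and `"$SAMPLE_RESNET"` with the contents of /etc/apf/internals/reserved.networks; a hit from covering_block explains a drop that appears in no allow/deny file.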
mitt
I added a rule to the allow list for the one person I know is a problem and they still can't access the site.
mitt
SET_VNET does = 0
mitt
I have been reading over the conf.apf and I found a couple of lines that don't look like they are right.

# Set the default TOS value # Set the default TOS port range
TOS_DEF_TOS="4" TOS_DEF_RANGE="512:65535"
# 0: Ports for Normal-Service # 2: Ports for Minimize-Cost
TOS_0="" TOS_2=""

Should these have a break in them and look like:

# Set the default TOS value
TOS_DEF_TOS="4"
# Set the default TOS port range
TOS_DEF_RANGE="512:65535"
# 0: Ports for Normal-Service
TOS_0=""
# 2: Ports for Minimize-Cost
TOS_2=""