The Community Forums

APF Firewall - Firebox II - CPanel Will Not Load

Discussion in 'General Discussion' started by dnsinic, May 26, 2005.

  1. dnsinic
    APF Firewall - HTTPS - CPanel Will Not Load

    My current system works fine; I've even imported the settings and version of APF over to the new box with no success. Cpanel works fine as long as APF is not running. APF does not appear to affect anything else but CPanel.

    WHM 9.9.9 cPanel 9.9.9-S15
    Fedora i686 - WHM X v3.1.0
    APF v. 0.9.4

    The new system I am working with is

    WHM 10.1.0 cPanel 10.2.0-R82
    Fedora i686 - WHM X v3.1.0
    Tried both APF v. 0.9.5 & 0.9.4

    Everything works fine and I can sometimes get the password prompt for CPanel but as it starts to load it hangs and nothing happens.

    I have of course modified conf.apf for CPanel:


    DEVM="1"
    FWPATH="/etc/apf"
    IF="eth0"
    TIF=""
    LGATE_MAC=""
    EN_VNET="0"
    MONOKERN="0"
    DEF_TOS="4"
    TCP_STOP="DROP"
    UDP_STOP="DROP"
    DSTOP="DROP"
    ICMP_LIM="14/s"
    RESV_DNS="0"
    RESV_DNS_DROP="1"
    BLK_MCATNET="0"
    BLK_PRVNET="0"
    BLK_RESNET="0"
    SYSCTL_CONNTRACK="34576"
    SYSCTL_TCP="1"
    SYSCTL_SYN="1"
    SYSCTL_ROUTE="0"
    SYSCTL_LOGMARTIANS="0"
    SYSCTL_ECN="0"
    SYSCTL_SYNCOOKIES="1"
    SYSCTL_OVERFLOW="0"
    CDPORTS="135_139,111,513,445,1433,1434,1234,1524,3127"
    IG_TCP_CPORTS="20,21,22,25,26,53,80,110,143,443,465,993,995,2082,2083,2086,2087,2095,2096,3306,6666"
    IG_UDP_CPORTS="21,53,465,873"
    IG_ICMP_TYPES="3,5,11,0,30,8"
    EGF="1"
    EG_TCP_CPORTS="21,25,26,37,43,53,80,113,465,873,2089,3306"
    EG_UDP_CPORTS="20,21,53,465,873"
    EG_ICMP_TYPES="all"
    EG_TCP_UID=""
    EG_UDP_UID=""
    USE_DS="0"
    DS_URL="feeds.dshield.org/block.txt" # block.txt url (no *://)
    DS_URL_PROT="http" # protocol to use for wget
    USE_AD="0"
    USE_RGT="0"
    GA_URL="yourhost.com/glob_allow.rules" # glob_allow.rules url (no *://)
    GA_URL_PROT="http" # protocol for use with wget
    GD_URL="yourhost.com/glob_deny.rules" # glob_deny.rules url (no *://)
    GD_URL_PROT="http" # protocol for use with wget
    IPTLOG="/var/log/apf_log"
    LGATE_LOG="0"
    DROP_LOG="1"
    EXLOG="0"
    LRATE="45"
    CNFINT="$FWPATH/internals/internals.conf"
    . $CNFINT

    Anyone got any ideas what I’m doing wrong?
     
    #1 dnsinic, May 26, 2005
    Last edited: Jun 7, 2005
  2. dnsinic
    I just tried to access phpMyAdmin and it did not work, I think this is https/SSL related.

    Still looking for any help anyone might have to offer.
     
  3. richy
    Can you get access to WHM? If not, I'd guess it's due to the space in the IG_TCP_CPORTS string.
     
  4. dnsinic
    I checked for spaces in conf.apf strings but none exist. It's not CPanel, it's all of https that's giving me the problem. I did a netstat with it working and a netstat where it's not working; here's what I got.

    Opening phpMyAdmin

    Failure To Load
    netstat -p With APF

    tcp 0 0 host.mydomain.com:2087 0-0-0-0.my.ip.address:2742 ESTABLISHED 4646/stunnel-4.04lo
    tcp 0 427 localhost:33501 localhost:2086 ESTABLISHED 4646/stunnel-4.04lo
    tcp 0 0 localhost:2086 localhost:33501 ESTABLISHED 24420/whostmgrd - s
    tcp 0 728 host.mydomain.com:22 0-0-0-0.my.ip.address:2378 ESTABLISHED 13352/1


    Successful Load
    netstat -p Without APF

    Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
    tcp 0 0 host.mydomain.com:2087 0-0-0-0.my.ip.address:2742 TIME_WAIT -
    tcp 0 0 host.mydomain.com:2087 0-0-0-0.my.ip.address:2743 TIME_WAIT -
    tcp 0 0 host.mydomain.com:2087 0-0-0-0.my.ip.address:2746 TIME_WAIT -
    tcp 0 0 host.mydomain.com:2087 0-0-0-0.my.ip.address:2747 TIME_WAIT -
    tcp 0 0 host.mydomain.com:2087 0-0-0-0.my.ip.address:2744 TIME_WAIT -
    tcp 0 0 host.mydomain.com:2087 0-0-0-0.my.ip.address:2745 TIME_WAIT -
    tcp 0 0 host.mydomain.com:2087 0-0-0-0.my.ip.address:2750 TIME_WAIT -
    tcp 0 0 host.mydomain.com:2087 0-0-0-0.my.ip.address:2751 ESTABLISHED 4646/stunnel-4.04lo
    tcp 0 0 host.mydomain.com:2087 0-0-0-0.my.ip.address:2748 TIME_WAIT -
    tcp 0 0 host.mydomain.com:2087 0-0-0-0.my.ip.address:2749 TIME_WAIT -
    tcp 0 0 localhost:33512 localhost:2086 ESTABLISHED 4646/stunnel-4.04lo
    tcp 0 0 localhost:33513 localhost:2086 ESTABLISHED 4646/stunnel-4.04lo
    tcp 0 0 localhost:33510 localhost:2086 ESTABLISHED 4646/stunnel-4.04lo
    tcp 0 0 localhost:33511 localhost:2086 ESTABLISHED 4646/stunnel-4.04lo
    tcp 0 0 localhost:2086 localhost:33502 TIME_WAIT -
    tcp 0 0 localhost:2086 localhost:33503 TIME_WAIT -
    tcp 0 0 localhost:2086 localhost:33512 ESTABLISHED 24484/whostmgrd - s
    tcp 0 0 localhost:2086 localhost:33513 ESTABLISHED 24486/whostmgrd - s
    tcp 0 0 localhost:2086 localhost:33504 TIME_WAIT -
    tcp 0 0 localhost:2086 localhost:33505 TIME_WAIT -
    tcp 0 0 localhost:2086 localhost:33506 TIME_WAIT -
    tcp 0 0 localhost:2086 localhost:33507 TIME_WAIT -
    tcp 0 0 localhost:2086 localhost:33508 TIME_WAIT -
    tcp 0 0 localhost:2086 localhost:33509 TIME_WAIT -
    tcp 0 0 localhost:2086 localhost:33510 ESTABLISHED 24482/whostmgrd - s
    tcp 0 0 localhost:2086 localhost:33511 ESTABLISHED 24483/whostmgrd - s
    tcp 0 0 host.mydomain.com:2087 0-0-0-0.my.ip.address:2754 ESTABLISHED 4646/stunnel-4.04lo
    tcp 0 0 host.mydomain.com:2087 0-0-0-0.my.ip.address:2752 ESTABLISHED 4646/stunnel-4.04lo
    tcp 0 0 host.mydomain.com:2087 0-0-0-0.my.ip.address:2753 ESTABLISHED 4646/stunnel-4.04lo
    tcp 0 4220 host.mydomain.com:22 0-0-0-0.my.ip.address:2378 ESTABLISHED 13352/1

    This now becomes an apf firewall question unrelated to CPanel, but I'm all ears for anyone who might have some advice.

    Thanks.
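As an added example (not from the thread or any of its posters), a small POSIX shell check that pulls the tell-tale symptom out of netstat -p output like the two captures above: ESTABLISHED sockets with bytes sitting in Send-Q, narrowed to loopback connections such as the stunnel to whostmgrd hop. The sample lines are constructed to mirror the captures, not copied from a real host.

```sh
# Constructed samples modelled on the two netstat -p captures in the thread.
WITH_APF='tcp 0 0 host.mydomain.com:2087 0-0-0-0.my.ip.address:2742 ESTABLISHED 4646/stunnel-4.04lo
tcp 0 427 localhost:33501 localhost:2086 ESTABLISHED 4646/stunnel-4.04lo
tcp 0 0 localhost:2086 localhost:33501 ESTABLISHED 24420/whostmgrd - s
tcp 0 728 host.mydomain.com:22 0-0-0-0.my.ip.address:2378 ESTABLISHED 13352/1'

WITHOUT_APF='Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 host.mydomain.com:2087 0-0-0-0.my.ip.address:2751 ESTABLISHED 4646/stunnel-4.04lo
tcp 0 0 localhost:33512 localhost:2086 ESTABLISHED 4646/stunnel-4.04lo
tcp 0 0 localhost:2086 localhost:33512 ESTABLISHED 24484/whostmgrd - s
tcp 0 4220 host.mydomain.com:22 0-0-0-0.my.ip.address:2378 ESTABLISHED 13352/1'

# stuck_sockets TEXT: every ESTABLISHED tcp socket with bytes still queued in
# Send-Q, printed as "SENDQ LOCAL REMOTE PID/PROG". The netstat header line is
# skipped because its first field is "Proto", not "tcp".
stuck_sockets() {
  printf '%s\n' "$1" | awk '$1 == "tcp" && $6 == "ESTABLISHED" && $3 + 0 > 0 {
    print $3, $4, $5, $7
  }'
}

# loopback_stuck TEXT: only sockets with localhost at both ends. Bytes queued on
# a loopback socket mean the peer process never acknowledged data that did not
# touch the network at all, which points at the host's own packet filter. The
# ssh session on port 22 drops out here: its Send-Q is most likely just the
# output of the netstat command itself still in flight to the admin.
loopback_stuck() {
  stuck_sockets "$1" | awk '$2 ~ /^localhost:/ && $3 ~ /^localhost:/'
}

# loopback_stuck_count TEXT: number of such sockets, usable as a quick verdict.
loopback_stuck_count() {
  loopback_stuck "$1" | wc -l | tr -d ' '
}

echo "with APF:    $(loopback_stuck_count "$WITH_APF") stuck loopback socket(s)"
loopback_stuck "$WITH_APF"
echo "without APF: $(loopback_stuck_count "$WITHOUT_APF") stuck loopback socket(s)"
```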
     
  5. dalem
    Unless the forums did this, you have a space between 2082, 2083 in your config file IG_TCP_CPORTS.
     
  6. dnsinic
    There is no space in the actual conf.apf, sorry about that.

    IG_TCP_CPORTS="20,21,22,25,26,53,80,110,143,443,465,993,995,2082,2083,2086,2087,2095,2096,3306,6666"

    I've posted the problem over at http://forums.rfxnetworks.com/viewtopic.php?t=648

    I've also contacted my host provider and asked that they remove the Firebox II for the time being.

    So far no movement anywhere but here, so thanks folks.
     
    #6 dnsinic, May 27, 2005
    Last edited: May 27, 2005
  7. dalem
    Have you tried reinstalling APF?
     
  8. dgbaker
    Also do an apf -st and see what the status is showing.
     
  9. dnsinic
    May 27 00:16:17 fedoracore3 apf(17763): determined (OUT_IF) eth0 has address 209.51.211.90
    May 27 00:16:17 fedoracore3 apf(17763): determined (IN_IF) eth0 has address xxx.xxx.xxx.xxx
    May 27 00:16:17 fedoracore3 apf(17763): development mode enabled!; firewall will flush every 5 minutes.
    May 27 00:16:17 fedoracore3 apf(17728): activating firewall
    May 27 00:16:14 fedoracore3 apf(17700): firewall offline
    May 27 00:16:14 fedoracore3 apf(17700): flushing & zeroing chain policies
    May 27 00:15:39 fedoracore3 apf(17633): firewall offline
    May 27 00:15:39 fedoracore3 apf(17633): flushing & zeroing chain policies
    May 27 00:13:26 fedoracore3 apf(16969): firewall initalized
    May 27 00:13:26 fedoracore3 apf(17004): default (ingress) input drop
    May 27 00:13:26 fedoracore3 apf(17004): default (egress) output accept
    May 27 00:13:26 fedoracore3 apf(17004): loading postroute.rules
    May 27 00:13:26 fedoracore3 apf(17004): opening inbound icmp type 8 on 0/0
    May 27 00:13:26 fedoracore3 apf(17004): opening inbound icmp type 30 on 0/0
    May 27 00:13:26 fedoracore3 apf(17004): opening inbound icmp type 0 on 0/0
    May 27 00:13:26 fedoracore3 apf(17004): opening inbound icmp type 11 on 0/0
    May 27 00:13:26 fedoracore3 apf(17004): opening inbound icmp type 5 on 0/0
    May 27 00:13:26 fedoracore3 apf(17004): opening inbound icmp type 3 on 0/0
    May 27 00:13:26 fedoracore3 apf(17004): opening inbound udp port 5353 on 0/0
    May 27 00:13:26 fedoracore3 apf(17004): opening inbound tcp port 3306 on 0/0
    May 27 00:13:26 fedoracore3 apf(17004): opening inbound tcp port 2096 on 0/0
    May 27 00:13:25 fedoracore3 apf(17004): opening inbound tcp port 2095 on 0/0
    May 27 00:13:25 fedoracore3 apf(17004): opening inbound tcp port 2087 on 0/0
    May 27 00:13:25 fedoracore3 apf(17004): opening inbound tcp port 2086 on 0/0
    May 27 00:13:25 fedoracore3 apf(17004): opening inbound tcp port 2083 on 0/0
    May 27 00:13:25 fedoracore3 apf(17004): opening inbound tcp port 2082 on 0/0
    May 27 00:13:25 fedoracore3 apf(17004): opening inbound tcp port 22 on 0/0
    May 27 00:13:25 fedoracore3 apf(17004): opening inbound tcp port 995 on 0/0
    May 27 00:13:25 fedoracore3 apf(17004): opening inbound tcp port 993 on 0/0
    May 27 00:13:25 fedoracore3 apf(17004): opening inbound tcp port 443 on 0/0
    May 27 00:13:25 fedoracore3 apf(17004): opening inbound tcp port 143 on 0/0
    May 27 00:13:25 fedoracore3 apf(17004): opening inbound tcp port 111 on 0/0
    May 27 00:13:25 fedoracore3 apf(17004): opening inbound tcp port 80 on 0/0
    May 27 00:13:25 fedoracore3 apf(17004): opening inbound tcp port 21 on 0/0
    May 27 00:13:25 fedoracore3 apf(17004): opening inbound tcp port 1 on 0/0
    May 27 00:13:25 fedoracore3 apf(17004): loading main.rules
    May 27 00:13:25 fedoracore3 apf(17004): virtual net subsystem disabled.
    May 27 00:13:25 fedoracore3 apf(17004): loading log.rules
    May 27 00:13:25 fedoracore3 apf(17004): loading ad.rules
    May 27 00:13:25 fedoracore3 apf(17004): loading bt.rules
    May 27 00:13:25 fedoracore3 apf(17004): loading allow_hosts.rules
    May 27 00:13:25 fedoracore3 apf(17004): loading preroute.rules
    May 27 00:13:25 fedoracore3 apf(17004): setting sysctl_syn enabled.
    May 27 00:13:25 fedoracore3 apf(17004): setting sysctl_tcp enabled.
    May 27 00:13:25 fedoracore3 apf(17004): setting sysctl_syncookies enabled.
    May 27 00:13:25 fedoracore3 apf(17004): loading sysctl.rules
     
  10. dnsinic
    DEVM="1"
    FWPATH="/etc/apf"
    IF="eth0"
    TIF=""
    LGATE_MAC=""
    EN_VNET="0"
    MONOKERN="0"
    DEF_TOS="8"
    TCP_STOP="DROP"
    UDP_STOP="DROP"
    DSTOP="DROP"
    ICMP_LIM="14/s"
    RESV_DNS="0"
    RESV_DNS_DROP="1"
    BLK_MCATNET="0"
    BLK_PRVNET="0"
    BLK_RESNET="0"
    SYSCTL_CONNTRACK="34576"
    SYSCTL_TCP="1"
    SYSCTL_SYN="1"
    SYSCTL_ROUTE="0"
    SYSCTL_LOGMARTIANS="0"
    SYSCTL_ECN="0"
    SYSCTL_SYNCOOKIES="1"
    SYSCTL_OVERFLOW="0"
    CDPORTS="135_139,111,513,445,1433,1434,1234,1524,3127"
    IG_TCP_CPORTS="1,20,21,22,25,26,53,80,110,111,143,443,465,993,995,2082,2083,2086,2087,2095,2096,3306,6666"
    IG_UDP_CPORTS="21,53,465,873,5353"
    IG_ICMP_TYPES="3,5,11,0,30,8"
    EGF="1"
    EG_TCP_CPORTS="21,25,26,37,43,53,80,113,443,465,873,2089,3306"
    EG_UDP_CPORTS="20,21,53,465,873"
    EG_ICMP_TYPES="all"
    EG_TCP_UID=""
    EG_UDP_UID=""
    USE_DS="0"
    DS_URL="feeds.dshield.org/block.txt"
    DS_URL_PROT="http"
    USE_AD="1"
    USE_RGT="0"
    GA_URL="yourhost.com/glob_allow.rules"
    GA_URL_PROT="http"
    GD_URL="yourhost.com/glob_deny.rules"
    GD_URL_PROT="http"
    IPTLOG="/var/log/apf_log"
    LGATE_LOG="0"
    DROP_LOG="1"
    EXLOG="0"
    LRATE="45"
    CNFINT="$FWPATH/internals/internals.conf"
    . $CNFINT

    (spaces are attributed to the forum settings and are not in the conf.apf)
     
    #10 dnsinic, May 27, 2005
    Last edited: May 27, 2005
  11. dgbaker
    Reverify the conf.apf file, as the post shows a space in a different spot now: 995 ,2082

    If that line in any way is not 100% correct it will cause issues. Also, as mentioned earlier, try re-installing apf from a new downloaded archive.
     
  12. dnsinic
    The space is being added by the forum as far as I can tell. I'm going to go back and reverify that I do not have a hidden character in there; the space does not show up otherwise.

    I will try a fresh install.

    I am getting hints from my hosting company that this might be Fedora Core 3 related. They want to reformat this system and load core 2. But I'd rather try and figure this out if that's the case. No point in going backwards at least not just yet.
     
    #12 dnsinic, May 27, 2005
    Last edited: May 27, 2005
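Three replies in this thread suspect a stray space or hidden character in IG_TCP_CPORTS, and the poster can only say it does not show up. As an added check (my own, not any poster's), here is a POSIX shell validator for conf.apf port lists: it accepts APF's comma-separated ports and LOW_HIGH ranges (as in CDPORTS="135_139,...") and rejects whitespace, non-digit bytes such as a carriage return, empty entries and out-of-range ports. The conf.apf excerpt written to a temporary file in the demo is constructed.

```sh
# port_ok N: true if N is an integer in 1..65535.
port_ok() {
  case $1 in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# check_cports NAME VALUE: validate one conf.apf list such as
# IG_TCP_CPORTS="20,21,22,...". Items are single ports or LOW_HIGH ranges
# (APF's underscore syntax). An empty list, e.g. CDPORTS="", is valid.
# Prints one line per problem and returns 0 only when the list is clean.
check_cports() {
  name=$1 value=$2 rc=0
  [ -n "$value" ] || return 0
  case $value in
    *[[:space:]]*) echo "$name: whitespace inside the list"; rc=1 ;;
  esac
  # Anything outside digits, commas and underscores is a hidden character
  # (a CR from a Windows editor, a non-breaking space pasted from a browser).
  case $value in
    *[!0-9,_]*) echo "$name: non-port character present (inspect with cat -A)"; rc=1 ;;
  esac
  case ",$value," in
    *,,*) echo "$name: empty entry (doubled, leading or trailing comma)"; rc=1 ;;
  esac
  old_ifs=$IFS; IFS=,
  for item in $value; do
    case $item in
      *_*)
        lo=${item%%_*}; hi=${item#*_}
        if ! port_ok "$lo" || ! port_ok "$hi" || [ "$lo" -ge "$hi" ]; then
          echo "$name: bad range '$item'"; rc=1
        fi ;;
      *) port_ok "$item" || { echo "$name: bad port '$item'"; rc=1; } ;;
    esac
  done
  IFS=$old_ifs
  return $rc
}

# check_conf_file FILE: run check_cports over every *CPORTS="..." line in a
# conf.apf, ignoring trailing comments. Returns non-zero if any list is bad.
check_conf_file() {
  bad=0
  while read -r name value; do
    check_cports "$name" "$value" || bad=1
  done <<EOF
$(sed -n 's/^[[:space:]]*\([A-Z_]*CPORTS\)="\([^"]*\)".*$/\1 \2/p' "$1")
EOF
  return $bad
}

# Demo: the list from the thread, and the copy the forum rendered with a space.
check_cports IG_TCP_CPORTS "20,21,22,25,26,53,80,110,143,443,465,993,995,2082,2083,2086,2087,2095,2096,3306,6666" && echo "IG_TCP_CPORTS: clean"
check_cports IG_TCP_CPORTS "20,21,22,2082, 2083,2086" || echo "IG_TCP_CPORTS: fix before restarting apf"
check_cports CDPORTS "135_139,111,513,445,1433,1434,1234,1524,3127" && echo "CDPORTS: clean"
```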
  13. dnsinic
    A Little Radical But It Proves A Point

    This box is wide open and https is still dead

    conf.apf

    DEVM="1"
    FWPATH="/etc/apf"
    IF="eth0"
    TIF=""
    LGATE_MAC=""
    EN_VNET="0"
    MONOKERN="0"
    DEF_TOS="8"
    TCP_STOP="DROP"
    UDP_STOP="DROP"
    DSTOP="DROP"
    ICMP_LIM="14/s"
    RESV_DNS="0"
    RESV_DNS_DROP="1"
    BLK_MCATNET="0"
    BLK_PRVNET="0"
    BLK_RESNET="0"
    SYSCTL_CONNTRACK="34576"
    SYSCTL_TCP="1"
    SYSCTL_SYN="1"
    SYSCTL_ROUTE="0"
    SYSCTL_LOGMARTIANS="0"
    SYSCTL_ECN="0"
    SYSCTL_SYNCOOKIES="1"
    SYSCTL_OVERFLOW="0"
    CDPORTS=""
    IG_TCP_CPORTS="1_65535"
    IG_UDP_CPORTS="1_65535"
    IG_ICMP_TYPES="3,5,11,0,30,8"
    EGF="1"
    EG_TCP_CPORTS="1_65535"
    EG_UDP_CPORTS="1_65535"
    EG_ICMP_TYPES="all"
    EG_TCP_UID=""
    EG_UDP_UID=""
    USE_DS="0"
    DS_URL="feeds.dshield.org/block.txt" # block.txt url (no *://)
    DS_URL_PROT="http" # protocol to use for wget
    USE_AD="1"
    USE_RGT="0"
    GA_URL="yourhost.com/glob_allow.rules" # glob_allow.rules url (no *://)
    GA_URL_PROT="http" # protocol for use with wget
    GD_URL="yourhost.com/glob_deny.rules" # glob_deny.rules url (no *://)
    GD_URL_PROT="http" # protocol for use with wget
    IPTLOG="/var/log/apf_log"
    LGATE_LOG="0"
    DROP_LOG="1"
    EXLOG="0"
    LRATE="45"
    CNFINT="$FWPATH/internals/internals.conf"
    . $CNFINT

    ./apf -st

    May 27 13:56:00 fedoracore3 apf(12187): determined (OUT_IF) eth0 has address xxx.xxx.xxxx.xxx
    May 27 13:56:00 fedoracore3 apf(12187): determined (IN_IF) eth0 has address xxx.xxx.xxxx.xxx
    May 27 13:56:00 fedoracore3 apf(12187): development mode enabled!; firewall will flush every 5 minutes.
    May 27 13:56:00 fedoracore3 apf(12152): activating firewall
    May 27 13:55:39 fedoracore3 apf(12095): firewall offline
    May 27 13:55:39 fedoracore3 apf(12095): flushing & zeroing chain policies
    May 27 13:53:04 fedoracore3 apf(11563): firewall initalized
    May 27 13:53:03 fedoracore3 apf(11598): default (ingress) input drop
    May 27 13:53:03 fedoracore3 apf(11598): default (egress) output drop
    May 27 13:53:03 fedoracore3 apf(11598): loading postroute.rules
    May 27 13:53:03 fedoracore3 apf(11598): opening outbound icmp all on 0/0
    May 27 13:53:03 fedoracore3 apf(11598): opening inbound icmp type 8 on 0/0
    May 27 13:53:03 fedoracore3 apf(11598): opening inbound icmp type 30 on 0/0
    May 27 13:53:03 fedoracore3 apf(11598): opening inbound icmp type 0 on 0/0
    May 27 13:53:03 fedoracore3 apf(11598): opening inbound icmp type 11 on 0/0
    May 27 13:53:03 fedoracore3 apf(11598): opening inbound icmp type 5 on 0/0
    May 27 13:53:03 fedoracore3 apf(11598): opening inbound icmp type 3 on 0/0
    May 27 13:53:03 fedoracore3 apf(11598): opening outbound udp port 1:65535 on 0/0
    May 27 13:53:03 fedoracore3 apf(11598): opening outbound tcp port 1:65535 on 0/0
    May 27 13:53:03 fedoracore3 apf(11598): opening inbound udp port 1:65535 on 0/0
    May 27 13:53:03 fedoracore3 apf(11598): opening inbound tcp port 1:65535 on 0/0
    May 27 13:53:03 fedoracore3 apf(11598): loading main.rules
    May 27 13:53:03 fedoracore3 apf(11598): virtual net subsystem disabled.
    May 27 13:53:03 fedoracore3 apf(11598): loading log.rules
    May 27 13:53:03 fedoracore3 apf(11598): loading ad.rules
    May 27 13:53:03 fedoracore3 apf(11598): loading bt.rules
    May 27 13:53:03 fedoracore3 apf(11598): loading allow_hosts.rules
    May 27 13:53:03 fedoracore3 apf(11598): loading preroute.rules
    May 27 13:53:03 fedoracore3 apf(11598): setting sysctl_syn enabled.
    May 27 13:53:03 fedoracore3 apf(11598): setting sysctl_tcp enabled.
    May 27 13:53:03 fedoracore3 apf(11598): setting sysctl_syncookies enabled.
    May 27 13:53:03 fedoracore3 apf(11598): loading sysctl.rules

    Fedora Core 3 problem?
     
  14. dnsinic
    It's this line in /etc/apf/bt.rules

    $IPT -t mangle -A PREROUTING -m state --state INVALID -j $DSTOP

    Comment it out and https is now working. I hope this gives someone a big enough clue for a fix.
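As an added example (mine, not a poster's), a shell audit that finds the kind of rule identified in the post above in an APF rules file: any $IPT line matching conntrack state INVALID, reported with its table, chain and target so that a mangle/PREROUTING instance, which is evaluated for every packet arriving on every interface including lo, stands out from a plain filter/INPUT one. The bt.rules excerpt is constructed around the single line quoted in the thread; the other rules in it are illustrative.

```sh
# Constructed excerpt in bt.rules style; only the INVALID PREROUTING line is
# the one quoted in the thread.
BT_RULES='# bt.rules: bogus-traffic rules (constructed sample)
$IPT -t mangle -A PREROUTING -m state --state INVALID -j $DSTOP
$IPT -A INPUT -p tcp --tcp-flags ALL NONE -j $TCP_STOP
$IPT -A INPUT -m state --state INVALID -j LOG --log-prefix "INVALID "
$IPT -A INPUT -m state --state INVALID -j DROP
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'

# invalid_state_rules TEXT: every $IPT/iptables rule matching "--state INVALID",
# printed as "TABLE CHAIN TARGET". The table defaults to filter when -t is absent.
invalid_state_rules() {
  printf '%s\n' "$1" | awk '
    /^[ \t]*(\$IPT|iptables)[ \t]/ && /--state[ \t]+INVALID/ {
      table = "filter"; chain = "?"; target = "?"
      for (i = 1; i <= NF; i++) {
        if ($i == "-t") table = $(i + 1)
        else if ($i == "-A" || $i == "-I") chain = $(i + 1)
        else if ($i == "-j") target = $(i + 1)
      }
      print table, chain, target
    }'
}

# invalid_drops_before_routing TEXT: the subset that drops (DROP/REJECT or the
# APF variables $DSTOP/$TCP_STOP/$UDP_STOP) in PREROUTING, i.e. before the packet
# has been routed to a local socket at all. Prints the hits and returns 1 when
# at least one exists, so it can gate a deployment script.
invalid_drops_before_routing() {
  hits=$(invalid_state_rules "$1" |
         awk '$2 == "PREROUTING" && $3 ~ /^(DROP|REJECT|\$DSTOP|\$TCP_STOP|\$UDP_STOP)$/')
  [ -n "$hits" ] || return 0
  printf '%s\n' "$hits"
  return 1
}

invalid_state_rules "$BT_RULES"
echo "--- INVALID drops before routing:"
invalid_drops_before_routing "$BT_RULES" ||
  echo "found; check its counters with: iptables -t mangle -L PREROUTING -v -n"
```

Running the audit against a live /etc/apf/bt.rules is the same call with the file's contents, e.g. invalid_state_rules "$(cat /etc/apf/bt.rules)".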
     