I am trying to only allow IPs from the US and Canada through the firewall. It appeared that CC_ALLOW_FILTER would do this, but it recommended that LF_IPSET be set to on. This required ipset to be installed. So CC_ALLOW_FILTER is set to US,CA, LF_IPSET is on and ipset is installed, but CSF is not blocking connections from other countries.
I did initially see this error on CSF restart:
Code:
csf: IPSET creating set cc_us
RETURN all opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 match-set cc_us src
csf: IPSET loading set cc_us with 66677 entries
IPSET: [ipset v6.29: Error in line 65537: Hash is full, cannot add more elements]
I increased LF_IPSET_MAXELEM and after restart no errors were shown.
Code:
Flushing chain `INPUT'
Flushing chain `FORWARD'
Flushing chain `OUTPUT'
Flushing chain `ALLOWIN'
Flushing chain `ALLOWOUT'
Flushing chain `CC_ALLOWF'
Flushing chain `DENYIN'
Flushing chain `DENYOUT'
Flushing chain `DSHIELD'
Flushing chain `HONEYPOT'
Flushing chain `INVALID'
Flushing chain `INVDROP'
Flushing chain `LOCALINPUT'
Flushing chain `LOCALOUTPUT'
Flushing chain `LOGDROPIN'
Flushing chain `LOGDROPOUT'
Flushing chain `SMTPOUTPUT'
Flushing chain `SPAMEDROP'
Flushing chain `cphulk'
Deleting chain `ALLOWIN'
Deleting chain `ALLOWOUT'
Deleting chain `CC_ALLOWF'
Deleting chain `DENYIN'
Deleting chain `DENYOUT'
Deleting chain `DSHIELD'
Deleting chain `HONEYPOT'
Deleting chain `INVALID'
Deleting chain `INVDROP'
Deleting chain `LOCALINPUT'
Deleting chain `LOCALOUTPUT'
Deleting chain `LOGDROPIN'
Deleting chain `LOGDROPOUT'
Deleting chain `SMTPOUTPUT'
Deleting chain `SPAMEDROP'
Deleting chain `cphulk'
Flushing chain `PREROUTING'
Flushing chain `POSTROUTING'
Flushing chain `OUTPUT'
Flushing chain `PREROUTING'
Flushing chain `OUTPUT'
Flushing chain `PREROUTING'
Flushing chain `INPUT'
Flushing chain `FORWARD'
Flushing chain `OUTPUT'
Flushing chain `POSTROUTING'
Flushing chain `INPUT'
Flushing chain `FORWARD'
Flushing chain `OUTPUT'
Flushing chain `ALLOWIN'
Flushing chain `ALLOWOUT'
Flushing chain `CC_ALLOWF'
Flushing chain `DENYIN'
Flushing chain `DENYOUT'
Flushing chain `DSHIELD'
Flushing chain `HONEYPOT'
Flushing chain `INVALID'
Flushing chain `INVDROP'
Flushing chain `LOCALINPUT'
Flushing chain `LOCALOUTPUT'
Flushing chain `LOGDROPIN'
Flushing chain `LOGDROPOUT'
Flushing chain `SMTPOUTPUT'
Flushing chain `SPAMEDROP'
Deleting chain `ALLOWIN'
Deleting chain `ALLOWOUT'
Deleting chain `CC_ALLOWF'
Deleting chain `DENYIN'
Deleting chain `DENYOUT'
Deleting chain `DSHIELD'
Deleting chain `HONEYPOT'
Deleting chain `INVALID'
Deleting chain `INVDROP'
Deleting chain `LOCALINPUT'
Deleting chain `LOCALOUTPUT'
Deleting chain `LOGDROPIN'
Deleting chain `LOGDROPOUT'
Deleting chain `SMTPOUTPUT'
Deleting chain `SPAMEDROP'
Flushing chain `PREROUTING'
Flushing chain `OUTPUT'
Flushing chain `PREROUTING'
Flushing chain `INPUT'
Flushing chain `FORWARD'
Flushing chain `OUTPUT'
Flushing chain `POSTROUTING'
csf: FASTSTART loading DROP no logging (IPv4)
csf: FASTSTART loading DROP no logging (IPv6)
LOG tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 limit: avg 30/min burst 5 LOG flags 0 level 4 prefix `Firewall: *TCP_IN Blocked* '
LOG tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp flags:0x17/0x02 limit: avg 30/min burst 5 LOG flags 8 level 4 prefix `Firewall: *TCP_OUT Blocked* '
LOG udp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 limit: avg 30/min burst 5 LOG flags 0 level 4 prefix `Firewall: *UDP_IN Blocked* '
LOG udp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 limit: avg 30/min burst 5 LOG flags 8 level 4 prefix `Firewall: *UDP_OUT Blocked* '
LOG icmp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 limit: avg 30/min burst 5 LOG flags 0 level 4 prefix `Firewall: *ICMP_IN Blocked* '
LOG icmp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 limit: avg 30/min burst 5 LOG flags 8 level 4 prefix `Firewall: *ICMP_OUT Blocked* '
LOG tcp opt in * out * ::/0 -> ::/0 limit: avg 30/min burst 5 LOG flags 0 level 4 prefix `Firewall: *TCP6IN Blocked* '
LOG tcp opt in * out * ::/0 -> ::/0 tcp flags:0x17/0x02 limit: avg 30/min burst 5 LOG flags 8 level 4 prefix `Firewall: *TCP6OUT Blocked* '
LOG udp opt in * out * ::/0 -> ::/0 limit: avg 30/min burst 5 LOG flags 0 level 4 prefix `Firewall: *UDP6IN Blocked* '
LOG udp opt in * out * ::/0 -> ::/0 limit: avg 30/min burst 5 LOG flags 8 level 4 prefix `Firewall: *UDP6OUT Blocked* '
LOG icmpv6 opt in * out * ::/0 -> ::/0 limit: avg 30/min burst 5 LOG flags 0 level 4 prefix `Firewall: *ICMP6IN Blocked* '
LOG icmpv6 opt in * out * ::/0 -> ::/0 limit: avg 30/min burst 5 LOG flags 8 level 4 prefix `Firewall: *ICMP6OUT Blocked* '
DROP all opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0
REJECT all opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 reject-with icmp-port-unreachable
DROP all opt in * out * ::/0 -> ::/0
REJECT all opt in * out * ::/0 -> ::/0 reject-with icmp6-port-unreachable
DENYOUT all opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0
DENYIN all opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0
ALLOWOUT all opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0
ALLOWIN all opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0
DENYOUT all opt in * out !lo ::/0 -> ::/0
DENYIN all opt in !lo out * ::/0 -> ::/0
ALLOWOUT all opt in * out !lo ::/0 -> ::/0
ALLOWIN all opt in !lo out * ::/0 -> ::/0
csf: FASTSTART loading Packet Filter (IPv4)
csf: FASTSTART loading Packet Filter (IPv6)
DROP all opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0
INVALID tcp opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0
INVALID tcp opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0
DROP all opt in * out * ::/0 -> ::/0
INVALID tcp opt in !lo out * ::/0 -> ::/0
INVALID tcp opt in * out !lo ::/0 -> ::/0
csf: IPSET creating set chain_DENY
csf: IPSET creating set chain_6_DENY
csf: FASTSTART loading csf.deny (IPv4)
csf: FASTSTART loading csf.deny (IPv6)
csf: FASTSTART loading csf.deny (IPSET)
DROP all opt -- in !lo out * 185.43.209.168 -> 0.0.0.0/0
REJECT all opt -- in * out !lo 0.0.0.0/0 -> 185.43.209.168 reject-with icmp-port-unreachable
csf: IPSET creating set chain_ALLOW
csf: IPSET creating set chain_6_ALLOW
csf: FASTSTART loading csf.allow (IPv4)
csf: FASTSTART loading csf.allow (IPv6)
csf: FASTSTART loading csf.allow (IPSET)
csf: IPSET creating set bl_SPAMEDROP
DROP all opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 match-set bl_SPAMEDROP src
csf: IPSET creating set bl_6_SPAMEDROP
DROP all opt in * out * ::/0 -> ::/0 match-set bl_6_SPAMEDROP src
csf: IPSET loading set bl_SPAMEDROP with 130 entries
csf: IPSET loading set bl_6_SPAMEDROP with 0 entries
SPAMEDROP all opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0
SPAMEDROP all opt in !lo out * ::/0 -> ::/0
csf: IPSET creating set bl_HONEYPOT
DROP all opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 match-set bl_HONEYPOT src
csf: IPSET creating set bl_6_HONEYPOT
DROP all opt in * out * ::/0 -> ::/0 match-set bl_6_HONEYPOT src
csf: IPSET loading set bl_HONEYPOT with 49 entries
csf: IPSET loading set bl_6_HONEYPOT with 0 entries
HONEYPOT all opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0
HONEYPOT all opt in !lo out * ::/0 -> ::/0
csf: IPSET creating set bl_DSHIELD
DROP all opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 match-set bl_DSHIELD src
csf: IPSET creating set bl_6_DSHIELD
DROP all opt in * out * ::/0 -> ::/0 match-set bl_6_DSHIELD src
csf: IPSET loading set bl_DSHIELD with 20 entries
csf: IPSET loading set bl_6_DSHIELD with 0 entries
DSHIELD all opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0
DSHIELD all opt in !lo out * ::/0 -> ::/0
csf: Generating /etc/exim.smtpauth
csf: IPSET creating set cc_us
RETURN all opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 match-set cc_us src
csf: IPSET loading set cc_us with 66677 entries
csf: IPSET creating set cc_ca
RETURN all opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 match-set cc_ca src
csf: IPSET loading set cc_ca with 16099 entries
CC_ALLOWF all opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0
CC_ALLOWF all opt in !lo out * ::/0 -> ::/0
ACCEPT icmp opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0 icmp type 8 limit: avg 1/sec burst 5
LOGDROPIN icmp opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0 icmp type 8
ACCEPT icmp opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0
ACCEPT icmp opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0
ACCEPT icmpv6 opt in !lo out * ::/0 -> ::/0
ACCEPT icmpv6 opt in * out !lo ::/0 -> ::/0
ACCEPT all opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT all opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT all opt in !lo out * ::/0 -> ::/0 state RELATED,ESTABLISHED
ACCEPT all opt in * out !lo ::/0 -> ::/0 state RELATED,ESTABLISHED
csf: FASTSTART loading TCP_IN (IPv4)
csf: FASTSTART loading TCP6_IN (IPv6)
csf: FASTSTART loading TCP_OUT (IPv4)
csf: FASTSTART loading TCP6_OUT (IPv6)
csf: FASTSTART loading UDP_IN (IPv4)
csf: FASTSTART loading UDP6_IN (IPv6)
csf: FASTSTART loading UDP_OUT (IPv4)
csf: FASTSTART loading UDP6_OUT (IPv6)
ACCEPT all opt -- in lo out * 0.0.0.0/0 -> 0.0.0.0/0
ACCEPT all opt -- in * out lo 0.0.0.0/0 -> 0.0.0.0/0
REJECT all opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0 reject-with icmp-port-unreachable
LOGDROPIN all opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0
ACCEPT all opt in lo out * ::/0 -> ::/0
ACCEPT all opt in * out lo ::/0 -> ::/0
REJECT all opt in * out !lo ::/0 -> ::/0 reject-with icmp6-port-unreachable
LOGDROPIN all opt in !lo out * ::/0 -> ::/0
SMTPOUTPUT all opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0
SMTPOUTPUT all opt in * out * ::/0 -> ::/0
csf: FASTSTART loading SMTP Block (IPv4)
csf: FASTSTART loading SMTP Block (IPv6)
csf: FASTSTART loading DNS (IPv4)
csf: FASTSTART loading DNS (IPv6)
LOCALOUTPUT all opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0
LOCALINPUT all opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0
LOCALOUTPUT all opt in * out !lo ::/0 -> ::/0
LOCALINPUT all opt in !lo out * ::/0 -> ::/0
Can someone help me figure out why connections from other countries are still being allowed?
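The "Hash is full" error quoted above fails on entry 65537, which is exactly one past ipset's default maxelem of 65536 for hash sets, and the cc_us set in the restart output carries 66677 entries. Because maxelem is fixed when a hash set is created and cannot be raised in place, a set that was created before LF_IPSET_MAXELEM was changed keeps the old limit until it is destroyed and recreated. The script below is an added example (it is not from the original post and not part of csf): it reads the text of `ipset list -t`, which prints only the header block of each set, and reports any set that has hit or is close to its maxelem. The two samples embedded in it are constructed to mirror the sets from the post, first at the default limit and then after the sets were recreated with a larger one.

```shell
#!/bin/sh
# Added example (not from the original post or from csf): audit ipset hash sets
# for headroom against their maxelem, the limit behind "Hash is full".
# Input is the text of `ipset list -t`; the samples below are constructed,
# not captured from the poster's server.

ipset_capacity_report() {
    # stdin : output of `ipset list -t` (one header block per set)
    # stdout: one line per set  ->  STATUS NAME ENTRIES/MAXELEM
    # exit  : 1 if any set is FULL (entries >= maxelem), else 0
    awk '
        BEGIN { full = 0 }
        /^Name:/ { name = $2; maxelem = 0 }
        /^Header:/ {
            # hash:* sets carry "maxelem N"; bitmap and list sets do not
            for (i = 1; i <= NF; i++) if ($i == "maxelem") maxelem = $(i + 1)
        }
        /^Number of entries:/ {
            n = $4
            if (maxelem == 0)                status = "nomax"
            else if (n >= maxelem)           status = "FULL"   # further adds fail
            else if (n * 10 >= maxelem * 9)  status = "near"   # 90% or more used
            else                             status = "ok"
            if (status == "FULL") full = 1
            printf "%-5s %s %d/%d\n", status, name, n, maxelem
        }
        END { exit full }
    '
}

# Count FULL lines in a report; always exits 0 so it is safe under `set -e`.
count_full() { grep -c '^FULL' || true; }

# Constructed `ipset list -t` output: cc_us at the default maxelem of 65536,
# the state in which ipset refuses the 65537th entry.
SAMPLE_BEFORE='Name: cc_us
Type: hash:net
Revision: 6
Header: family inet hashsize 65536 maxelem 65536
Size in memory: 2621440
References: 1
Number of entries: 65536

Name: cc_ca
Type: hash:net
Revision: 6
Header: family inet hashsize 16384 maxelem 65536
Size in memory: 655360
References: 1
Number of entries: 16099
'

# Constructed output after the sets were destroyed and recreated with a larger
# maxelem (maxelem cannot be changed on an existing hash set).
SAMPLE_AFTER='Name: cc_us
Type: hash:net
Revision: 6
Header: family inet hashsize 65536 maxelem 131072
Size in memory: 2621440
References: 1
Number of entries: 66677

Name: cc_ca
Type: hash:net
Revision: 6
Header: family inet hashsize 16384 maxelem 131072
Size in memory: 655360
References: 1
Number of entries: 16099
'

# Stand-alone demo. On a live host use:  ipset list -t | ipset_capacity_report
echo "== before raising maxelem =="
printf '%s' "$SAMPLE_BEFORE" | ipset_capacity_report || echo "-> a set is full: raise LF_IPSET_MAXELEM and recreate the sets"
echo "== after =="
printf '%s' "$SAMPLE_AFTER" | ipset_capacity_report || echo "-> a set is full"
```

A set reported as FULL will silently stop taking new members, so any country ranges loaded after that point are simply absent from the match-set even though the RETURN rule for it is in place. Run the check against the live `ipset list -t` after each csf restart; the 90% "near" threshold is an arbitrary early warning chosen for this example.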