CSF, CC_ALLOW_FILTER, and ipset

T

tomdchi

Well-Known Member
Feb 24, 2008
142
4
68
Atlanta, GA
cPanel Access Level
DataCenter Provider
I am trying to only allow IP's from US and Canada through the firewall. It appeared that CC_ALLOW_FILTER would do this but it recommended that LF_IPSET be set to on. This required ipset to be installed. So CC_ALLOW_FILTER is set to US,CA, LF_IPSET is on and ipset is installed but CSF is not blocking connections from other countries.

I did initally see this error on CSF restart:
Code: 
csf: IPSET creating set cc_us
RETURN  all opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0   match-set cc_us src
csf: IPSET loading set cc_us with 66677 entries
IPSET: [ipset v6.29: Error in line 65537: Hash is full, cannot add more elements]
I increased LF_IPSET_MAXELEM and after restart no errors where shown.

Code: 
Flushing chain `INPUT'
Flushing chain `FORWARD'
Flushing chain `OUTPUT'
Flushing chain `ALLOWIN'
Flushing chain `ALLOWOUT'
Flushing chain `CC_ALLOWF'
Flushing chain `DENYIN'
Flushing chain `DENYOUT'
Flushing chain `DSHIELD'
Flushing chain `HONEYPOT'
Flushing chain `INVALID'
Flushing chain `INVDROP'
Flushing chain `LOCALINPUT'
Flushing chain `LOCALOUTPUT'
Flushing chain `LOGDROPIN'
Flushing chain `LOGDROPOUT'
Flushing chain `SMTPOUTPUT'
Flushing chain `SPAMEDROP'
Flushing chain `cphulk'
Deleting chain `ALLOWIN'
Deleting chain `ALLOWOUT'
Deleting chain `CC_ALLOWF'
Deleting chain `DENYIN'
Deleting chain `DENYOUT'
Deleting chain `DSHIELD'
Deleting chain `HONEYPOT'
Deleting chain `INVALID'
Deleting chain `INVDROP'
Deleting chain `LOCALINPUT'
Deleting chain `LOCALOUTPUT'
Deleting chain `LOGDROPIN'
Deleting chain `LOGDROPOUT'
Deleting chain `SMTPOUTPUT'
Deleting chain `SPAMEDROP'
Deleting chain `cphulk'
Flushing chain `PREROUTING'
Flushing chain `POSTROUTING'
Flushing chain `OUTPUT'
Flushing chain `PREROUTING'
Flushing chain `OUTPUT'
Flushing chain `PREROUTING'
Flushing chain `INPUT'
Flushing chain `FORWARD'
Flushing chain `OUTPUT'
Flushing chain `POSTROUTING'
Flushing chain `INPUT'
Flushing chain `FORWARD'
Flushing chain `OUTPUT'
Flushing chain `ALLOWIN'
Flushing chain `ALLOWOUT'
Flushing chain `CC_ALLOWF'
Flushing chain `DENYIN'
Flushing chain `DENYOUT'
Flushing chain `DSHIELD'
Flushing chain `HONEYPOT'
Flushing chain `INVALID'
Flushing chain `INVDROP'
Flushing chain `LOCALINPUT'
Flushing chain `LOCALOUTPUT'
Flushing chain `LOGDROPIN'
Flushing chain `LOGDROPOUT'
Flushing chain `SMTPOUTPUT'
Flushing chain `SPAMEDROP'
Deleting chain `ALLOWIN'
Deleting chain `ALLOWOUT'
Deleting chain `CC_ALLOWF'
Deleting chain `DENYIN'
Deleting chain `DENYOUT'
Deleting chain `DSHIELD'
Deleting chain `HONEYPOT'
Deleting chain `INVALID'
Deleting chain `INVDROP'
Deleting chain `LOCALINPUT'
Deleting chain `LOCALOUTPUT'
Deleting chain `LOGDROPIN'
Deleting chain `LOGDROPOUT'
Deleting chain `SMTPOUTPUT'
Deleting chain `SPAMEDROP'
Flushing chain `PREROUTING'
Flushing chain `OUTPUT'
Flushing chain `PREROUTING'
Flushing chain `INPUT'
Flushing chain `FORWARD'
Flushing chain `OUTPUT'
Flushing chain `POSTROUTING'
csf: FASTSTART loading DROP no logging (IPv4)
csf: FASTSTART loading DROP no logging (IPv6)
LOG  tcp opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0  limit: avg 30/min burst 5 LOG flags 0 level 4 prefix `Firewall: *TCP_IN Blocked* '
LOG  tcp opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0  tcp flags:0x17/0x02 limit: avg 30/min burst 5 LOG flags 8 level 4 prefix `Firewall: *TCP_OUT Blocked* '
LOG  udp opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0  limit: avg 30/min burst 5 LOG flags 0 level 4 prefix `Firewall: *UDP_IN Blocked* '
LOG  udp opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0  limit: avg 30/min burst 5 LOG flags 8 level 4 prefix `Firewall: *UDP_OUT Blocked* '
LOG  icmp opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0  limit: avg 30/min burst 5 LOG flags 0 level 4 prefix `Firewall: *ICMP_IN Blocked* '
LOG  icmp opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0  limit: avg 30/min burst 5 LOG flags 8 level 4 prefix `Firewall: *ICMP_OUT Blocked* '
LOG  tcp opt    in * out *  ::/0  -> ::/0  limit: avg 30/min burst 5 LOG flags 0 level 4 prefix `Firewall: *TCP6IN Blocked* '
LOG  tcp opt    in * out *  ::/0  -> ::/0  tcp flags:0x17/0x02 limit: avg 30/min burst 5 LOG flags 8 level 4 prefix `Firewall: *TCP6OUT Blocked* '
LOG  udp opt    in * out *  ::/0  -> ::/0  limit: avg 30/min burst 5 LOG flags 0 level 4 prefix `Firewall: *UDP6IN Blocked* '
LOG  udp opt    in * out *  ::/0  -> ::/0  limit: avg 30/min burst 5 LOG flags 8 level 4 prefix `Firewall: *UDP6OUT Blocked* '
LOG  icmpv6 opt    in * out *  ::/0  -> ::/0  limit: avg 30/min burst 5 LOG flags 0 level 4 prefix `Firewall: *ICMP6IN Blocked* '
LOG  icmpv6 opt    in * out *  ::/0  -> ::/0  limit: avg 30/min burst 5 LOG flags 8 level 4 prefix `Firewall: *ICMP6OUT Blocked* '
DROP  all opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0
REJECT  all opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0  reject-with icmp-port-unreachable
DROP  all opt    in * out *  ::/0  -> ::/0
REJECT  all opt    in * out *  ::/0  -> ::/0  reject-with icmp6-port-unreachable
DENYOUT  all opt -- in * out !lo  0.0.0.0/0  -> 0.0.0.0/0
DENYIN  all opt -- in !lo out *  0.0.0.0/0  -> 0.0.0.0/0
ALLOWOUT  all opt -- in * out !lo  0.0.0.0/0  -> 0.0.0.0/0
ALLOWIN  all opt -- in !lo out *  0.0.0.0/0  -> 0.0.0.0/0
DENYOUT  all opt    in * out !lo  ::/0  -> ::/0
DENYIN  all opt    in !lo out *  ::/0  -> ::/0
ALLOWOUT  all opt    in * out !lo  ::/0  -> ::/0
ALLOWIN  all opt    in !lo out *  ::/0  -> ::/0
csf: FASTSTART loading Packet Filter (IPv4)
csf: FASTSTART loading Packet Filter (IPv6)
DROP  all opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0
INVALID  tcp opt -- in !lo out *  0.0.0.0/0  -> 0.0.0.0/0
INVALID  tcp opt -- in * out !lo  0.0.0.0/0  -> 0.0.0.0/0
DROP  all opt    in * out *  ::/0  -> ::/0
INVALID  tcp opt    in !lo out *  ::/0  -> ::/0
INVALID  tcp opt    in * out !lo  ::/0  -> ::/0
csf: IPSET creating set chain_DENY
csf: IPSET creating set chain_6_DENY
csf: FASTSTART loading csf.deny (IPv4)
csf: FASTSTART loading csf.deny (IPv6)
csf: FASTSTART loading csf.deny (IPSET)
DROP  all opt -- in !lo out *  185.43.209.168  -> 0.0.0.0/0
REJECT  all opt -- in * out !lo  0.0.0.0/0  -> 185.43.209.168  reject-with icmp-port-unreachable
csf: IPSET creating set chain_ALLOW
csf: IPSET creating set chain_6_ALLOW
csf: FASTSTART loading csf.allow (IPv4)
csf: FASTSTART loading csf.allow (IPv6)
csf: FASTSTART loading csf.allow (IPSET)
csf: IPSET creating set bl_SPAMEDROP
DROP  all opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0  match-set bl_SPAMEDROP src
csf: IPSET creating set bl_6_SPAMEDROP
DROP  all opt    in * out *  ::/0  -> ::/0  match-set bl_6_SPAMEDROP src
csf: IPSET loading set bl_SPAMEDROP with 130 entries
csf: IPSET loading set bl_6_SPAMEDROP with 0 entries
SPAMEDROP  all opt -- in !lo out *  0.0.0.0/0  -> 0.0.0.0/0
SPAMEDROP  all opt    in !lo out *  ::/0  -> ::/0
csf: IPSET creating set bl_HONEYPOT
DROP  all opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0  match-set bl_HONEYPOT src
csf: IPSET creating set bl_6_HONEYPOT
DROP  all opt    in * out *  ::/0  -> ::/0  match-set bl_6_HONEYPOT src
csf: IPSET loading set bl_HONEYPOT with 49 entries
csf: IPSET loading set bl_6_HONEYPOT with 0 entries
HONEYPOT  all opt -- in !lo out *  0.0.0.0/0  -> 0.0.0.0/0
HONEYPOT  all opt    in !lo out *  ::/0  -> ::/0
csf: IPSET creating set bl_DSHIELD
DROP  all opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0  match-set bl_DSHIELD src
csf: IPSET creating set bl_6_DSHIELD
DROP  all opt    in * out *  ::/0  -> ::/0  match-set bl_6_DSHIELD src
csf: IPSET loading set bl_DSHIELD with 20 entries
csf: IPSET loading set bl_6_DSHIELD with 0 entries
DSHIELD  all opt -- in !lo out *  0.0.0.0/0  -> 0.0.0.0/0
DSHIELD  all opt    in !lo out *  ::/0  -> ::/0
csf: Generating /etc/exim.smtpauth
csf: IPSET creating set cc_us
RETURN  all opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0  match-set cc_us src
csf: IPSET loading set cc_us with 66677 entries
csf: IPSET creating set cc_ca
RETURN  all opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0  match-set cc_ca src
csf: IPSET loading set cc_ca with 16099 entries
CC_ALLOWF  all opt -- in !lo out *  0.0.0.0/0  -> 0.0.0.0/0
CC_ALLOWF  all opt    in !lo out *  ::/0  -> ::/0
ACCEPT  icmp opt -- in !lo out *  0.0.0.0/0  -> 0.0.0.0/0  icmp type 8 limit: avg 1/sec burst 5
LOGDROPIN  icmp opt -- in !lo out *  0.0.0.0/0  -> 0.0.0.0/0  icmp type 8
ACCEPT  icmp opt -- in !lo out *  0.0.0.0/0  -> 0.0.0.0/0
ACCEPT  icmp opt -- in * out !lo  0.0.0.0/0  -> 0.0.0.0/0
ACCEPT  icmpv6 opt    in !lo out *  ::/0  -> ::/0
ACCEPT  icmpv6 opt    in * out !lo  ::/0  -> ::/0
ACCEPT  all opt -- in !lo out *  0.0.0.0/0  -> 0.0.0.0/0  state RELATED,ESTABLISHED
ACCEPT  all opt -- in * out !lo  0.0.0.0/0  -> 0.0.0.0/0  state RELATED,ESTABLISHED
ACCEPT  all opt    in !lo out *  ::/0  -> ::/0  state RELATED,ESTABLISHED
ACCEPT  all opt    in * out !lo  ::/0  -> ::/0  state RELATED,ESTABLISHED
csf: FASTSTART loading TCP_IN (IPv4)
csf: FASTSTART loading TCP6_IN (IPv6)
csf: FASTSTART loading TCP_OUT (IPv4)
csf: FASTSTART loading TCP6_OUT (IPv6)
csf: FASTSTART loading UDP_IN (IPv4)
csf: FASTSTART loading UDP6_IN (IPv6)
csf: FASTSTART loading UDP_OUT (IPv4)
csf: FASTSTART loading UDP6_OUT (IPv6)
ACCEPT  all opt -- in lo out *  0.0.0.0/0  -> 0.0.0.0/0
ACCEPT  all opt -- in * out lo  0.0.0.0/0  -> 0.0.0.0/0
REJECT  all opt -- in * out !lo  0.0.0.0/0  -> 0.0.0.0/0  reject-with icmp-port-unreachable
LOGDROPIN  all opt -- in !lo out *  0.0.0.0/0  -> 0.0.0.0/0
ACCEPT  all opt    in lo out *  ::/0  -> ::/0
ACCEPT  all opt    in * out lo  ::/0  -> ::/0
REJECT  all opt    in * out !lo  ::/0  -> ::/0  reject-with icmp6-port-unreachable
LOGDROPIN  all opt    in !lo out *  ::/0  -> ::/0
SMTPOUTPUT  all opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0
SMTPOUTPUT  all opt    in * out *  ::/0  -> ::/0
csf: FASTSTART loading SMTP Block (IPv4)
csf: FASTSTART loading SMTP Block (IPv6)
csf: FASTSTART loading DNS (IPv4)
csf: FASTSTART loading DNS (IPv6)
LOCALOUTPUT  all opt -- in * out !lo  0.0.0.0/0  -> 0.0.0.0/0
LOCALINPUT  all opt -- in !lo out *  0.0.0.0/0  -> 0.0.0.0/0
LOCALOUTPUT  all opt    in * out !lo  ::/0  -> ::/0
LOCALINPUT  all opt    in !lo out *  ::/0  -> ::/0

Can someone help me figure out why connections from other countries are still being allowed?
 
cPanelLauren

cPanelLauren

Product Owner II
Staff member
Nov 14, 2017
13,274
1,291
313
Houston
You must log in or register to reply here.
Thread starter Similar threads Forum Replies Date
M Very high CPU loads from brute force attempts - CSF/LFD Security 14
S CSF TCP Ports Security 3
leonep csf does not BAN ip for all rules. some rules just blocked on modsec, other rules ban IP Security 7
D CSF keeps blocking IP addresses of customers. Security 8
G CSF's CC_ALLOW_FILTER blocking cURL Security 1
Similar threads
Very high CPU loads from brute force attempts - CSF/LFD
CSF TCP Ports
csf does not BAN ip for all rules. some rules just blocked on modsec, other rules ban IP
CSF keeps blocking IP addresses of customers.
CSF's CC_ALLOW_FILTER blocking cURL
Top Bottom