CSF, CC_ALLOW_FILTER, and ipset

tomdchi

Well-Known Member
Feb 24, 2008
Atlanta, GA
cPanel Access Level
DataCenter Provider
I am trying to only allow IPs from the US and Canada through the firewall. It appeared that CC_ALLOW_FILTER would do this, but it recommended that LF_IPSET be set to on. This required ipset to be installed. So CC_ALLOW_FILTER is set to US,CA, LF_IPSET is on and ipset is installed, but CSF is not blocking connections from other countries.

I did initially see this error on CSF restart:
Code:
csf: IPSET creating set cc_us
RETURN  all opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0   match-set cc_us src
csf: IPSET loading set cc_us with 66677 entries
IPSET: [ipset v6.29: Error in line 65537: Hash is full, cannot add more elements]
I increased LF_IPSET_MAXELEM and after restart no errors were shown.

Code:
Flushing chain `INPUT'
Flushing chain `FORWARD'
Flushing chain `OUTPUT'
Flushing chain `ALLOWIN'
Flushing chain `ALLOWOUT'
Flushing chain `CC_ALLOWF'
Flushing chain `DENYIN'
Flushing chain `DENYOUT'
Flushing chain `DSHIELD'
Flushing chain `HONEYPOT'
Flushing chain `INVALID'
Flushing chain `INVDROP'
Flushing chain `LOCALINPUT'
Flushing chain `LOCALOUTPUT'
Flushing chain `LOGDROPIN'
Flushing chain `LOGDROPOUT'
Flushing chain `SMTPOUTPUT'
Flushing chain `SPAMEDROP'
Flushing chain `cphulk'
Deleting chain `ALLOWIN'
Deleting chain `ALLOWOUT'
Deleting chain `CC_ALLOWF'
Deleting chain `DENYIN'
Deleting chain `DENYOUT'
Deleting chain `DSHIELD'
Deleting chain `HONEYPOT'
Deleting chain `INVALID'
Deleting chain `INVDROP'
Deleting chain `LOCALINPUT'
Deleting chain `LOCALOUTPUT'
Deleting chain `LOGDROPIN'
Deleting chain `LOGDROPOUT'
Deleting chain `SMTPOUTPUT'
Deleting chain `SPAMEDROP'
Deleting chain `cphulk'
Flushing chain `PREROUTING'
Flushing chain `POSTROUTING'
Flushing chain `OUTPUT'
Flushing chain `PREROUTING'
Flushing chain `OUTPUT'
Flushing chain `PREROUTING'
Flushing chain `INPUT'
Flushing chain `FORWARD'
Flushing chain `OUTPUT'
Flushing chain `POSTROUTING'
Flushing chain `INPUT'
Flushing chain `FORWARD'
Flushing chain `OUTPUT'
Flushing chain `ALLOWIN'
Flushing chain `ALLOWOUT'
Flushing chain `CC_ALLOWF'
Flushing chain `DENYIN'
Flushing chain `DENYOUT'
Flushing chain `DSHIELD'
Flushing chain `HONEYPOT'
Flushing chain `INVALID'
Flushing chain `INVDROP'
Flushing chain `LOCALINPUT'
Flushing chain `LOCALOUTPUT'
Flushing chain `LOGDROPIN'
Flushing chain `LOGDROPOUT'
Flushing chain `SMTPOUTPUT'
Flushing chain `SPAMEDROP'
Deleting chain `ALLOWIN'
Deleting chain `ALLOWOUT'
Deleting chain `CC_ALLOWF'
Deleting chain `DENYIN'
Deleting chain `DENYOUT'
Deleting chain `DSHIELD'
Deleting chain `HONEYPOT'
Deleting chain `INVALID'
Deleting chain `INVDROP'
Deleting chain `LOCALINPUT'
Deleting chain `LOCALOUTPUT'
Deleting chain `LOGDROPIN'
Deleting chain `LOGDROPOUT'
Deleting chain `SMTPOUTPUT'
Deleting chain `SPAMEDROP'
Flushing chain `PREROUTING'
Flushing chain `OUTPUT'
Flushing chain `PREROUTING'
Flushing chain `INPUT'
Flushing chain `FORWARD'
Flushing chain `OUTPUT'
Flushing chain `POSTROUTING'
csf: FASTSTART loading DROP no logging (IPv4)
csf: FASTSTART loading DROP no logging (IPv6)
LOG  tcp opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0  limit: avg 30/min burst 5 LOG flags 0 level 4 prefix `Firewall: *TCP_IN Blocked* '
LOG  tcp opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0  tcp flags:0x17/0x02 limit: avg 30/min burst 5 LOG flags 8 level 4 prefix `Firewall: *TCP_OUT Blocked* '
LOG  udp opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0  limit: avg 30/min burst 5 LOG flags 0 level 4 prefix `Firewall: *UDP_IN Blocked* '
LOG  udp opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0  limit: avg 30/min burst 5 LOG flags 8 level 4 prefix `Firewall: *UDP_OUT Blocked* '
LOG  icmp opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0  limit: avg 30/min burst 5 LOG flags 0 level 4 prefix `Firewall: *ICMP_IN Blocked* '
LOG  icmp opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0  limit: avg 30/min burst 5 LOG flags 8 level 4 prefix `Firewall: *ICMP_OUT Blocked* '
LOG  tcp opt    in * out *  ::/0  -> ::/0  limit: avg 30/min burst 5 LOG flags 0 level 4 prefix `Firewall: *TCP6IN Blocked* '
LOG  tcp opt    in * out *  ::/0  -> ::/0  tcp flags:0x17/0x02 limit: avg 30/min burst 5 LOG flags 8 level 4 prefix `Firewall: *TCP6OUT Blocked* '
LOG  udp opt    in * out *  ::/0  -> ::/0  limit: avg 30/min burst 5 LOG flags 0 level 4 prefix `Firewall: *UDP6IN Blocked* '
LOG  udp opt    in * out *  ::/0  -> ::/0  limit: avg 30/min burst 5 LOG flags 8 level 4 prefix `Firewall: *UDP6OUT Blocked* '
LOG  icmpv6 opt    in * out *  ::/0  -> ::/0  limit: avg 30/min burst 5 LOG flags 0 level 4 prefix `Firewall: *ICMP6IN Blocked* '
LOG  icmpv6 opt    in * out *  ::/0  -> ::/0  limit: avg 30/min burst 5 LOG flags 8 level 4 prefix `Firewall: *ICMP6OUT Blocked* '
DROP  all opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0
REJECT  all opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0  reject-with icmp-port-unreachable
DROP  all opt    in * out *  ::/0  -> ::/0
REJECT  all opt    in * out *  ::/0  -> ::/0  reject-with icmp6-port-unreachable
DENYOUT  all opt -- in * out !lo  0.0.0.0/0  -> 0.0.0.0/0
DENYIN  all opt -- in !lo out *  0.0.0.0/0  -> 0.0.0.0/0
ALLOWOUT  all opt -- in * out !lo  0.0.0.0/0  -> 0.0.0.0/0
ALLOWIN  all opt -- in !lo out *  0.0.0.0/0  -> 0.0.0.0/0
DENYOUT  all opt    in * out !lo  ::/0  -> ::/0
DENYIN  all opt    in !lo out *  ::/0  -> ::/0
ALLOWOUT  all opt    in * out !lo  ::/0  -> ::/0
ALLOWIN  all opt    in !lo out *  ::/0  -> ::/0
csf: FASTSTART loading Packet Filter (IPv4)
csf: FASTSTART loading Packet Filter (IPv6)
DROP  all opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0
INVALID  tcp opt -- in !lo out *  0.0.0.0/0  -> 0.0.0.0/0
INVALID  tcp opt -- in * out !lo  0.0.0.0/0  -> 0.0.0.0/0
DROP  all opt    in * out *  ::/0  -> ::/0
INVALID  tcp opt    in !lo out *  ::/0  -> ::/0
INVALID  tcp opt    in * out !lo  ::/0  -> ::/0
csf: IPSET creating set chain_DENY
csf: IPSET creating set chain_6_DENY
csf: FASTSTART loading csf.deny (IPv4)
csf: FASTSTART loading csf.deny (IPv6)
csf: FASTSTART loading csf.deny (IPSET)
DROP  all opt -- in !lo out *  185.43.209.168  -> 0.0.0.0/0
REJECT  all opt -- in * out !lo  0.0.0.0/0  -> 185.43.209.168  reject-with icmp-port-unreachable
csf: IPSET creating set chain_ALLOW
csf: IPSET creating set chain_6_ALLOW
csf: FASTSTART loading csf.allow (IPv4)
csf: FASTSTART loading csf.allow (IPv6)
csf: FASTSTART loading csf.allow (IPSET)
csf: IPSET creating set bl_SPAMEDROP
DROP  all opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0  match-set bl_SPAMEDROP src
csf: IPSET creating set bl_6_SPAMEDROP
DROP  all opt    in * out *  ::/0  -> ::/0  match-set bl_6_SPAMEDROP src
csf: IPSET loading set bl_SPAMEDROP with 130 entries
csf: IPSET loading set bl_6_SPAMEDROP with 0 entries
SPAMEDROP  all opt -- in !lo out *  0.0.0.0/0  -> 0.0.0.0/0
SPAMEDROP  all opt    in !lo out *  ::/0  -> ::/0
csf: IPSET creating set bl_HONEYPOT
DROP  all opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0  match-set bl_HONEYPOT src
csf: IPSET creating set bl_6_HONEYPOT
DROP  all opt    in * out *  ::/0  -> ::/0  match-set bl_6_HONEYPOT src
csf: IPSET loading set bl_HONEYPOT with 49 entries
csf: IPSET loading set bl_6_HONEYPOT with 0 entries
HONEYPOT  all opt -- in !lo out *  0.0.0.0/0  -> 0.0.0.0/0
HONEYPOT  all opt    in !lo out *  ::/0  -> ::/0
csf: IPSET creating set bl_DSHIELD
DROP  all opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0  match-set bl_DSHIELD src
csf: IPSET creating set bl_6_DSHIELD
DROP  all opt    in * out *  ::/0  -> ::/0  match-set bl_6_DSHIELD src
csf: IPSET loading set bl_DSHIELD with 20 entries
csf: IPSET loading set bl_6_DSHIELD with 0 entries
DSHIELD  all opt -- in !lo out *  0.0.0.0/0  -> 0.0.0.0/0
DSHIELD  all opt    in !lo out *  ::/0  -> ::/0
csf: Generating /etc/exim.smtpauth
csf: IPSET creating set cc_us
RETURN  all opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0  match-set cc_us src
csf: IPSET loading set cc_us with 66677 entries
csf: IPSET creating set cc_ca
RETURN  all opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0  match-set cc_ca src
csf: IPSET loading set cc_ca with 16099 entries
CC_ALLOWF  all opt -- in !lo out *  0.0.0.0/0  -> 0.0.0.0/0
CC_ALLOWF  all opt    in !lo out *  ::/0  -> ::/0
ACCEPT  icmp opt -- in !lo out *  0.0.0.0/0  -> 0.0.0.0/0  icmp type 8 limit: avg 1/sec burst 5
LOGDROPIN  icmp opt -- in !lo out *  0.0.0.0/0  -> 0.0.0.0/0  icmp type 8
ACCEPT  icmp opt -- in !lo out *  0.0.0.0/0  -> 0.0.0.0/0
ACCEPT  icmp opt -- in * out !lo  0.0.0.0/0  -> 0.0.0.0/0
ACCEPT  icmpv6 opt    in !lo out *  ::/0  -> ::/0
ACCEPT  icmpv6 opt    in * out !lo  ::/0  -> ::/0
ACCEPT  all opt -- in !lo out *  0.0.0.0/0  -> 0.0.0.0/0  state RELATED,ESTABLISHED
ACCEPT  all opt -- in * out !lo  0.0.0.0/0  -> 0.0.0.0/0  state RELATED,ESTABLISHED
ACCEPT  all opt    in !lo out *  ::/0  -> ::/0  state RELATED,ESTABLISHED
ACCEPT  all opt    in * out !lo  ::/0  -> ::/0  state RELATED,ESTABLISHED
csf: FASTSTART loading TCP_IN (IPv4)
csf: FASTSTART loading TCP6_IN (IPv6)
csf: FASTSTART loading TCP_OUT (IPv4)
csf: FASTSTART loading TCP6_OUT (IPv6)
csf: FASTSTART loading UDP_IN (IPv4)
csf: FASTSTART loading UDP6_IN (IPv6)
csf: FASTSTART loading UDP_OUT (IPv4)
csf: FASTSTART loading UDP6_OUT (IPv6)
ACCEPT  all opt -- in lo out *  0.0.0.0/0  -> 0.0.0.0/0
ACCEPT  all opt -- in * out lo  0.0.0.0/0  -> 0.0.0.0/0
REJECT  all opt -- in * out !lo  0.0.0.0/0  -> 0.0.0.0/0  reject-with icmp-port-unreachable
LOGDROPIN  all opt -- in !lo out *  0.0.0.0/0  -> 0.0.0.0/0
ACCEPT  all opt    in lo out *  ::/0  -> ::/0
ACCEPT  all opt    in * out lo  ::/0  -> ::/0
REJECT  all opt    in * out !lo  ::/0  -> ::/0  reject-with icmp6-port-unreachable
LOGDROPIN  all opt    in !lo out *  ::/0  -> ::/0
SMTPOUTPUT  all opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0
SMTPOUTPUT  all opt    in * out *  ::/0  -> ::/0
csf: FASTSTART loading SMTP Block (IPv4)
csf: FASTSTART loading SMTP Block (IPv6)
csf: FASTSTART loading DNS (IPv4)
csf: FASTSTART loading DNS (IPv6)
LOCALOUTPUT  all opt -- in * out !lo  0.0.0.0/0  -> 0.0.0.0/0
LOCALINPUT  all opt -- in !lo out *  0.0.0.0/0  -> 0.0.0.0/0
LOCALOUTPUT  all opt    in * out !lo  ::/0  -> ::/0
LOCALINPUT  all opt    in !lo out *  ::/0  -> ::/0

Can someone help me figure out why connections from other countries are still being allowed?
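The "Hash is full" error in the first restart log is the detail worth checking mechanically: a country set that is larger than the ipset maxelem is loaded only partially, and the only evidence is one line buried in a long `csf -r` listing. The following script is an added example (not part of the post or of CSF itself) that parses the `csf: IPSET creating set` / `loading set ... with N entries` lines and the `Hash is full` error from verbose CSF output and reports which sets exceed the configured LF_IPSET_MAXELEM. The log sample is constructed from the lines quoted above; the default of 65536 is ipset's own default maxelem, which is consistent with the failure at line 65537.

```python
import re

# Constructed sample of verbose `csf -r` output, modelled on the lines in the post above.
SAMPLE_OUTPUT = """\
csf: IPSET creating set bl_SPAMEDROP
csf: IPSET loading set bl_SPAMEDROP with 130 entries
csf: IPSET creating set cc_us
RETURN  all opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0   match-set cc_us src
csf: IPSET loading set cc_us with 66677 entries
IPSET: [ipset v6.29: Error in line 65537: Hash is full, cannot add more elements]
csf: IPSET creating set cc_ca
RETURN  all opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0   match-set cc_ca src
csf: IPSET loading set cc_ca with 16099 entries
"""

CREATE_RE = re.compile(r"^csf: IPSET creating set (\S+)$")
LOAD_RE = re.compile(r"^csf: IPSET loading set (\S+) with (\d+) entries$")
HASHFULL_RE = re.compile(r"Error in line (\d+): Hash is full")

# ipset's default maxelem for hash sets; CSF overrides it with LF_IPSET_MAXELEM.
IPSET_DEFAULT_MAXELEM = 65536


def parse_ipset_log(text):
    """Return (sets, errors).

    sets   maps set name -> entry count reported by CSF (None if no loading line was seen)
    errors lists (set_name, failing_line) for every "Hash is full" failure; the error
           is attributed to the set whose loading line most recently preceded it.
    """
    sets = {}
    errors = []
    last_loaded = None
    for line in text.splitlines():
        m = CREATE_RE.match(line)
        if m:
            sets.setdefault(m.group(1), None)
            continue
        m = LOAD_RE.match(line)
        if m:
            sets[m.group(1)] = int(m.group(2))
            last_loaded = m.group(1)
            continue
        m = HASHFULL_RE.search(line)
        if m:
            errors.append((last_loaded, int(m.group(1))))
    return sets, errors


def required_maxelem(sets, headroom=1.25):
    """Smallest power of two holding the largest set plus headroom, so the
    setting does not need retuning every time a country list grows a little."""
    largest = max((n for n in sets.values() if n is not None), default=0)
    need = int(largest * headroom)
    size = 1
    while size < need:
        size *= 2
    return size


def audit(text, configured_maxelem=IPSET_DEFAULT_MAXELEM):
    """Findings a sysadmin would want after a restart: oversized sets and partial loads."""
    sets, errors = parse_ipset_log(text)
    findings = []
    for name, count in sets.items():
        if count is not None and count > configured_maxelem:
            findings.append(
                f"{name}: {count} entries exceed maxelem {configured_maxelem}; "
                f"set LF_IPSET_MAXELEM to at least {required_maxelem(sets)}"
            )
    for name, line in errors:
        findings.append(f"{name}: ipset hash full at entry {line}; the set is only partially loaded")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_OUTPUT):
        print(finding)
```

Run it against real output with `csf -r 2>&1 | python3 thisscript.py`-style piping by replacing `SAMPLE_OUTPUT` with `sys.stdin.read()`. A partially loaded cc_us set explains missing US addresses, not foreign ones getting through, so a clean audit here means the remaining question is what the CC_ALLOWF chain does with packets that match none of its RETURN rules, which `iptables -L CC_ALLOWF -n -v` shows directly.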
 

cPanelLauren

Product Owner
Staff member
Nov 14, 2017
Houston