Firewall Issues.... STUMPED

I was setting up a firewall from http://www.securecentos.com/basic-security/install-firewall/

I went through the setup step by step, but web connections on port 80 are being blocked. If I stop the firewall, Apache seems to work. When it is started, it stops working again.

From my logs…

Feb  2 18:41:27 dev kernel: ** IN_TCP DROP ** IN=eth0 OUT= MAC=fe:fd:ad:ff:e4:a8:88:43:e1:7c:75:3f:08:00 SRC=184.57.51.14 DST=173.255.228.168 LEN=56 TOS=0x00 PREC=0x00 TTL=113 ID=26865 DF PROTO=TCP SPT=63533 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0

I did notice some funky stuff going on when I start the firewall, which I'm thinking must be the issue.

[root@dev ~]# /usr/local/sbin/apf --start
: command not foundline 539:
apf(9881): {glob} activating firewall
: command not foundline 539:
: command not foundline 539:
apf(9923): {glob} determined (IFACE_IN) eth0 has address 173.255.228.168
apf(9923): {glob} determined (IFACE_OUT) eth0 has address 173.255.228.168
apf(9923): {glob} loading preroute.rules
iptables: Unknown error 4294967295
iptables: Unknown error 4294967295
iptables: Unknown error 4294967295
iptables: Unknown error 4294967295
iptables: Unknown error 4294967295
iptables: Unknown error 4294967295
iptables: Unknown error 4294967295
apf(9923): {resnet} downloading http://rfxn.com/downloads/reserved.networks
apf(9923): {resnet} parsing reserved.networks into /etc/apf/internals/reserved.networks
apf(9923): {glob} loading reserved.networks
apf(9923): {glob} loading bt.rules
apf(9923): {php} downloading http://rfxn.com/downloads/php_list
apf(9923): {php} parsing php_list into /etc/apf/php_hosts.rules
apf(9923): {php} loading php_hosts.rules
apf(9923): {dshield} downloading http://feeds.dshield.org/top10-2.txt
apf(9923): {dshield} parsing top10-2.txt into /etc/apf/ds_hosts.rules
apf(9923): {dshield} loading ds_hosts.rules
apf(9923): {sdrop} downloading http://www.spamhaus.org/drop/drop.lasso
apf(9923): {sdrop} parsing drop.lasso into /etc/apf/sdrop_hosts.rules
apf(9923): {sdrop} loading sdrop_hosts.rules
apf(9923): {glob} loading common drop ports
apf(9923): {blk_ports} deny all to/from tcp port 135:139
apf(9923): {blk_ports} deny all to/from udp port 135:139
apf(9923): {blk_ports} deny all to/from tcp port 111
apf(9923): {blk_ports} deny all to/from udp port 111
apf(9923): {blk_ports} deny all to/from tcp port 513
apf(9923): {blk_ports} deny all to/from udp port 513
apf(9923): {blk_ports} deny all to/from tcp port 520
apf(9923): {blk_ports} deny all to/from udp port 520
apf(9923): {blk_ports} deny all to/from tcp port 445
apf(9923): {blk_ports} deny all to/from udp port 445
apf(9923): {blk_ports} deny all to/from tcp port 1433
apf(9923): {blk_ports} deny all to/from udp port 1433
apf(9923): {blk_ports} deny all to/from tcp port 1434
apf(9923): {blk_ports} deny all to/from udp port 1434
apf(9923): {blk_ports} deny all to/from tcp port 1234
apf(9923): {blk_ports} deny all to/from udp port 1234
apf(9923): {blk_ports} deny all to/from tcp port 1524
apf(9923): {blk_ports} deny all to/from udp port 1524
apf(9923): {blk_ports} deny all to/from tcp port 3127
apf(9923): {blk_ports} deny all to/from udp port 3127
apf(9923): {pkt_sanity} set active PKT_SANITY
apf(9923): {pkt_sanity} deny inbound tcp-flag pairs ALL NONE
apf(9923): {pkt_sanity} deny inbound tcp-flag pairs SYN,FIN SYN,FIN
apf(9923): {pkt_sanity} deny inbound tcp-flag pairs SYN,RST SYN,RST
apf(9923): {pkt_sanity} deny inbound tcp-flag pairs FIN,RST FIN,RST
apf(9923): {pkt_sanity} deny inbound tcp-flag pairs ACK,FIN FIN
apf(9923): {pkt_sanity} deny inbound tcp-flag pairs ACK,URG URG
apf(9923): {pkt_sanity} deny inbound tcp-flag pairs ACK,PSH PSH
apf(9923): {pkt_sanity} deny inbound tcp-flag pairs ALL FIN,URG,PSH
apf(9923): {pkt_sanity} deny inbound tcp-flag pairs ALL SYN,RST,ACK,FIN,URG
apf(9923): {pkt_sanity} deny inbound tcp-flag pairs ALL ALL
apf(9923): {pkt_sanity} deny inbound tcp-flag pairs ALL FIN
apf(9923): {pkt_sanity} deny outbound tcp-flag pairs ALL NONE
apf(9923): {pkt_sanity} deny outbound tcp-flag pairs SYN,FIN SYN,FIN
apf(9923): {pkt_sanity} deny outbound tcp-flag pairs SYN,RST SYN,RST
apf(9923): {pkt_sanity} deny outbound tcp-flag pairs FIN,RST FIN,RST
apf(9923): {pkt_sanity} deny outbound tcp-flag pairs ACK,FIN FIN
apf(9923): {pkt_sanity} deny outbound tcp-flag pairs ACK,PSH PSH
apf(9923): {pkt_sanity} deny outbound tcp-flag pairs ACK,URG URG
apf(9923): {pkt_sanity} deny all fragmented udp
apf(9923): {pkt_sanity} deny inbound tcp port 0
apf(9923): {pkt_sanity} deny outbound tcp port 0
apf(9923): {blk_p2p} set active BLK_P2P
apf(9923): {blk_p2p} deny all to/from tcp port 1214
apf(9923): {blk_p2p} deny all to/from udp port 1214
apf(9923): {blk_p2p} deny all to/from tcp port 2323
apf(9923): {blk_p2p} deny all to/from udp port 2323
apf(9923): {blk_p2p} deny all to/from tcp port 4660:4678
apf(9923): {blk_p2p} deny all to/from udp port 4660:4678
apf(9923): {blk_p2p} deny all to/from tcp port 6257
apf(9923): {blk_p2p} deny all to/from udp port 6257
apf(9923): {blk_p2p} deny all to/from tcp port 6699
apf(9923): {blk_p2p} deny all to/from udp port 6699
apf(9923): {blk_p2p} deny all to/from tcp port 6346
apf(9923): {blk_p2p} deny all to/from udp port 6346
apf(9923): {blk_p2p} deny all to/from tcp port 6347
apf(9923): {blk_p2p} deny all to/from udp port 6347
apf(9923): {blk_p2p} deny all to/from tcp port 6881:6889
apf(9923): {blk_p2p} deny all to/from udp port 6881:6889
apf(9923): {blk_p2p} deny all to/from tcp port 6346
apf(9923): {blk_p2p} deny all to/from udp port 6346
apf(9923): {blk_p2p} deny all to/from tcp port 7778
apf(9923): {blk_p2p} deny all to/from udp port 7778
apf(9923): {glob} SET_REFRESH is set to 10 minutes
apf(9923): {glob} loading log.rules
apf(9923): {glob} virtual net subsystem disabled.
: command not foundline 539:
apf(9923): {glob} loading main.rules
apf(9923): {glob} opening inbound tcp port 222 on 0/0
apf(9923): {glob} opening inbound icmp type 3 on 0/0
apf(9923): {glob} opening inbound icmp type 5 on 0/0
apf(9923): {glob} opening inbound icmp type 11 on 0/0
apf(9923): {glob} opening inbound icmp type 0 on 0/0
apf(9923): {glob} opening inbound icmp type 30 on 0/0
apf(9923): {glob} opening inbound icmp type 8 on 0/0
apf(9923): {glob} resolv dns discovery for 207.192.69.5
apf(9923): {glob} resolv dns discovery for 97.107.133.4
apf(9923): {glob} resolv dns discovery for 207.192.69.4
apf(9923): {glob} loading postroute.rules
iptables: Unknown error 4294967295
iptables: Unknown error 4294967295
iptables: Unknown error 4294967295
iptables: Unknown error 4294967295
iptables: Unknown error 4294967295
iptables: Unknown error 4294967295
iptables: Unknown error 4294967295
apf(9923): {glob} default (egress) output accept
apf(9923): {glob} default (ingress) input drop
apf(9881): {glob} firewall initalized
apf(9881): {glob} fast load snapshot saved
[root@dev ~]#

I have googled the "Unknown error 4294967295" but really haven't gotten too far, but the ": command not foundline 539:" can't be good either.

Any ideas???
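The kernel line in the post is an iptables LOG entry (apf's "** IN_TCP DROP **" prefix) showing a SYN to DPT=80 being dropped. Before guessing which rule is responsible, it helps to summarise every logged drop by protocol and destination port, so a "service stops when the firewall starts" report can be checked against what the firewall actually refused. The script below is an added example, not part of the original post or of apf; the log lines it feeds in are constructed for the example (only the first one is the line quoted in the post, and the 198.51.100.7 source is a documentation address).

```shell
#!/bin/sh
# Added example (not from the post or from apf): count iptables/apf kernel-log
# drops by protocol and destination port, most frequent first.

# Constructed sample log. The first line is the one quoted in the post; the
# rest were made up for this example to give the summary something to group.
sample_log() {
    cat <<'EOF'
Feb  2 18:41:27 dev kernel: ** IN_TCP DROP ** IN=eth0 OUT= MAC=fe:fd:ad:ff:e4:a8:88:43:e1:7c:75:3f:08:00 SRC=184.57.51.14 DST=173.255.228.168 LEN=56 TOS=0x00 PREC=0x00 TTL=113 ID=26865 DF PROTO=TCP SPT=63533 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0
Feb  2 18:41:30 dev kernel: ** IN_TCP DROP ** IN=eth0 OUT= MAC=fe:fd:ad:ff:e4:a8:88:43:e1:7c:75:3f:08:00 SRC=184.57.51.14 DST=173.255.228.168 LEN=56 TOS=0x00 PREC=0x00 TTL=113 ID=26866 DF PROTO=TCP SPT=63534 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0
Feb  2 18:41:36 dev kernel: ** IN_TCP DROP ** IN=eth0 OUT= MAC=fe:fd:ad:ff:e4:a8:88:43:e1:7c:75:3f:08:00 SRC=184.57.51.14 DST=173.255.228.168 LEN=56 TOS=0x00 PREC=0x00 TTL=113 ID=26867 DF PROTO=TCP SPT=63535 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0
Feb  2 18:41:40 dev kernel: ** IN_TCP DROP ** IN=eth0 OUT= MAC=fe:fd:ad:ff:e4:a8:88:43:e1:7c:75:3f:08:00 SRC=198.51.100.7 DST=173.255.228.168 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=1001 DF PROTO=TCP SPT=40000 DPT=445 WINDOW=5840 RES=0x00 SYN URGP=0
Feb  2 18:41:41 dev kernel: ** IN_UDP DROP ** IN=eth0 OUT= MAC=fe:fd:ad:ff:e4:a8:88:43:e1:7c:75:3f:08:00 SRC=198.51.100.7 DST=173.255.228.168 LEN=404 TOS=0x00 PREC=0x00 TTL=50 ID=1002 PROTO=UDP SPT=40001 DPT=1434 LEN=384
Feb  2 18:41:45 dev kernel: eth0: link is up (constructed non-firewall line, must be ignored)
EOF
}

# Read iptables LOG lines on stdin and print "PROTO DPORT COUNT" for every
# line whose log prefix contains DROP. Only PROTO= and DPT= are used, so the
# summary works for any LOG prefix, not just apf's.
summarise_drops() {
    awk '
        /kernel:/ && /DROP/ {
            proto = ""; dport = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^PROTO=/) proto = substr($i, 7)   # strip "PROTO="
                if ($i ~ /^DPT=/)   dport = substr($i, 5)   # strip "DPT="
            }
            if (proto != "" && dport != "") count[proto " " dport]++
        }
        END { for (k in count) print k, count[k] }
    ' | sort -k3,3nr -k1,1 -k2,2n
}

# Stand-alone run against the constructed sample. On a real box replace
# sample_log with: grep 'kernel:' /var/log/messages
sample_log | summarise_drops
```

A port that shows up at the top of this list while a service on it is "down" is the one to look for in the firewall's open-port configuration; the summary does not tell you which rule dropped it, only that the firewall did.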

3 Replies

You probably need to add port 80 to either IGTCPCPORTS in your conf.apf or add a line to allow.rules. Look around for "222" and wherever you see that, add a similar entry with 80 :-)

Thanks Hoopy! You are the man.

I had it somewhere else which must have been conflicting…

There were two lines with IGTCPCPORTS… must have had the one with only 222 overwriting the one with all the other ports.

Yup, the last one wins. apf's configuration is a shell script, with all the benefits and drawbacks that implies. Including that. :-)
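Because conf.apf is sourced as shell, a second assignment silently replaces the first, and nothing in apf's start-up output warns about it. The script below is an added example, not code from the thread, from apf, or from the securecentos.com how-to. It builds a constructed conf.apf-style fragment that repeats the mistake described above (a full port list followed by a second line opening only 222), shows which value survives sourcing, and lists every variable assigned more than once so the duplicate can be caught before `apf --start`. Assumptions: apf's shipped conf.apf names the inbound TCP port variable IG_TCP_CPORTS (the thread writes it as IGTCPCPORTS; the check takes the name as an argument, so either works), assignments are `NAME="value"` at the start of a line, and port ranges are written low_high.

```shell
#!/bin/sh
# Added example (not from the thread or from apf): why the last assignment in
# a sourced config wins, plus a duplicate-assignment check to run before
# starting the firewall. The conf fragment below is constructed for this
# example, not the poster's real conf.apf.

# Write a constructed conf.apf-style fragment to the path given in $1.
# It repeats the mistake from the thread: one full port list, then a second
# IG_TCP_CPORTS line further down that only opens the SSH port 222.
make_sample_conf() {
    cat > "$1" <<'EOF'
# constructed sample, not a real conf.apf
DEVEL_MODE="0"
IFACE_IN="eth0"
IFACE_OUT="eth0"
IG_TCP_CPORTS="22,25,53,80,110,143,443"
IG_UDP_CPORTS="53"
# ... later in the file, added while following the how-to:
IG_TCP_CPORTS="222"
EOF
}

# Print the value a variable ends up with after the file is sourced.
# Sourcing in a subshell keeps the sample's variables out of our own
# environment; apf sources conf.apf the same way, so the last line wins.
# (Sourcing executes the file, so only do this with a root-owned config.)
effective_value() {
    conf=$1 var=$2
    ( . "$conf" && eval "printf '%s\n' \"\$$var\"" )
}

# List variables assigned more than once at the top level of a config file.
# Assumption: assignments look like NAME="value" at the start of a line,
# which is the shape of apf's conf.apf; comments and indented lines are skipped.
find_dup_assignments() {
    grep -E '^[A-Za-z_][A-Za-z0-9_]*=' "$1" \
        | cut -d= -f1 \
        | sort \
        | uniq -d
}

# Return 0 if a port is covered by a comma-separated port list.
# Assumption: ranges are written low_high, as in apf's conf.apf.
port_in_list() {
    list=$1 port=$2
    for item in $(printf '%s' "$list" | tr ',' ' '); do
        case $item in
            *_*)
                lo=${item%_*} hi=${item#*_}
                [ "$port" -ge "$lo" ] && [ "$port" -le "$hi" ] && return 0
                ;;
            *)
                [ "$item" = "$port" ] && return 0
                ;;
        esac
    done
    return 1
}

# Stand-alone run: build the sample, report the duplicate, and show that
# port 80 is missing from the effective list (why the SYN in the log was dropped).
main() {
    conf=$(mktemp)
    make_sample_conf "$conf"
    echo "assigned more than once: $(find_dup_assignments "$conf")"
    ports=$(effective_value "$conf" IG_TCP_CPORTS)
    echo "effective IG_TCP_CPORTS: $ports"
    if port_in_list "$ports" 80; then
        echo "port 80 is open"
    else
        echo "port 80 is NOT in the effective list; fix conf.apf before apf --start"
    fi
    rm -f "$conf"
}

main
```

On a real box, `find_dup_assignments /etc/apf/conf.apf` should print nothing; any name it does print is one whose earlier value is being thrown away.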
