[7.075] Missing AUTO_OUTPUT rules for sp_updater [CONFIRMED]

I was wondering about some drops in the live log. [:)]

Every hour the firewall tries to connect to 213.144.15.6, 212.126.221.9, 69.10.147.75 on Port 80 and Port 6000. These packets were dropped by fwrule=60003 (see attachement).

In my opinion these server belong to the surf protection or am I wrong ?

ciao
Claus

Parents

0 firewalker over 17 years ago

I was wondering about some drops in the live log. [:)]

Every hour the firewall tries to connect to 213.144.15.6, 212.126.221.9, 69.10.147.75 on Port 80 and Port 6000. These packets were dropped by fwrule=60003 (see attachement).

In my opinion these server belong to the surf protection or am I wrong ?

ciao
Claus

60003 is the last LOGDROP in the chain OUTPUT, and the IPs you are referring to are the Surf Protection Check Servers (see /var/chroot-cffd/etc/sp_servers.conf). It seems that some rules are missing in the chain AUTO_OUTPUT. Compared to 7.011 these  two entries are missing:

CONFIRMED  tcp  --  0.0.0.0/0            0.0.0.0/0           tcp spts:1:65535 dpt:80 OWNER CMD match sp_updater CONFIRMED
CONFIRMED  tcp  --  0.0.0.0/0            0.0.0.0/0           tcp spts:1:65535 dpt:6000 OWNER CMD match sp_updater CONFIRMED

while these two are the same on 7.011

CONFIRMED  tcp  --  0.0.0.0/0            0.0.0.0/0           tcp spts:1:65535 dpt:80 OWNER CMD match httpproxy CONFIRMED
CONFIRMED  tcp  --  0.0.0.0/0            0.0.0.0/0           tcp spts:1:65535 dpt:6000 OWNER CMD match httpproxy CONFIRMED

Seems to be a BUG, and somebody forgot to add the rules for sp_updater :-))
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel

Reply

0 firewalker over 17 years ago

I was wondering about some drops in the live log. [:)]

Every hour the firewall tries to connect to 213.144.15.6, 212.126.221.9, 69.10.147.75 on Port 80 and Port 6000. These packets were dropped by fwrule=60003 (see attachement).

In my opinion these server belong to the surf protection or am I wrong ?

ciao
Claus

60003 is the last LOGDROP in the chain OUTPUT, and the IPs you are referring to are the Surf Protection Check Servers (see /var/chroot-cffd/etc/sp_servers.conf). It seems that some rules are missing in the chain AUTO_OUTPUT. Compared to 7.011 these  two entries are missing:

CONFIRMED  tcp  --  0.0.0.0/0            0.0.0.0/0           tcp spts:1:65535 dpt:80 OWNER CMD match sp_updater CONFIRMED
CONFIRMED  tcp  --  0.0.0.0/0            0.0.0.0/0           tcp spts:1:65535 dpt:6000 OWNER CMD match sp_updater CONFIRMED

while these two are the same on 7.011

CONFIRMED  tcp  --  0.0.0.0/0            0.0.0.0/0           tcp spts:1:65535 dpt:80 OWNER CMD match httpproxy CONFIRMED
CONFIRMED  tcp  --  0.0.0.0/0            0.0.0.0/0           tcp spts:1:65535 dpt:6000 OWNER CMD match httpproxy CONFIRMED

Seems to be a BUG, and somebody forgot to add the rules for sp_updater :-))
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel

Children

0 BrucekConvergent over 17 years ago in reply to firewalker

Not exactly a new bug -- but I have seen this in V6 and V7 production installs before, had to manually add packet filters to allow surf protection to work .. but a bug nonetheless.

CTO, Convergent Information Security Solutions, LLC

https://www.convergesecurity.com

Advice given as posted on this forum does not construe a support relationship or other relationship with Convergent Information Security Solutions, LLC or its subsidiaries. Use the advice given at your own risk.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel

[7.075] Missing AUTO_OUTPUT rules for sp_updater [CONFIRMED]

Submitted a Tech Support Case lately from the Support Portal?