Bitcoin Forum
August 18, 2019, 12:08:23 PM *
News: Latest Bitcoin Core release: 0.18.0 [Torrent] (New!)
 
   Home   Help Search Login Register More  
Pages: [1]
  Print  
Author Topic: Odd firewall behavior  (Read 845 times)
justusranvier
Legendary
*
Offline Offline

Activity: 1400
Merit: 1006



View Profile
June 04, 2012, 11:21:30 PM
 #1

I have a firewall rule that automatically blacklists any ipaddress that tries to initiate incoming connections on ports which I am not actively listening for connections. It looks similar to this:
Code:
iptables -A INPUT -i eth1 -p tcp -m state --state NEW -m multiport ! --dports 22 -j SET --add-set blacklist src
The thing is, bitcointalk.org periodically ends up in my blacklist ipset. I can browse normally most of the time but every once in a while I notice that the forum won't load and I have to manually remove its address from the blacklist ipset. Is there any reason this should happen?
1566130103
Hero Member
*
Offline Offline

Posts: 1566130103

View Profile Personal Message (Offline)

Ignore
1566130103
Reply with quote  #2

1566130103
Report to moderator
1566130103
Hero Member
*
Offline Offline

Posts: 1566130103

View Profile Personal Message (Offline)

Ignore
1566130103
Reply with quote  #2

1566130103
Report to moderator
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. Advertise here.
theymos
Administrator
Legendary
*
Offline Offline

Activity: 3486
Merit: 6042


View Profile
June 05, 2012, 01:12:52 AM
 #2

Is it port 22?

1NXYoJ5xU91Jp83XfVMHwwTUyZFK64BoAD
justusranvier
Legendary
*
Offline Offline

Activity: 1400
Merit: 1006



View Profile
June 05, 2012, 01:17:41 AM
 #3

Is it port 22?
Unfortunately I don't have a log of the connection attempt that is tripping that rule. I've added a new logging rule but since it hasn't happened again yet I don't know specifically what triggered it. There isn't any good reason for your IP address to ever send me a packet with state NEW, is there?
theymos
Administrator
Legendary
*
Offline Offline

Activity: 3486
Merit: 6042


View Profile
June 05, 2012, 01:24:35 AM
Last edit: June 05, 2012, 01:37:44 AM by theymos
 #4

If it's port 433, I would guess that your side ends the connection due to a timeout or something but we end up sending more data. This seems pretty likely to me.

If it's port 53, it might be caused by the reverse DNS lookups that we do. I think this could only happen with rare DNS configurations, though.

Maybe there are some cases where the forum would try to send email to your IP on port 25.

The server should never connect out to port 22.

1NXYoJ5xU91Jp83XfVMHwwTUyZFK64BoAD
justusranvier
Legendary
*
Offline Offline

Activity: 1400
Merit: 1006



View Profile
June 05, 2012, 01:52:04 AM
 #5

If it's port 433, I would guess that your side ends the connection due to a timeout or something but we end up sending more data. This seems pretty likely to me.

If it's port 53, it might be caused by the reverse DNS lookups that we do. I think this could only happen with rare DNS configurations, though.

Maybe there are some cases where the forum would try to send email to your IP on port 25.
If it happens again I'll keep an eye out for those in the logs.

The server should never connect out to port 22.
Actually the way the rule works is that a connection attempt to port 22 will not result in a blacklisting. The actual rule includes a few other ports for servers that I run. The idea is that random hosts on the internet should not be trying to initiate connections to random ports so any that do can be assumed to be up to no good. I expect connections to port 22 though because sometimes I use SSH from outside this network.
Pages: [1]
  Print  
 
Jump to:  

Sponsored by , a Bitcoin-accepting VPN.
Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!