Bitcoin Forum
June 25, 2018, 07:10:44 AM
News: Latest stable version of Bitcoin Core: 0.16.1  [Torrent]. (New!)
Author Topic: Odd firewall behavior  (Read 825 times)
justusranvier
Legendary
Activity: 1400
Merit: 1006
June 04, 2012, 11:21:30 PM
#1

I have a firewall rule that automatically blacklists any IP address that tries to initiate incoming connections on ports on which I am not actively listening for connections. It looks similar to this:
Code:
iptables -A INPUT -i eth1 -p tcp -m state --state NEW -m multiport ! --dports 22 -j SET --add-set blacklist src
The thing is, bitcointalk.org periodically ends up in my blacklist ipset. I can browse normally most of the time but every once in a while I notice that the forum won't load and I have to manually remove its address from the blacklist ipset. Is there any reason this should happen?
theymos
Administrator, Legendary
Activity: 3066
Merit: 3205
June 05, 2012, 01:12:52 AM
#2

Is it port 22?

1NXYoJ5xU91Jp83XfVMHwwTUyZFK64BoAD
justusranvier
Legendary
Activity: 1400
Merit: 1006
June 05, 2012, 01:17:41 AM
#3

> Is it port 22?
Unfortunately I don't have a log of the connection attempt that is tripping that rule. I've added a new logging rule but since it hasn't happened again yet I don't know specifically what triggered it. There isn't any good reason for your IP address to ever send me a packet with state NEW, is there?
theymos
Administrator, Legendary
Activity: 3066
Merit: 3205
June 05, 2012, 01:24:35 AM
#4

If it's port 433, I would guess that your side ends the connection due to a timeout or something but we end up sending more data. This seems pretty likely to me.

If it's port 53, it might be caused by the reverse DNS lookups that we do. I think this could only happen with rare DNS configurations, though.

Maybe there are some cases where the forum would try to send email to your IP on port 25.

The server should never connect out to port 22.

1NXYoJ5xU91Jp83XfVMHwwTUyZFK64BoAD
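As an added example (not part of the thread), here is a small POSIX sh triage script for the kernel log lines that a LOG rule placed just in front of the SET target would produce. It sorts each hit into the cases raised above: a bare SYN to an unserved port (a real probe), a SYN to port 25 (a mail delivery attempt), a UDP reply from port 53, or a non-SYN TCP packet that conntrack nevertheless classed NEW. That last case is what the "your side ends the connection ... but we end up sending more data" guess looks like in a log: once the local conntrack entry has expired, a late ACK, FIN or RST from the server has no entry to match and, with the kernel default nf_conntrack_tcp_loose=1, is picked up as NEW rather than INVALID, so a `--state NEW` rule without a SYN check fires on it. The log prefix, host name and sample lines are constructed (RFC 5737 addresses); the field layout is the kernel's standard nf_log format.

```shell
#!/bin/sh
# Triage for hits logged by a "blacklist on state NEW" rule (added example, not from the thread).
# Assumes a LOG rule such as
#   iptables -A INPUT -i eth1 -p tcp -m state --state NEW ... -j LOG --log-prefix "BLACKLIST: "
# placed just before the SET target, so every blacklisting also leaves a kernel log line.
# Field names (SRC, DST, PROTO, SPT, DPT and the flag words SYN/ACK/FIN/RST) are the kernel's
# standard nf_log layout; the sample lines at the bottom are constructed.

# Extract one KEY=VALUE field from a log line; prints nothing if the key is absent.
field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# True if the given TCP flag word appears as a stand-alone token in the line.
has_flag() {
    case " $1 " in
        *" $2 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print a one-word verdict for a single log line.
classify_hit() {
    hit_proto=$(field "$1" PROTO)
    hit_spt=$(field "$1" SPT)
    hit_dpt=$(field "$1" DPT)
    case "$hit_proto" in
        TCP)
            if has_flag "$1" SYN && ! has_flag "$1" ACK; then
                # A bare SYN is a genuine inbound connection attempt to DPT.
                # A SYN to 25 is a mail delivery attempt (theymos's port-25 hypothesis), not a scan.
                if [ "$hit_dpt" = 25 ]; then echo smtp-delivery; else echo tcp-probe; fi
            else
                # No SYN, yet conntrack said NEW: it had no entry for this flow, so a late
                # ACK/FIN/RST from a server we talked to earlier (its port is SPT, our
                # ephemeral port is DPT) was picked up mid-stream. Not a probe; blacklisting
                # this source is the false positive the thread is about.
                echo stale-tcp
            fi ;;
        UDP)
            # theymos's DNS hypothesis: an answer from port 53 arriving after our own
            # query has left conntrack, or from an address other than the one we asked.
            if [ "$hit_spt" = 53 ]; then echo dns-reply; else echo udp-unsolicited; fi ;;
        *)  echo other ;;
    esac
}

# Read log lines on stdin and print: verdict  source  proto  remote-port->local-port
triage_log() {
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        printf '%-16s %-15s %s %s->%s\n' "$(classify_hit "$line")" \
            "$(field "$line" SRC)" "$(field "$line" PROTO)" \
            "$(field "$line" SPT)" "$(field "$line" DPT)"
    done
}

# Constructed sample hits, one per case discussed in the thread.
HDR='Jun  5 01:30:12 gw kernel: BLACKLIST: IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00'
HIT_STALE_FIN="$HDR SRC=203.0.113.10 DST=192.0.2.5 LEN=52 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=443 DPT=51234 WINDOW=235 RES=0x00 ACK FIN URGP=0"
HIT_STALE_RST="$HDR SRC=203.0.113.10 DST=192.0.2.5 LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=443 DPT=51240 WINDOW=0 RES=0x00 RST URGP=0"
HIT_SYN_PROBE="$HDR SRC=198.51.100.7 DST=192.0.2.5 LEN=44 TOS=0x00 PREC=0x00 TTL=48 ID=54321 PROTO=TCP SPT=40011 DPT=3389 WINDOW=1024 RES=0x00 SYN URGP=0"
HIT_SMTP_SYN="$HDR SRC=203.0.113.25 DST=192.0.2.5 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=5872 DPT=25 WINDOW=29200 RES=0x00 SYN URGP=0"
HIT_DNS_REPLY="$HDR SRC=198.51.100.9 DST=192.0.2.5 LEN=108 TOS=0x00 PREC=0x00 TTL=57 ID=0 DF PROTO=UDP SPT=53 DPT=41777 LEN=88"

printf '%s\n' "$HIT_STALE_FIN" "$HIT_STALE_RST" "$HIT_SYN_PROBE" "$HIT_SMTP_SYN" "$HIT_DNS_REPLY" | triage_log
```

In practice the script is fed with something like `grep 'BLACKLIST:' /var/log/kern.log | sh triage.sh` (reading stdin instead of the built-in samples). Any `stale-tcp` verdict whose SPT is 443 or 80 and whose source is a site you were browsing is exactly the forum-gets-blacklisted symptom; the source is a victim of conntrack timing, not an attacker.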
justusranvier
Legendary
Activity: 1400
Merit: 1006
June 05, 2012, 01:52:04 AM
#5

> If it's port 433, I would guess that your side ends the connection due to a timeout or something but we end up sending more data. This seems pretty likely to me.
>
> If it's port 53, it might be caused by the reverse DNS lookups that we do. I think this could only happen with rare DNS configurations, though.
>
> Maybe there are some cases where the forum would try to send email to your IP on port 25.
If it happens again I'll keep an eye out for those in the logs.

> The server should never connect out to port 22.
Actually the way the rule works is that a connection attempt to port 22 will not result in a blacklisting. The actual rule includes a few other ports for servers that I run. The idea is that random hosts on the internet should not be trying to initiate connections to random ports so any that do can be assumed to be up to no good. I expect connections to port 22 though because sometimes I use SSH from outside this network.
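The rule in the first post has one trap that explains the symptom regardless of which hypothesis turns out to be right: `--state NEW` does not mean "SYN". With the kernel default nf_conntrack_tcp_loose=1, any TCP packet that has no conntrack entry, including a late ACK, FIN or RST from a web server whose connection already expired on the local side, is classed NEW and gets the source added to the set. The following is an added example (the editor's hardened version, not the poster's real ruleset) that keeps the stated intent, blacklisting hosts that open connections to ports not being served, while only counting a bare SYN as a probe. It assumes interface eth1, an ipset named `blacklist` of type hash:ip and SSH on 22 as the only exposed TCP service; set DRY_RUN=1 to print the commands instead of executing them.

```shell
#!/bin/sh
# Hardened form of the thread's "blacklist anything NEW on a port I don't serve" rule
# (added example, not the poster's real configuration). Assumptions: external interface
# eth1, an ipset named "blacklist" of type hash:ip, SSH on 22 as the only exposed TCP
# service. Set DRY_RUN=1 to print the commands instead of running them (no root needed).

IFACE=${IFACE:-eth1}
SET_NAME=${SET_NAME:-blacklist}
ALLOWED_TCP=${ALLOWED_TCP:-22}      # comma-separated list, consumed by -m multiport

# Execute the command, or just print it when DRY_RUN is set.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

build_rules() {
    # Entries age out after a day, so a wrongly listed server (the forum's, say) heals itself.
    run ipset -exist create "$SET_NAME" hash:ip timeout 86400

    # 1. Known-bad sources first.
    run iptables -A INPUT -i "$IFACE" -m set --match-set "$SET_NAME" src -j DROP

    # 2. Anything belonging to a tracked connection is accepted and never reaches the trap.
    run iptables -A INPUT -i "$IFACE" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # 3. The fix for the thread's problem. With nf_conntrack_tcp_loose=1 (the default) a TCP
    #    packet that is not a SYN but has no conntrack entry (our entry already expired while
    #    the peer still had data, a FIN or a RST to send) is classed NEW, not INVALID. The
    #    original rule blacklisted it; here it is dropped silently. INVALID gets the same.
    run iptables -A INPUT -i "$IFACE" -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
    run iptables -A INPUT -i "$IFACE" -m conntrack --ctstate INVALID -j DROP

    # 4. Services we actually run.
    run iptables -A INPUT -i "$IFACE" -p tcp --syn -m multiport --dports "$ALLOWED_TCP" -j ACCEPT

    # 5. What is left is a real SYN to a port we do not serve: log it, then blacklist the source.
    #    No "! --dports" negation is needed because step 4 already consumed the allowed ports.
    run iptables -A INPUT -i "$IFACE" -p tcp --syn -m conntrack --ctstate NEW \
        -j LOG --log-prefix "BLACKLIST: "
    run iptables -A INPUT -i "$IFACE" -p tcp --syn -m conntrack --ctstate NEW \
        -j SET --add-set "$SET_NAME" src
}

# Number of iptables rules the script would add (a dry-run sanity check).
rule_count() {
    (DRY_RUN=1; build_rules) | grep -c '^iptables'
}

if [ -n "${DRY_RUN:-}" ]; then
    build_rules
fi
```

Review the output with `DRY_RUN=1 sh rules.sh`, then run it as root without the variable to apply. Rule order matters here: ESTABLISHED,RELATED and the `! --syn` drop must sit above the blacklisting rule, otherwise the same stray FIN or RST from a server you were just talking to lands in the set again.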