Bitcoin Forum
December 03, 2016, 08:01:02 PM *
News: To be able to use the next phase of the beta forum software, please ensure that your email address is correct/functional.
 
   Home   Help Search Donate Login Register  
Pages: [1]
  Print  
Author Topic: Odd firewall behavior  (Read 778 times)
justusranvier
Legendary
*
Offline Offline

Activity: 1400



View Profile WWW
June 04, 2012, 11:21:30 PM
 #1

I have a firewall rule that automatically blacklists any ipaddress that tries to initiate incoming connections on ports which I am not actively listening for connections. It looks similar to this:
Code:
iptables -A INPUT -i eth1 -p tcp -m state --state NEW -m multiport ! --dports 22 -j SET --add-set blacklist src
The thing is, bitcointalk.org periodically ends up in my blacklist ipset. I can browse normally most of the time but every once in a while I notice that the forum won't load and I have to manually remove its address from the blacklist ipset. Is there any reason this should happen?
1480795262
Hero Member
*
Offline Offline

Posts: 1480795262

View Profile Personal Message (Offline)

Ignore
1480795262
Reply with quote  #2

1480795262
Report to moderator
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. Advertise here.
1480795262
Hero Member
*
Offline Offline

Posts: 1480795262

View Profile Personal Message (Offline)

Ignore
1480795262
Reply with quote  #2

1480795262
Report to moderator
1480795262
Hero Member
*
Offline Offline

Posts: 1480795262

View Profile Personal Message (Offline)

Ignore
1480795262
Reply with quote  #2

1480795262
Report to moderator
1480795262
Hero Member
*
Offline Offline

Posts: 1480795262

View Profile Personal Message (Offline)

Ignore
1480795262
Reply with quote  #2

1480795262
Report to moderator
theymos
Administrator
Legendary
*
Offline Offline

Activity: 2492


View Profile
June 05, 2012, 01:12:52 AM
 #2

Is it port 22?

1NXYoJ5xU91Jp83XfVMHwwTUyZFK64BoAD
justusranvier
Legendary
*
Offline Offline

Activity: 1400



View Profile WWW
June 05, 2012, 01:17:41 AM
 #3

Is it port 22?
Unfortunately I don't have a log of the connection attempt that is tripping that rule. I've added a new logging rule but since it hasn't happened again yet I don't know specifically what triggered it. There isn't any good reason for your IP address to ever send me a packet with state NEW, is there?
theymos
Administrator
Legendary
*
Offline Offline

Activity: 2492


View Profile
June 05, 2012, 01:24:35 AM
 #4

If it's port 433, I would guess that your side ends the connection due to a timeout or something but we end up sending more data. This seems pretty likely to me.

If it's port 53, it might be caused by the reverse DNS lookups that we do. I think this could only happen with rare DNS configurations, though.

Maybe there are some cases where the forum would try to send email to your IP on port 25.

The server should never connect out to port 22.

1NXYoJ5xU91Jp83XfVMHwwTUyZFK64BoAD
justusranvier
Legendary
*
Offline Offline

Activity: 1400



View Profile WWW
June 05, 2012, 01:52:04 AM
 #5

If it's port 433, I would guess that your side ends the connection due to a timeout or something but we end up sending more data. This seems pretty likely to me.

If it's port 53, it might be caused by the reverse DNS lookups that we do. I think this could only happen with rare DNS configurations, though.

Maybe there are some cases where the forum would try to send email to your IP on port 25.
If it happens again I'll keep an eye out for those in the logs.

The server should never connect out to port 22.
Actually the way the rule works is that a connection attempt to port 22 will not result in a blacklisting. The actual rule includes a few other ports for servers that I run. The idea is that random hosts on the internet should not be trying to initiate connections to random ports so any that do can be assumed to be up to no good. I expect connections to port 22 though because sometimes I use SSH from outside this network.
Pages: [1]
  Print  
 
Jump to:  

Sponsored by , a Bitcoin-accepting VPN.
Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!