ConfigServer Security & Firewall ON = site not load / time out

websterPL · Jun 14, 2023

Hi, I have DirectAdmin with ConfigServer Security & Firewall - csf v14.18. When I enable firewall, then site wont load (time out). Everything is OK when firewall is disabled. How to fix that problem ? No IP is blocked. The site is not public for now, access only from IP:2222. Should the problem gone when go to public ? Connecting to server after VPN tunnel.

Code:

csf: FASTSTART loading DROP no logging (IPv4)
csf: FASTSTART loading DROP no logging (IPv6)
LOG  tcp opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0   limit: avg 30/min burst 5 LOG flags 0 level 4 prefix "Firewall: *TCP_IN Blocked* "
LOG  tcp opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0   tcp flags:0x17/0x02 limit: avg 30/min burst 5 LOG flags 8 level 4 prefix "Firewall: *TCP_OUT Blocked* "
LOG  udp opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0   limit: avg 30/min burst 5 LOG flags 0 level 4 prefix "Firewall: *UDP_IN Blocked* "
LOG  udp opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0   limit: avg 30/min burst 5 LOG flags 8 level 4 prefix "Firewall: *UDP_OUT Blocked* "
LOG  icmp opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0   limit: avg 30/min burst 5 LOG flags 0 level 4 prefix "Firewall: *ICMP_IN Blocked* "
LOG  icmp opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0   limit: avg 30/min burst 5 LOG flags 8 level 4 prefix "Firewall: *ICMP_OUT Blocked* "
LOG  tcp opt    in * out *  ::/0  -> ::/0   limit: avg 30/min burst 5 LOG flags 0 level 4 prefix "Firewall: *TCP6IN Blocked* "
LOG  tcp opt    in * out *  ::/0  -> ::/0   tcp flags:0x17/0x02 limit: avg 30/min burst 5 LOG flags 8 level 4 prefix "Firewall: *TCP6OUT Blocked* "
LOG  udp opt    in * out *  ::/0  -> ::/0   limit: avg 30/min burst 5 LOG flags 0 level 4 prefix "Firewall: *UDP6IN Blocked* "
LOG  udp opt    in * out *  ::/0  -> ::/0   limit: avg 30/min burst 5 LOG flags 8 level 4 prefix "Firewall: *UDP6OUT Blocked* "
LOG  icmpv6 opt    in * out *  ::/0  -> ::/0   limit: avg 30/min burst 5 LOG flags 0 level 4 prefix "Firewall: *ICMP6IN Blocked* "
LOG  icmpv6 opt    in * out *  ::/0  -> ::/0   limit: avg 30/min burst 5 LOG flags 8 level 4 prefix "Firewall: *ICMP6OUT Blocked* "
DROP  all opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0 
REJECT  all opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0   reject-with icmp-port-unreachable
DROP  all opt    in * out *  ::/0  -> ::/0 
REJECT  all opt    in * out *  ::/0  -> ::/0   reject-with icmp6-port-unreachable
DENYOUT  all opt -- in * out !lo  0.0.0.0/0  -> 0.0.0.0/0 
DENYIN  all opt -- in !lo out *  0.0.0.0/0  -> 0.0.0.0/0 
ALLOWOUT  all opt -- in * out !lo  0.0.0.0/0  -> 0.0.0.0/0 
ALLOWIN  all opt -- in !lo out *  0.0.0.0/0  -> 0.0.0.0/0 
DENYOUT  all opt    in * out !lo  ::/0  -> ::/0 
DENYIN  all opt    in !lo out *  ::/0  -> ::/0 
ALLOWOUT  all opt    in * out !lo  ::/0  -> ::/0 
ALLOWIN  all opt    in !lo out *  ::/0  -> ::/0 
csf: FASTSTART loading Packet Filter (IPv4)
csf: FASTSTART loading Packet Filter (IPv6)
DROP  all opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0 
INVALID  tcp opt -- in !lo out *  0.0.0.0/0  -> 0.0.0.0/0 
INVALID  tcp opt -- in * out !lo  0.0.0.0/0  -> 0.0.0.0/0 
DROP  all opt    in * out *  ::/0  -> ::/0 
INVALID  tcp opt    in !lo out *  ::/0  -> ::/0 
INVALID  tcp opt    in * out !lo  ::/0  -> ::/0 
csf: IPSET creating set chain_DENY
csf: IPSET creating set chain_6_DENY
csf: FASTSTART loading csf.deny (IPv4)
csf: FASTSTART loading csf.deny (IPv6)
DROP  tcp opt -- in !lo out *  10.20.0.1  -> 0.0.0.0/0   tcp dpt:80
LOGDROPOUT  tcp opt -- in * out !lo  0.0.0.0/0  -> 10.20.0.1   tcp dpt:80
DROP  tcp opt -- in !lo out *  10.20.0.1  -> 0.0.0.0/0   tcp dpt:443
LOGDROPOUT  tcp opt -- in * out !lo  0.0.0.0/0  -> 10.20.0.1   tcp dpt:443
csf: IPSET creating set chain_ALLOW
csf: IPSET creating set chain_6_ALLOW
csf: FASTSTART loading csf.allow (IPv4)
csf: FASTSTART loading csf.allow (IPv6)
csf: FASTSTART loading csf.allow (IPSET)
ACCEPT  icmp opt -- in !lo out *  0.0.0.0/0  -> 0.0.0.0/0   icmptype 8 limit: avg 1/sec burst 5
LOGDROPIN  icmp opt -- in !lo out *  0.0.0.0/0  -> 0.0.0.0/0   icmptype 8
ACCEPT  icmp opt -- in !lo out *  0.0.0.0/0  -> 0.0.0.0/0 
ACCEPT  icmp opt -- in * out !lo  0.0.0.0/0  -> 0.0.0.0/0 
ACCEPT  icmpv6 opt    in !lo out *  ::/0  -> ::/0 
ACCEPT  icmpv6 opt    in * out !lo  ::/0  -> ::/0 
ACCEPT  all opt -- in !lo out *  0.0.0.0/0  -> 0.0.0.0/0   ctstate RELATED,ESTABLISHED
ACCEPT  all opt -- in * out !lo  0.0.0.0/0  -> 0.0.0.0/0   ctstate RELATED,ESTABLISHED
ACCEPT  all opt    in !lo out *  ::/0  -> ::/0   ctstate RELATED,ESTABLISHED
ACCEPT  all opt    in * out !lo  ::/0  -> ::/0   ctstate RELATED,ESTABLISHED
csf: FASTSTART loading TCP_IN (IPv4)
csf: FASTSTART loading TCP6_IN (IPv6)
csf: FASTSTART loading TCP_OUT (IPv4)
csf: FASTSTART loading TCP6_OUT (IPv6)
csf: FASTSTART loading UDP_IN (IPv4)
csf: FASTSTART loading UDP6_IN (IPv6)
csf: FASTSTART loading UDP_OUT (IPv4)
csf: FASTSTART loading UDP6_OUT (IPv6)
ACCEPT  all opt -- in lo out *  0.0.0.0/0  -> 0.0.0.0/0 
ACCEPT  all opt -- in * out lo  0.0.0.0/0  -> 0.0.0.0/0 
LOGDROPOUT  all opt -- in * out !lo  0.0.0.0/0  -> 0.0.0.0/0 
LOGDROPIN  all opt -- in !lo out *  0.0.0.0/0  -> 0.0.0.0/0 
ACCEPT  all opt    in lo out *  ::/0  -> ::/0 
ACCEPT  all opt    in * out lo  ::/0  -> ::/0 
LOGDROPOUT  all opt    in * out !lo  ::/0  -> ::/0 
LOGDROPIN  all opt    in !lo out *  ::/0  -> ::/0 
SMTPOUTPUT  all opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0 
SMTPOUTPUT  all opt    in * out *  ::/0  -> ::/0 
csf: FASTSTART loading SMTP Block (IPv4)
csf: FASTSTART loading SMTP Block (IPv6)
csf: FASTSTART loading DNS (IPv4)
csf: FASTSTART loading DNS (IPv6)
LOCALOUTPUT  all opt -- in * out !lo  0.0.0.0/0  -> 0.0.0.0/0 
LOCALINPUT  all opt -- in !lo out *  0.0.0.0/0  -> 0.0.0.0/0 
LOCALOUTPUT  all opt    in * out !lo  ::/0  -> ::/0 
LOCALINPUT  all opt    in !lo out *  ::/0  -> ::/0 
● lfd.service - ConfigServer Firewall & Security - lfd
     Loaded: loaded (/lib/systemd/system/lfd.service; enabled; vendor preset: enabled)
     Active: active (running) since Wed 2023-06-14 10:55:25 UTC; 38ms ago
    Process: 536474 ExecStart=/usr/sbin/lfd (code=exited, status=0/SUCCESS)
   Main PID: 536522 (lfd - starting)
      Tasks: 1 (limit: 60091)
     Memory: 27.1M
        CPU: 460ms
     CGroup: /system.slice/lfd.service
             ├─536522 "lfd - starting"
             └─536525 /bin/ip -oneline addr

Jun 14 10:55:24 server-81-219-224-100.da.direct systemd[1]: Starting ConfigServer Firewall & Security - lfd...
Jun 14 10:55:25 server-81-219-224-100.da.direct systemd[1]: Started ConfigServer Firewall & Security - lfd.
csf and lfd have been enabled

anay · Jun 21, 2023

After starting csf check.
1. Can you ping server
2. Can you check if port 80 and 443 are open ?

Richard G · Jun 21, 2023

websterPL said:
No IP is blocked.

Also no temp block? Because you can see the csf.deny but the temp deny file is at a totally different location.
How about accessing directly, without the VPN when CSF is on?

websterPL said:
Should the problem gone when go to public ?

That might depend on how you set the site private.

websterPL · Jun 22, 2023

Button "Flush All Blocks" fixed the problem !

Richard G · Jun 22, 2023

Then it probably was a temp block like I said.

If you ever need to check temp blocks again, you can check it here:
var/lib/csf/csf.tempban

ConfigServer Security & Firewall ON = site not load / time out

websterPL

Verified User

anay

Verified User

Richard G

Verified User

websterPL

Verified User

Richard G

Verified User