Question

I am using Fail2Ban to dynamically add rules to IPFW. The offending IP addresses are added into IPFW, but for some unknown reasons they can still get through to Apache and make requests.

Is it because the ordering is ruined? Should the dynamic rules >12407 be placed before 12304, 12305?

  • 00001 allow udp from any 626 to any dst-port 626
  • 01000 allow ip from any to any via lo0
  • 12300 allow tcp from any to any established
  • 12301 allow tcp from any to any out
  • 12302 allow udp from any to any out keep-state
  • 12303 allow udp from any to any in frag
  • 12304 allow tcp from any to any dst-port 80
  • 12305 allow tcp from any to any dst-port 443
  • 12306 allow tcp from any to any dst-port 5113
  • 12307 allow ip from 192.168.0.0/16 to any
  • 12407 deny tcp from 94.23.148.61 to 192.168.1.3 dst-port 80,443
  • 65535 allow ip from any to any

Solution

It is because rules are followed from top to bottom. As soon as the first matching rule is found, further rule processing stops.

In this case there is first the allow rule (12304 allow tcp from any to any dst-port 80) and later the deny rule (12407 deny tcp from 94.23.148.61 to 192.168.1.3 dst-port 80,443).

To fix this: either place the deny rule above the allow rule for port 80 and 442 (number < 12304) or place the allow rules for port 80 and 443 below the deny rules (f.e. at 65533 and 65534).
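The first-match behaviour described in the answer, as an added example that is not from the original post: a small Python model of the rules in the question (only protocol, addresses and dst-port are modelled; the stateful and interface options are left out), showing that the packet from 94.23.148.61 hits 12304 before 12407, and is denied once the deny rule is renumbered to 12200 (an assumed number below 12304).

```python
import ipaddress

# Simplified IPFW first-match evaluator (added example, not IPFW itself).
# Only the rule features used in the question are modelled: protocol,
# source/destination (any or address/CIDR) and an optional dst-port list.
# Options such as "established", "out", "via lo0", "frag" and "keep-state"
# are ignored, so rules 00001, 01000 and 12300-12303 are left out.

def parse_rule(line):
    parts = line.split()
    num, action, proto = int(parts[0]), parts[1], parts[2]
    src, dst = parts[4], parts[6]  # "... from SRC to DST ..."
    ports = set()
    if "dst-port" in parts:
        ports = {int(p) for p in parts[parts.index("dst-port") + 1].split(",")}
    return {"num": num, "action": action, "proto": proto,
            "src": src, "dst": dst, "ports": ports}

def host_matches(spec, ip):
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def first_match(rules, proto, src, dst, dport):
    """Return (rule number, action) of the first rule matching the packet, in number order."""
    for r in sorted(rules, key=lambda r: r["num"]):
        if r["proto"] not in ("ip", proto):
            continue
        if not (host_matches(r["src"], src) and host_matches(r["dst"], dst)):
            continue
        if r["ports"] and dport not in r["ports"]:
            continue
        return r["num"], r["action"]
    return None

# The relevant rules from the question, verbatim.
RULESET = [parse_rule(l) for l in """
12304 allow tcp from any to any dst-port 80
12305 allow tcp from any to any dst-port 443
12306 allow tcp from any to any dst-port 5113
12307 allow ip from 192.168.0.0/16 to any
12407 deny tcp from 94.23.148.61 to 192.168.1.3 dst-port 80,443
65535 allow ip from any to any
""".strip().splitlines()]

def renumber(rules, old, new):
    """Copy of the ruleset with rule `old` moved to number `new` (e.g. the Fail2Ban deny rule)."""
    return [dict(r, num=new if r["num"] == old else r["num"]) for r in rules]

if __name__ == "__main__":
    pkt = ("tcp", "94.23.148.61", "192.168.1.3", 80)
    print("deny at 12407:", first_match(RULESET, *pkt))                          # (12304, 'allow')
    print("deny at 12200:", first_match(renumber(RULESET, 12407, 12200), *pkt))  # (12200, 'deny')
```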

Licensed under: CC-BY-SA with attribution