Update blocked by firewall

I cannot update unless firewall is disabled.  I have whitelisted my IP and that does not fix the problem.  This has been a problem for a few years.  What is the problem.

Code: [Select]

/usr/sbin/csf -f


crontab?

crontab?

Nothing to do with it, as is whitelisting your own IP.

Flusing didnt work either.  Odd that killing csf will fix the problem.

Insufficient information for a proper analysis - perhaps an entry in CC_DENY.
Principal debugging method..

Code: [Select]

tail -f /var/log/messagesIn another shell..

Code: [Select]

/scripts/update_cwpswitch back to messages.

ah  what is the culprit country

thats me

Jan 24 14:43:30 server systemd: Started Session 11041 of user fsdfsf.
Jan 24 14:43:30 server systemd-logind: New session 11041 of user sdfffs.
Jan 24 14:43:33 server kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=f2:3c                                                                                                                     :91:46:0b:14:00:1b:54:c2:50:c1:08:00 SRC=198.108.67.45 DST=45.33.10.132 LEN=40 T                                                                                                                     OS=0x00 PREC=0x00 TTL=42 ID=34384 PROTO=TCP SPT=18673 DPT=2555 WINDOW=1024 RES=0                                                                                                                     x00 SYN URGP=0
Jan 24 14:43:39 server kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=f2:3c:91:46:0b:14:00:1b:54:c2:50:c1:08:00 SRC=66.70.188.152 DST=45.33.10.132 LEN=40 TOS=0x00 PREC=0x00 TTL=245 ID=54321 PROTO=TCP SPT=55858 DPT=8080 WINDOW=65535 RES=0x00 SYN URGP=0
Jan 24 14:43:33 server kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=f2:3c                                                                                                                     :91:46:0b:14:00:1b:54:c2:50:c1:08:00 SRC=198.108.67.45 DST=45.33.10.132 LEN=40 T                                                                                                                     OS=0x00 PREC=0x00 TTL=42 ID=34384 PROTO=TCP SPT=18673 DPT=2555 WINDOW=1024 RES=0                                                                                                                     x00 SYN URGP=0
Jan 24 14:43:39 server kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=f2:3c:91:46:0b:14:00:1b:54:c2:50:c1:08:00 SRC=66.70.188.152 DST=45.33.10.132 LEN=40 TOS=0x00 PREC=0x00 TTL=245 ID=54321 PROTO=TCP SPT=55858 DPT=8080 WINDOW=65535 RES=0x00 SYN URGP=0

is there an ip I can whitelist for update.?

CC_ALLOW_FILTER = "US,IR,IE,DE,ZA,CU,MX,GB,CA"

Can't see anything obvious there, with that short messages snippet. Port 2555 is undefined, so heck knows what worker-17.sfj.corp.censys.io is trying to achieve.

I NEVER use a CC_ALLOW_FILTER and highly advise against it. I do however use CC_DENY with a long list, along with ipset.
My typical use below but your target market(s) will be different:

CC_DENY = "RU,CN,TH,TW,IL,SG,AG,RO,SC,MX,BR"

I suggest you save your current csf profile, reset csf to the defaults, then load the high_protection profile, as a starting point.

Code: [Select]

csf -h gives your the profile/reset options.

As is typical and crazily ridiculous /usr/local/cwpsrv/htdocs/resources/admin/include/cron.php (which runs during an update) is ioncube encoded, so I can't debug any further.

 

After I deleted the cc allow filter the upgrade worked.  So, I need the CC that is used for update or preferably and IP address to whitelist.

I used cc allow filter because that is what csf recommends.

# WARNING: Due to the resource constraints on VPS servers this feature should
# not be used on such systems unless you choose very small CC zones
#
# WARNING: CC_ALLOW allows access through all ports in the firewall. For this
# reason CC_ALLOW probably has very limited use and CC_ALLOW_FILTER is
# preferred
#
# Each option is a comma separated list of CC's, e.g. "US,GB,DE"
CC_DENY = ""
CC_ALLOW = ""

# An alternative to CC_ALLOW is to only allow access from the following
# countries but still filter based on the port and packets rules. All other
# connections are dropped

Well, I have been using CSF for over a decade and *nix for about three, so must know sod all. 
At least you're back working.

You only read what you want to see.. (my emphasis)

# WARNING: CC_ALLOW allows access through all ports in the firewall. For this
# reason CC_ALLOW probably has very limited use

IMHumbleO, same applies to CC_ALLOW_FILTER, unless you know precisely what you are doing and the implications. IMO, it ain't worth the hassle.

I still need an update IP address to whitelist.  If the country is NL, I surely dont want to let everyone in NL to access my server.

You're welcome, BTW. 

I surely dont want to let everyone in NL to access my server.

..and that is what the firewall will do anyway. Too many port scans, for example, and they'll be blocked.
The obvious thing to do is add NL to CC_DENY and see if the update still works. If it doesn't then you'll need a plan B or C. (You'll get many more attacks from the countries that I deny, as well as USA!)