Firewall v13.0.26 reporting Firewall Rules corrupted

bha2583 · May 3, 2016, 2:04pm

I am experiencing that the firewall module v13.0.26 is throwing an error on rfw rule 2 from within the Iptables.class.php code (excerpts below). It looks to me that rule two in the getDefaultRules function is not the same rule that is expected on line 107 where the error is thrown. Is anyone else seeing this?

Error reported:
rfw rule 2 not valid (Is ‘-m recent --rcheck --seconds 86400 --hitcount 1 --name ATTACKER --rsource -j fpbxattacker’, should start with ‘-m recent --rcheck --seconds 10 --hitcount 50 --name REPEAT --rsource’)
THIS MAY BE A KERNEL ISSUE. IF THIS KEEPS OCCURRING REBOOT YOUR MACHINE URGENTLY.
1462274864: Wall: 'Firewall Rules corrupted! Restarting in 5 seconds

Code excerpts from Iptables.class.php

line 100-114 in public function validateRunning()

		$rfw = $current[$i]['filter']['fpbxrfw'];
		$rules = $this->getDefaultRules();
		// Compare the main 3 rules, that should tell you if the kernel is OK
		if (strpos($rfw[1], $rules['fpbxrfw'][1]['other']) === false) {
			print "RFW rule 1 not valid (Is '".$rfw[1]."', should start with '".$rules['fpbxrfw'][1]['other']."')\nTHIS MAY BE A KERNEL ISSUE. IF THIS KEEPS OCCURRING REBOOT YOUR MACHINE URGENTLY.\n";
			return false;
		}
	        if (strpos($rfw[2], $rules['fpbxrfw'][2]['other']) === false) {  // line 107
			print "rfw rule 2 not valid (Is '".$rfw[2]."', should start with '".$rules['fpbxrfw'][2]['other']."')\nTHIS MAY BE A KERNEL ISSUE. IF THIS KEEPS OCCURRING REBOOT YOUR MACHINE URGENTLY.\n";
			return false;
		}
		if (strpos($rfw[3], $rules['fpbxrfw'][3]['other']) === false) {
			print "rfw rule 3 not valid (Is '".$rfw[3]."', should start with '".$rules['fpbxrfw'][3]['other']."')\nTHIS MAY BE A KERNEL ISSUE. IF THIS KEEPS OCCURRING REBOOT YOUR MACHINE URGENTLY.\n";
			return false;
		}

line 1189 - 1217 in private function getDefaultRules()

            // To start with, we ensure that we keep track of ALL rfw attempts.
	$retarr['fpbxrfw'][] = array("other" => "-m recent --set --name REPEAT --rsource");
	// This is purely for displaying the Registered Endpoints
	$retarr['fpbxrfw'][] = array("other" => "-m recent --set --name DISCOVERED --rsource");
	// Testing against various attack tools suggests that they tend to spam packets,
	// even when they are rejected.  So, as a simple 'we know you're doing bad things'
	// check, if they've sent more than 50 packets in 10 seconds, they're baddies.
	// We're just going to block them, and be done with it.
	$retarr['fpbxrfw'][] = array("other" => "-m recent --rcheck --seconds 10 --hitcount 50 --name REPEAT --rsource", "jump" => "fpbxattacker");
	// Has this IP already been detected as a persistent attacker? They're off to
	// the bit bucket.
         $retarr['fpbxrfw'][] = array("other" => "-m recent --rcheck --seconds 86400 --hitcount 1 --name ATTACKER --rsource", "jump" => "fpbxattacker");   // line 1200
	// This is the 'short' block, which allows up to 10 packets in 60 seconds,
	// before they get clamped. 10 packets is enough to establish and hang up two
	// calls, or one with voicemail notification.
	$retarr['fpbxrfw'][] = array("other" => "-m recent --rcheck --seconds 60 --hitcount 10 --name SIGNALLING --rsource", "jump" => "fpbxshortblock");
	// Note, this is *deliberately* after the check. Otherwise it'll never time out. We
	// want to let them actually attempt to connect, albeit slowly. If they're legitimate,
	// their registration will be discovered, and they won't hit here any more. If they're
	// an attacker, we want to encourage them to retry so they are blocked quicker.
	$retarr['fpbxrfw'][] = array("other" => "-m recent --set --name SIGNALLING --rsource");
	// We're a lot less forgiving over the longer term.
	//
	// If this IP has sent more than 100 signalling requests without success in a 24 hour
	// period, we're deeming them as bad guys, and we're not interested in talking to them
	// any more.
	$retarr['fpbxrfw'][] = array("other" => "-m recent --rcheck --seconds 86400 --hitcount 100 --name REPEAT --rsource", "jump" => "fpbxattacker");
	// OK, hasn't exceeded any rate limiting, good to go, for now.
	$retarr['fpbxrfw'][] = array("jump" => "ACCEPT");

ris2 · May 4, 2016, 2:21am

Ben - we’re having the exact same issue after updating the firewall to 13.0.26. Multiple reboots (as the error suggests) did not resolve it.

rfw rule 2 not valid (Is '-m recent --rcheck --seconds 86400 --hitcount 1 --name ATTACKER --rsource -j fpbxattacker', should start with '-m recent --rcheck --seconds 10 --hitcount 50 --name REPEAT --rsource') THIS MAY BE A KERNEL ISSUE. IF THIS KEEPS OCCURRING REBOOT YOUR MACHINE URGENTLY. 1462328420: Wall: 'Firewall Rules corrupted! Restarting in 5 seconds

ris2 · May 4, 2016, 2:32am

If the info helps any, this was an upgrade from 13.0.24 to 13.0.26.

A rollback to 13.0.25 stopped the alerts. I did a reboot after the rollback for good measure. Uptime @ 8 minutes and no more alerts.

bha2583 · May 4, 2016, 2:55am

Billy- Thanks for the confirmation. I too started getting the alerts when upgrading from 13.0.25 -> 13.0.26. Where did you download the 13.0.25 version from? I would like to try downgrading as well.
Thanks,
Ben

ris2 · May 4, 2016, 4:11am

In Module Admin, click Check Online, expand System Firewall. There will be a Previous button under Changelog, then click Rollback next to the version you want.

xrobau · May 4, 2016, 4:42am

Those numbers are correct. Can someone who’s experencing this error please paste the entire contents of their firewall log somewhere?

A handy way to do that is this:

cat /etc/firewall.log | curl -F 'sprunge=<-' http://sprunge.us

That’ll output a link that you can paste here.

bha2583 · May 4, 2016, 12:06pm

Billy, Thanks, totally missed the fact the previous link was sitting right there all this time. I am somewhat new to FreePBX.

Rob, I uploaded the firewall log, btw, the file I uploaded was /tmp/firewall.log. No log file in /etc.

Link http://sprunge.us/Ijcb

Thanks,
Ben

bha2583 · May 4, 2016, 12:38pm

Billy, I was able to rollback to 13.0.25 and longer seeing the errors and restarts, Thanks!

xrobau · May 4, 2016, 6:17pm

Bugger, that was a typo on my behalf.

However, the error is correct! Your machine is erroring when it tries to add the rules:

1462363123: /sbin/iptables -A fpbxrfw -m recent --rcheck --seconds 10 --hitcount 50 --name REPEAT --rsource -j fpbxattacker
iptables: Invalid argument. Run `dmesg' for more information.

This means the ipt_recent module isn’t working properly, and your machine needs a reboot.

bha2583 · May 4, 2016, 7:31pm

Rob, My server (which is a managed VM) has been re-booted several times with no change in the error being reported by the FreePBX module. Can you point in the direction to investigate the kernel ipt_recent module? I am not sure what to look for.

Thank you,
Ben

xrobau · May 4, 2016, 7:32pm

I’d have a look at dmesg, like it says

bha2583 · May 5, 2016, 3:43pm

Rob, Thank you for you help. In my case dmesg logs are empty. I contacted my VM provider and they have indicated they cannot support the ipt_recent kernel module in the provided VM. Looks like I will be trying to work with them to get this figured out.

xrobau · May 6, 2016, 3:20am

Well, it’s ipt_recent or xt_recent, it auto-detects which one the machine uses.

But it sounds a LOT like this is an OpenVZ-ish machine. I need to figure out a way to make rfw inaccessable but still let you use SOME of it.

I strongly recommend you use a proper hosting partner. Not just because they sling us a few dollars when you sign up, but you won’t have these problems.

bha2583 · May 6, 2016, 11:56am

Rob, You are exactly correct. They are using OpenVZ. They are a top SIP provider in the US and are in motion to move the VM off of OpenVZ to a more suitable VM platform (don’t know what that is yet). I am told it will be several months before they migration will take place. Thanks for all of your help. And please point me to your preferred providers, I would like to review. it may be time to move.
Thank you