I am experiencing that the firewall module v13.0.26 is throwing an error on rfw rule 2 from within the Iptables.class.php code (excerpts below). It looks to me that rule two in the getDefaultRules function is not the same rule that is expected on line 107 where the error is thrown. Is anyone else seeing this?
Error reported:
rfw rule 2 not valid (Is '-m recent --rcheck --seconds 86400 --hitcount 1 --name ATTACKER --rsource -j fpbxattacker', should start with '-m recent --rcheck --seconds 10 --hitcount 50 --name REPEAT --rsource')
THIS MAY BE A KERNEL ISSUE. IF THIS KEEPS OCCURRING REBOOT YOUR MACHINE URGENTLY.
1462274864: Wall: 'Firewall Rules corrupted! Restarting in 5 seconds
Code excerpts from Iptables.class.php
lines 100-114 in public function validateRunning()
$rfw = $current[$i]['filter']['fpbxrfw'];
$rules = $this->getDefaultRules();
// Compare the main 3 rules, that should tell you if the kernel is OK
if (strpos($rfw[1], $rules['fpbxrfw'][1]['other']) === false) {
    print "RFW rule 1 not valid (Is '".$rfw[1]."', should start with '".$rules['fpbxrfw'][1]['other']."')\nTHIS MAY BE A KERNEL ISSUE. IF THIS KEEPS OCCURRING REBOOT YOUR MACHINE URGENTLY.\n";
    return false;
}
if (strpos($rfw[2], $rules['fpbxrfw'][2]['other']) === false) { // line 107
    print "rfw rule 2 not valid (Is '".$rfw[2]."', should start with '".$rules['fpbxrfw'][2]['other']."')\nTHIS MAY BE A KERNEL ISSUE. IF THIS KEEPS OCCURRING REBOOT YOUR MACHINE URGENTLY.\n";
    return false;
}
if (strpos($rfw[3], $rules['fpbxrfw'][3]['other']) === false) {
    print "rfw rule 3 not valid (Is '".$rfw[3]."', should start with '".$rules['fpbxrfw'][3]['other']."')\nTHIS MAY BE A KERNEL ISSUE. IF THIS KEEPS OCCURRING REBOOT YOUR MACHINE URGENTLY.\n";
    return false;
}
lines 1189-1217 in private function getDefaultRules()
// To start with, we ensure that we keep track of ALL rfw attempts.
$retarr['fpbxrfw'][] = array("other" => "-m recent --set --name REPEAT --rsource");
// This is purely for displaying the Registered Endpoints
$retarr['fpbxrfw'][] = array("other" => "-m recent --set --name DISCOVERED --rsource");
// Testing against various attack tools suggests that they tend to spam packets,
// even when they are rejected. So, as a simple 'we know you're doing bad things'
// check, if they've sent more than 50 packets in 10 seconds, they're baddies.
// We're just going to block them, and be done with it.
$retarr['fpbxrfw'][] = array("other" => "-m recent --rcheck --seconds 10 --hitcount 50 --name REPEAT --rsource", "jump" => "fpbxattacker");
// Has this IP already been detected as a persistent attacker? They're off to
// the bit bucket.
$retarr['fpbxrfw'][] = array("other" => "-m recent --rcheck --seconds 86400 --hitcount 1 --name ATTACKER --rsource", "jump" => "fpbxattacker"); // line 1200
// This is the 'short' block, which allows up to 10 packets in 60 seconds,
// before they get clamped. 10 packets is enough to establish and hang up two
// calls, or one with voicemail notification.
$retarr['fpbxrfw'][] = array("other" => "-m recent --rcheck --seconds 60 --hitcount 10 --name SIGNALLING --rsource", "jump" => "fpbxshortblock");
// Note, this is *deliberately* after the check. Otherwise it'll never time out. We
// want to let them actually attempt to connect, albeit slowly. If they're legitimate,
// their registration will be discovered, and they won't hit here any more. If they're
// an attacker, we want to encourage them to retry so they are blocked quicker.
$retarr['fpbxrfw'][] = array("other" => "-m recent --set --name SIGNALLING --rsource");
// We're a lot less forgiving over the longer term.
//
// If this IP has sent more than 100 signalling requests without success in a 24 hour
// period, we're deeming them as bad guys, and we're not interested in talking to them
// any more.
$retarr['fpbxrfw'][] = array("other" => "-m recent --rcheck --seconds 86400 --hitcount 100 --name REPEAT --rsource", "jump" => "fpbxattacker");
// OK, hasn't exceeded any rate limiting, good to go, for now.
$retarr['fpbxrfw'][] = array("jump" => "ACCEPT");
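As an added illustration (not code from the FreePBX module or from the poster): the quoted message is exactly what the comparison produces when the running fpbxrfw chain lacks the default rule at index 2 (the --hitcount 50 check), so every later rule shifts up one slot and the ATTACKER rule lands where the REPEAT check is expected. This PHP replays the check on constructed input, assuming the running chain is indexed the same way as the defaults, and adds a function that reports which default is absent rather than which slot mismatched.

```php
<?php
// Added example, not code from the FreePBX firewall module: replays the
// validateRunning() comparison on a constructed chain with one rule absent.

// The default fpbxrfw rules from getDefaultRules() ("other" and optional "jump").
const DEFAULT_RFW = [
    ['other' => '-m recent --set --name REPEAT --rsource'],
    ['other' => '-m recent --set --name DISCOVERED --rsource'],
    ['other' => '-m recent --rcheck --seconds 10 --hitcount 50 --name REPEAT --rsource', 'jump' => 'fpbxattacker'],
    ['other' => '-m recent --rcheck --seconds 86400 --hitcount 1 --name ATTACKER --rsource', 'jump' => 'fpbxattacker'],
    ['other' => '-m recent --rcheck --seconds 60 --hitcount 10 --name SIGNALLING --rsource', 'jump' => 'fpbxshortblock'],
    ['other' => '-m recent --set --name SIGNALLING --rsource'],
    ['other' => '-m recent --rcheck --seconds 86400 --hitcount 100 --name REPEAT --rsource', 'jump' => 'fpbxattacker'],
];

// Constructed running chain, indexed like the defaults (an assumption): the
// text of every default rule except $missing, as iptables would echo it.
function runningChainWithout(int $missing): array {
    $chain = [];
    foreach (DEFAULT_RFW as $i => $rule) {
        if ($i === $missing) { continue; }
        $chain[] = $rule['other'] . (isset($rule['jump']) ? ' -j ' . $rule['jump'] : '');
    }
    return $chain;
}

// The module's check: running rules 1..3 must contain the matching default.
// Returns null when they do, otherwise the same message the module prints.
function moduleCheck(array $rfw): ?string {
    for ($i = 1; $i <= 3; $i++) {
        $have = $rfw[$i] ?? '';
        if (strpos($have, DEFAULT_RFW[$i]['other']) === false) {
            return "rfw rule $i not valid (Is '$have', should start with '" . DEFAULT_RFW[$i]['other'] . "')";
        }
    }
    return null;
}

// What the module does not tell you: which defaults appear nowhere in the chain.
function missingDefaults(array $rfw): array {
    $missing = [];
    foreach (DEFAULT_RFW as $i => $rule) {
        $present = array_filter($rfw, fn($line) => strpos($line, $rule['other']) !== false);
        if (!$present) { $missing[] = $i; }
    }
    return $missing;
}

$rfw = runningChainWithout(2);  // drop the --hitcount 50 rule
echo moduleCheck($rfw), "\n";   // reproduces the message quoted in the post
echo 'default rule indexes absent from the chain: ', implode(', ', missingDefaults($rfw)), "\n";
```

If the --hitcount 50 rule is the one reported absent, one thing worth checking is whether the kernel's xt_recent module accepted it at insert time: its ip_pkt_list_tot parameter defaults to 20, and a --hitcount larger than that value is rejected.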