Firewall apparently leaking
Nick
firehol at acrasis.net
Sun Apr 26 10:35:40 BST 2020
FireHOL 3.1 on Debian stable. iptables is symlinked to iptables-legacy.
To block some ip addresses from my web server on port 80, my
firehol.conf uses an ipset:
interface any world
...
ipv4 ipset create f2b-http hash:ip comment timeout 2147483
server4 http drop src ipset:f2b-http connlog "f2b-http"
...
server http accept with recent web 10 4
server http reject connlog "ratelimit http"
(I don't think the last two lines are relevant, but just in case.)
I use fail2ban to add IP addresses to the set, or I can add an IP
address myself from the shell. I've tested with two outside IPv4
addresses that I have access to. Both have access to port 80 until I
add the address to the f2b-http set and then they don't. In addition
to those two, the log file /var/log/ulog/syslogemu.log shows IP
addresses getting blocked, e.g.
Apr 25 12:13:50 rolly f2b-http: IN=ens3 OUT=
MAC=... SRC=183.136.225.45 DST=46.235.227.79 LEN=44 TOS=00
PREC=0x00 TTL=109 ID=9999 PROTO=TCP SPT=23304 DPT=80 SEQ=1425435408
ACK=0 WINDOW=29200 SYN URGP=0 MARK=0
However, several times a day fail2ban logs a warning that an IP
address is "already banned". In every case I've checked, the address
*was* in the ipset, i.e. I think fail2ban has operated correctly. Yet
the address still appears in a request in my web server's log.
For example, 83.97.20.21 made a request to my web server that
triggered a ban. fail2ban logged "83.97.20.21 already banned". Bans
have a timeout of 2147483 s or 24.8 days. The IP address was present
in the ipset with 1828358 s remaining or 21 days.
The relevant rule generated by firehol appears to be
DROP_CL3 tcp -- anywhere anywhere match-set f2b-http src !
update-counters ! update-subcounters tcp spts:1024:65535 dpt:http
ctstate NEW,ESTABLISHED
I wondered whether the client was using a port below 1024. I updated
the rule with 'iptables -t filter --replace' to change the source port
range to 1:65535 but "already banned" warnings continue.
What can I check to find out how some IP addresses are apparently
evading the firewall?
Thanks
--
Nick
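As an added example, not code from the original post, from FireHOL or from fail2ban: a POSIX shell helper that gathers, for one source address, the three things the post's question comes down to. It checks whether the address is a member of the ipset and how much of its timeout is left (`ipset list`), reads the packet counter of the DROP rule that matches on that set (`iptables -t filter -L -v -n -x`), and counts conntrack flows that the address itself originated (`conntrack -L` from conntrack-tools). The parsing is split into functions that take command output as text, so the same code runs against the constructed sample outputs embedded below (the chain name `in_world_http`, the second member and the conntrack lines are made up for the demo; the 83.97.20.21 entry with 1828358 s remaining mirrors the figure in the post) or, with an address as argument, against the live commands as root.

```shell
#!/bin/sh
# Added diagnostic helper for the situation described in the post above.
# It is not part of FireHOL, fail2ban or the original message; the chain
# name and the sample command outputs below are constructed for the demo.
#
# For one source address it inspects the three places to look when a host
# that is "already banned" still shows up in the web-server log:
#   1. is the address really in the ipset, and how much timeout is left
#   2. is the DROP rule that matches on the set seeing any packets at all
#   3. does conntrack hold a flow that the address originated

SET_NAME="f2b-http"

# set_remaining <output of 'ipset list SET'> <ip>
# Prints the remaining timeout (seconds) of the member, or "none" if the
# member carries no timeout; returns 1 if the address is not in the set.
set_remaining() {
  printf '%s\n' "$1" | awk -v ip="$2" '
    $1 == ip { found = 1; t = "none"
               for (i = 2; i < NF; i++) if ($i == "timeout") t = $(i + 1)
               print t }
    END { exit !found }'
}

# drop_rule_packets <output of 'iptables -t filter -L -v -n -x'> <set>
# Prints the packet counter of the first DROP* rule that matches on
# "match-set <set> src"; returns 1 if no such rule exists.
drop_rule_packets() {
  printf '%s\n' "$1" | awk -v set="$2" '
    index($0, "match-set " set " src") && $3 ~ /^DROP/ { print $1; found = 1; exit }
    END { exit !found }'
}

# conntrack_flows <output of 'conntrack -L'> <ip>
# Counts flows whose ORIGINAL direction has src=<ip>. Each conntrack line
# carries two src= fields (original and reply), so a plain grep -c would
# also count flows this host opened towards the address.
conntrack_flows() {
  printf '%s\n' "$1" | awk -v ip="$2" '
    { for (i = 1; i <= NF; i++) if ($i ~ /^src=/) { if (substr($i, 5) == ip) n++; break } }
    END { print n + 0 }'
}

# report <ipset output> <iptables output> <conntrack output> <ip>
report() {
  if t=$(set_remaining "$1" "$4"); then
    echo "$4: in $SET_NAME, timeout remaining $t s"
  else
    echo "$4: NOT in $SET_NAME"
  fi
  if p=$(drop_rule_packets "$2" "$SET_NAME"); then
    echo "DROP rule on set $SET_NAME has matched $p packets (all sources)"
  else
    echo "no DROP rule matching on set $SET_NAME found"
  fi
  echo "conntrack flows originated by $4: $(conntrack_flows "$3" "$4")"
}

# Constructed sample outputs (not captured from the poster's machine).
SAMPLE_IPSET='Name: f2b-http
Type: hash:ip
Header: family inet hashsize 1024 maxelem 65536 timeout 2147483 comment
Members:
83.97.20.21 timeout 1828358 comment "f2b-http"
183.136.225.45 timeout 2100000 comment "f2b-http"'

SAMPLE_IPTABLES='Chain in_world_http (1 references)
    pkts      bytes target     prot opt in     out     source               destination
      12       720 DROP_CL3   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set f2b-http src ! update-counters ! update-subcounters tcp spts:1024:65535 dpt:80 ctstate NEW,ESTABLISHED
    4083    244980 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spts:1024:65535 dpt:80 ctstate NEW,ESTABLISHED'

SAMPLE_CONNTRACK='tcp      6 431999 ESTABLISHED src=83.97.20.21 dst=46.235.227.79 sport=23304 dport=80 src=46.235.227.79 dst=83.97.20.21 sport=80 dport=23304 [ASSURED] mark=0 use=1
tcp      6 86 SYN_SENT src=46.235.227.79 dst=83.97.20.21 sport=40000 dport=443 [UNREPLIED] src=83.97.20.21 dst=46.235.227.79 sport=443 dport=40000 mark=0 use=1
tcp      6 118 TIME_WAIT src=198.51.100.7 dst=46.235.227.79 sport=51000 dport=80 src=46.235.227.79 dst=198.51.100.7 sport=80 dport=51000 [ASSURED] mark=0 use=1'

# Usage:  sh check-ban.sh demo        -> run against the constructed samples
#         sudo sh check-ban.sh <ip>   -> run the live ipset/iptables/conntrack commands
case "${1:-}" in
  "")   ;;
  demo) report "$SAMPLE_IPSET" "$SAMPLE_IPTABLES" "$SAMPLE_CONNTRACK" 83.97.20.21 ;;
  *)    report "$(ipset list "$SET_NAME")" \
               "$(iptables -t filter -L -v -n -x)" \
               "$(conntrack -L 2>/dev/null)" "$1" ;;
esac
```

Run with `demo`, it reports the address as a member with 1828358 s remaining, 12 packets on the DROP rule and one flow originated by the address. Run live against a real address, the three answers are worth reading together: a counter that does not move while the address is in the set means its packets are not reaching that rule; a counter that moves alongside a conntrack entry for the address shows that the rule is dropping what it sees while a flow from that host still exists. The counter is per rule, not per address, which is why the script also asks conntrack.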