Package: apf-firewall Version: 9.7+rev1-5 Severity: normal Dear Maintainer,
thanks for the time you make available for maintaining packages in Debian. I just had an issue in apf-firewall I hopefully expressed understandably below. * What led up to the situation? I got a report that someone could only access my website via his mobile phone, not via his landline internet access. After switching off apf-firewall access was possible, further investigation revealed a conceptional mistake. * What exactly did you do (or not do) that was effective (or ineffective)? Added the IP address directly to the allow hosts. * What was the outcome of this action? Access to website was restored, then went on to hunt rules which triggered with the orignal rulesets. Found the source rule in bt.rules and went and deactivated PKT_SANITY_STUFFED. Not every 0.0.0.255 is a broadcast, and even .191, .127 or .63 may be, why not also block those? * What outcome did you expect instead? Not to block 0.0.0.255 as you can't tell how the provider uses a big allocation like 92.252.0.0/17AS15747 for his customers. netnum: 92.252.8.0 - 92.252.111.255 With kind regards Peter -- System Information: Debian Release: 9.5 APT prefers stable-updates APT policy: (500, 'stable-updates'), (500, 'stable') Architecture: amd64 (x86_64) Kernel: Linux 4.9.0-8-amd64 (SMP w/2 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) Versions of packages apf-firewall depends on: ii iproute 1:4.9.0-1+deb9u1 ii iptables 1.6.0+snapshot20161117-6 ii lsb-base 9.20161125 ii wget 1.18-5+deb9u2 apf-firewall recommends no packages. apf-firewall suggests no packages. -- Configuration Files: /etc/apf-firewall/allow_hosts.rules changed: 92.252.xx.255 /etc/apf-firewall/conf.apf changed: DEVEL_MODE="0" INSTALL_PATH="/etc/apf-firewall" IFACE_IN="eth0" IFACE_OUT="eth0" IFACE_TRUSTED="" SET_VERBOSE="1" SET_FASTLOAD="0" SET_VNET="0" SET_ADDIFACE="0" SET_MONOKERN="0" SET_REFRESH="30" SET_TRIM="150" VF_ROUTE="1" VF_CROND="1" VF_LGATE="" RAB="1" RAB_SANITY="1" RAB_PSCAN_LEVEL="2" RAB_HITCOUNT="1" RAB_TIMER="300" RAB_TRIP="1" RAB_LOG_HIT="1" RAB_LOG_TRIP="0" TCP_STOP="RESET" UDP_STOP="RESET" ALL_STOP="DROP" PKT_SANITY="1" PKT_SANITY_INV="1" PKT_SANITY_FUDP="1" PKT_SANITY_PZERO="1" PKT_SANITY_STUFFED="0" TOS_DEF="0" TOS_DEF_RANGE="512:65535" TOS_0="" TOS_2="" TOS_4="" TOS_8="80,443" TOS_16="25,110,143,22" TCR_PASS="1" TCR_PORTS="33434:33534" ICMP_LIM="30/s" RESV_DNS="1" RESV_DNS_DROP="1" BLK_P2P_PORTS="" BLK_PORTS="111,135_139,445,513,520,1234,1433,1434,1524,3127" BLK_MCATNET="1" BLK_PRVNET="1" BLK_RESNET="1" BLK_IDENT="1" SYSCTL_CONNTRACK="34576" SYSCTL_TCP="1" SYSCTL_SYN="1" SYSCTL_ROUTE="1" SYSCTL_LOGMARTIANS="1" SYSCTL_ECN="1" SYSCTL_SYNCOOKIES="1" SYSCTL_OVERFLOW="0" HELPER_SSH="1" HELPER_SSH_PORT="22" HELPER_FTP="0" HELPER_FTP_PORT="21" HELPER_FTP_DATA="20" IG_TCP_CPORTS="22,25,465,587,80,443,993,995,1011,30033" IG_UDP_CPORTS="9987" IG_ICMP_TYPES="3,5,11,0,30,8" EGF="0" EG_TCP_CPORTS="21,25,80,443,43" EG_UDP_CPORTS="20,21,53" EG_ICMP_TYPES="all" EG_TCP_UID="" EG_UDP_UID="" EG_DROP_CMD="eggdrop psybnc bitchx BitchX init udp.pl" DLIST_PHP="1" DLIST_PHP_URL="rfxn.com/downloads/php_list" DLIST_PHP_URL_PROT="http" DLIST_SPAMHAUS="1" DLIST_SPAMHAUS_URL="www.spamhaus.org/drop/drop.lasso" DLIST_SPAMHAUS_URL_PROT="http" DLIST_DSHIELD="1" DLIST_DSHIELD_URL="feeds.dshield.org/top10-2.txt" DLIST_DSHIELD_URL_PROT="http" DLIST_RESERVED="1" DLIST_RESERVED_URL="rfxn.com/downloads/reserved.networks" DLIST_RESERVED_URL_PROT="http" DLIST_ECNSHAME="0" DLIST_ECNSHAME_URL="rfxn.com/downloads/ecnshame.lst" DLIST_ECNSHAME_URL_PROT="http" USE_RGT="0" GA_URL="yourhost.com/glob_allow.rules" GA_URL_PROT="http" GD_URL="yourhost.com/glob_deny.rules" GD_URL_PROT="http" LOG_DROP="0" LOG_LEVEL="crit" LOG_TARGET="LOG" LOG_IA="1" LOG_LGATE="0" LOG_EXT="0" LOG_RATE="30" LOG_APF="/var/log/apf_log" CNFINT="$INSTALL_PATH/internals/internals.conf" . $CNFINT /etc/default/apf-firewall changed: RUN="yes" -- no debconf information