[BlueOnyx:24556] Re: APF Firewall deletes Whitelist entry

Meaulnes Legler @ MailList bluelist at waveweb.ch
Sat Dec 5 07:30:12 -05 2020


thank you Michael

I don't have Fail2ban enabled because I can't restart it (version 0.9.6-4 on 5209R), but Dfix2 does, and it says in /etc/apf/deny_hosts.rules:

# added 84.226.70.22 on 12/02/20 09:39:32 with comment: dFixblock2
84.226.70.22

maybe Dfix2 messed around with the Whitelist...

anyway, the user confessed he's running an NT machine (remember?:-) which is known not to be patched anymore, so I told him to disconnect it from his network.

the log files weren't revealing, just that 84.226.70.22 was whitelisted: apf(23931): {trust IPv4} allow all to/from 84.226.70.22

best regards

Meaulnes Legler
Zurich, Switzerland
+41¦0 44 260-1660

On 04.12.20 17:01, Michael Stauber wrote:
> Hi Meaulnes,
> 
>> • how come an entry in Allow Host Rules isn't permanent and can get
>> ignored?
>>
>> • how can I find out which device behind this router using that
>> offending IP is abusing the output flow rating? E-mail clients usually
>> list in their outgoing mails the app name and the platform, can I read
>> such data in some APF log?
> 
> Entries in the APF Allow Host Rules are permanent and I don't know how
> these could get lost.
> 
> However, there is a rare race-time issue where Fail2ban might order an
> IP to be blocked and APF will erroneously block it even if the IP has
> been whitelisted. Like said: This is rare, but I have seen it happen. :-/
> 
> If you have Fail2ban, then you might want to go to "Server Management" /
> "Security" / "Fail2ban" and add the whitelisted IP(s) to "Ignore IP's".
> That will make sure Fail2ban doesn't blacklist them at all.
> 
> As for logfiles: /var/log/messages and /var/log/fail2ban.log might shed
> some light on what happened. Just grep these for the IP in question to
> see how, why and when this happened.
> 
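A small check for the situation described in this thread (an IP sitting in APF's trust list while dFix2 has also written it to deny_hosts.rules, plus the grep of the log that Michael suggests), added here as an example and not code from BlueOnyx, APF, dFix2 or either poster. The rule files and log lines are constructed samples written in the style of the entries quoted above, and the function names are this example's own.

```shell
# Added example, not BlueOnyx/APF code: cross-check an IP against APF's allow and
# deny lists and against the log. All files below are constructed samples.
TMP="$(mktemp -d)"
trap 'rm -rf "$TMP"' EXIT
ALLOW="$TMP/allow_hosts.rules"   # stands in for /etc/apf/allow_hosts.rules
DENY="$TMP/deny_hosts.rules"     # stands in for /etc/apf/deny_hosts.rules
LOG="$TMP/messages"              # stands in for /var/log/messages

cat >"$ALLOW" <<'EOF'
# constructed APF trust list
84.226.70.22
EOF
cat >"$DENY" <<'EOF'
# added 84.226.70.22 on 12/02/20 09:39:32 with comment: dFixblock2
84.226.70.22
# added 203.0.113.9 on 12/03/20 11:00:00 with comment: dFixblock2
203.0.113.9
EOF
cat >"$LOG" <<'EOF'
Dec  2 09:39:31 host apf(23931): {trust IPv4} allow all to/from 84.226.70.22
Dec  2 09:39:32 host apf(23940): {glob} deny all to/from 84.226.70.22
Dec  3 11:00:00 host apf(24100): {glob} deny all to/from 203.0.113.9
EOF

# Bare addresses in an APF rule file: drop comments, keep the first field.
apf_rule_ips() { sed 's/#.*//' "$1" | awk 'NF { print $1 }'; }

# One word for IP $3 against allow list $1 and deny list $2:
# conflict (in both, the state from the thread), allowed, denied or absent.
apf_ip_state() {
    a=0; d=0
    apf_rule_ips "$1" | grep -qxF "$3" && a=1
    apf_rule_ips "$2" | grep -qxF "$3" && d=1
    case "$a$d" in
        11) echo conflict ;;
        10) echo allowed ;;
        01) echo denied ;;
        *)  echo absent ;;
    esac
}

# Number of deny events log $1 records for IP $2 (whole-word match, so 184.226... is not hit).
apf_deny_count() { grep -Fw "$2" "$1" | grep -c 'deny all'; }

# Walk the deny list and flag entries that APF also trusts.
for ip in $(apf_rule_ips "$DENY"); do
    printf '%-15s %-8s deny events: %s\n' "$ip" \
        "$(apf_ip_state "$ALLOW" "$DENY" "$ip")" "$(apf_deny_count "$LOG" "$ip")"
done
```

On a real 5209R you would point ALLOW, DENY and LOG at the live files instead of the constructed ones; an entry reported as "conflict" is exactly the whitelisted-yet-blocked state the thread is chasing.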