I have an Ubuntu 14.04 server which has a Tomcat installation listening on port 8080. I installed CSF today.

Following is `netstat -tulpn`

    tcp6       0      0 :::8080                 :::*                    LISTEN      8278/java

This is my IPV6 part of csf.conf

    # Allow incoming IPv6 TCP ports
    TCP6_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995,8080"

    # Allow outgoing TCP ports
    TCP6_OUT = "20,21,22,25,53,80,110,113,443,993,995,8080"

    # Allow incoming UDP ports
    UDP6_IN = "20,21,53,8080"

    # Allow outgoing UDP ports
    # To allow outgoing traceroute add 33434:33523 to this list
    UDP6_OUT = "20,21,53,113,123,8080"

Following is the `csf -p` output

    8080/tcp   -/6  -     (8278/root)          /usr/lib/jvm/java-7-openjdk-amd64/bi... /usr/lib/jvm/java-7-openjdk-amd64/jre/bin/java

I have restarted csf with `csf -r` but I cannot connect to port 8080. There are no related error messages in lfd.log, and if I disable csf I can connect to the Tomcat instance running on 8080.

What may be causing this, and how do I open port 8080 through CSF?

Thank you

Cha0s
SriKolla
  • I presume you are trying to connect via IPv6 to port 8080, correct? Because your csf -p output shows that port 8080 is open only for IPv6. – Cha0s Jan 24 '15 at 17:07
  • Yes trying to connect to port 8080 via IPv6 – SriKolla Jan 24 '15 at 17:09
  • It's a long shot, but is it possible your IPv6 Address is listed on `/etc/csf/csf.deny` thus blocking your requests when CSF is running? – Cha0s Jan 24 '15 at 17:11
  • Hi, thanks. I rechecked my csf.deny and it does not contain my IP, or even one from my country :( – SriKolla Jan 24 '15 at 17:14
  • What's the output of `ip6tables -L -v -n | grep "dpt:8080"` ? – Cha0s Jan 24 '15 at 17:18
  • `0 0 ACCEPT tcp !lo * ::/0 ::/0 state NEW tcp dpt:8080`
    `0 0 ACCEPT udp !lo * ::/0 ::/0 state NEW udp dpt:8080`
    `0 0 ACCEPT tcp * !lo ::/0 ::/0 state NEW tcp dpt:8080`
    `0 0 ACCEPT udp * !lo ::/0 ::/0 state NEW udp dpt:8080`
    – SriKolla Jan 24 '15 at 17:29
  • Ok that's strange. The ports seem to be open at the iptables level. None of which have counted any bytes/packets. Maybe there are some other rules before those that block the requests? I am out of ideas :( – Cha0s Jan 24 '15 at 17:33
  • Yeah :( The other thing that confuses me is that everything returns to normal when I disable csf – SriKolla Jan 24 '15 at 17:35
  • Even if you do `csf -x` then `csf -uf`? – ADM Jan 24 '15 at 20:09
  • Hi, thank you. `csf -uf` made port 8080 accessible. Now the issue is that even if I remove port 8080 from the csf.conf IPv6 config, the ports are still accessible. If I want to block a port which was previously allowed, not removing it from csf.conf and then do `csf -r` is not enough or do I have to use `csf -d` for that? – SriKolla Jan 24 '15 at 20:40
  • `csf -x` completely disabled the firewall, that's why you can access port 8080 even if it's removed from the allowed ports list. `csf -uf` forced an update on CSF/LFD. You can enable csf by running `csf -e`. With `csf -r` you restart the firewall. With `csf -d` IP you can block an **IP address** (not ports). I don't understand the question. You want to block an allowed port without removing it from the allowed ports list? Doesn't make much sense to me. – Cha0s Jan 24 '15 at 22:18
  • Sorry, the issue was that once I ran `csf -uf`, I was able to connect through all the ports I mentioned before. To test whether it really worked, I removed port 8080 from the IPv6 section of csf.conf and restarted with `csf -r`. But even after removing port 8080 from csf.conf I could still connect to 8080 without any issue. I wanted to know how that happened. – SriKolla Jan 25 '15 at 09:03
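
The check Cha0s raises in the comments (whether a rule ahead of the `dpt:8080` ACCEPT blocks the request first) can be done by walking the ruleset in order. The following is an added example, not part of the original thread: it assumes the input is text from `ip6tables -S`, handles only the `-i`, `-p`, `--dport`, `--state` and `-j` options (anything else raises an error), and its function names, the chain name `EARLY` and the interface `eth0` are constructed for illustration.

```python
def parse(dump):  # `ip6tables -S` text -> ({chain: policy}, {chain: [rule tokens]})
    policies, chains = {}, {}
    for kind, chain, *rest in (l.split() for l in dump.strip().splitlines()):
        chains.setdefault(chain, [])
        if kind == "-P":
            policies[chain] = rest[0]
        elif kind == "-A":
            chains[chain].append(rest)
    return policies, chains

def matches(rule, iface, port):  # would a NEW TCP packet to `port` on `iface` match?
    tests = {
        "-i": lambda v: v == iface,
        "-p": lambda v: v == "tcp",
        "-m": lambda v: True,  # only names the match module
        "--dport": lambda v: int(v.split(":")[0]) <= port <= int(v.split(":")[-1]),
        "--state": lambda v: "NEW" in v.split(","),
    }
    neg, it = False, iter(rule)
    for opt in it:
        if opt == "-j":
            break
        if opt != "!" and opt not in tests:
            raise ValueError("match option not handled: " + opt)
        if opt != "!" and tests[opt](next(it)) == neg:
            return False
        neg = opt == "!"  # "!" negates the option that follows it
    return True

def verdict(policies, chains, iface, port, chain="INPUT"):
    """First-match walk: (target, chain, rule_no); rule_no 0 means the chain policy."""
    for n, rule in enumerate(chains[chain], 1):
        if "-j" not in rule or not matches(rule, iface, port):
            continue
        target = rule[rule.index("-j") + 1]
        if target in ("ACCEPT", "DROP", "REJECT"):
            return target, chain, n
        if target == "RETURN":
            break
        hit = target in chains and verdict(policies, chains, iface, port, target)
        if hit:
            return hit
    return (policies[chain], chain, 0) if chain in policies else None

# Constructed sample: verdict(*parse(BLOCKED), "eth0", 8080) -> ("DROP", "EARLY", 1)
BLOCKED = """-P INPUT DROP
-N EARLY
-A INPUT ! -i lo -j EARLY
-A INPUT ! -i lo -p tcp -m state --state NEW -m tcp --dport 8080 -j ACCEPT
-A EARLY -p tcp -m tcp --dport 8000:8100 -j DROP"""
```

A result with rule number 0 means no rule matched and the chain policy decided, so a flushed ruleset with policy ACCEPT reports `("ACCEPT", "INPUT", 0)` whatever csf.conf lists.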

0 Answers