Csf firewall blocking IRC networks

rtorrent
quassel
csf-firewall

#1

Having issues with quassel core and also Auto DL in rutorrent when I activate csf.

I can connect to some IRC servers but not others. Also I’m having odd issues connecting into quassel core. If my phone is on wifi it works but not when on 4g.


#2

That’s a Quassel issue. I have heard of others having these same issues… but it was hit or miss on which providers this was related to… not sure why.

Thank you for bringing this to my attention. I just checked and sure enough the IRSSI ports were being generated as per the installer with random port shuffle between ports 2000 and 61000. This should have been marked as IRSSI_PORT=$(shuf -i 20000-61000 -n 1) instead.

Additionally, Quassel core's port :4242 was not whitelisted in the acceptable port range for CSF… thus… das boot.

Here are the appropriate changes I just made. These commits should resolve future installs; however, you will need to do a little manual labor in CSF to correct this. Or do box remove csf, then do box upgrade, then install CSF once more.


#3

4g vs wifi isn’t a quassel issue when it works fine without CSF installed.


#4

Well, don’t know what to tell you then.

I can access the Quassel server fine from my phone via 4G, as I posted above. Some people have had this issue and some have not. This is with CSF installed as well as Quassel. You have access to the entire code tree, if you would like to look and see, since you know this is a definitive QuickBox issue.


#5

I reinstalled csf and having same issues.

On quassel I can’t connect to IRC servers, and Auto DL doesn’t want to connect to any IRC as well.


#6

Can you confirm that your csf.conf template has been updated? It’s located at /etc/csf/. Just to confirm, you did run the update as well with box upgrade to pull these fixes yes?


#7

I did box upgrade and it said it updated 2 files.

Where do I find IRSSI_PORT=$(shuf -i 20000-61000 -n 1) in the config file? I searched for it and it wasn’t found.


#8

This is not in the config file for CSF; this is a condition of the install. Try setting these lines to 2000:61000 instead of 20000:61000 - you’ll see that specific port range at the end of those lines.

After you add those updates, type csf -r to reload the config with the new rules.


#9

Changing to 2000:61000 fixed my issue with auto DL and connecting to IRC networks on quassel. It also fixed my issue connecting to quassel on 4g.

But I’m wondering what’s the point of a firewall if I have this many open ports.


#10

Again, this was implemented from a typo on the installer.

It should have been addressed as 20000:61000 (why open that port range? b/c it’s used for the proper functions of the ports used by rtorrent and irssi.) This is due to the random generator. Guess what though? CSF is a firewall with a GUI… just add in the port you’re using for rtorrent and irssi and there is no need for the range being as extended as it is. This is merely to find a resolve to your query… not a concrete resolution… so… gearing down now.

Now that we know this is a port issue within the firewall (which we did know, but we must confirm or risk breaking things), just add in your ports in the given fields within the CSF GUI.


#11

Where do I find what port auto DL is using?

Thanks for the help.


#12

Check in /srv/rutorrent/conf/users/$USERNAME in the file config.php

You should see a line towards the bottom that states $autodlPort = XXXXX; where XXXXX is the actual port number.

No, thank you for bringing all this up… it’ll make a great Wiki entry for a CSF article. All these little things are things I fail to recall until someone asks the question. :smiley:
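The two steps from posts #8 and #12 (read the autodl port from the user's config.php, then make sure csf.conf's port lists cover it, reloading with csf -r if not) can be checked in one go. The script below is an added example, not code from the thread, from QuickBox or from CSF; it parses the `KEY = "..."` lines of a csf.conf and the `$autodlPort = NNNNN;` line of a rutorrent config.php, and understands both single ports and LOW:HIGH ranges in TCP_IN/TCP_OUT. The two files it reads are constructed samples written to a temp directory; on a real host the paths would be /etc/csf/csf.conf and /srv/rutorrent/conf/users/$USERNAME/config.php as stated in the thread.

```shell
#!/bin/sh
# Added example: check whether the autodl port is allowed by csf.conf.
# Not code from the thread, QuickBox or CSF; sample files are constructed.

# Print the quoted value of KEY from a csf.conf-style file (KEY = "value").
csf_setting() {
    sed -n "s/^$2 *= *\"\([^\"]*\)\".*/\1/p" "$1" | head -n 1
}

# Print the numeric value of $autodlPort from a rutorrent config.php.
autodl_port() {
    sed -n 's/^[$]autodlPort *= *\([0-9][0-9]*\).*/\1/p' "$1" | head -n 1
}

# Return 0 if PORT is covered by the comma-separated csf list LIST.
# Entries are either single ports (4242) or ranges (20000:61000).
port_in_list() {
    port="$1"; list="$2"; found=1
    old_ifs="$IFS"; IFS=','
    for entry in $list; do
        [ -n "$entry" ] || continue
        case "$entry" in
            *:*)
                lo="${entry%%:*}"; hi="${entry##*:}"
                [ "$port" -ge "$lo" ] && [ "$port" -le "$hi" ] && found=0
                ;;
            *)
                [ "$port" -eq "$entry" ] && found=0
                ;;
        esac
    done
    IFS="$old_ifs"
    return "$found"
}

# Report whether csf.conf CONF allows PORT inbound (TCP_IN) and outbound
# (TCP_OUT); returns 0 only when both lists cover it.
csf_port_status() {
    conf="$1"; port="$2"
    in_list=$(csf_setting "$conf" TCP_IN)
    out_list=$(csf_setting "$conf" TCP_OUT)
    in_ok=no; out_ok=no
    port_in_list "$port" "$in_list" && in_ok=yes
    port_in_list "$port" "$out_list" && out_ok=yes
    echo "port $port  TCP_IN:$in_ok  TCP_OUT:$out_ok"
    [ "$in_ok" = yes ] && [ "$out_ok" = yes ]
}

# --- constructed sample files (stand-ins for /etc/csf/csf.conf and
# /srv/rutorrent/conf/users/$USERNAME/config.php) ---
DEMO_DIR=$(mktemp -d)
DEMO_CSF_CONF="$DEMO_DIR/csf.conf"
DEMO_CONFIG_PHP="$DEMO_DIR/config.php"

cat > "$DEMO_CSF_CONF" <<'EOF'
# constructed csf.conf fragment with the intended 20000:61000 range
TCP_IN = "20,21,22,25,53,80,110,143,443,4242,20000:61000"
TCP_OUT = "20,21,22,25,53,80,110,113,443,6667,6697,20000:61000"
EOF

cat > "$DEMO_CONFIG_PHP" <<'EOF'
<?php
// constructed rutorrent user config.php fragment
$autodlPort = 12345;
$autodlPassword = "example";
EOF

DEMO_AUTODL_PORT=$(autodl_port "$DEMO_CONFIG_PHP")
if csf_port_status "$DEMO_CSF_CONF" "$DEMO_AUTODL_PORT"; then
    echo "autodl port $DEMO_AUTODL_PORT is already allowed"
else
    echo "add $DEMO_AUTODL_PORT to TCP_IN and TCP_OUT in csf.conf, then run: csf -r"
fi
```

With the sample files the autodl port 12345 falls below the 20000:61000 range and is reported as blocked in both directions, which is the situation the thread describes; with the broad 2000:61000 range from post #9 the same port would pass, which is why that change "fixed" things at the cost of opening far more ports than the single one autodl needs.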


#13

So after setting it up with no port range it stopped working again.

Same with quassel… it won’t connect to irc networks again.

Very weird. It’s like there is some hidden port I need to open.

I did grab the port from the config.php and restarted the firewall service.


#14

Is it odd that I can…?

uninstall csf

Connect to auto DL correctly. Connect to all my IRC servers in quassel correctly.

then install csf

And auto DL will continue to work and quassel will continue to be fine on all my irc networks.

Shouldn’t csf disconnect everything at this point considering the issues I’m having?

If I connect to IRC servers then enable csf it will continue to work fine until I disconnect a channel and try to reconnect.

Of course I could just set everything up and install csf and call it a day. But if I ever need to restart the server… or want to add an IRC channel, I would have to uninstall csf just to connect, then reinstall csf.


#15

No, as these ports were functional and active during the time of installing CSF, it will temporarily white-list them. As soon as the services requesting the non-whitelisted ports are fired, CSF blocks the incoming connections. It’s not as dynamic as one would like it to be.

I don’t follow… why would you have to uninstall and reinstall? Just make the needed changes in the GUI and restart csf. Additionally, you can just as easily stop CSF temporarily with csf -x, then to re-enable you type csf -e, and to reload the rules csf -r.

…Another puzzling thing is why it would block the channels for IRC. These are in no way connected to your server so there should be no block on ports. You could try adding the site/networks SSL and non-SSL IRC ports to the whitelist and see if that helps any.


#16

Adding everything to the config file didn’t fix my problem, so that’s why I would need to uninstall then reinstall anytime I wanted to add an IRC server connection.

Is there a way to see what CSF is temp whitelisting?

csf -x and csf -e worked at least so I don’t need to uninstall in the future.

Would you suggest leaving the port range of 2000-61000? Because that did fix my problem. Otherwise using csf -x and csf -e is what I’ll do.


#17

That’s tough, and without you bringing this to my attention I would have missed this completely. You can leave that port range; however, it is a very broad brush stroke and does open many ports. The good news though is that CSF will alert you for nearly everything under the sun, so you’ll know immediately if something changes or is amiss. The other good news is that the start port range is leaving out the 1900 port for UDP flooding. I would say to just leave it.