I am running into a problem trying to specify that webmin can only be accessed from my private IP. But I can get the port ranges to correctly work. I am using this in the allow_hosts.rules file.
tcp:in:d=10000:s={IP HIDDEN}
tcp:in:d=30000_35000:s={IP HIDDEN}
udp:in:d=30000_35000:s={IP HIDDEN}
The errors I get with those settings are:
apf(21256): {trust} allow inbound tcp {IP HIDDEN} to port 10000
apf(21256): {trust} allow inbound tcp {IP HIDDEN} to port 30000-35000
iptables v1.4.7: invalid port/service `30000-35000' specified
Try `iptables -h' or 'iptables --help' for more information.
apf(21256): {trust} allow inbound udp 10.16.149.68 to port 3000-35000
iptables v1.4.7: invalid port/service `3000-35000' specified
The changes that make it work, but allow access from all IPs, are:
# Common inbound (ingress) TCP ports
IG_TCP_CPORTS="10000,30000_35000"
# Common inbound (ingress) UDP ports
IG_UDP_CPORTS="30000_35000"
Thanks for any help.
The underscore character defines port ranges in APF. This is true in trust rules as well.
For example 'tcp:out:d=35100_35300:d=1.2.3.4/24' in allow_hosts.rules would allow outbound ports 35,100 through 35,300 to addresses in 1.2.3.4/24.
The 'apf -l' output reinforces this post-reload:
In my experience, I have been unable to get port ranges to work in the allow_hosts.rules file, only the apf.conf file. However, I have not been able to find any documentation that confirms this.
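As an added example (not code from the thread, and not APF's own code), here is a small POSIX shell function that renders one allow_hosts.rules trust line, in the underscore-range form described in the first answer, as the iptables command it implies; iptables expects port ranges as low:high, and the hyphenated 30000-35000 in the question's error is exactly the form it rejects. It assumes plain INPUT/OUTPUT chains rather than APF's real chain layout, and a constructed source address 192.0.2.10.

```shell
#!/bin/sh
# Added example, not from the thread or from APF: render one
# allow_hosts.rules trust line as the iptables command it implies.
# APF spells port ranges low_high; iptables --dport/--sport wants low:high,
# and the error in the question shows a low-high form being rejected.
# Assumptions: plain INPUT/OUTPUT chains (APF's own chains are not
# reproduced) and a constructed address such as 192.0.2.10.
# The command is printed, not executed.

apf_rule_to_iptables() {
    rule=$1
    proto=$(printf '%s' "$rule" | cut -d: -f1)
    flow=$(printf '%s' "$rule" | cut -d: -f2)
    port_spec=$(printf '%s' "$rule" | cut -d: -f3)   # e.g. d=30000_35000
    addr_spec=$(printf '%s' "$rule" | cut -d: -f4)   # e.g. s=192.0.2.10

    case "$proto" in tcp|udp) ;; *) echo "bad protocol: $proto" >&2; return 1 ;; esac
    case "$flow" in
        in)  chain=INPUT ;;
        out) chain=OUTPUT ;;
        *)   echo "bad flow: $flow" >&2; return 1 ;;
    esac
    case "${port_spec%%=*}" in
        d) port_flag=--dport ;;
        s) port_flag=--sport ;;
        *) echo "bad port side: $port_spec" >&2; return 1 ;;
    esac
    case "${addr_spec%%=*}" in
        d) addr_flag=-d ;;
        s) addr_flag=-s ;;
        *) echo "bad address side: $addr_spec" >&2; return 1 ;;
    esac

    # 30000_35000 -> 30000:35000; a single port passes through unchanged
    ports=$(printf '%s' "${port_spec#*=}" | tr '_' ':')
    case "$ports" in *:*:*) echo "bad range: $ports" >&2; return 1 ;; esac
    low=${ports%%:*}; high=${ports##*:}
    for p in "$low" "$high"; do
        case "$p" in ''|*[!0-9]*) echo "bad port: $p" >&2; return 1 ;; esac
        if [ "$p" -lt 1 ] || [ "$p" -gt 65535 ]; then
            echo "port out of range: $p" >&2; return 1
        fi
    done
    if [ "$low" -gt "$high" ]; then echo "inverted range: $ports" >&2; return 1; fi

    printf 'iptables -A %s -p %s %s %s %s %s -j ACCEPT\n' \
        "$chain" "$proto" "$addr_flag" "${addr_spec#*=}" "$port_flag" "$ports"
}

# Demo with the question's rule shape and a constructed source address
apf_rule_to_iptables 'tcp:in:d=30000_35000:s=192.0.2.10'
```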