XaF / qolsysgw

Qolsys IQ Panel 2+ gateway to a Home Assistant Alarm Control Panel
MIT License

Qolsys Firewall/iptables prevents connections #33

Open Pablo1 opened 1 year ago

Pablo1 commented 1 year ago

I'll add details when I can reproduce this reliably. After restarting Home Assistant the Qolsys panel blocks requests until the panel is rebooted. This doesn't happen every time, and this is what gets logged:

appdaemon.log.1:ConnectionRefusedError: [Errno 111] Connect call failed ('192.168.40.35', 12345)

There was a discussion about this over in the home assistant community forums: https://community.home-assistant.io/t/qolsys-iq-panel-2-and-3rd-party-integration/231405/36. Seems like it's related to rate limiting.

XaF commented 1 year ago

I realized I've had similar troubles while developing, but never while using it in production. Did you have to restart AppDaemon multiple times? It shouldn't be related to Home Assistant itself, except if your AppDaemon is handled by Home Assistant!

Copying the message you linked here just in case: (from mzac)

This is the iptables settings on the Qolsys panel. Some good clues here! You will also notice they have set rate limiting.

I found it in the firmware under: /system/etc/init.qolsys.iptables.sh

IPTABLES="/system/bin/iptables -w"
IP6TABLES="/system/bin/ip6tables -w"

#definitions
LINKLOCAL_INF="lo"
DEF_WAN_INF="wlan0"
DEF_LAN_INF="p2p0"
DEF_ETH_INF="eth0"

# Protocol to Port Definition
HTTP="80"
HTTP_ALT="8080"
HTTP_SERV="8448"
HTTPS="443"
HTTPS_CUSTOM="8443"
DNS="53" #TCP and UDP
PHIGH="2000:65535"
NTP="123" #TCP and udp
SSDP="1900" #TCP and UDP
RIP="520" #UDP
DHCP="67:68" #TCP and UDP
ISAKMP1="500" #TCP and UDP
ISAKMP2="2500" #TCP and UDP
ESP_IP_PROTO="50" # ip protocol number for ESP
AH_IP_PROTO="51" # ip protocol number for AH
IDENT="123" #TCP only
L2TP="1701" # TCP and UDP
PPTP="1723" # TCP and UDP
OPENVPN="1194" # TCP and UDP
GRE_IP_PROTO="47" # ip protocol number for GRE
SYSLOG="514" #UDP
MQTT1="1883" #TCP and UDP
MQTT2="8883" #TCP
MQTT3="8884" #TCP
MQTT4="8081" #TCP
DTLS="4433"  #UDP
STUN_ON_DTLS="5349"  #UDP
RDP="" #Remote Desktop Protocol
ADB="5554:5557" #Android Debugging
FTP="20:21" #TCP #FTP for upgrade
SNMP="161:162" #TCP and UDP
SNMP_S="10161:10162" #TCP
SIP="5060:5070" #TCP and UDP. SIP and RTP
RTSP="554" #TCP and UDP
DTLS_1="59595"
LSOCK="21239"
SRF="9910,9920,9930,9940,9950,9990"
ZWAVE="1900"

#table shortcuts
RAW_TABLE="-t raw"
MANGLE_TABLE="-t mangle"
NAT_TABLE="-t nat"

#the below are commented out since they delete android rules
#======================================================
# Cleanup and Initialization of Tables and Chains
#$IPTABLES -F
#$IPTABLES -t mangle -F
#$IPTABLES -t nat -F
#$IPTABLES -t raw -F

#Deleting user defined chains
#$IPTABLES -X
#$IPTABLES -t mangle -X
#$IPTABLES -t nat -X
#$IPTABLES -t raw -X
#========================================================

# Policy Setup for system chains

$IPTABLES -P FORWARD ACCEPT 
$IPTABLES -P OUTPUT ACCEPT

#ADC Rules in the beginning
$IPTABLES -N ADC_CELL_OUT #this is expected to fail on second creation since not allowed to cleanup in non-boot time
$IPTABLES -I OUTPUT 1 -o rmnet+ -j ADC_CELL_OUT #putting this in top of output chain as requested 
$IP6TABLES -N ADC_CELL_OUT #this is expected to fail on second creation since not allowed to cleanup in non-boot time
$IP6TABLES -I OUTPUT 1 -o rmnet+ -j ADC_CELL_OUT #putting this in top of output chain

$IPTABLES -t mangle -P PREROUTING ACCEPT
$IPTABLES -t mangle -P INPUT ACCEPT
$IPTABLES -t mangle -P FORWARD ACCEPT
$IPTABLES -t mangle -P OUTPUT ACCEPT
$IPTABLES -t mangle -P POSTROUTING ACCEPT

$IPTABLES -t nat -P PREROUTING ACCEPT
$IPTABLES -t nat -P POSTROUTING ACCEPT
$IPTABLES -t nat -P OUTPUT ACCEPT
$IPTABLES -t nat -P INPUT ACCEPT

#Creating User-Defined Chains

$IPTABLES -N IANA_IPs
$IPTABLES -N SYN_FLOOD
$IPTABLES -N HTTP_S_IN
$IPTABLES -N HTTP_S_OUT
$IPTABLES -N ICMP_ALLOWED
$IPTABLES -N ICMP_FLOOD_DROP
$IPTABLES -N ICMP_ECHO_DROP
$IPTABLES -N UNPREV_PORTS
$IPTABLES -N UDP_FLOOD
$IPTABLES -N TCP_ATTACKS_FILTER
$IPTABLES -N TCP_ALLOWED_IN
$IPTABLES -N UDP_ALLOWED_IN
$IPTABLES -N TCP_HANDLE_IN_FILTER
$IPTABLES -N UDP_HANDLE_IN_FILTER
$IPTABLES -N ICMP_HANDLE_IN_FILTER
$IPTABLES -N MOBILE_DATA_OUT
$IPTABLES -N LAN_ZONE_INPUT
$IPTABLES -N WAN_ZONE_FORWARD
$IPTABLES -N INPUT_CONTROL
$IPTABLES -N IF_SPEC_DROP
$IPTABLES -N RMNET_OUT_FILTER

$IPTABLES -t raw -N TCP_ATTACKS_RAW
$IPTABLES -t raw -N CHARGEN_ATTACK

#Populating user Defined chains with static rules

$IPTABLES -A IANA_IPs -s 0.0.0.0 -i wlan0 -p udp --dport 67:68 -m limit --limit 25/s --limit-burst 50 -j ACCEPT #p2p0 are accepted anyway. 
$IPTABLES -A IANA_IPs -s 0.0.0.0/7 -j DROP
$IPTABLES -A IANA_IPs -s 100.64.0.0/10 -j DROP
$IPTABLES -A IANA_IPs -s 127.0.0.0/8 -j DROP
$IPTABLES -A IANA_IPs -s 169.254.0.0/16 -j DROP
$IPTABLES -A IANA_IPs -s 192.0.0.0/29 -j DROP 
$IPTABLES -A IANA_IPs -s 192.0.2.0/24 -j DROP 
$IPTABLES -A IANA_IPs -s 192.88.99.0/24 -j DROP 
$IPTABLES -A IANA_IPs -s 198.18.0.0/15 -j DROP
$IPTABLES -A IANA_IPs -s 198.51.100.0/24 -j DROP 
$IPTABLES -A IANA_IPs -s 203.0.113.0/24 -j DROP 
$IPTABLES -A IANA_IPs -s 224.0.0.0/4 -j DROP 
$IPTABLES -A IANA_IPs -s 240.0.0.0/4 -j DROP 
$IPTABLES -A IANA_IPs -s 255.255.255.255/32 -j DROP

$IPTABLES -A SYN_FLOOD -m limit --limit 4/s --limit-burst 6 -j RETURN
$IPTABLES -A SYN_FLOOD -j DROP

$IPTABLES $RAW_TABLE -A TCP_ATTACKS_RAW -p tcp --tcp-flags ALL NONE -j DROP # No Flags set
$IPTABLES $RAW_TABLE -A TCP_ATTACKS_RAW -p tcp --tcp-flags ALL ALL -j DROP # ALL flags set
$IPTABLES $RAW_TABLE -A TCP_ATTACKS_RAW -p tcp --tcp-flags FIN,SYN FIN,SYN -j DROP # both SYN and FIN set
$IPTABLES $RAW_TABLE -A TCP_ATTACKS_RAW -p tcp --tcp-flags SYN,RST SYN,RST -j DROP # both SYN and RST set
$IPTABLES $RAW_TABLE -A TCP_ATTACKS_RAW -p tcp --tcp-flags FIN,RST FIN,RST -j DROP # both RST and FIN set
$IPTABLES $RAW_TABLE -A TCP_ATTACKS_RAW -p tcp --tcp-flags FIN,ACK FIN -j DROP # FIN is set without ACK
$IPTABLES $RAW_TABLE -A TCP_ATTACKS_RAW -p tcp --tcp-flags ACK,URG URG -j DROP # URG is set without ACK
$IPTABLES $RAW_TABLE -A TCP_ATTACKS_RAW -p tcp --tcp-flags ACK,PSH PSH -j DROP # PSH is set without ACK
$IPTABLES $RAW_TABLE -A TCP_ATTACKS_RAW -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP # X-Mas attack
$IPTABLES $RAW_TABLE -A TCP_ATTACKS_RAW -p tcp --tcp-flags ALL SYN,FIN,URG,PSH -j DROP # Nmap OS fingerprinting
$IPTABLES $RAW_TABLE -A TCP_ATTACKS_RAW -p tcp --tcp-flags RST RST -m limit --limit 10/s --limit-burst 20 -j RETURN # Smurf RST flood
$IPTABLES $RAW_TABLE -A TCP_ATTACKS_RAW -p tcp --tcp-flags RST RST -j DROP # Smurf RST flood                                       
$IPTABLES $RAW_TABLE -A TCP_ATTACKS_RAW -p tcp --tcp-flags URG URG -m limit --limit 10/s --limit-burst 20 -j RETURN # Smurf RST flood
$IPTABLES $RAW_TABLE -A TCP_ATTACKS_RAW -p tcp --tcp-flags URG URG -j DROP # Smurf RST flood

$IPTABLES $RAW_TABLE -A CHARGEN_ATTACK -p udp --sport 19 -j DROP # CHARGEN ATTACK

$IPTABLES -A TCP_ATTACKS_FILTER -p tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j DROP # Bad SYN Request
$IPTABLES -A TCP_ATTACKS_FILTER -p tcp ! --syn -m state --state NEW -j DROP # New Connection without SYN
$IPTABLES -A TCP_ATTACKS_FILTER -p tcp -f -m state --state NEW -j DROP # fragment attack

$IPTABLES -A HTTP_S_IN -p tcp --dport $HTTPS -m limit --limit 500/s --limit-burst 750 -j ACCEPT # HTTPS Flood
$IPTABLES -A HTTP_S_IN -p tcp --dport $HTTP -m limit --limit 50/s --limit-burst 100 -j ACCEPT # HTTP Flood
$IPTABLES -A HTTP_S_IN -p tcp --dport $HTTP_ALT -m limit --limit 50/s --limit-burst 100 -j ACCEPT # HTTP Flood
$IPTABLES -A HTTP_S_IN -p tcp --syn --dport $HTTP_SERV -m connlimit --connlimit-above 15 -j DROP # Slowloris
$IPTABLES -A HTTP_S_IN -p tcp --dport $HTTP_SERV -m limit --limit 50/s --limit-burst 100 -j ACCEPT # HTTP Flood
$IPTABLES -A HTTP_S_IN -p tcp --syn --dport $MQTT2 -m connlimit --connlimit-above 15 -j DROP # Slowloris

$IPTABLES -A HTTP_S_OUT -p tcp --dport $HTTPS -j ACCEPT
$IPTABLES -A HTTP_S_OUT -p tcp --dport $HTTP -j ACCEPT
$IPTABLES -A HTTP_S_OUT -p tcp --dport $HTTP_ALT -j ACCEPT

$IPTABLES -A ICMP_ALLOWED -p icmp -m icmp --icmp-type 0 -j ACCEPT
$IPTABLES -A ICMP_ALLOWED -p icmp -m icmp --icmp-type 3 -j ACCEPT
$IPTABLES -A ICMP_ALLOWED -p icmp -m icmp --icmp-type 11 -j ACCEPT
$IPTABLES -A ICMP_ALLOWED -p icmp -m icmp --icmp-type 4 -j ACCEPT
$IPTABLES -A ICMP_ALLOWED -p icmp -m icmp --icmp-type 12 -j ACCEPT

$IPTABLES -A ICMP_FLOOD_DROP -p icmp -f -j DROP #icmp fragment attack
$IPTABLES -A ICMP_FLOOD_DROP -p icmp -m icmp --icmp-type 13 -j DROP #smurf attack protection
$IPTABLES -A ICMP_FLOOD_DROP -p icmp -m icmp --icmp-type 17 -j DROP #smurf attack protection
$IPTABLES -A ICMP_FLOOD_DROP -p icmp -m limit --limit 5/s --limit-burst 10 -j RETURN
$IPTABLES -A ICMP_FLOOD_DROP -p icmp -m limit --limit 5/s --limit-burst 10 -j LOG --log-prefix 'ICMP-FLOOD-DROP:'
#$IPTABLES -A ICMP_FLOOD_DROP -p icmp -j DROP

$IPTABLES -A ICMP_ECHO_DROP -p icmp --icmp-type 8 -j DROP #ping drop initially disabled

$IPTABLES -A UDP_FLOOD -p udp -f -j DROP # UDP fragment attack
$IPTABLES -A UDP_FLOOD -p udp -m pkttype --pkt-type broadcast -j DROP # Fraggle attack #drops lot of packets
$IPTABLES -A UDP_FLOOD -p udp -m limit --limit 50/s --limit-burst 100 -j RETURN # limiting to 50 pps
#$IPTABLES -A UDP_FLOOD -p udp -m state --state NEW -m recent --update --seconds 1 --hitcount 10 -j RETURN #DDOS prep #unsupported
$IPTABLES -A UDP_FLOOD -m limit --limit 10/s --limit-burst 15 -j LOG --log-level 4 --log-prefix 'UDP-flood attempt: '
$IPTABLES -A UDP_FLOOD -j DROP

$IPTABLES -A TCP_ALLOWED_IN -p tcp -m tcp --dport $ADB -m limit --limit 200/s --limit-burst 250 -j ACCEPT
$IPTABLES -A TCP_ALLOWED_IN -p tcp -m tcp --dport $FTP -m limit --limit 200/s --limit-burst 250 -j ACCEPT
$IPTABLES -A TCP_ALLOWED_IN -p tcp -m tcp --dport $DNS -m limit --limit 25/s --limit-burst 50 -j ACCEPT
$IPTABLES -A TCP_ALLOWED_IN -p tcp -m tcp --dport $NTP -m limit --limit 25/s --limit-burst 50 -j ACCEPT
$IPTABLES -A TCP_ALLOWED_IN -p tcp -m tcp --dport $SSDP -m limit --limit 25/s --limit-burst 50 -j ACCEPT
$IPTABLES -A TCP_ALLOWED_IN -p tcp -m tcp --dport $SIP -m limit --limit 25/s --limit-burst 50 -j ACCEPT
$IPTABLES -A TCP_ALLOWED_IN -p tcp -m tcp --dport $RTSP -m limit --limit 25/s --limit-burst 50 -j ACCEPT
$IPTABLES -A TCP_ALLOWED_IN -p tcp -m tcp --dport $MQTT1 -m limit --limit 50/s --limit-burst 100 -j ACCEPT
$IPTABLES -A TCP_ALLOWED_IN -p tcp -m tcp --dport $MQTT2 -m limit --limit 50/s --limit-burst 100 -j ACCEPT
$IPTABLES -A TCP_ALLOWED_IN -p tcp -m tcp --dport $MQTT3 -m limit --limit 50/s --limit-burst 100 -j ACCEPT
$IPTABLES -A TCP_ALLOWED_IN -p tcp -m tcp --dport $MQTT4 -m limit --limit 50/s --limit-burst 100 -j ACCEPT

$IPTABLES -A UDP_ALLOWED_IN -i lo -p udp -m multiport --ports $SRF -j ACCEPT
$IPTABLES -A UDP_ALLOWED_IN -i lo -p udp -m multiport --ports $ZWAVE -j ACCEPT
$IPTABLES -A UDP_ALLOWED_IN -i lo -p udp -m multiport --ports $LSOCK -j ACCEPT
$IPTABLES -A UDP_ALLOWED_IN -p udp -m udp --dport $DHCP -m limit --limit 25/s --limit-burst 50 -j ACCEPT
$IPTABLES -A UDP_ALLOWED_IN -p udp -m udp --dport $DNS -m limit --limit 25/s --limit-burst 50 -j ACCEPT
$IPTABLES -A UDP_ALLOWED_IN -p udp -m udp --dport $NTP -m limit --limit 25/s --limit-burst 50 -j ACCEPT
$IPTABLES -A UDP_ALLOWED_IN -p udp -m udp --dport $SSDP -m limit --limit 25/s --limit-burst 50 -j ACCEPT
$IPTABLES -A UDP_ALLOWED_IN -p udp -m udp --dport $SIP -m limit --limit 25/s --limit-burst 50 -j ACCEPT
$IPTABLES -A UDP_ALLOWED_IN -p udp -m udp --dport $RTSP -m limit --limit 25/s --limit-burst 50 -j ACCEPT
$IPTABLES -A UDP_ALLOWED_IN -p udp -m udp --dport $MQTT1 -m limit --limit 50/s --limit-burst 100 -j ACCEPT
$IPTABLES -A UDP_ALLOWED_IN -p udp -m udp --dport $DTLS -m limit --limit 50/s --limit-burst 100 -j ACCEPT
$IPTABLES -A UDP_ALLOWED_IN -p udp -m udp --dport $STUN_ON_DTLS -m limit --limit 50/s --limit-burst 100 -j ACCEPT
$IPTABLES -A UDP_ALLOWED_IN -p udp -m udp --dport $RIP -m limit --limit 25/s --limit-burst 50 -j ACCEPT
$IPTABLES -A UDP_ALLOWED_IN -p udp -m udp --dport $DTLS_1 -m limit --limit 50/s --limit-burst 100 -j ACCEPT

$IPTABLES -A UNPREV_PORTS -p tcp -m tcp --dport $PHIGH -m limit --limit 200/s --limit-burst 250 -j ACCEPT
$IPTABLES -A UNPREV_PORTS -p udp -m udp --dport $PHIGH -m limit --limit 200/s --limit-burst 250 -j ACCEPT

$IPTABLES -A TCP_HANDLE_IN_FILTER -j TCP_ATTACKS_FILTER
$IPTABLES -A TCP_HANDLE_IN_FILTER -j HTTP_S_IN
$IPTABLES -A TCP_HANDLE_IN_FILTER -j TCP_ALLOWED_IN

#$IPTABLES -A UDP_HANDLE_IN_FILTER -j UDP_FLOOD
$IPTABLES -A UDP_HANDLE_IN_FILTER -j UDP_ALLOWED_IN

$IPTABLES -A ICMP_HANDLE_IN_FILTER -j ICMP_ALLOWED

# Not allowing qolsys traffic to be initiated from mobile data interfaces
$IPTABLES -A MOBILE_DATA_OUT -d 54.211.24.81 -j REJECT #iqms2 and iqcloud 
$IPTABLES -A MOBILE_DATA_OUT -d 52.2.96.56 -j REJECT   #myserver
$IPTABLES -A MOBILE_DATA_OUT -d 52.3.208.83 -j REJECT   #haproxy for logsupload
$IPTABLES -A MOBILE_DATA_OUT -d 224.0.0.0/4 -j DROP #Block multicast on lte radio
#$IPTABLES -A MOBILE_DATA_OUT -d 8.8.8.8 -j REJECT
#$IPTABLES -A MOBILE_DATA_OUT -d 8.8.4.4 -j REJECT

$IPTABLES -A RMNET_OUT_FILTER -d 224.0.0.0/4 -j DROP # drop multicast regardless of ports
$IPTABLES -A RMNET_OUT_FILTER -d 8.8.8.8 -j REJECT # No google dns on rmnet
$IPTABLES -A RMNET_OUT_FILTER -d 8.8.4.4 -j REJECT # No google dns on rmnet
$IPTABLES -A RMNET_OUT_FILTER -o rmnet7 -j ACCEPT
$IPTABLES -A RMNET_OUT_FILTER -o rmnet1 -j ACCEPT

#Adding default rules to ZONE chains

$IPTABLES -I WAN_ZONE_FORWARD -i $DEF_WAN_INF -p tcp --syn -j SYN_FLOOD
$IPTABLES -I WAN_ZONE_FORWARD -i $DEF_ETH_INF -p tcp --syn -j SYN_FLOOD
$IPTABLES -A LAN_ZONE_INPUT -i $DEF_LAN_INF -j ACCEPT

$IPTABLES -A INPUT_CONTROL -i $LINKLOCAL_INF -j ACCEPT
$IPTABLES -A INPUT_CONTROL -j LAN_ZONE_INPUT
$IPTABLES -A INPUT_CONTROL -p tcp --syn -j SYN_FLOOD
$IPTABLES -A INPUT_CONTROL -p icmp -j ICMP_FLOOD_DROP
$IPTABLES -A INPUT_CONTROL -p icmp -j ICMP_ECHO_DROP
$IPTABLES -A INPUT_CONTROL -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT_CONTROL -j IANA_IPs
$IPTABLES -A INPUT_CONTROL -p tcp -j TCP_HANDLE_IN_FILTER
$IPTABLES -A INPUT_CONTROL -p icmp -j ICMP_HANDLE_IN_FILTER
$IPTABLES -A INPUT_CONTROL -p udp -j UDP_HANDLE_IN_FILTER
$IPTABLES -A INPUT_CONTROL -j UNPREV_PORTS #Unprevilaged ports 2000 to 65535

$IPTABLES -A IF_SPEC_DROP -i $DEF_WAN_INF -m limit --limit 50/s --limit-burst 100 -j RETURN #not exceeding 50 limit since legit inputs form established connections
$IPTABLES -A IF_SPEC_DROP -i $DEF_WAN_INF -j DROP
$IPTABLES -A IF_SPEC_DROP -i $DEF_ETH_INF -m limit --limit 50/s --limit-burst 100 -j RETURN
$IPTABLES -A IF_SPEC_DROP -i $DEF_ETH_INF -j DROP

# Populating System chains

#FILTER Table:

#INPUT Chain:
#------------

$IPTABLES -I INPUT -j INPUT_CONTROL
$IPTABLES -A INPUT -i $LINKLOCAL_INF -j ACCEPT #just in case.
$IPTABLES -A INPUT ! -i lo -j IF_SPEC_DROP  #lo packets reaching here will be anyway accepted by default policy
#$IPTABLES -P INPUT DROP  #modifying policy only after chain addition

#Forward Chain:
#--------------
$IPTABLES -I FORWARD -j WAN_ZONE_FORWARD
#$IPTABLES -I FORWARD -i wlan0 -p tcp --syn -j SYN_FLOOD
#android chains here. masquarading happens in them.
$IPTABLES -A FORWARD -i $LINKLOCAL_INF -j ACCEPT
#UDP Flood may be handled here
#inter vlan routing policy may be handled here. Its prioritization must be done in Mangle table

#Output Chain
#-------------
#$IPTABLES -A OUTPUT -j HTTP_S_OUT
$IPTABLES -I  OUTPUT 2 -o rmnet+ -j MOBILE_DATA_OUT #matching all rmnet interfaces
$IPTABLES -I  OUTPUT 3 -o $LINKLOCAL_INF -j ACCEPT         #putting this above everything in OUTPUT chain
#$IPTABLES -I OUTPUT -o rmnet+ -j RMNET_OUT_FILTER

#RAW Table :
#==================

#Prerouting Chain:
#-----------------
$IPTABLES $RAW_TABLE -I PREROUTING -p udp -j CHARGEN_ATTACK
$IPTABLES $RAW_TABLE -I PREROUTING -p tcp -j TCP_ATTACKS_RAW #this one is to be on top in the chain

$IP6TABLES -N MOBILE_DATA_OUT_V6
$IP6TABLES -I OUTPUT -o rmnet+ -j MOBILE_DATA_OUT_V6 #matching all rmnet interfaces
#$IP6TABLES -I MOBILE_DATA_OUT_V6 ! -o rmnet7 -d ff00::0/8 -j DROP #Block ipv6 multicast on lte radio
$IP6TABLES -A MOBILE_DATA_OUT_V6 -o rmnet+ -d ff00::0/8 -p udp --sport 5353 -j DROP # Block mdns on rmnet7 since not needed for verizon DM

$IP6TABLES -N RMNET_OUT_FILTER_V6
$IP6TABLES -A RMNET_OUT_FILTER_V6 -o rmnet+ -d ff00::0/8 -p udp --sport 5353 -j DROP
$IP6TABLES -A RMNET_OUT_FILTER_V6 -o rmnet7 -j ACCEPT
$IP6TABLES -A RMNET_OUT_FILTER_V6 -o rmnet1 -j ACCEPT
#$IP6TABLES -I OUTPUT -o rmnet+ -j RMNET_OUT_FILTER_V6 #matching all rmnet interfaces

XaF commented 1 year ago

Looking over the rules really fast, I do not see any rate limit for port 12345 though? The DEF_WAN_INF rules I see seem to be for already established connections, so which one is affecting the connection? And 50/s seems to be way higher than whatever qolsysgw would try.
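As an added example (not part of the issue thread or of the qolsysgw project), the following Python model walks a fresh TCP SYN arriving on wlan0 for tcp/12345 through the `-m limit` buckets that the quoted init.qolsys.iptables.sh applies to it, in the order the script chains them: SYN_FLOOD in INPUT_CONTROL (`--limit 4/s --limit-burst 6`, one bucket shared by every source, then DROP), UNPREV_PORTS for dport 2000:65535 (`200/s`, burst 250, ACCEPT), and IF_SPEC_DROP in INPUT for wlan0/eth0 (`50/s`, burst 100, then DROP). The continuous-refill token bucket is an approximation of xt_limit, the INPUT policy is assumed to be ACCEPT because `-P INPUT DROP` is commented out in the script, and the SYN arrival times are constructed for the demonstration.

```python
"""Token-bucket model of the -m limit rules a new SYN on wlan0 to tcp/12345 meets
in the quoted init.qolsys.iptables.sh.  Added example; the chain order is read
off the script, the xt_limit timing is approximated as a continuously refilled bucket."""
from dataclasses import dataclass, field


@dataclass
class Limit:
    """Approximation of ``-m limit --limit R/s --limit-burst B``: a bucket holding at
    most B tokens, refilled at R tokens per second; each matching packet costs one."""
    rate: float
    burst: int
    tokens: float = field(init=False)
    last: float = field(init=False, default=0.0)

    def __post_init__(self) -> None:
        self.tokens = float(self.burst)          # xt_limit starts with a full burst

    def match(self, now: float) -> bool:
        self.tokens = min(float(self.burst), self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class InputChainModel:
    """The rules a NEW, well-formed SYN traverses, with the values from the script."""

    def __init__(self) -> None:
        self.syn_flood = Limit(rate=4, burst=6)       # SYN_FLOOD: RETURN within limit, else DROP
        self.unprev = Limit(rate=200, burst=250)      # UNPREV_PORTS: ACCEPT within limit
        self.if_spec = Limit(rate=50, burst=100)      # IF_SPEC_DROP: RETURN within limit, else DROP

    def verdict(self, now: float, dport: int = 12345, iface: str = "wlan0") -> str:
        # INPUT_CONTROL: '-i lo' and LAN_ZONE_INPUT ('-i p2p0') are accepted outright.
        if iface in ("lo", "p2p0"):
            return "ACCEPT"
        # '-p tcp --syn -j SYN_FLOOD' applies to every port; the bucket is global, not per source.
        if not self.syn_flood.match(now):
            return "DROP:SYN_FLOOD"
        # IANA_IPs, TCP_ATTACKS_FILTER, HTTP_S_IN and TCP_ALLOWED_IN have no terminal
        # rule for a clean SYN from a private LAN address to 12345, so the walk continues.
        if 2000 <= dport <= 65535 and self.unprev.match(now):
            return "ACCEPT:UNPREV_PORTS"
        # Back in INPUT: '! -i lo -j IF_SPEC_DROP' rate-limits wlan0 and eth0.
        if iface in ("wlan0", "eth0") and not self.if_spec.match(now):
            return "DROP:IF_SPEC_DROP"
        return "ACCEPT:policy"   # '-P INPUT DROP' is commented out in the script; assumed ACCEPT


def simulate(syn_times):
    """Run ascending SYN arrival times (seconds) through a fresh model; return the verdicts."""
    model = InputChainModel()
    return [model.verdict(t) for t in syn_times]


def count_dropped(verdicts) -> int:
    return sum(v.startswith("DROP") for v in verdicts)


if __name__ == "__main__":
    # Constructed input: ten reconnects back-to-back at t=0, then one more at t=0.25 s.
    fast = [0.0] * 10 + [0.25]
    print("10 SYNs at t=0, then one at t=0.25:", simulate(fast))
    # Constructed input: the same eleven attempts spaced 0.3 s apart stay under 4/s.
    paced = [i * 0.3 for i in range(11)]
    print("11 SYNs 0.3 s apart, dropped:", count_dropped(simulate(paced)))
```

Because SYN_FLOOD ends in DROP rather than REJECT, a client that overruns the bucket sees its connect() hang until it times out, not ECONNREFUSED; the sixth back-to-back SYN is the last one that gets through, and one more token is credited every 250 ms. A reconnect loop that waits at least that long between attempts never trips this rule in the model.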

Pablo1 commented 1 year ago

Actually I don't need to restart AppDaemon. I have to restart the Qolsys Panel itself. I suspect the solution is to try to respect whatever rate limits are imposed but I also can't find the rule that's relevant.

XaF commented 1 year ago

You misunderstood me. Home Assistant is not connected with the panel itself. Home Assistant is connected to Appdaemon, and Appdaemon runs qolsysgw, which connects to the qolsys panel.

So any rate limit reached would be caused by appdaemon restarting, not home assistant!

Pablo1 commented 1 year ago

Yes. You are correct :-)

XaF commented 1 year ago

I have been playing around with the panel again recently, but haven't hit any rate limit leading to being banned and having to restart the panel. Any chance you'd have found more details about this?

Pablo1 commented 1 year ago

Unfortunately I don't have more details. It seems to happen as a result of Home Assistant restarts (which would restart AppDaemon). AppDaemon restarts on their own don't seem to trigger the issue. I suspect some folks on the HA Community Forums may have more info. I wonder if it could be related to the number of zones/devices/sensors since I have about 70 in all. I'll keep an eye on things and report back if I notice a pattern. I have an automation to alert me when a test sensor becomes unavailable, but it only happens at either HA restart or hardware reboot.