firewall:general

Configure the firewall general settings.

juggernaut --task=firewall:general
| Option | Value | Default | Description |
|---|---|---|---|
| `--ETH_DEVICE` | `<string1,string2>` | | Only apply iptables rules to a specific network interface (comma separated, e.g. eth1, or eth+). |
| `--ETH_DEVICE_add` | `<string>` | | Add a single entry to ETH_DEVICE. |
| `--ETH_DEVICE_del` | `<string>` | | Remove a single entry from ETH_DEVICE. |
| `--ETH6_DEVICE` | `<string1,string2>` | | Only apply ip6tables rules to a specific network interface (comma separated, e.g. eth1, or eth+). |
| `--ETH6_DEVICE_add` | `<string>` | | Add a single entry to ETH6_DEVICE. |
| `--ETH6_DEVICE_del` | `<string>` | | Remove a single entry from ETH6_DEVICE. |
| `--ETH_DEVICE_SKIP` | `<string1,string2>` | | Do not apply iptables rules to these specific network interfaces (comma separated, e.g. eth1,eth2). |
| `--ETH_DEVICE_SKIP_add` | `<string>` | | Add a single entry to ETH_DEVICE_SKIP. |
| `--ETH_DEVICE_SKIP_del` | `<string>` | | Remove a single entry from ETH_DEVICE_SKIP. |
| `--USE_CONNTRACK` | `<1\|0>` | 1 | Enable the use of the iptables "conntrack" module instead of the deprecated "state" module. Only supported on kernels >= 3.7. |
| `--USE_FTPHELPER` | `<1\|0>` | 0 | Enable the ftp helper via the iptables CT target on supporting kernels (v2.6.34+) instead of the current method via /proc/sys/net/netfilter/nf_conntrack_helper. This will also remove the RELATED target from the global state iptables rule. This is not needed (and will be ignored) if LF_SPI/IPV6_SPI is disabled or the raw tables do not exist. The USE_CONNTRACK option should be enabled. |
| `--SYSLOG_CHECK` | `<0\|60-3600>` | 0 | Check whether syslog is running, at the given interval in seconds. Set to 0 to disable. |
| `--IGNORE_ALLOW` | `<1\|0>` | 0 | Do not block IP addresses listed in csf.allow in addition to csf.ignore. This option is not recommended, as it could tell the login failure daemon to ignore attacks from infected PCs' IP addresses. |
| `--DNS_STRICT` | `<1\|0>` | 0 | Apply strict iptables rules to DNS traffic. This option could cause DNS resolution issues but could help prevent abuse of the local DNS server. |
| `--DNS_STRICT_NS` | `<1\|0>` | 0 | Apply strict iptables rules to DNS traffic between the server and the nameservers listed in /etc/resolv.conf. This option could cause DNS resolution issues but could help prevent abuse of the local DNS server. |
| `--DENY_IP_LIMIT` | `<digit>` | 3000 | Limit the number of IPs that are permanently banned. A large number of IP addresses creates a large number of iptables rules, which can cause problems on some VPSs or where resources are limited. When the limit is reached, the entries are rotated so that the oldest entry is removed and the latest is added. Set to 0 to disable limiting. |
| `--DENY_TEMP_IP_LIMIT` | `<digit>` | 1000 | Limit the number of IPs that are temporarily banned. A large number of IP addresses creates a large number of iptables rules, which can cause problems on some VPSs or where resources are limited. When the limit is reached, the entries are rotated so that the oldest entry is removed and the latest is added. Set to 0 to disable limiting. |
| `--LF_DAEMON` | `<1\|0>` | 1 | Enable the login failure detection daemon. Set to 0 to disable it; the daemon will then not start. |
| `--LF_CSF` | `<1\|0>` | 1 | Check whether the firewall is stopped and restart it, unless testing is enabled. The check is done every 300 seconds. |
| `--FASTSTART` | `<1\|0>` | 0 | On a clean server reboot the entire csf iptables configuration is saved and then restored where possible, to provide a near instant firewall startup. Also, on a firewall restart or when the login failure daemon reloads tables, CC_* as well as SPAMHAUS, DSHIELD, BOGON and TOR are loaded using this method in a fraction of the time they take when this setting is disabled. |
| `--WAITLOCK` | `<1\|0>` | 1 | Versions of iptables greater than or equal to v1.4.20 should support the --wait option. This forces iptables commands that use the option to wait until a lock held by any other process using iptables is released, rather than simply failing. Enabling this feature adds the --wait option to iptables commands. The disadvantage is that any iptables command that uses it will hang until the lock is released. |
| `--WAITLOCK_TIMEOUT` | `<digit>` | 300 | To try to avoid hung processes issuing iptables commands, csf uses a last-ditch timeout, WAITLOCK_TIMEOUT in seconds, that triggers a failure if reached. |
| `--LF_IPSET` | `<digit>` | 1 | Use ipset v6+ for the following options: CC_* and /etc/csf/csf.blocklist, /etc/csf/csf.allow, /etc/csf/csf.deny, GLOBAL_DENY, GLOBAL_ALLOW, DYNDNS, GLOBAL_DYNDNS, MESSENGER. ipset will only be used with the above options when listing IPv4 IPs and CIDRs. IPv6 IPs, Advanced Allow Filters and temporary blocks use traditional iptables. Using ipset moves IP matching against large lists away from iptables rules to a purpose-built and optimised database matching utility. To use this option you must have a fully functioning installation of ipset 6+, installed either via rpm or from source from http://ipset.netfilter.org/. ipset will NOT function on older versions of Virtuozzo/OpenVZ. |
| `--LF_IPSET_HASHSIZE` | `<digit>` | 1024 | The hashsize for ipset sets, which must be a power of 2. Note: increasing this value will consume more memory for all sets. |
| `--LF_IPSET_MAXELEM` | `<digit>` | 65536 | The maxelem for ipset sets. Note: increasing this value will consume more memory for all sets. |
| `--LFDSTART` | `<1\|0>` | 0 | Instead of the firewall rebuilding the iptables rules itself, the firewall tells the login failure daemon to rebuild them. This option is recommended for servers with a large number of iptables rules, e.g. when using country code block or allow lists. |
| `--VERBOSE` | `<1\|0>` | 0 | Enable verbose output of iptables commands. (Not recommended.) |
| `--PACKET_FILTER` | `<1\|0>` | 1 | Enable packet filtering for unwanted or illegal packets. This drops packets that iptables has deemed INVALID. To disable this option set it to 0. |
| `--LF_LOOKUPS` | `<1\|0>` | 1 | Perform reverse DNS lookups on IP addresses. |
| `--default` | `<yes>` | | Reset all settings to their default values. |
| `--default_option` | `<option>` | | Reset a specific setting to its default value. |
| `--restart` | `<yes>` | | Restart the service after saving settings. |
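
Several of the options above only work when the host meets a stated prerequisite: USE_CONNTRACK needs a kernel of 3.7 or newer, WAITLOCK needs iptables 1.4.20 or newer, LF_IPSET needs ipset 6 or newer, and LF_IPSET_HASHSIZE must be a power of 2. The following POSIX shell script is an added example, not part of juggernaut or csf, that checks those prerequisites on the local host and prints a matching juggernaut invocation. The function names, the `LF_IPSET_HASHSIZE` environment variable it reads, and the sample versions in the comments are my own assumptions; the version thresholds are the ones the option table states.

```shell
#!/bin/sh
# Added example (not juggernaut's or csf's own code): preflight checks for the
# firewall:general prerequisites listed in the option table.

# version_ge A B: succeed when dotted version A is >= B, compared numerically
# field by field. Trailing non-digits in a field (e.g. "0-1160" in a kernel
# release string) are dropped by awk's string-to-number conversion, and a
# missing field counts as 0, so "1.4" compares as "1.4.0".
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

# is_power_of_two N: succeed only for a positive decimal integer with exactly
# one bit set (the LF_IPSET_HASHSIZE requirement).
is_power_of_two() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -gt 0 ] && [ $(( $1 & ($1 - 1) )) -eq 0 ]
}

# recommend KERNEL IPTABLES_VER IPSET_VER HASHSIZE: print the values of the
# prerequisite-bound options this host can support, one NAME=VALUE per line.
# An empty IPSET_VER means ipset is not installed. A hashsize that is not a
# power of 2 falls back to the documented default of 1024.
recommend() {
    k="$1"; ipt="$2"; ips="$3"; hs="$4"
    if version_ge "$k" 3.7; then echo USE_CONNTRACK=1; else echo USE_CONNTRACK=0; fi
    if version_ge "$ipt" 1.4.20; then echo WAITLOCK=1; else echo WAITLOCK=0; fi
    if [ -n "$ips" ] && version_ge "$ips" 6; then echo LF_IPSET=1; else echo LF_IPSET=0; fi
    if is_power_of_two "$hs"; then echo "LF_IPSET_HASHSIZE=$hs"; else echo LF_IPSET_HASHSIZE=1024; fi
}

# Gather the live versions. Each variable is empty when the tool is absent,
# so the script also runs on a host without iptables or ipset.
# Expected formats: "iptables v1.8.7 (nf_tables)", "ipset v7.15, protocol version: 7".
kernel=$(uname -r 2>/dev/null || echo "")
ipt_ver=$( { iptables --version 2>/dev/null || true; } | sed -n 's/^iptables v\([0-9.]*\).*/\1/p')
ipset_ver=$( { ipset --version 2>/dev/null || true; } | sed -n 's/^ipset v\([0-9.]*\).*/\1/p')

# Turn the NAME=VALUE lines into juggernaut flags and print the suggested command.
flags=$(recommend "$kernel" "$ipt_ver" "$ipset_ver" "${LF_IPSET_HASHSIZE:-1024}" | sed 's/^/--/' | tr '\n' ' ')
echo "kernel=${kernel:-unknown} iptables=${ipt_ver:-absent} ipset=${ipset_ver:-absent}"
echo "juggernaut --task=firewall:general ${flags}--restart=yes"
```

Run it as `LF_IPSET_HASHSIZE=4096 sh preflight.sh` to check a non-default hashsize; the script only prints the suggested command and never changes any setting itself, so the operator can review it before applying it with `--restart=yes`.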

Examples

# add an entry to ETH_DEVICE
juggernaut --task=firewall:general --ETH_DEVICE_add='eth0' --restart=yes

# reset ETH_DEVICE back to default
juggernaut --task=firewall:general --default_option=ETH_DEVICE --restart=yes

# reset all settings back to default
juggernaut --task=firewall:general --default=yes --restart=yes