Configure incoming and outgoing port settings.
juggernaut --task=firewall:portOption |
Value | Default | Description |
|---|---|---|---|
--LF_SPI |
<1|0> | 1 | Some kernel/iptables setups do not perform stateful connection tracking correctly (typically some virtual servers or custom compiled kernels) , so a SPI firewall will not function correctly. If this happens, LF_SPI can be set to 0 to reconfigure csf as a static firewall. As connection tracking will not be configured, applications that rely on it will not function unless all outgoing ports are opened. Therefore, all outgoing connections will be allowed once all other tests have completed. So TCP_OUT, UDP_OUT and ICMP_OUT will not have any affect. |
--TCP_IN |
<string1,string2> | 20,21,22,25,53,80,110,143,443,465,587,853,993,995,8443,8447,8880,30000:35000 | Allow incoming TCP ports (comma separated). Port ranges can be specified using a colon. (e.g. 30000:35000). |
--TCP_IN_add |
<string> | Add a single entry to TCP_IN. | |
--TCP_IN_del |
<string> | Remove a single entry from TCP_IN. | |
--TCP_OUT |
<string1,string2> | 20,21,22,25,43,53,80,110,113,143,443,465,587,853,873,993,995,2703,5224,8443,8447,8880 | Allow outgoing TCP ports (comma separated). Port ranges can be specified using a colon. (e.g. 30000:35000). |
--TCP_OUT_add |
<string> | Add a single entry to TCP_OUT. | |
--TCP_OUT_del |
<string> | Remove a single entry from TCP_OUT. | |
--UDP_IN |
<string1,string2> | 20,21,53,80,443,8443,24441 | Allow incoming UDP ports (comma separated). Port ranges can be specified using a colon. (e.g. 30000:35000). |
--UDP_IN_add |
<string> | Add a single entry to UDP_IN. | |
--UDP_IN_del |
<string> | Remove a single entry from UDP_IN. | |
--UDP_OUT |
<string1,string2> | 20,21,53,113,123,443,873,6277,8443,24441,33434:33523 | Allow outgoing UDP ports (comma separated). Port ranges can be specified using a colon. (e.g. 30000:35000). To allow outgoing traceroute add 33434:33523 to this list. |
--UDP_OUT_add |
<string> | Add a single entry to UDP_OUT. | |
--UDP_OUT_del |
<string> | Remove a single entry from UDP_OUT. | |
--ICMP_IN |
<1|0> | 1 | Allow incoming PING. |
--ICMP_IN_RATE |
<string> | 1/s | Set the incoming ICMP packet rate per IP address. To disable this option set to 0. |
--ICMP_OUT |
<1|0> | 1 | Allow outgoing PING. |
--ICMP_OUT_RATE |
<string> | 0 | Set the outgoing ICMP packet rate per IP address. To disable this option set to 0 |
--ICMP_TIMESTAMPDROP |
<1|0> | 0 | For those with PCI Compliance tools that state that ICMP timestamps (type 13) should be dropped, you can enable the following option. Otherwise, there appears to be little evidence that it has anything to do with a security risk and can impact network performance, so should be left disabled by everyone else. |
--IPV6 |
<1|0> | 1 | Enable or disable IPV6 support. |
--IPV6_ICMP_STRICT |
<1|0> | 0 | IPv6 uses icmpv6 packets very heavily. By default, csf will allow all icmpv6 traffic in the INPUT and OUTPUT chains. However, this could increase the risk of icmpv6 attacks. To restrict incoming icmpv6, set to 1 but may break some connection types. |
--IPV6_SPI |
<1|0> | 1 | Enable or disable IPV6 stateful packet inspection. Do not enable on pre v2.6.20 kernels as they do not perform stateful connection tracking. |
--TCP6_IN |
<string1,string2> | 20,21,22,25,53,80,110,143,443,465,587,853,993,995,8443,8447,8880,30000:35000 | Allow incoming IPv6 TCP ports (comma separated). Port ranges can be specified using a colon. (e.g. 30000:35000). |
--TCP6_IN_add |
<string> | Add a single entry to TCP6_IN. | |
--TCP6_IN_del |
<string> | Remove a single entry from TCP6_IN. | |
--TCP6_OUT |
<string1,string2> | 20,21,22,25,43,53,80,110,113,143,443,465,587,853,873,993,995,2703,5224,8443,8447,8880 | Allow outgoing IPv6 TCP ports (comma separated). Port ranges can be specified using a colon. (e.g. 30000:35000). |
--TCP6_OUT_add |
<string> | Add a single entry to TCP6_OUT. | |
--TCP6_OUT_del |
<string> | Remove a single entry from TCP6_OUT. | |
--UDP6_IN |
<string1,string2> | 20,21,53,80,443,8443,24441 | Allow incoming IPv6 UDP ports (comma separated). Port ranges can be specified using a colon. (e.g. 30000:35000). |
--UDP6_IN_add |
<string> | Add a single entry to UDP6_IN. | |
--UDP6_IN_del |
<string> | Remove a single entry from UDP6_IN. | |
--UDP6_OUT |
<string1,string2> | 20,21,53,113,123,443,873,6277,8443,24441,33434:33523 | Allow outgoing IPv6 UDP ports. (comma separated). Port ranges can be specified using a colon. (e.g. 30000:35000). To allow outgoing traceroute add 33434:33523 to this list. |
--UDP6_OUT_add |
<string> | Add a single entry to UDP6_OUT. | |
--UDP6_OUT_del |
<string> | Remove a single entry from UDP6_OUT. | |
--default |
<yes> | Reset all settings to their default values. | |
--default_option |
<option> | Reset a specific setting to its default value. | |
--restart |
<yes> | Restart the service after saving settings. |
// add port 6698 to TCP_IN
juggernaut --task=firewall:port --TCP_IN_add=6698 --restart=yes
// reset TCP_IN back to default
juggernaut --task=firewall:port ---default_option=TCP_IN --restart=yes
// reset all settings back to default
juggernaut --task=firewall:port ---default=yes --restart=yes