Port Settings

IPv4 Port Settings

SPI - LF_SPI
Some kernel/iptables setups do not perform stateful connection tracking correctly (typically some virtual servers or custom compiled kernels), so an SPI firewall will not function correctly. If this happens, LF_SPI can be set to 0 to reconfigure csf as a static firewall. As connection tracking will not be configured, applications that rely on it will not function unless all outgoing ports are opened. Therefore, all outgoing connections will be allowed once all other tests have completed, so TCP_OUT, UDP_OUT and ICMP_OUT will not have any effect.
Default: 1 Range: 0-1

TCP in - TCP_IN
Allow incoming TCP ports (comma separated). Port ranges can be specified using a colon. (e.g. 30000:35000).
Default: 20,21,22,25,53,80,110,143,443,465,587,853,993,995,8443,8447,8880,30000:35000

TCP out - TCP_OUT
Allow outgoing TCP ports (comma separated). Port ranges can be specified using a colon. (e.g. 30000:35000).
Default: 20,21,22,25,43,53,80,110,113,143,443,465,587,853,873,993,995,2703,5224,8443,8447,8880

UDP in - UDP_IN
Allow incoming UDP ports (comma separated). Port ranges can be specified using a colon. (e.g. 30000:35000).
Default: 20,21,53,24441

UDP out - UDP_OUT
Allow outgoing UDP ports (comma separated). Port ranges can be specified using a colon. (e.g. 30000:35000). To allow outgoing traceroute add 33434:33523 to this list.
Default: 20,21,53,113,123,873,6277,24441,33434:33523

ICMP in - ICMP_IN
Allow incoming PING.
Default: 1 Range: 0-1

ICMP in rate - ICMP_IN_RATE
Set the incoming ICMP packet rate per IP address. To disable this option set to 0.
Default: 1/s

ICMP out - ICMP_OUT
Allow outgoing PING.
Default: 1 Range: 0-1

ICMP out rate - ICMP_OUT_RATE
Set the outgoing ICMP packet rate per IP address. To disable this option set to 0.
Default: 0

ICMP timestamp drop - ICMP_TIMESTAMPDROP
For those with PCI Compliance tools that state that ICMP timestamps (type 13) should be dropped, you can enable this option. Otherwise, there appears to be little evidence that it has anything to do with a security risk, and it can impact network performance, so it should be left disabled by everyone else.
Default: 0

IPv6 Port Settings

IPv6 - IPV6
Enable or disable IPv6 support.
Default: 1 Range: 0-1

IPv6 ICMP strict - IPV6_ICMP_STRICT
IPv6 uses icmpv6 packets very heavily. By default, csf will allow all icmpv6 traffic in the INPUT and OUTPUT chains. However, this could increase the risk of icmpv6 attacks. To restrict incoming icmpv6, set this option to 1, but note that doing so may break some connection types.
Default: 0 Range: 0-1

IPv6 SPI - IPV6_SPI
Enable or disable IPv6 stateful packet inspection. Do not enable this on kernels older than v2.6.20, as they do not perform stateful connection tracking.
Default: 1 Range: 0-1

TCP6 in - TCP6_IN
Allow incoming IPv6 TCP ports (comma separated). Port ranges can be specified using a colon. (e.g. 30000:35000).
Default: 20,21,22,25,53,80,110,143,443,465,587,853,993,995,8443,8447,8880,30000:35000

TCP6 out - TCP6_OUT
Allow outgoing IPv6 TCP ports (comma separated). Port ranges can be specified using a colon. (e.g. 30000:35000).
Default: 20,21,22,25,43,53,80,110,113,143,443,465,587,853,873,993,995,2703,5224,8443,8447,8880

UDP6 in - UDP6_IN
Allow incoming IPv6 UDP ports (comma separated). Port ranges can be specified using a colon. (e.g. 30000:35000).
Default: 20,21,53,24441

UDP6 out - UDP6_OUT
Allow outgoing IPv6 UDP ports (comma separated). Port ranges can be specified using a colon. (e.g. 30000:35000). To allow outgoing traceroute add 33434:33523 to this list.
Default: 20,21,53,113,123,873,6277,24441,33434:33523
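
The port-list syntax and the LF_SPI caveat described above can be checked mechanically. The following is an added example, not part of csf: it assumes the settings are stored as KEY = "value" lines (an assumption about the configuration file layout), and the function names and sample values are constructed for illustration. It reports outgoing lists that have no effect when LF_SPI is 0, and ports that are open for only one of IPv4 and IPv6.

```python
import re

PAIRS = [("TCP_IN", "TCP6_IN"), ("TCP_OUT", "TCP6_OUT"),
         ("UDP_IN", "UDP6_IN"), ("UDP_OUT", "UDP6_OUT")]

# Constructed sample; the KEY = "value" layout is an assumption about the file.
SAMPLE = '''
LF_SPI = "0"
IPV6 = "1"
TCP_IN = "22,80,443,30000:30002"
TCP6_IN = "22,80,443,3306,30000:30002"
TCP_OUT = "25,53,80,443"
TCP6_OUT = "25,53,80,443"
'''

def parse_conf(text):
    """Collect KEY = "value" lines; commented-out lines do not match."""
    pairs = re.findall(r'^[ \t]*([A-Z0-9_]+)[ \t]*=[ \t]*"([^"]*)"', text, re.M)
    return dict(pairs)

def expand_ports(spec):
    """'22,80,30000:35000' -> set of ints; ValueError on a malformed entry."""
    ports = set()
    for item in filter(None, (p.strip() for p in spec.split(","))):
        lo, _, hi = item.partition(":")
        lo, hi = int(lo), int(hi or lo)
        if not 1 <= lo <= hi <= 65535:
            raise ValueError(f"bad port entry: {item!r}")
        ports.update(range(lo, hi + 1))
    return ports

def audit(text):
    """Return findings for the LF_SPI and IPv4/IPv6 settings described above."""
    conf, findings = parse_conf(text), []
    if conf.get("LF_SPI") == "0":  # static firewall: outgoing lists are not applied
        unused = [k for k in ("TCP_OUT", "UDP_OUT", "ICMP_OUT") if k in conf]
        findings.append("LF_SPI=0, no effect: " + ",".join(unused))
    if conf.get("IPV6", "1") == "1":  # the page gives 1 as the IPV6 default
        for v4, v6 in PAIRS:
            a, b = expand_ports(conf.get(v4, "")), expand_ports(conf.get(v6, ""))
            if a != b:
                findings.append(f"{v4}/{v6} differ: v4-only={sorted(a - b)} "
                                f"v6-only={sorted(b - a)}")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

A port that appears only in the IPv6 list is reachable over IPv6 even though the IPv4 list suggests it is closed, which is why the two families are compared pair by pair.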