Advanced Allow / Deny Filters

In /etc/csf/csf.allow and /etc/csf/csf.deny you can add more complex port and IP filters using the following format (you must specify a port AND an IP address).

Format

tcp/udp|in/out|s/d=port|s/d=ip|u=uid
Parameter Description
tcp/udp/icmp Either tcp or udp or icmp protocol
in/out Either incoming OR outgoing connections
s/d=port Either source or destination port number or ICMP type (use a _ for a port range, e.g. 2000_3000) or (use a , for a multiport list of up to 15 ports, e.g. 22,80,443)
s/d=ip Either source or destination IP address
u/g=UID Either UID or GID of source packet, implies outgoing connections,s/d=IP value is ignored

• ICMP filtering uses the "port" for s/d=port to set the ICMP type.
• Whether you use s or d is not relevant as either simply uses the iptables --icmp-type option. Use "iptables -p icmp -h" for a list of valid ICMP types.
• Only one type per filter is supported.

Examples

# TCP connections inbound to port 3306 from IP 203.0.113.1
tcp|in|d=3306|s=203.0.113.1

# TCP connections outbound to port 22 on IP 203.0.113.1
tcp|out|d=22|d=203.0.113.1

# TCP connections outbound to port 80 from UID 99
tcp|out|d=80||u=99

# ICMP connections inbound for type ping from 203.0.113.1
icmp|in|d=ping|s=203.0.113.1

# TCP connections inbound to port 22 from dynamic DNS address www.example.com (Allow DynDNS only)
tcp|in|d=22|s=www.example.com

# TCP out port range to dynamic DNS address www.example.com (Allow DynDNS only)
tcp|out|d=30000_65535|d=www.example.com

# TCP connections inbound to port 22,80,443 from IP 203.0.113.1
d=22,80,443|s=203.0.113.1

Related Files

File Description
/etc/csf/csf.allow A list of IP addresses, CIDR addresses, and filters that will always be allowed through the firewall.
/etc/csf/csf.deny A list of IP addresses, CIDR addresses, and filters that will be permanently denied by the firewall.

Related Pages