/etc/csf/csf.deny you can add more complex port and IP
filters using the following format (you must specify a port AND an IP address).
|tcp/udp/icmp||Either tcp or udp or icmp protocol|
|in/out||Either incoming OR outgoing connections|
|s/d=port||Either source or destination port number or ICMP type (use a _ for a port range, e.g. 2000_3000) or (use a , for a multiport list of up to 15 ports, e.g. 22,80,443)|
|s/d=ip||Either source or destination IP address|
|u/g=UID||Either UID or GID of source packet, implies outgoing connections,s/d=IP value is ignored|
• ICMP filtering uses the "port" for s/d=port to set the ICMP type.
• Whether you use s or d is not relevant as either simply uses the iptables --icmp-type option. Use "iptables -p icmp -h" for a list of valid ICMP types.
• Only one type per filter is supported.
# TCP connections inbound to port 3306 from IP 203.0.113.1 tcp|in|d=3306|s=203.0.113.1 # TCP connections outbound to port 22 on IP 203.0.113.1 tcp|out|d=22|d=203.0.113.1 # TCP connections outbound to port 80 from UID 99 tcp|out|d=80||u=99 # ICMP connections inbound for type ping from 203.0.113.1 icmp|in|d=ping|s=203.0.113.1 # TCP connections inbound to port 22 from dynamic DNS address www.example.com (Allow DynDNS only) tcp|in|d=22|s=www.example.com # TCP out port range to dynamic DNS address www.example.com (Allow DynDNS only) tcp|out|d=30000_65535|d=www.example.com # TCP connections inbound to port 22,80,443 from IP 203.0.113.1 d=22,80,443|s=203.0.113.1
||A list of IP addresses, CIDR addresses, and filters that will always be allowed through the firewall.|
||A list of IP addresses, CIDR addresses, and filters that will be permanently denied by the firewall.|