In /etc/csf/csf.allow and /etc/csf/csf.deny you can add more complex port and IP filters using the following format (you must specify a port AND an IP address):

```
tcp/udp|in/out|s/d=port|s/d=ip|u=uid
```
| Parameter | Description |
|---|---|
| tcp/udp/icmp | Either tcp or udp or icmp protocol |
| in/out | Either incoming OR outgoing connections |
| s/d=port | Either source or destination port number or ICMP type (use a _ for a port range, e.g. 2000_3000, or use a , for a multiport list of up to 15 ports, e.g. 22,80,443) |
| s/d=ip | Either source or destination IP address |
| u/g=UID | Either UID or GID of source packet; implies outgoing connections, so the s/d=ip value is ignored |
• ICMP filtering uses the "port" for s/d=port to set the ICMP type.
• Whether you use s or d is not relevant as either simply uses the iptables --icmp-type option. Use "iptables -p icmp -h" for a list of valid ICMP types.
• Only one type per filter is supported.
```
# TCP connections inbound to port 3306 from IP 203.0.113.1
tcp|in|d=3306|s=203.0.113.1

# TCP connections outbound to port 22 on IP 203.0.113.1
tcp|out|d=22|d=203.0.113.1

# TCP connections outbound to port 80 from UID 99 (the ip field is left empty)
tcp|out|d=80||u=99

# ICMP connections inbound for type ping from 203.0.113.1
icmp|in|d=ping|s=203.0.113.1

# TCP connections inbound to port 22 from dynamic DNS address www.example.com (Allow DynDNS only)
tcp|in|d=22|s=www.example.com

# TCP out port range to dynamic DNS address www.example.com (Allow DynDNS only)
tcp|out|d=30000_65535|d=www.example.com

# TCP connections inbound to ports 22,80,443 from IP 203.0.113.1
tcp|in|d=22,80,443|s=203.0.113.1
```
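As an added example (not part of csf itself), the following Python checker applies the rules above to a single filter line: protocol and direction values, `s=`/`d=` port specs including `_` ranges and `,` lists of at most 15 ports, a single ICMP type, the owner-match form that implies outgoing and ignores the ip field, and the "port AND ip" requirement. It is useful for linting a csf.allow or csf.deny entry before reloading the firewall; the field names in the returned dict are this example's own choice.

```python
import re

KV = re.compile(r"^([sdug])=(.*)$")  # matches s=..., d=..., u=..., g=...

def parse_csf_filter(line):
    """Parse one advanced filter line; raises ValueError when it breaks the documented rules."""
    parts = line.strip().split("|")
    if len(parts) not in (4, 5):
        raise ValueError("expected proto|dir|port|ip[|uid]")
    proto, direction, port, ip = parts[:4]
    uid = parts[4] if len(parts) == 5 else ""
    if proto not in ("tcp", "udp", "icmp") or direction not in ("in", "out"):
        raise ValueError(f"bad protocol/direction {proto!r}/{direction!r}")
    rule = {"proto": proto, "dir": direction}
    m = KV.match(port)
    if not m or m.group(1) not in "sd":
        raise ValueError("port must be s=... or d=...")
    rule["port_side"], spec = m.group(1), m.group(2)
    if proto == "icmp":  # the "port" is a single ICMP type (name or number)
        if "," in spec or "_" in spec:
            raise ValueError("only one ICMP type per filter")
        rule["icmp_type"] = spec
    elif "_" in spec:  # port range written as lo_hi
        lo, hi = spec.split("_")
        rule["ports"] = (int(lo), int(hi))
    else:  # single port or a multiport list of up to 15 ports
        ports = [int(p) for p in spec.split(",")]
        if len(ports) > 15:
            raise ValueError("multiport list is limited to 15 ports")
        rule["ports"] = ports
    if uid:  # owner match: implies outgoing, and the s/d=ip field is ignored
        m = KV.match(uid)
        if not m or m.group(1) not in "ug":
            raise ValueError("fifth field must be u=UID or g=GID")
        rule["dir"] = "out"
        rule["owner"] = (m.group(1), int(m.group(2)))
    else:  # no owner match: a port AND an IP (or hostname) are required
        m = KV.match(ip)
        if not m or m.group(1) not in "sd" or not m.group(2):
            raise ValueError("a port AND an IP address are required")
        rule["ip_side"], rule["ip"] = m.group(1), m.group(2)
    return rule

def is_valid_csf_filter(line):
    """True when the line parses; convenient for checking a file line by line."""
    try:
        return bool(parse_csf_filter(line))
    except ValueError:
        return False
```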
| File | Description |
|---|---|
| /etc/csf/csf.allow | A list of IP addresses, CIDR addresses, and filters that will always be allowed through the firewall. |
| /etc/csf/csf.deny | A list of IP addresses, CIDR addresses, and filters that will be permanently denied by the firewall. |