Per title, if I specify a uid match, it seems to ignore the destination IP setting in csf.allow. To reproduce, add the following line to your csf.allow:
tcp|out|d=1234|d=1.2.3.4|u=1000
This should allow uid 1000 access to 1.2.3.4 on tcp port 1234; however, after reloading the csf rules, the actual rule in iptables allows uid 1000 access to ANY destination IP on tcp 1234:
Chain ALLOWOUT (1 references)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:1234 owner UID match 1000
Running csf v12.02 (cPanel) on CloudLinux 7.4
Destination IP ignored in csf.allow when uid specified
- Moderator
- Posts: 1524
- Joined: 01 Oct 2008, 09:24
Re: Destination IP ignored in csf.allow when uid specified
That is the expected behaviour and a restriction when using UID. See readme.txt:
Note the last line. If you want something different you will have to put an iptables line in a csfpost.sh file.
tcp/udp : EITHER tcp OR udp OR icmp protocol
in/out : EITHER incoming OR outgoing connections
s/d=port : EITHER source OR destination port number (or ICMP type)
(use a _ for a port range, e.g. 2000_3000)
(use a , for a multiport list of up to 15 ports, e.g. 22,80,443)
s/d=ip : EITHER source OR destination IP address
u/g=UID : EITHER UID or GID of source packet, implies outgoing connections,
s/d=IP value is ignored
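The csfpost.sh route the moderator points to, written out as an added example (this is not code from the csf project or from either post). It assumes iptables is at /sbin/iptables, that csf runs the file with $0 ending in csfpost.sh (e.g. /etc/csf/csfpost.sh), and, importantly, that the `u=1000` line has been removed from csf.allow: while that line is present csf's own any-destination ACCEPT in ALLOWOUT still exists, so the narrower rule below would only add an allowance, not take one away.

```shell
#!/bin/sh
# Added example for /etc/csf/csfpost.sh: restrict an outbound UID allowance to one
# destination, which csf.allow's u= syntax cannot express (s/d=IP is ignored with u/g=).
# Assumptions: iptables lives at /sbin/iptables, the "u=1000" line has been removed
# from csf.allow, and csf executes this file with $0 set to .../csfpost.sh.
IPTABLES=${IPTABLES:-/sbin/iptables}

# is_number STR: succeed only for a plain decimal string (rejects empty or shell-metachar input)
is_number() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# is_addr STR: loose IPv4/CIDR shape check, enough to keep junk out of the iptables command line
is_addr() {
    case "$1" in
        ''|*[!0-9./]*) return 1 ;;
        *) return 0 ;;
    esac
}

# uid_out_rule ACTION UID DEST_IP DPORT [PROTO]
# Print the iptables command for: ACCEPT outbound PROTO from UID to DEST_IP:DPORT only.
# ACTION is -I (insert), -C (check) or -D (delete). Fails on malformed UID, port or address.
uid_out_rule() {
    action=$1 uid=$2 dst=$3 dport=$4 proto=${5:-tcp}
    is_number "$uid" && is_number "$dport" && is_addr "$dst" || return 1
    printf '%s %s OUTPUT -p %s -d %s --dport %s -m owner --uid-owner %s -j ACCEPT\n' \
        "$IPTABLES" "$action" "$proto" "$dst" "$dport" "$uid"
}

# apply_uid_out_rule UID DEST_IP DPORT [PROTO]
# -I with no position puts the rule at the top of OUTPUT, so it is evaluated before the
# jumps into csf's own chains. The -C probe avoids a duplicate when the script is run by hand
# (csf itself flushes the tables on "csf -r" before running csfpost.sh).
apply_uid_out_rule() {
    probe=$(uid_out_rule -C "$@") || return 1
    $probe 2>/dev/null && return 0
    $(uid_out_rule -I "$@")
}

# Only touch the firewall when csf is actually executing this file as csfpost.sh.
case "$0" in
    */csfpost.sh) apply_uid_out_rule 1000 1.2.3.4 1234 ;;
esac
```

After `csf -r`, confirm the narrowed rule is in place and the broad one is gone with `iptables -S OUTPUT | grep uid-owner` and `iptables -S ALLOWOUT | grep uid-owner`: the first should show `-d 1.2.3.4/32 ... --uid-owner 1000`, the second should show nothing for that UID.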