Hi!,
I would like to open a port just for a user.
For example i have port 993 closed from outside to not permit users do access imap.
But i need to give permission to one user.
So, can i add this line to csf.allow to permit this?
tcp|in|s=993||u=1018
I already tried but doesn't work.
I there a way to do this?
Thanks
Open port in for specific user
Re: Open port in for specific user
As you don't mention where are you trying to add that rule, I am assuming you are trying to use CSF.ALLOW.
If so, I don't see any IP to the allow rule you are writing.
In the readme it shows:
# Advanced port+ip filtering allowed with the following format
# tcp/udp|in/out|s/d=port,port,...|s/d=ip
If you see there is no "u="
Usually it works as per example writing something like:
tcp|in|d=993|s=www.xxx.yyy.zzz
What it mean is:
Protocol = tcp
INBOUND = in
Destination port: 110
Source = www.xxx.yyy.zzz => should be the IP of you user.
If so, I don't see any IP to the allow rule you are writing.
In the readme it shows:
# Advanced port+ip filtering allowed with the following format
# tcp/udp|in/out|s/d=port,port,...|s/d=ip
If you see there is no "u="
Usually it works as per example writing something like:
tcp|in|d=993|s=www.xxx.yyy.zzz
What it mean is:
Protocol = tcp
INBOUND = in
Destination port: 110
Source = www.xxx.yyy.zzz => should be the IP of you user.
Re: Open port in for specific user
The documentation i see is this:
So, there is a u= option. But does it work "in" or only "out"?
If it worked "in" i could have open ports only for the users i want regardless the ip the connection is being made.
But i do understand that before a connection is permitted the ip needs to be whitelisted in the firewall.
So, the way that the firewall works maybe it's impossible to permit a connection to all ports and only after this verify if a specific user has that permission or not.
This would be against the core functionality of a firewall.
This u= option may work from inside to outside, because the user is already verified inside the server and not the way around.
Am I thinking right?
Thanks
Code: Select all
10. Advanced Allow/Deny Filters
###############################
In /etc/csf/csf.allow and /etc/csf/csf.deny you can add more complex port and
ip filters using the following format (you must specify a port AND an IP
address):
tcp/udp|in/out|s/d=port|s/d=ip|u=uid
Broken down:
tcp/udp : EITHER tcp OR udp OR icmp protocol
in/out : EITHER incoming OR outgoing connections
s/d=port : EITHER source OR destination port number (or ICMP type)
(use a _ for a port range, e.g. 2000_3000)
(use a , for a multiport list of up to 15 ports, e.g. 22,80,443)
s/d=ip : EITHER source OR destination IP address
u/g=UID : EITHER UID or GID of source packet, implies outgoing connections,
s/d=IP value is ignored
Note: ICMP filtering uses the "port" for s/d=port to set the ICMP type.
Whether you use s or d is not relevant as either simply uses the iptables
--icmp-type option. Use "iptables -p icmp -h" for a list of valid ICMP types.
Only one type per filter is supportedIf it worked "in" i could have open ports only for the users i want regardless the ip the connection is being made.
But i do understand that before a connection is permitted the ip needs to be whitelisted in the firewall.
So, the way that the firewall works maybe it's impossible to permit a connection to all ports and only after this verify if a specific user has that permission or not.
This would be against the core functionality of a firewall.
This u= option may work from inside to outside, because the user is already verified inside the server and not the way around.
Am I thinking right?
Thanks