ConfigServer Community Forum

Posted: **30 Apr 2018, 16:57**

Per title, if I specify a uid match, it seems to ignore the destination IP setting in csf.allow. To reproduce, add the following line to your csf.allow:

tcp|out|d=1234|d=1.2.3.4|u=1000

This should allow uid 1000 access to 1.2.3.4 on tcp port 1234, however after reloading the csf rules the actual rule in iptables is that it allows uid 1000 access to ANY destination ip on tcp 1234

Chain ALLOWOUT (1 references)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:1234 owner UID match 1000

Running csf v12.02 (cPanel) on CloudLinux 7.4

Posted: **01 May 2018, 10:11**

That is the expected behaviour and a restriction when using UID. See readme.txt:

Code: Select all

tcp/udp  : EITHER tcp OR udp OR icmp protocol
in/out   : EITHER incoming OR outgoing connections
s/d=port : EITHER source OR destination port number (or ICMP type)
           (use a _ for a port range, e.g. 2000_3000)
           (use a , for a multiport list of up to 15 ports, e.g. 22,80,443)
s/d=ip   : EITHER source OR destination IP address
u/g=UID  : EITHER UID or GID of source packet, implies outgoing connections,
           s/d=IP value is ignored

Note the last line. If you want something different you will have to put an iptables line in a csfpost.sh file.

ConfigServer Community Forum

Destination IP ignored in csf.allow when uid specified

Destination IP ignored in csf.allow when uid specified

Re: Destination IP ignored in csf.allow when uid specified