
Block countries but allow port 53/dns

Posted: 12 Jun 2021, 14:03
by bulgin23
Hello,

I hope everyone is well.

I have a need to block countries, but allow DNS queries into the server from everywhere, including those countries I've blocked.

What is the simplest solution with CSF for this?

Thanks in advance for any help.

Re: Block countries but allow port 53/dns

Posted: 05 Jul 2021, 11:45
by sahostking
I would say maybe use something like this, unless someone else has a better idea. You could deny service and port access to many countries attacking your server just by using their country codes.

# This option denies access from the following countries to specific ports
# listed in CC_DENY_PORTS_TCP and CC_DENY_PORTS_UDP
#
# Note: The rules for this feature are inserted after the allow and deny
# rules to still allow allowing of IP addresses
#
# Each option is a comma separated list of CC's, e.g. "US,GB,DE"
CC_DENY_PORTS = ""

# This option uses the same format as TCP_IN/UDP_IN. The ports listed should
# NOT be removed from TCP_IN/UDP_IN
#
# An example would be to list port 21 here then countries listed in
# CC_DENY_PORTS cannot access FTP
CC_DENY_PORTS_TCP = ""
CC_DENY_PORTS_UDP = ""

Re: Block countries but allow port 53/dns

Posted: 05 Jul 2021, 14:35
by bulgin23
SOLVED: I used the following solution provided by viewtopic.php?t=7558&sid=d0d3e273b6ef83 ... 44b6671ebb
Case 2 (recommended)

Block a few countries but still allow them to reach some ports
Example: Block China, Russia and Nigeria except HTTP and HTTPS

CC_DENY_PORTS = NG,CN,RU
CC_DENY_PORTS_TCP = 1:79,81:442,444:65535
CC_DENY_PORTS_UDP = 1:65535
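
The range strings in the solution above are easy to get wrong by hand (an off-by-one leaves a port open or closes the one you wanted to keep). The following is an added example, not code from the thread or from CSF itself: it generates the CSF-style `CC_DENY_PORTS_TCP`/`CC_DENY_PORTS_UDP` value that blocks every port except the ones you list, and does the reverse check, expanding an existing range string to show exactly which ports remain reachable from the denied countries. The port-list grammar it parses (comma-separated single ports and `lo:hi` ranges, optionally quoted) is the one shown in the posts above; everything else is the example's own.

```python
"""Build and verify CSF CC_DENY_PORTS_* range strings (added example)."""

MAX_PORT = 65535


def parse_ports(spec: str) -> set:
    """Expand a CSF port list such as "1:79,81:442,444:65535" or "25,53,80"
    into the set of individual ports it covers. Surrounding quotes and empty
    entries (a stray ",,") are ignored."""
    ports = set()
    for item in spec.strip().strip('"').split(","):
        item = item.strip()
        if not item:
            continue
        if ":" in item:
            lo, hi = item.split(":", 1)
            ports.update(range(int(lo), int(hi) + 1))
        else:
            ports.add(int(item))
    return ports


def deny_ranges_except(keep_open: set) -> str:
    """Return the CSF range string that covers every port 1..65535 except
    the ports in keep_open, using the shortest run-length form."""
    ranges = []
    start = None
    # Iterate one past MAX_PORT so the final run is flushed.
    for port in range(1, MAX_PORT + 2):
        blocked = port <= MAX_PORT and port not in keep_open
        if blocked and start is None:
            start = port
        elif not blocked and start is not None:
            end = port - 1
            ranges.append(str(start) if start == end else f"{start}:{end}")
            start = None
    return ",".join(ranges)


def ports_reachable(deny_spec: str) -> set:
    """Given a CC_DENY_PORTS_TCP/UDP value, return the ports the denied
    countries can still reach (the complement within 1..65535)."""
    return set(range(1, MAX_PORT + 1)) - parse_ports(deny_spec)


if __name__ == "__main__":
    # The "allow http/https" case from the thread: 1:79,81:442,444:65535
    print(deny_ranges_except({80, 443}))
    # The original question: deny everything except DNS on 53
    print(deny_ranges_except({53}))
    # Verify an existing value: which ports stay open for NG,CN,RU?
    print(sorted(ports_reachable("1:79,81:442,444:65535")))
```

Paste the generated string into `csf.conf` inside the quotes, keep the same ports listed in `TCP_IN`/`UDP_IN` as the csf.conf comment says, then run `ports_reachable` on the final value as a second pair of eyes before restarting CSF.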

Re: Block countries but allow port 53/dns

Posted: 22 Mar 2023, 10:36
by poudenes
Hi All,

It's an old post, but I'm trying to install CSF on my Debian 11. Everything is working, but when I start CSF all resolving actions are blocked.
This is my config:

CC_ALLOW_PORTS = "BG,IR,IQ,RU,CN,NG"
CC_ALLOW_PORTS_TCP = "53"
CC_ALLOW_PORTS_UDP = "53"

TESTING = "0"
TESTING_INTERVAL = "5"
RESTRICT_SYSLOG = "3"
RESTRICT_SYSLOG_GROUP = "mysyslog"
RESTRICT_UI = "1"
AUTO_UPDATES = "1"
LF_SPI = "1"

TCP_IN = "25,53,80,143,443,465,587,953,993,995,3000,7045,8080,8081"
TCP_OUT = "25,53,80,,113,443,587,953,993,995,7045,8080,8081"
UDP_IN = "53,80,443,953"
UDP_OUT = "53,113,123,953"
My idea is to allow only some countries to use port 53. But this is what I see in syslog:

Mar 22 10:30:04 mail named[346931]: address not available resolving 'ns.ukwebs.net/AAAA/IN': 2604:4500:9:156::4#53
Mar 22 10:30:04 mail named[346931]: address not available resolving 'ns.ukwebs.net/A/IN': 2604:4500:9:156::4#53
Mar 22 10:30:04 mail named[346931]: address not available resolving 'ns.ukwebs.net/AAAA/IN': 2a01:4f8:13b:355e::2#53
Mar 22 10:30:04 mail named[346931]: address not available resolving 'ns.ukwebs.net/A/IN': 2a01:4f8:13b:355e::2#53
Mar 22 10:30:04 mail named[346931]: address not available resolving '_.165.66.list.dnswl.org/A/IN': 2a01:4f8:c2c:52e::feed#53
Mar 22 10:30:04 mail named[346931]: address not available resolving '_.165.66.list.dnswl.org/A/IN': 2400:8901::f03c:91ff:fee9:a89#53
Mar 22 10:30:05 mail named[346931]: address not available resolving 'default._domainkey.forum.configserver.com/TXT/IN': 2a01:4f8:13b:355e::2#53
Mar 22 10:30:05 mail named[346931]: address not available resolving '_.246.165.66.list.dnswl.org/A/IN': 2a01:4f8:1c0c:708f::53#53

root@hassio:/home/poudenes# nslookup ns.ukwebs.net
Server:         8.8.8.8
Address:        8.8.8.8#53

Non-authoritative answer:
Name:   ns.ukwebs.net
Address: 66.165.246.164
Name:   ns.ukwebs.net
Address: 2604:4500:9:156::4
root@hassio:/home/poudenes# nslookup dnswl.org
Server:         8.8.8.8
Address:        8.8.8.8#53

Non-authoritative answer:
Name:   dnswl.org
Address: 168.119.229.146
Name:   dnswl.org
Address: 2a01:4f8:1c0c:708f::1
Can someone assist me?
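
When a resolver starts failing right after a firewall change, the first thing worth doing is to read the failures systematically rather than one line at a time. The following is an added example, not code from the thread or from CSF: it parses named's "address not available resolving" lines, records the upstream nameserver, its address family and port for each failure, and checks that port against the `UDP_OUT`/`TCP_OUT` lists from the posted csf.conf. The sample log lines are copied from the post above; the outbound lists are the poster's (the double comma is in the original and is skipped); the parsing regex and the summary format are this example's own assumptions. Run on the posted lines it reports that every failed query targets an IPv6 nameserver on port 53 and that 53 is present in both outbound lists, which narrows the question to how the firewall treats IPv6 rather than to the port lists or the `CC_ALLOW_PORTS` setting.

```python
"""Summarise named resolution failures against CSF outbound lists (added example)."""
import ipaddress
import re

# Sample input: lines copied from the syslog excerpt in the post above.
NAMED_LOG = """\
Mar 22 10:30:04 mail named[346931]: address not available resolving 'ns.ukwebs.net/AAAA/IN': 2604:4500:9:156::4#53
Mar 22 10:30:04 mail named[346931]: address not available resolving 'ns.ukwebs.net/A/IN': 2604:4500:9:156::4#53
Mar 22 10:30:04 mail named[346931]: address not available resolving '_.165.66.list.dnswl.org/A/IN': 2a01:4f8:c2c:52e::feed#53
"""

# Outbound lists as posted (the ",," is in the poster's config and is ignored).
TCP_OUT = "25,53,80,,113,443,587,953,993,995,7045,8080,8081"
UDP_OUT = "53,113,123,953"

# Assumed message shape: "<reason> resolving '<name>/<type>/IN': <server>#<port>"
LINE_RE = re.compile(
    r"named\[\d+\]: (?P<reason>[^:]+?) resolving "
    r"'(?P<qname>[^/']+)/(?P<qtype>\w+)/IN': (?P<server>[^#\s]+)#(?P<port>\d+)$"
)


def parse_named_lines(text: str) -> list:
    """Return one dict per matching log line with the upstream server details."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # unrelated named messages are skipped
        addr = ipaddress.ip_address(m["server"])
        events.append({
            "qname": m["qname"],
            "qtype": m["qtype"],
            "reason": m["reason"],
            "server": str(addr),
            "family": addr.version,   # 4 or 6
            "port": int(m["port"]),
        })
    return events


def csf_ports(spec: str) -> set:
    """Expand a CSF port list ("53,113" or "1:79,81:442") into a set of ports."""
    ports = set()
    for item in spec.strip('"').split(","):
        if item.strip():
            lo, _, hi = item.partition(":")
            ports.update(range(int(lo), int(hi or lo) + 1))
    return ports


def summarize(events: list, udp_out: str, tcp_out: str) -> dict:
    """Count failures per address family and flag any destination port that
    is missing from either outbound list (DNS needs both UDP and TCP 53)."""
    udp, tcp = csf_ports(udp_out), csf_ports(tcp_out)
    by_family = {4: 0, 6: 0}
    not_permitted = []
    for e in events:
        by_family[e["family"]] += 1
        if e["port"] not in udp or e["port"] not in tcp:
            not_permitted.append((e["server"], e["port"]))
    return {
        "total": len(events),
        "ipv4": by_family[4],
        "ipv6": by_family[6],
        "port_not_permitted": not_permitted,
    }


if __name__ == "__main__":
    evs = parse_named_lines(NAMED_LOG)
    for e in evs:
        print(f"{e['qname']:40} {e['qtype']:5} -> IPv{e['family']} {e['server']}#{e['port']}")
    print(summarize(evs, UDP_OUT, TCP_OUT))
```

Feed it the full syslog excerpt (or `journalctl -u named` output) and look at the `ipv4`/`ipv6` counts first: if the failures are all on one family while lookups via the other family succeed, the port lists are not the place to keep looking.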