Advanced port+ip filtering

Posted: 20 Dec 2012, 18:44
by NETLINK
Hello! I'm sorry if this has been covered elsewhere; I couldn't find more info on it.

I'm trying to set up advanced port+ip filtering using the following rule:
tcp/udp|in/out|s/d=port|s/d=ip

My first question is, what's the correct syntax for this? My initial thought was this:
tcp|in|d=993|s=123.456.0.1
OR
tcp|in|d=993|s=123.456.0.0/15

... But I'm not sure if this is correct.

My second question is, is it possible to specify multiple ports in the same rule, for example tcp ports 993 and 143, and is it possible to specify an IP range?

Many thanks! Any help would be greatly appreciated.

Re: Advanced port+ip filtering

Posted: 18 May 2016, 14:59
by bouvrie
Bumping this as I, too, would like to know.

And additionally, is there a way to set CSF to automatically block on a port basis, rather than IP basis? Just because someone is hammering our SMTP port doesn't mean they should be denied access to our web server... :confused:

Re: Advanced port+ip filtering

Posted: 10 Jun 2016, 20:20
by onidas
10. Advanced Allow/Deny Filters
###############################

In /etc/csf.allow and /etc/csf.deny you can add more complex port and ip
filters using the following format (you must specify a port AND an IP address):

tcp/udp|in/out|s/d=port|s/d=ip|u=uid

Broken down:

tcp/udp : EITHER tcp OR udp OR icmp protocol
in/out : EITHER incoming OR outgoing connections
s/d=port : EITHER source OR destination port number (or ICMP type)
(use a _ for a port range, e.g. 2000_3000)
s/d=ip : EITHER source OR destination IP address
u/g=UID : EITHER UID or GID of source packet, implies outgoing connections,
s/d=IP value is ignored

Note: ICMP filtering uses the "port" for s/d=port to set the ICMP type.
Whether you use s or d is not relevant as either simply uses the iptables
--icmp-type option. Use "iptables -p icmp -h" for a list of valid ICMP types.
Only one type per filter is supported

Examples:

# TCP connections inbound to port 3306 from IP 11.22.33.44
tcp|in|d=3306|s=11.22.33.44

# TCP connections outbound to port 22 on IP 11.22.33.44
tcp|out|d=22|d=11.22.33.44

Note: If omitted, the default protocol is set to "tcp", the default connection
direction is set to "in", so:

# TCP connections inbound to port 22 from IP 44.33.22.11
d=22|s=44.33.22.11

# TCP connections outbound to port 80 from UID 99
tcp|out|d=80||u=99

# ICMP connections inbound for type ping from 44.33.22.11
icmp|in|d=ping|s=44.33.22.11

# TCP connections inbound to port 22 from Dynamic DNS address
# http://www.configserver.com (for use in csf.dyndns only)
tcp|in|d=22|s=www.configserver.com


(from the readme)

tcp|in|d=993|s=123.456.0.0/15 works

or even:

d=993|s=123.456.0.0/15 (since TCP and IN are default)

Also unfortunately you have to do it for EACH port.
You can only do range: 10_1000 (port 10 - 1000)
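A small Python helper, added here as an example and not part of csf or of this thread, that checks filter lines against the grammar quoted from the readme above and expands a list of ports into one csf.allow/csf.deny line per port (each filter takes a single port or a_b range, so ports such as 993 and 143 need two lines). The field handling below is my reading of the readme excerpt, not csf's own parser; the 198.51.100.0/24 network and the port list are constructed sample values.

```python
"""Validate and generate CSF advanced allow/deny filter lines.

Added example following the grammar quoted from the csf readme
(tcp/udp|in/out|s/d=port|s/d=ip|u=uid). It is not csf's own parser.
"""
import ipaddress
import re

PROTOCOLS = ("tcp", "udp", "icmp")
DIRECTIONS = ("in", "out")
# a single port or a low_high range, as in 2000_3000
_PORT_RE = re.compile(r"^(\d{1,5})(?:_(\d{1,5}))?$")
# ICMP "ports" are type names or numbers handed to iptables --icmp-type
_ICMP_RE = re.compile(r"^[a-z0-9-]+$")


def check_port(spec, proto="tcp"):
    """Return spec unchanged if it is a valid port, port range or ICMP type."""
    if proto == "icmp":
        if not _ICMP_RE.match(spec):
            raise ValueError(f"bad ICMP type {spec!r}")
        return spec
    m = _PORT_RE.match(spec)
    if not m:
        raise ValueError(f"bad port spec {spec!r}")
    lo = int(m.group(1))
    hi = int(m.group(2)) if m.group(2) else lo
    if not 1 <= lo <= hi <= 65535:
        raise ValueError(f"port out of range or reversed range: {spec!r}")
    return spec


def check_ip(spec, dyndns=False):
    """Return spec if it is an IP or CIDR; hostnames only when dyndns=True."""
    try:
        ipaddress.ip_network(spec)  # strict: host bits set in a CIDR is an error
        return spec
    except ValueError:
        if dyndns and re.match(r"^[A-Za-z0-9.-]+$", spec):
            return spec  # csf.dyndns entries may name a host instead of an IP
        raise ValueError(f"bad IP/CIDR {spec!r}")


def parse_filter(line, dyndns=False):
    """Parse one filter line into a dict, applying the readme defaults (tcp, in).

    Assumption from the readme examples: the first s=/d= field is the port and
    the second is the IP. A u=/g= field implies an outgoing rule and, per the
    readme, the IP field may then be left empty.
    """
    rule = {"proto": "tcp", "dir": "in", "port_side": None, "port": None,
            "ip_side": None, "ip": None, "uid": None}
    sd_fields = []
    for field in line.strip().split("|"):
        if field == "":
            continue  # e.g. the empty IP slot in tcp|out|d=80||u=99
        if field in PROTOCOLS:
            rule["proto"] = field
        elif field in DIRECTIONS:
            rule["dir"] = field
        elif field[:2] in ("s=", "d="):
            sd_fields.append(field)
        elif field[:2] in ("u=", "g="):
            rule["uid"] = field[2:]
            rule["dir"] = "out"
        else:
            raise ValueError(f"unrecognised field {field!r} in {line!r}")
    if not sd_fields:
        raise ValueError(f"no port in {line!r}")
    rule["port_side"] = sd_fields[0][0]
    rule["port"] = check_port(sd_fields[0][2:], rule["proto"])
    if len(sd_fields) > 1:
        rule["ip_side"] = sd_fields[1][0]
        rule["ip"] = check_ip(sd_fields[1][2:], dyndns)
    elif rule["uid"] is None:
        raise ValueError(f"a port AND an IP are required: {line!r}")
    return rule


def build_rules(ports, ip, proto="tcp", direction="in", port_side="d", ip_side="s"):
    """Emit one line per port: each csf filter carries a single port or range."""
    check_ip(ip)
    lines = []
    for port in ports:
        line = f"{proto}|{direction}|{port_side}={port}|{ip_side}={ip}"
        parse_filter(line)  # round-trip check of what we are about to emit
        lines.append(line)
    return lines


if __name__ == "__main__":
    # Constructed sample: IMAPS, IMAP and a port range from a documentation
    # subnet, as lines ready to paste into csf.allow or csf.deny.
    for rule in build_rules(["993", "143", "2000_3000"], "198.51.100.0/24"):
        print(rule)
```

Lines that fail validation raise ValueError with the offending field, which catches the 123.456.0.0/15 style mistake from the opening post (456 is not a valid octet) before it reaches the firewall.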

Re: Advanced port+ip filtering

Posted: 16 Jun 2016, 08:38
by bouvrie
No word on automatically having only *ports* blocked for IP addresses? I tried via commandline:

csf -d 'd=22|s=X.X.X.X'   # the rule must be quoted, otherwise the shell treats | as a pipe
But that doesn't seem to have the proper effect. I do not want to go the TEMP DENY route, as those blocks are lifted on csf restart:

csf -td X.X.X.X 9999d -p 22 [comment]