I am failing PCI because my database port is open. Thing is, it's not; it's blocked by CSF. But in order for the PCI scans to run OK and do their checks I have to add them to the IP allow list. So THEY can see the port open, even though no one else can, and fail us!
So therefore I would like to know if it's possible to keep them (and other IPs) in the allow list, but still block the database port (and any other port I think I may want to block even to the allow list).
We are also using the GLOBAL_ALLOW to retrieve these IP addresses from a remote file, because we have many servers to add allow IPs for.
Thanks a lot
Block specific port even to global allow IP?
Re: Block specific port even to global allow IP?
If you only want to block port 3306 for them, you can allow a range of ports, I mean allow them from 0,3305 and 3307,65535 or you can adjust the ranges to your liking.
Example:
tcp|in|d=0_3305,3307_65535|s=x.x.x.x
If multiple ranges don't work then you can try:
tcp|in|d=0_3305|s=x.x.x.x
tcp|in|d=3307_65535|s=x.x.x.x
where x.x.x.x is the PCI IP.
Sergio
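An added example, not from the thread or from CSF itself, to show why a plain allow-list entry exposes every port to that source while the advanced `tcp|in|d=...|s=...` form from the reply above keeps 3306 closed. The checker is a hypothetical audit script: it parses entries in the two csf.allow-style formats shown in this thread (a bare IP or CIDR, and the advanced `proto|direction|d=ports|s=source` form, with `_` for ranges and `,` between items, as in the reply), and reports which ports an entry would open to a given scanner address. The IP addresses are constructed sample values, and the comma-separated multi-range form is assumed to be accepted, as the reply itself is unsure of.

```python
"""Hypothetical audit of CSF-style allow entries (added example, not CSF code).

Assumed line formats, modelled on the csf.allow entries quoted in the thread:
  198.51.100.5                            # plain entry: every port from that source
  tcp|in|d=0_3305,3307_65535|s=192.0.2.10 # advanced: proto|dir|d=ports|s=source
Port specs use '_' for a range and ',' between items (multi-range form assumed).
"""
import ipaddress

# Constructed sample allow list: a scanner with a port-range entry and an
# office IP added as a plain entry (the GLOBAL_ALLOW style the question uses).
SAMPLE_ALLOW = [
    "tcp|in|d=0_3305,3307_65535|s=192.0.2.10   # PCI scanner, 3306 excluded",
    "198.51.100.5                               # plain entry: no port restriction",
]
# Ports the admin intends to keep closed to everyone, allow list included.
PRIVATE_PORTS = [3306]


def parse_ports(spec):
    """'0_3305,3307_65535' -> [(0, 3305), (3307, 65535)]; '3306' -> [(3306, 3306)]."""
    ranges = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        if "_" in item:
            lo, hi = item.split("_", 1)
            ranges.append((int(lo), int(hi)))
        else:
            ranges.append((int(item), int(item)))
    return ranges


def parse_rule(line):
    """Return a dict rule, or None for blank/comment lines."""
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    if "|" not in line:
        # Plain entry: matches every protocol, direction and port from that source.
        return {"proto": None, "dir": None, "ports": None,
                "src": ipaddress.ip_network(line, strict=False)}
    fields = line.split("|")
    rule = {"proto": fields[0], "dir": fields[1], "ports": None, "src": None}
    for field in fields[2:]:
        key, _, val = field.partition("=")
        if key == "d":
            rule["ports"] = parse_ports(val)
        elif key == "s":
            rule["src"] = ipaddress.ip_network(val, strict=False)
    return rule


def rule_matches(rule, proto, direction, port, src):
    """True if this allow entry would let src reach port over proto/direction."""
    if rule["proto"] is not None and rule["proto"] != proto:
        return False
    if rule["dir"] is not None and rule["dir"] != direction:
        return False
    if rule["src"] is not None and ipaddress.ip_address(src) not in rule["src"]:
        return False
    if rule["ports"] is not None and not any(lo <= port <= hi for lo, hi in rule["ports"]):
        return False
    return True


def load_rules(lines):
    return [r for r in (parse_rule(l) for l in lines) if r is not None]


def is_allowed(rules, proto, direction, port, src):
    return any(rule_matches(r, proto, direction, port, src) for r in rules)


def exposed_ports(rules, src, private_ports, proto="tcp"):
    """Which of private_ports the allow list would open to src (inbound)."""
    return [p for p in private_ports if is_allowed(rules, proto, "in", p, src)]


def audit_sample():
    """Map each sample source to the private ports its allow entry exposes."""
    rules = load_rules(SAMPLE_ALLOW)
    return {src: exposed_ports(rules, src, PRIVATE_PORTS)
            for src in ("192.0.2.10", "198.51.100.5")}


if __name__ == "__main__":
    for src, ports in audit_sample().items():
        print(f"{src}: exposes {ports or 'nothing'}")
```

Running it shows the point of the reply: the range-restricted scanner entry exposes nothing on 3306, while the plain entry exposes every private port. Entries pulled in via GLOBAL_ALLOW can be fed to `load_rules` the same way before they are deployed.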