ConfigServer Community Forum

Posted: **19 Sep 2013, 17:33**

The warning is "less effective". Not sure what that means specifically?

Is the concern a server could be tricked into contacting an outbound ip?

I think that risk is fairly low if not completely unlikely in most cases?

The idea is if you are using nearly 1000 rules, converting to inbound only could reduce the memory/cpu resource use?

LF_BLOCKINONLY
By default csf will create both an inbound and outbound blocks from/to an IP unless otherwise specified in csf.deny and GLOBAL_DENY. This is the most effective way to block IP traffic. This option instructs csf to only block inbound traffic from those IP's and so reduces the number of iptables rules, # but at the expense of less effectiveness. For this reason we recommend leaving this option disabled. Set to "0" to disable this feature - the default

Posted: **25 Sep 2013, 20:37**

The way CSF works is blocking the input and output loop, that works great in case a malicious script is trying to send info out from the server, on the other hand RBL chains are set (like DSHIELD, SPAMEDROP and TOR) to use one iptable rule blocking all "*", in my own iptables I follow this method and I always have the doubt what is better.

Sergio

Posted: **01 Apr 2014, 18:12**

Revisiting this.

So does CSF/LFD actually use * in iptables and create only one rule by default?

Why would it make both an inbound and outbound rule if a wildcard is available?

I understand the logic of LF_BLOCKINONLY=0 to prevent the server from being tricked to reach bad ip ranges but on a heavily loaded server where DOS is more of the problem and 1000 rules are already in use, perhaps LF_BLOCKINONLY=1 is a better idea.

ConfigServer Community Forum

any downside to blocking only inbound via LF_BLOCKINONLY

any downside to blocking only inbound via LF_BLOCKINONLY

Re: any downside to blocking only inbound via LF_BLOCKINONLY

Re: any downside to blocking only inbound via LF_BLOCKINONLY