My default csf firewall config in Webuzo is:
###############################################################################
# SECTION:IPv4 Port Settings
###############################################################################
# Port ranges can be given in the comma separated lists below using a
# colon (e.g. 30000:35000).
#
# Allow incoming TCP ports
# NOTE(review): every port listed here is reachable from any source address.
# 22 (SSH), 21 (FTP control) and the cleartext mail ports 25/110/143 are
# included; if any of them need not be public, restrict them by source
# (Advanced Allow Filters) rather than leaving them world-reachable.
# NOTE(review): 2002-2005 and 8080 are presumably the Webuzo/panel listeners
# -- confirm. They are NOT mirrored in TCP6_IN in the IPv6 section below.
# NOTE(review): only the FTP control/active-data ports (20,21) are listed;
# passive-mode FTP also needs the server's passive port range here (or the
# ftp connection-tracking helper) -- confirm whether FTP is actually in use.
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995,2002,2003,2004,2005,8080"
# Allow outgoing TCP ports
TCP_OUT = "20,21,22,25,53,80,110,113,443,2002,2003,2004,2005,8080"
# Allow incoming UDP ports
# NOTE(review): UDP 20/21 carry no common service (FTP is TCP only); these
# entries appear to be carried over from the stock default and can likely be
# dropped. 53 is only needed if this host answers DNS for outside clients.
UDP_IN = "20,21,53"
# Allow outgoing UDP ports
# To allow outgoing traceroute add 33434:33523 to this list
UDP_OUT = "20,21,53,113,123"
# Allow incoming PING
ICMP_IN = "1"
# Set the per IP address incoming ICMP packet rate (hits per second allowed),
# e.g. "1/s"
# To disable rate limiting set to "0"
ICMP_IN_RATE = "1/s"
# Allow outgoing PING
ICMP_OUT = "1"
# Set the per IP address outgoing ICMP packet rate (hits per second allowed),
# e.g. "1/s"
# To disable rate limiting set to "0"
ICMP_OUT_RATE = "0"
###############################################################################
# SECTION:IPv6 Port Settings
###############################################################################
# IPv6: (Requires ip6tables)
#
# Pre v2.6.20 kernels do not perform stateful IPv6 connection tracking, so a
# static firewall is configured as a fallback instead if IPV6_SPI is set to 0
# below
#
# Supported:
# Temporary ACCEPT/DENY, GLOBAL_DENY, GLOBAL_ALLOW, SMTP_BLOCK, LF_PERMBLOCK,
# PACKET_FILTER, WATCH_MODE, Advanced Allow/Deny Filters, RELAY_*, CLUSTER_*
#
# Not supported:
# DYNDNS, CC_DENY, CC_ALLOW, CC_ALLOW_FILTER, SYNFLOOD, PORTFLOOD,
# ICMP_IN, ICMP_OUT, LF_NETBLOCK, MESSENGER, CC_IGNORE, CONNLIMIT,
# CC_ALLOW_PORTS, CC_DENY_PORTS
#
# Partially supported:
# CC_LOOKUPS - reverse DNS only and requires the perl module Socket6 from cpan
#
# MESSENGER service - not supported: no REDIRECT support in ip6tables as yet
#
# NOTE(review): SYNFLOOD, PORTFLOOD and CONNLIMIT are listed above as not
# supported on IPv6, so any flood/connection-limit protection configured for
# IPv4 does not carry over to the v6 listeners below.
# NOTE(review): presumably, with this set to "0" csf leaves ip6tables
# unmanaged and any service bound to a global IPv6 address is unfiltered --
# keep it enabled on dual-stack hosts (confirm against the csf docs).
IPV6 = "1"
# IPv6 uses icmpv6 packets very heavily. By default, csf will allow all icmpv6
# traffic in the INPUT and OUTPUT chains. However, this could increase the risk
# of icmpv6 attacks. To restrict incoming icmpv6, set to "1" but may break some
# connection types
# NOTE(review): "0" here means all inbound icmpv6 is accepted without the
# per-IP rate limit that ICMP_IN_RATE applies to IPv4 (ICMP_IN is listed as not
# supported on IPv6 above).
IPV6_ICMP_STRICT = "0"
# Pre v2.6.20 kernel must set this option to "0" as no working state module is
# present, so a static firewall is configured as a fallback
#
# A workaround has been added for CentOS/RedHat v5 and custom kernels that do
# not support IPv6 connection tracking by opening ephemeral port range
# 32768:61000. This is only applied if IPV6_SPI is not enabled. This is the
# same workaround implemented by RedHat in the sample default IPv6 rules
#
# Because connection tracking does not work on such kernels, applications that
# rely on it (e.g. apache, passive ftp, etc) will not function unless you open
# all outgoing ports. To do this set the following:
#
# TCP6_OUT = "0:65535"
# UDP6_OUT = "0:65535"
#
# If you allow incoming ipv6 DNS lookups you will need to use the following
# directive in the options{} section of your named.conf:
#
# query-source-v6 port 53;
#
# This will force ipv6 incoming DNS traffic only through port 53
#
# These changes are not necessary if the SPI firewall is used
IPV6_SPI = "1"
# Allow incoming IPv6 TCP ports
# NOTE(review): unlike TCP_IN in the IPv4 section, this list omits 2002-2005
# and 8080. If those services also bind IPv6 they are unreachable over v6; if
# they are not meant to be public, the IPv4 list is the wider exposure. Either
# way the two lists should be brought into line deliberately. The same
# comparison applies to TCP6_OUT vs TCP_OUT.
TCP6_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995"
# Allow outgoing IPv6 TCP ports
TCP6_OUT = "20,21,22,25,53,80,110,113,443"
# Allow incoming IPv6 UDP ports
# NOTE(review): as with UDP_IN, UDP 20/21 serve no common service (FTP is TCP
# only) and can likely be dropped.
UDP6_IN = "20,21,53"
# Allow outgoing IPv6 UDP ports
# To allow outgoing traceroute add 33434:33523 to this list
UDP6_OUT = "20,21,53,113,123"