How to Grant Port-Based Access in CSF (TCP, UDP) on Rocky Linux 9.2

Introduction

• ConfigServer Security & Firewall (CSF) is a powerful tool for managing the security of Linux servers.

• Granting port-based access in CSF involves configuring rules to control traffic on specific TCP and UDP ports.

• The process consists of editing the CSF configuration files, specifying the desired ports, and reloading the rules so that the server exposes only the services it should.

Procedure

Step 1: Check the OS version by using the below command

[root@Linuxhelp ~]# cat /etc/os-release
NAME="Rocky Linux"
VERSION="9.2 (Blue Onyx)"
ID="rocky"
ID_LIKE="rhel centos fedora"
VERSION_ID="9.2"
PLATFORM_ID="platform:el9"
PRETTY_NAME="Rocky Linux 9.2 (Blue Onyx)"
ANSI_COLOR="0;32"
LOGO="fedora-logo-icon"
CPE_NAME="cpe:/o:rocky:rocky:9::baseos"
HOME_URL="https://rockylinux.org/"
BUG_REPORT_URL="https://bugs.rockylinux.org/"
SUPPORT_END="2032-05-31"
ROCKY_SUPPORT_PRODUCT="Rocky-Linux-9"
ROCKY_SUPPORT_PRODUCT_VERSION="9.2"
REDHAT_SUPPORT_PRODUCT="Rocky Linux"
REDHAT_SUPPORT_PRODUCT_VERSION="9.2"

Step 2: Check the status of the csf and lfd services by using the below command

[root@Linuxhelp ~]# systemctl status csf lfd
● csf.service - ConfigServer Firewall & Security - csf
     Loaded: loaded (/usr/lib/systemd/system/csf.service; enabled; preset: disabled)
     Active: active (exited) since Thu 2023-11-02 10:20:08 IST; 3 days ago
   Main PID: 10199 (code=exited, status=0/SUCCESS)
        CPU: 1.901s
Nov 02 10:20:08 Linuxhelp csf[10199]: ACCEPT  all opt    in * out lo  ::/0  -> ::/0
Nov 02 10:20:08 Linuxhelp csf[10199]: LOGDROPOUT  all opt    in * out !lo  ::/0  -> ::/0
Nov 02 10:20:08 Linuxhelp csf[10199]: LOGDROPIN  all opt    in !lo out *  ::/0  -> ::/0
Nov 02 10:20:08 Linuxhelp csf[10199]: csf: FASTSTART loading DNS (IPv4)
Nov 02 10:20:08 Linuxhelp csf[10199]: csf: FASTSTART loading DNS (IPv6)
Nov 02 10:20:08 Linuxhelp csf[10199]: LOCALOUTPUT  all opt -- in * out !lo  0.0.0.0/0  -> 0.0.0.0/0
Nov 02 10:20:08 Linuxhelp csf[10199]: LOCALINPUT  all opt -- in !lo out *  0.0.0.0/0  -> 0.0.0.0/0
Nov 02 10:20:08 Linuxhelp csf[10199]: LOCALOUTPUT  all opt    in * out !lo  ::/0  -> ::/0
Nov 02 10:20:08 Linuxhelp csf[10199]: LOCALINPUT  all opt    in !lo out *  ::/0  -> ::/0
Nov 02 10:20:08 Linuxhelp systemd[1]: Finished ConfigServer Firewall & Security - csf.

● lfd.service - ConfigServer Firewall & Security - lfd
     Loaded: loaded (/usr/lib/systemd/system/lfd.service; enabled; preset: disabled)
     Active: active (running) since Thu 2023-11-02 10:20:09 IST; 3 days ago
   Main PID: 10371 (lfd - sleeping)
      Tasks: 1 (limit: 22877)
     Memory: 261.9M
        CPU: 1min 5.827s
     CGroup: /system.slice/lfd.service
             └─10371 "lfd - sleeping"

Nov 02 10:20:08 Linuxhelp systemd[1]: Starting ConfigServer Firewall & Security - lfd...
Nov 02 10:20:09 Linuxhelp systemd[1]: Started ConfigServer Firewall & Security - lfd.

Step 3: Add the following line to the csf.allow file to allow the port for a particular source IP only (replace IP_Address with the address that should be permitted)

[root@Linuxhelp ~]# vi /etc/csf/csf.allow
tcp|in|d=3306|s=IP_Address

Step 4: Search for the TCP_IN line in the csf.conf file and append the port to that list by using the below command

[root@Linuxhelp ~]# vi /etc/csf/csf.conf
TCP_IN = "20,21,22,25,53,853,80,110,143,443,465,587,993,995,3306"

Step 5: Apply the changes by reloading the firewall rules with the below command

[root@Linuxhelp ~]# csf -r
Flushing chain `INPUT'
Flushing chain `FORWARD'
Flushing chain `OUTPUT'
Flushing chain `POSTROUTING'
Flushing chain `PREROUTING'
Flushing chain `OUTPUT'
Flushing chain `PREROUTING'
Flushing chain `INPUT'
Flushing chain `FORWARD'
Flushing chain `OUTPUT'
Flushing chain `POSTROUTING'
csf: FASTSTART loading DROP no logging (IPv4)
csf: FASTSTART loading DROP no logging (IPv6)
LOG  tcp opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0   tcp flags:0x17/0x02 limit: avg 30/min burst 5 LOG flags 8 level 4 prefix "Firewall: *TCP_OUT Blocked* "
LOG  udp opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0   limit: avg 30/min burst 5 LOG flags 0 level 4 prefix "Firewall: *UDP_IN Blocked* "
DROP  all opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0  
REJECT  all opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0   reject-with icmp-port-unreachable
DROP  all opt    in * out *  ::/0  -> ::/0  
REJECT  all opt    in * out *  ::/0  -> ::/0   reject-with icmp6-port-unreachable
DENYOUT  all opt -- in * out !lo  0.0.0.0/0  -> 0.0.0.0/0  
DENYIN  all opt    in !lo out *  ::/0  -> ::/0  
ALLOWOUT  all opt    in * out !lo  ::/0  -> ::/0  
ALLOWIN  all opt    in !lo out *  ::/0  -> ::/0  
csf: FASTSTART loading Packet Filter (IPv4)
csf: FASTSTART loading Packet Filter (IPv6)
DROP  all opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0  
INVALID  tcp opt -- in !lo out *  0.0.0.0/0  -> 0.0.0.0/0  
INVALID  tcp opt -- in * out !lo  0.0.0.0/0  -> 0.0.0.0/0  
csf: FASTSTART loading csf.allow (IPv4)
ACCEPT  icmp opt -- in !lo out *  0.0.0.0/0  -> 0.0.0.0/0   icmptype 8 limit: avg 1/sec burst 5
LOGDROPIN  icmp opt -- in !lo out *  0.0.0.0/0  -> 0.0.0.0/0   icmptype 8
csf: FASTSTART loading TCP_OUT (IPv4)
csf: FASTSTART loading TCP6_OUT (IPv6)
csf: FASTSTART loading UDP_OUT (IPv4)
csf: FASTSTART loading UDP6_OUT (IPv6)
ACCEPT  all opt -- in lo out *  0.0.0.0/0  -> 0.0.0.0/0  
ACCEPT  all opt -- in * out lo  0.0.0.0/0  -> 0.0.0.0/0  
LOGDROPOUT  all opt -- in * out !lo  0.0.0.0/0  -> 0.0.0.0/0  
LOGDROPIN  all opt -- in !lo out *  0.0.0.0/0  -> 0.0.0.0/0  
csf: FASTSTART loading DNS (IPv4)
csf: FASTSTART loading DNS (IPv6)
LOCALOUTPUT  all opt -- in * out !lo  0.0.0.0/0  -> 0.0.0.0/0  
LOCALINPUT  all opt -- in !lo out *  0.0.0.0/0  -> 0.0.0.0/0  
LOCALOUTPUT  all opt    in * out !lo  ::/0  -> ::/0  
LOCALINPUT  all opt    in !lo out *  ::/0  -> ::/0  
*WARNING* Binary location for [SENDMAIL] [/usr/sbin/sendmail] in /etc/csf/csf.conf is either incorrect, is not installed or is not executable
*WARNING* Missing or incorrect binary locations will break csf and lfd functionality

*WARNING* RESTRICT_SYSLOG is disabled. See SECURITY WARNING in /etc/csf/csf.conf.

Step 6: Restart the csf and lfd services by using the below command

[root@Linuxhelp ~]# systemctl restart csf lfd
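The following shell script is an added example for this article; it is not part of the original page and not code from the CSF project. It wraps Steps 3 and 4 in small helpers that validate the port and the source address, and only append to TCP_IN or csf.allow when the entry is not already there, so running them twice does not produce duplicate rules. It generalises Step 4 slightly: the same function handles any comma-separated port list in csf.conf (TCP_IN, UDP_IN, TCP_OUT and so on). File paths are parameters; the demo at the bottom runs on constructed copies in a temporary directory, and the sample values (the port list, 192.0.2.10 as the client address) are made up for the demo. The function names are this example's own, not CSF commands.

```shell
#!/bin/sh
# Added example for this article (not part of the original page or of CSF):
# idempotent helpers for Steps 3 and 4. Paths are parameters so the demo works on
# constructed copies; point them at /etc/csf/csf.conf and /etc/csf/csf.allow for
# real use, then reload with `csf -r` as in Step 5 and review with `csf -l`.

# valid_port <n>: true if <n> is an integer in 1..65535
valid_port() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# valid_ipv4 <a.b.c.d>: true if a dotted quad with every octet in 0..255
valid_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# get_port_list <conf> <LIST>: print the quoted value of LIST (e.g. TCP_IN)
get_port_list() {
    sed -n "s/^$2 *= *\"\(.*\)\"\$/\1/p" "$1"
}

# add_port_to_list <conf> <LIST> <port>: append <port> to LIST unless present.
# Works for TCP_IN, UDP_IN, TCP_OUT and the other comma-separated lists.
add_port_to_list() {
    conf=$1; list=$2; port=$3
    valid_port "$port" || { echo "invalid port: $port" >&2; return 1; }
    grep -q "^$list *=" "$conf" || { echo "$list not found in $conf" >&2; return 1; }
    current=$(get_port_list "$conf" "$list")
    case ",$current," in *",$port,"*) return 0 ;; esac   # already listed
    if [ -z "$current" ]; then new=$port; else new="$current,$port"; fi
    tmp="$conf.tmp.$$"
    sed "s/^$list *= *\".*\"\$/$list = \"$new\"/" "$conf" > "$tmp" && mv "$tmp" "$conf"
}

# add_allow_rule <allow_file> <proto> <port> <src_ip>: append a csf.allow rule
# of the form proto|in|d=port|s=ip (Step 3), skipping exact duplicates.
add_allow_rule() {
    allow=$1; proto=$2; port=$3; ip=$4
    case $proto in tcp|udp) ;; *) echo "proto must be tcp or udp" >&2; return 1 ;; esac
    valid_port "$port" || { echo "invalid port: $port" >&2; return 1; }
    valid_ipv4 "$ip" || { echo "invalid IPv4 address: $ip" >&2; return 1; }
    rule="$proto|in|d=$port|s=$ip"
    grep -qxF "$rule" "$allow" 2>/dev/null && return 0   # already present
    printf '%s\n' "$rule" >> "$allow"
}

# Demo on constructed copies (sample values, not a real host's configuration).
demo() {
    d=$(mktemp -d)
    printf 'TCP_IN = "20,21,22,25,53,853,80,110,143,443,465,587,993,995"\n' > "$d/csf.conf"
    printf 'UDP_IN = "20,21,53"\n' >> "$d/csf.conf"
    : > "$d/csf.allow"
    add_port_to_list "$d/csf.conf" TCP_IN 3306
    add_port_to_list "$d/csf.conf" TCP_IN 3306          # second call is a no-op
    add_allow_rule "$d/csf.allow" tcp 3306 192.0.2.10   # 192.0.2.0/24 is documentation space
    cat "$d/csf.conf" "$d/csf.allow"
    rm -rf "$d"
}
demo
```

Opening 3306 in TCP_IN makes the port reachable from every source; the csf.allow line is what limits it to one client, so the two edits belong together and the allow entry should be checked first. Keeping the edits idempotent matters because a duplicated port in TCP_IN is harmless but a drifting, hand-edited list is hard to audit later.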

Conclusion

We have reached the end of this article. In this guide, we have walked you through the steps required to grant port-based access in CSF on Rocky Linux 9.2. Your feedback is welcome.

FAQ
Q
What other features does CSF offer for server security?
A
CSF provides additional security features, including IP whitelisting, blacklisting, connection tracking, and more, to enhance server protection.
Q
How can I verify that the rules are correctly applied?
A
You can use the command csf -s to check the CSF status and review the rules you've configured.
Q
Can I specify a range of ports instead of individual ones?
A
Yes, you can specify port ranges in the CSF configuration file. For example, TCP_IN = "3000:4000" permits traffic on all TCP ports from 3000 to 4000.
Q
Where can I find the CSF configuration file?
A
The CSF configuration file is usually located at /etc/csf/csf.conf.
Q
What is CSF, and why is it used for port-based access?
A
CSF, or ConfigServer Security & Firewall, is a firewall management tool for Linux servers. It's used to control and configure access to specific network ports, enhancing server security.