How to grant Port (TCP, UDP) based access in CSF on Debian 12

Introduction

A port is a process-specific or application-specific software construct that serves as a communication endpoint. It is used by the transport-layer protocols of the Internet protocol suite, such as TCP and UDP. The term port is also used for hardware, where it means the physical connector through which a system is attached to other hardware or media. In CSF, the TCP_IN/TCP_OUT and UDP_IN/UDP_OUT lists in /etc/csf/csf.conf decide which incoming and outgoing ports the firewall allows, and this guide shows how to add a port to each.

Procedure Steps

Step 1: Check the OS version by using the below command.

root@linuxhelp:~# cat /etc/os-release
PRETTY_NAME="Debian GNU/Linux 12 (bookworm)"
NAME="Debian GNU/Linux"
VERSION_ID="12"
VERSION="12 (bookworm)"
VERSION_CODENAME=bookworm
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"

Step 2: Try to make an SSH connection to the remote host on port 411 by using the below command. The connection is refused because port 411 is not yet allowed as an outgoing port in CSF.

root@linuxhelp:~# ssh linuxhelp@192.168.6.131 -p411
ssh: connect to host 192.168.6.131 port 411: Connection refused

Step 3: Go to another tab and change to the CSF configuration directory by using the below command.

root@linuxhelp:~# cd /etc/csf/

Step 4: Open the csf.conf file and add port 411 to the TCP_OUT list (allowed outgoing TCP ports) by using the below command.

root@linuxhelp:/etc/csf# vim csf.conf
TCP_OUT = "411,20,21,22,25,53,853,80,110,113,443,587,993,995"

Step 5: Restart csf and lfd to apply the changes by using the following command.

root@linuxhelp:/etc/csf# csf -ra
Flushing chain `INPUT'
Flushing chain `FORWARD'
Flushing chain `OUTPUT'
Flushing chain `ALLOWIN'
Flushing chain `ALLOWOUT'
Flushing chain `DENYIN'
Flushing chain `DENYOUT'
Flushing chain `INVALID'
ACCEPT  all opt -- in lo out *  0.0.0.0/0  -> 0.0.0.0/0  
ACCEPT  all opt -- in * out lo  0.0.0.0/0  -> 0.0.0.0/0  
LOGDROPOUT  all opt -- in * out !lo  0.0.0.0/0  -> 0.0.0.0/0  
LOGDROPIN  all opt -- in !lo out *  0.0.0.0/0  -> 0.0.0.0/0  
ACCEPT  all opt -- in lo out *  ::/0  -> ::/0  
ACCEPT  all opt -- in * out lo  ::/0  -> ::/0  
LOGDROPOUT  all opt -- in * out !lo  ::/0  -> ::/0  
LOGDROPIN  all opt -- in !lo out *  ::/0  -> ::/0  
csf: FASTSTART loading DNS (IPv4)
csf: FASTSTART loading DNS (IPv6)
LOCALOUTPUT  all opt -- in * out !lo  0.0.0.0/0  -> 0.0.0.0/0  
LOCALINPUT  all opt -- in !lo out *  0.0.0.0/0  -> 0.0.0.0/0  
LOCALOUTPUT  all opt -- in * out !lo  ::/0  -> ::/0  
LOCALINPUT  all opt -- in !lo out *  ::/0  -> ::/0  
● lfd.service - ConfigServer Firewall & Security - lfd
     Loaded: loaded (/lib/systemd/system/lfd.service; enabled; preset: enabled)
     Active: active (running) since Thu 2024-03-07 19:20:39 IST; 14ms ago
    Process: 4935 ExecStart=/usr/sbin/lfd (code=exited, status=0/SUCCESS)
   Main PID: 4949 (lfd - starting)
      Tasks: 1 (limit: 3408)
     Memory: 25.3M
        CPU: 350ms
     CGroup: /system.slice/lfd.service
             └─4949 "lfd - starting"

Mar 07 19:20:38 linuxhelp systemd[1]: Starting lfd.service - ConfigServer Firewall & Security - lfd...
Mar 07 19:20:39 linuxhelp systemd[1]: Started lfd.service - ConfigServer Firewall & Security - lfd.
*WARNING* Binary location for [SENDMAIL] [/usr/sbin/sendmail] in /etc/csf/csf.conf is either incorrect, is not installed or is not executable
*WARNING* Missing or incorrect binary locations will break csf and lfd functionality

*WARNING* RESTRICT_SYSLOG is disabled. See SECURITY WARNING in /etc/csf/csf.conf.

Step 6: Go to the other tab and make the SSH connection again by using the below command; it now succeeds.

root@linuxhelp:~# ssh linuxhelp@192.168.6.131 -p411
linuxhelp@192.168.6.131's password: 
Linux linuxhelp 6.1.0-17-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.69-1 (2023-12-30) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sat Dec 16 23:24:30 2023 from 192.168.6.102

Step 7: Now make an SSH connection in the opposite direction, from the current machine to the CSF server on port 311, by using the below command. The connection does not go through until port 311 is allowed as an incoming port on the server.

linuxhelp@linuxhelp:~$ ssh linuxhelp@192.168.6.121 -p311

Step 8: Go to the other tab and open the csf.conf file on the CSF server to add port 311 to the TCP_IN list (allowed incoming TCP ports) by using the below command.

root@linuxhelp:/etc/csf# vim csf.conf
TCP_IN = "311,20,21,22,25,53,853,80,110,143,443,465,587,993,995,5060"

Step 9: Restart csf and lfd to apply the changes by using the below command.

root@linuxhelp:/etc/csf# csf -ra
Flushing chain `INPUT'
Flushing chain `FORWARD'
Flushing chain `OUTPUT'
Flushing chain `ALLOWIN'
Flushing chain `ALLOWOUT'
Flushing chain `DENYIN'
ACCEPT  all opt -- in lo out *  0.0.0.0/0  -> 0.0.0.0/0  
ACCEPT  all opt -- in * out lo  0.0.0.0/0  -> 0.0.0.0/0  
LOGDROPOUT  all opt -- in * out !lo  0.0.0.0/0  -> 0.0.0.0/0  
LOGDROPIN  all opt -- in !lo out *  0.0.0.0/0  -> 0.0.0.0/0  
ACCEPT  all opt -- in lo out *  ::/0  -> ::/0  
ACCEPT  all opt -- in * out lo  ::/0  -> ::/0  
LOGDROPOUT  all opt -- in * out !lo  ::/0  -> ::/0  
LOGDROPIN  all opt -- in !lo out *  ::/0  -> ::/0  
csf: FASTSTART loading DNS (IPv4)
csf: FASTSTART loading DNS (IPv6)
LOCALOUTPUT  all opt -- in * out !lo  0.0.0.0/0  -> 0.0.0.0/0  
LOCALINPUT  all opt -- in !lo out *  0.0.0.0/0  -> 0.0.0.0/0  
LOCALOUTPUT  all opt -- in * out !lo  ::/0  -> ::/0  
LOCALINPUT  all opt -- in !lo out *  ::/0  -> ::/0  
● lfd.service - ConfigServer Firewall & Security - lfd
     Loaded: loaded (/lib/systemd/system/lfd.service; enabled; preset: enabled)
     Active: active (running) since Thu 2024-03-07 19:22:09 IST; 12ms ago
    Process: 5202 ExecStart=/usr/sbin/lfd (code=exited, status=0/SUCCESS)
   Main PID: 5215 (lfd - starting)
      Tasks: 1 (limit: 3408)
     Memory: 25.1M
        CPU: 304ms
     CGroup: /system.slice/lfd.service
             └─5215 "lfd - starting"

Mar 07 19:22:09 linuxhelp systemd[1]: Starting lfd.service - ConfigServer Firewall & Security - lfd...
Mar 07 19:22:09 linuxhelp systemd[1]: Started lfd.service - ConfigServer Firewall & Security - lfd.
*WARNING* Binary location for [SENDMAIL] [/usr/sbin/sendmail] in /etc/csf/csf.conf is either incorrect, is not installed or is not executable
*WARNING* Missing or incorrect binary locations will break csf and lfd functionality

*WARNING* RESTRICT_SYSLOG is disabled. See SECURITY WARNING in /etc/csf/csf.conf.

Step 10: Go to the other tab and make the SSH connection again by using the below command; it now succeeds.

linuxhelp@linuxhelp:~$ ssh linuxhelp@192.168.6.121 -p311
The authenticity of host '[192.168.6.121]:311 ([192.168.6.121]:311)' can't be established.
ED25519 key fingerprint is SHA256:gQq2yIGImDIMNAxtrHhNb1xu9oysI8BrceBGiKKS36g.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[192.168.6.121]:311' (ED25519) to the list of known hosts.
linuxhelp@192.168.6.121's password: 
Linux linuxhelp 6.1.0-17-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.69-1 (2023-12-30) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Thu Mar  7 12:21:27 2024 from 192.168.6.131
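As an added example that is not part of the original tutorial, the POSIX shell functions below make the csf.conf edit from Steps 4 and 8 repeatable: they validate the port number, refuse list names other than TCP_IN, TCP_OUT, UDP_IN and UDP_OUT, and skip a port that is already present so the list never collects duplicate entries. They assume the KEY = "comma,separated,ports" layout shown above and GNU sed -i (as on Debian); make_sample_conf writes a constructed csf.conf fragment so the functions can be tried without touching /etc/csf/csf.conf.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: idempotently add a port to
# one of CSF's port lists (TCP_IN, TCP_OUT, UDP_IN, UDP_OUT) in csf.conf.
# Assumes the KEY = "comma,separated,ports" layout shown in Steps 4 and 8.

# csf_list FILE KEY  -> print the comma-separated list currently set for KEY
csf_list() {
    sed -n "s/^$2 = \"\([^\"]*\)\".*/\1/p" "$1"
}

# csf_has_port FILE KEY PORT  -> exit 0 if PORT already appears in KEY's list
csf_has_port() {
    case ",$(csf_list "$1" "$2")," in
        *",$3,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# csf_add_port FILE KEY PORT  -> add PORT to KEY's list unless already present
csf_add_port() {
    file=$1 key=$2 port=$3
    case "$key" in
        TCP_IN|TCP_OUT|UDP_IN|UDP_OUT) ;;
        *) echo "unknown list: $key" >&2; return 2 ;;
    esac
    case "$port" in
        ''|*[!0-9]*) echo "not a port number: $port" >&2; return 2 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "port out of range: $port" >&2; return 2
    fi
    grep -q "^$key = \"" "$file" || { echo "$key not found in $file" >&2; return 2; }
    csf_has_port "$file" "$key" "$port" && return 0   # already allowed: nothing to do
    if [ -z "$(csf_list "$file" "$key")" ]; then
        sed -i "s/^$key = \"\"/$key = \"$port\"/" "$file"   # list was empty
    else
        sed -i "s/^\($key = \"\)/\1$port,/" "$file"          # prepend to list
    fi
}

# make_sample_conf FILE  -> write a constructed csf.conf fragment for testing
make_sample_conf() {
    cat > "$1" <<'EOF'
# Allow incoming TCP ports
TCP_IN = "20,21,22,25,53,80,443"
TCP_OUT = "20,21,22,25,53,80,443"
UDP_IN = ""
EOF
}
```

On a real server, point csf_add_port at /etc/csf/csf.conf and then run csf -ra as in Step 5; note that csf_has_port compares single port numbers only, so a port covered by an a:b range entry is not recognised as already present.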

Conclusion:

We have reached the end of this article. In this guide, we have walked through the steps required to grant CSF port (TCP, UDP) based access on Debian 12. Your feedback is welcome.

FAQ
Q
What are the best practices for granting the CSF port access?
A
Grant only the necessary ports: Avoid opening unnecessary ports to minimize the attack surface.
Use specific IP addresses (optional): If possible, restrict access to specific IP addresses or ranges for enhanced security.
Document your changes: Keep a record of the ports you've opened and why, to aid in future troubleshooting.
Consider using CSF's temporary access features: For temporary access needs, CSF can add time-limited rules with csf -ta (temporary allow) and csf -td (temporary deny), which expire automatically instead of becoming permanent entries in csf.conf.
Q
How to restart the CSF after making changes?
A
After modifying the CSF configuration file, it is crucial to restart CSF for the changes to take effect. The command to do this typically varies depending on your Linux distribution, but it is often:
csf -r
csf -r restarts the firewall rules; csf -ra, used in the steps above, restarts both the firewall rules and the lfd daemon.
Q
How to grant the CSF port access (TCP or UDP)?
A
CSF uses two primary methods to grant port access:
TCP_IN and TCP_OUT rules for TCP traffic (incoming and outgoing, respectively).
UDP_IN and UDP_OUT rules for UDP traffic (incoming and outgoing, respectively).
You'll need to edit the CSF configuration file (/etc/csf/csf.conf) and add the port number to the comma-separated list for the matching direction and protocol, in the format:
TCP_IN = "port,port,port"
For example, to allow incoming SSH access (TCP port 22), make sure 22 appears in the TCP_IN list, then restart with csf -ra.
Q
Why do we grant the CSF port access?
A
Granting CSF port access allows specific applications or services to communicate through the firewall. This is necessary for:
Remote access tools like SSH for secure system administration.
Web servers (TCP ports 80, 443) to deliver content to clients.
Game servers (TCP/UDP ports as needed by the game) to facilitate online play.
Any other service that requires network connectivity.
Q
What is CSF (ConfigServer Firewall)?
A
CSF is a firewall application designed for Linux systems that offers robust security features and granular control over network traffic.