
How to Grant Port-Based Access in CSF (TCP, UDP) on Rocky Linux 9.2


Introduction

• ConfigServer Security & Firewall (CSF) is a powerful tool for managing the security of Linux servers.

• Granting port-based access in CSF involves configuring rules to control traffic on specific TCP and UDP ports.

• The process consists of editing the CSF configuration files, specifying the desired ports, and applying the rules to enhance server security and network management.

Procedure

Step 1: Check the OS version with the following command

[root@Linuxhelp ~]# cat /etc/os-release
NAME="Rocky Linux"
VERSION="9.2 (Blue Onyx)"
ID="rocky"
ID_LIKE="rhel centos fedora"
VERSION_ID="9.2"
PLATFORM_ID="platform:el9"
PRETTY_NAME="Rocky Linux 9.2 (Blue Onyx)"
ANSI_COLOR="0;32"
LOGO="fedora-logo-icon"
CPE_NAME="cpe:/o:rocky:rocky:9::baseos"
HOME_URL="https://rockylinux.org/"
BUG_REPORT_URL="https://bugs.rockylinux.org/"
SUPPORT_END="2032-05-31"
ROCKY_SUPPORT_PRODUCT="Rocky-Linux-9"
ROCKY_SUPPORT_PRODUCT_VERSION="9.2"
REDHAT_SUPPORT_PRODUCT="Rocky Linux"
REDHAT_SUPPORT_PRODUCT_VERSION="9.2"

Step 2: Check the status of the csf and lfd services with the following command

[root@Linuxhelp ~]# systemctl status csf lfd
● csf.service - ConfigServer Firewall & Security - csf
     Loaded: loaded (/usr/lib/systemd/system/csf.service; enabled; preset: disabled)
     Active: active (exited) since Thu 2023-11-02 10:20:08 IST; 3 days ago
   Main PID: 10199 (code=exited, status=0/SUCCESS)
        CPU: 1.901s
Nov 02 10:20:08 Linuxhelp csf[10199]: ACCEPT  all opt    in * out lo  ::/0  -> ::/0
Nov 02 10:20:08 Linuxhelp csf[10199]: LOGDROPOUT  all opt    in * out !lo  ::/0  -> ::/0
Nov 02 10:20:08 Linuxhelp csf[10199]: LOGDROPIN  all opt    in !lo out *  ::/0  -> ::/0
Nov 02 10:20:08 Linuxhelp csf[10199]: csf: FASTSTART loading DNS (IPv4)
Nov 02 10:20:08 Linuxhelp csf[10199]: csf: FASTSTART loading DNS (IPv6)
Nov 02 10:20:08 Linuxhelp csf[10199]: LOCALOUTPUT  all opt -- in * out !lo  0.0.0.0/0  -> 0.0.0.0/0
Nov 02 10:20:08 Linuxhelp csf[10199]: LOCALINPUT  all opt -- in !lo out *  0.0.0.0/0  -> 0.0.0.0/0
Nov 02 10:20:08 Linuxhelp csf[10199]: LOCALOUTPUT  all opt    in * out !lo  ::/0  -> ::/0
Nov 02 10:20:08 Linuxhelp csf[10199]: LOCALINPUT  all opt    in !lo out *  ::/0  -> ::/0
Nov 02 10:20:08 Linuxhelp systemd[1]: Finished ConfigServer Firewall & Security - csf.

● lfd.service - ConfigServer Firewall & Security - lfd
     Loaded: loaded (/usr/lib/systemd/system/lfd.service; enabled; preset: disabled)
     Active: active (running) since Thu 2023-11-02 10:20:09 IST; 3 days ago
   Main PID: 10371 (lfd - sleeping)
      Tasks: 1 (limit: 22877)
     Memory: 261.9M
        CPU: 1min 5.827s
     CGroup: /system.slice/lfd.service
             └─10371 "lfd - sleeping"

Nov 02 10:20:08 Linuxhelp systemd[1]: Starting ConfigServer Firewall & Security - lfd...
Nov 02 10:20:09 Linuxhelp systemd[1]: Started ConfigServer Firewall & Security - lfd.

Step 3: Add the following line to the csf.allow file to allow a port for a particular IP address (here, inbound TCP traffic to destination port 3306 from the source IP_Address)

[root@Linuxhelp ~]# vi /etc/csf/csf.allow
tcp|in|d=3306|s=IP_Address

Step 4: Open the csf.conf file, search for TCP_IN (type /TCP_IN in vi), and add the port to that line

[root@Linuxhelp ~]# vi /etc/csf/csf.conf
TCP_IN = "20,21,22,25,53,853,80,110,143,443,465,587,993,995,3306"

Step 5: Apply the changes by restarting the firewall rules with the following command

[root@Linuxhelp ~]# csf -r
Flushing chain `INPUT'
Flushing chain `FORWARD'
Flushing chain `OUTPUT'
Flushing chain `POSTROUTING'
Flushing chain `PREROUTING'
Flushing chain `OUTPUT'
Flushing chain `PREROUTING'
Flushing chain `INPUT'
Flushing chain `FORWARD'
Flushing chain `OUTPUT'
Flushing chain `POSTROUTING'
csf: FASTSTART loading DROP no logging (IPv4)
csf: FASTSTART loading DROP no logging (IPv6)
LOG  tcp opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0   tcp flags:0x17/0x02 limit: avg 30/min burst 5 LOG flags 8 level 4 prefix "Firewall: *TCP_OUT Blocked* "
LOG  udp opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0   limit: avg 30/min burst 5 LOG flags 0 level 4 prefix "Firewall: *UDP_IN Blocked* "
DROP  all opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0  
REJECT  all opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0   reject-with icmp-port-unreachable
DROP  all opt    in * out *  ::/0  -> ::/0  
REJECT  all opt    in * out *  ::/0  -> ::/0   reject-with icmp6-port-unreachable
DENYOUT  all opt -- in * out !lo  0.0.0.0/0  -> 0.0.0.0/0  
DENYIN  all opt    in !lo out *  ::/0  -> ::/0  
ALLOWOUT  all opt    in * out !lo  ::/0  -> ::/0  
ALLOWIN  all opt    in !lo out *  ::/0  -> ::/0  
csf: FASTSTART loading Packet Filter (IPv4)
csf: FASTSTART loading Packet Filter (IPv6)
DROP  all opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0  
INVALID  tcp opt -- in !lo out *  0.0.0.0/0  -> 0.0.0.0/0  
INVALID  tcp opt -- in * out !lo  0.0.0.0/0  -> 0.0.0.0/0  
csf: FASTSTART loading csf.allow (IPv4)
ACCEPT  icmp opt -- in !lo out *  0.0.0.0/0  -> 0.0.0.0/0   icmptype 8 limit: avg 1/sec burst 5
LOGDROPIN  icmp opt -- in !lo out *  0.0.0.0/0  -> 0.0.0.0/0   icmptype 8
csf: FASTSTART loading TCP_OUT (IPv4)
csf: FASTSTART loading TCP6_OUT (IPv6)
csf: FASTSTART loading UDP_OUT (IPv4)
csf: FASTSTART loading UDP6_OUT (IPv6)
ACCEPT  all opt -- in lo out *  0.0.0.0/0  -> 0.0.0.0/0  
ACCEPT  all opt -- in * out lo  0.0.0.0/0  -> 0.0.0.0/0  
LOGDROPOUT  all opt -- in * out !lo  0.0.0.0/0  -> 0.0.0.0/0  
LOGDROPIN  all opt -- in !lo out *  0.0.0.0/0  -> 0.0.0.0/0  
csf: FASTSTART loading DNS (IPv4)
csf: FASTSTART loading DNS (IPv6)
LOCALOUTPUT  all opt -- in * out !lo  0.0.0.0/0  -> 0.0.0.0/0  
LOCALINPUT  all opt -- in !lo out *  0.0.0.0/0  -> 0.0.0.0/0  
LOCALOUTPUT  all opt    in * out !lo  ::/0  -> ::/0  
LOCALINPUT  all opt    in !lo out *  ::/0  -> ::/0  
*WARNING* Binary location for [SENDMAIL] [/usr/sbin/sendmail] in /etc/csf/csf.conf is either incorrect, is not installed or is not executable
*WARNING* Missing or incorrect binary locations will break csf and lfd functionality

*WARNING* RESTRICT_SYSLOG is disabled. See SECURITY WARNING in /etc/csf/csf.conf.

Step 6: Restart the csf and lfd services with the following command

[root@Linuxhelp ~]# systemctl restart csf lfd
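
Steps 3 and 4 combine a source-restricted rule in csf.allow with an entry in TCP_IN, and a port listed in TCP_IN is accepted from any source address. The following added example (not part of the original tutorial) reads both files and reports csf.allow port filters whose port is also open globally; the sample file contents, the 203.0.113.x and 192.0.2.x addresses, and the function names are constructed for illustration.

```shell
# Added example (not from the tutorial): flag csf.allow port filters whose port
# csf.conf already opens to every source address via TCP_IN / UDP_IN.

# Print the entries of TCP_IN or UDP_IN from a csf.conf, one per line.
open_ports() {  # usage: open_ports <csf.conf> <TCP_IN|UDP_IN>
  sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" |
    tr ',' '\n' | sed '/^$/d'
}

# Succeed if port $1 is covered by entry $2 (a single port or a lo:hi range).
port_in_entry() {
  case "$2" in
    *:*) [ "$1" -ge "${2%%:*}" ] && [ "$1" -le "${2##*:}" ] ;;
    *)   [ "$1" -eq "$2" ] ;;
  esac 2>/dev/null
}

# Print "proto port source" for each inbound proto|in|d=PORT|s=SOURCE line in
# csf.allow whose port is also globally open (single numeric ports only).
audit_csf() {  # usage: audit_csf <csf.conf> <csf.allow>
  local proto dir dport src rest port key entry
  grep -Ev '^[[:space:]]*(#|$)' "$2" | while IFS='|' read -r proto dir dport src rest; do
    [ "$dir" = "in" ] || continue
    case "$dport" in d=*) port=${dport#d=} ;; *) continue ;; esac
    case "$port" in ''|*[!0-9]*) continue ;; esac
    case "$src" in s=*) src=${src#s=}; src=${src%% *} ;; *) continue ;; esac
    key=$(printf '%s_IN' "$proto" | tr '[:lower:]' '[:upper:]')
    for entry in $(open_ports "$1" "$key"); do
      if port_in_entry "$port" "$entry"; then echo "$proto $port $src"; break; fi
    done
  done
}

# Constructed sample files; 203.0.113.10 stands in for the tutorial's IP_Address.
write_sample() {  # usage: write_sample <dir>
  cat > "$1/csf.conf" <<'EOF'
TCP_IN = "20,21,22,25,53,853,80,110,143,443,465,587,993,995,3306"
UDP_IN = "20,21,53,853,80,443"
EOF
  cat > "$1/csf.allow" <<'EOF'
tcp|in|d=3306|s=203.0.113.10
tcp|in|d=5432|s=203.0.113.10
udp|in|d=161|s=203.0.113.20
192.0.2.5
EOF
}

tmp=$(mktemp -d); write_sample "$tmp"
audit_csf "$tmp/csf.conf" "$tmp/csf.allow"   # prints: tcp 3306 203.0.113.10
rm -rf "$tmp"
```

On a server, run audit_csf /etc/csf/csf.conf /etc/csf/csf.allow; any line it prints is a port that the csf.allow rule does not actually restrict to the listed source.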

Conclusion

We have reached the end of this article. In this guide, we have walked you through the steps required to grant port-based access in CSF on Rocky Linux 9.2. Your feedback is most welcome.

Tags:
michael
Author: 


Frequently asked questions

Q: What is CSF, and why is it used for port-based access?
A: CSF, or ConfigServer Security & Firewall, is a firewall management tool for Linux servers. It's used to control and configure access to specific network ports, enhancing server security.

Q: Where can I find the CSF configuration file?
A: The CSF configuration file is usually located at /etc/csf/csf.conf.

Q: Can I specify a range of ports instead of individual ones?
A: Yes, you can specify port ranges in the CSF configuration file. For example, TCP_IN = "3000:4000" permits traffic on all TCP ports from 3000 to 4000.

Q: How can I verify that the rules are correctly applied?
A: You can use the command csf -s to check the CSF status and review the rules you've configured.

Q: What other features does CSF offer for server security?
A: CSF provides additional security features, including IP whitelisting, blacklisting, connection tracking, and more, to enhance server protection.
