How to Grant Port-Based Access in CSF (TCP, UDP) on Rocky Linux 9.2
To Grant Port Based Access In CSF (TCP,UDP) On Rocky Linux 9.2
Introduction
• ConfigServer Security & Firewall (CSF) is a powerful tool for managing the security of Linux servers.
• Granting port-based access in CSF involves configuring rules to control traffic on specific TCP and UDP ports.
• This introductory process includes editing the CSF configuration file, specifying the desired ports, and applying the rules to enhance server security and network management.
Procedure
Step 1: Check the OS version by using the below command
[root@Linuxhelp ~]# cat /etc/os-release
NAME="Rocky Linux"
VERSION="9.2 (Blue Onyx)"
ID="rocky"
ID_LIKE="rhel centos fedora"
VERSION_ID="9.2"
PLATFORM_ID="platform:el9"
PRETTY_NAME="Rocky Linux 9.2 (Blue Onyx)"
ANSI_COLOR="0;32"
LOGO="fedora-logo-icon"
CPE_NAME="cpe:/o:rocky:rocky:9::baseos"
HOME_URL="https://rockylinux.org/"
BUG_REPORT_URL="https://bugs.rockylinux.org/"
SUPPORT_END="2032-05-31"
ROCKY_SUPPORT_PRODUCT="Rocky-Linux-9"
ROCKY_SUPPORT_PRODUCT_VERSION="9.2"
REDHAT_SUPPORT_PRODUCT="Rocky Linux"
REDHAT_SUPPORT_PRODUCT_VERSION="9.2"
Step 2: Check the status of the CSF and IFD by using the below command
[root@Linuxhelp ~]# systemctl status csf lfd
● csf.service - ConfigServer Firewall & Security - csf
Loaded: loaded (/usr/lib/systemd/system/csf.service; enabled; preset: disabled)
Active: active (exited) since Thu 2023-11-02 10:20:08 IST; 3 days ago
Main PID: 10199 (code=exited, status=0/SUCCESS)
CPU: 1.901s
Nov 02 10:20:08 Linuxhelp csf[10199]: ACCEPT all opt in * out lo ::/0 -> ::/0
Nov 02 10:20:08 Linuxhelp csf[10199]: LOGDROPOUT all opt in * out !lo ::/0 -> ::/0
Nov 02 10:20:08 Linuxhelp csf[10199]: LOGDROPIN all opt in !lo out * ::/0 -> ::/0
Nov 02 10:20:08 Linuxhelp csf[10199]: csf: FASTSTART loading DNS (IPv4)
Nov 02 10:20:08 Linuxhelp csf[10199]: csf: FASTSTART loading DNS (IPv6)
Nov 02 10:20:08 Linuxhelp csf[10199]: LOCALOUTPUT all opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0
Nov 02 10:20:08 Linuxhelp csf[10199]: LOCALINPUT all opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0
Nov 02 10:20:08 Linuxhelp csf[10199]: LOCALOUTPUT all opt in * out !lo ::/0 -> ::/0
Nov 02 10:20:08 Linuxhelp csf[10199]: LOCALINPUT all opt in !lo out * ::/0 -> ::/0
Nov 02 10:20:08 Linuxhelp systemd[1]: Finished ConfigServer Firewall & Security - csf.
● lfd.service - ConfigServer Firewall & Security - lfd
Loaded: loaded (/usr/lib/systemd/system/lfd.service; enabled; preset: disabled)
Active: active (running) since Thu 2023-11-02 10:20:09 IST; 3 days ago
Main PID: 10371 (lfd - sleeping)
Tasks: 1 (limit: 22877)
Memory: 261.9M
CPU: 1min 5.827s
CGroup: /system.slice/lfd.service
└─10371 "lfd - sleeping"
Nov 02 10:20:08 Linuxhelp systemd[1]: Starting ConfigServer Firewall & Security - lfd...
Nov 02 10:20:09 Linuxhelp systemd[1]: Started ConfigServer Firewall & Security - lfd.
Step 3: Add the following line in the csf.allow file to allow port for the particular IP
[root@Linuxhelp ~]# vi /etc/csf/csf.allow
tcp|in|d=3306|s=IP_Address
Step 4: Search the /TCP_IN in csf.conf file and add the port in that line by using the below command
[root@Linuxhelp ~]# vi /etc/csf/csf.conf
TCP_IN = "20,21,22,25,53,853,80,110,143,443,465,587,993,995,3306"
Step 5: Apply changes to restart the firewall rules by using the below command
[root@Linuxhelp ~]# csf -r
Flushing chain `INPUT'
Flushing chain `FORWARD'
Flushing chain `OUTPUT'
Flushing chain `POSTROUTING'
Flushing chain `PREROUTING'
Flushing chain `OUTPUT'
Flushing chain `PREROUTING'
Flushing chain `INPUT'
Flushing chain `FORWARD'
Flushing chain `OUTPUT'
Flushing chain `POSTROUTING'
csf: FASTSTART loading DROP no logging (IPv4)
csf: FASTSTART loading DROP no logging (IPv6)
LOG tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp flags:0x17/0x02 limit: avg 30/min burst 5 LOG flags 8 level 4 prefix "Firewall: *TCP_OUT Blocked* "
LOG udp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 limit: avg 30/min burst 5 LOG flags 0 level 4 prefix "Firewall: *UDP_IN Blocked* "
DROP all opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0
REJECT all opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 reject-with icmp-port-unreachable
DROP all opt in * out * ::/0 -> ::/0
REJECT all opt in * out * ::/0 -> ::/0 reject-with icmp6-port-unreachable
DENYOUT all opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0
DENYIN all opt in !lo out * ::/0 -> ::/0
ALLOWOUT all opt in * out !lo ::/0 -> ::/0
ALLOWIN all opt in !lo out * ::/0 -> ::/0
csf: FASTSTART loading Packet Filter (IPv4)
csf: FASTSTART loading Packet Filter (IPv6)
DROP all opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0
INVALID tcp opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0
INVALID tcp opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0
csf: FASTSTART loading csf.allow (IPv4)
ACCEPT icmp opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0 icmptype 8 limit: avg 1/sec burst 5
LOGDROPIN icmp opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0 icmptype 8
csf: FASTSTART loading TCP_OUT (IPv4)
csf: FASTSTART loading TCP6_OUT (IPv6)
csf: FASTSTART loading UDP_OUT (IPv4)
csf: FASTSTART loading UDP6_OUT (IPv6)
ACCEPT all opt -- in lo out * 0.0.0.0/0 -> 0.0.0.0/0
ACCEPT all opt -- in * out lo 0.0.0.0/0 -> 0.0.0.0/0
LOGDROPOUT all opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0
LOGDROPIN all opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0
csf: FASTSTART loading DNS (IPv4)
csf: FASTSTART loading DNS (IPv6)
LOCALOUTPUT all opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0
LOCALINPUT all opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0
LOCALOUTPUT all opt in * out !lo ::/0 -> ::/0
LOCALINPUT all opt in !lo out * ::/0 -> ::/0
*WARNING* Binary location for [SENDMAIL] [/usr/sbin/sendmail] in /etc/csf/csf.conf is either incorrect, is not installed or is not executable
*WARNING* Missing or incorrect binary locations will break csf and lfd functionality
*WARNING* RESTRICT_SYSLOG is disabled. See SECURITY WARNING in /etc/csf/csf.conf.
Step 6: Restart the CSF and IFD services by using the below command
[root@Linuxhelp ~]# systemctl restart csf lfd
Conclusion
We have reached the end of this article. In this guide, we have walked you through the steps required to grant port based access in CSF on Rocky Linux 9.2. Your feedback is much welcome.
Comments ( 0 )
No comments available