Port Settings

-------

IPv4 Port Settings

SPI - LF_SPI

Some kernel/iptables setups do not perform stateful connection tracking correctly (typically some virtual servers or custom compiled kernels), so a SPI firewall will not function correctly. If this happens, LF_SPI can be set to 0 to reconfigure csf as a static firewall. As connection tracking will not be configured, applications that rely on it will not function unless all outgoing ports are opened. Therefore, all outgoing connections will be allowed once all other tests have completed, so TCP_OUT, UDP_OUT and ICMP_OUT will not have any effect.

Default: 1 Range: 0-1

TCP in - TCP_IN

Allow incoming TCP ports (comma separated). Port ranges can be specified using a colon. (e.g. 30000:35000).

Default: 20,21,22,25,53,80,110,143,443,465,587,993,995,8443,8447,8880,30000:35000

TCP out - TCP_OUT

Allow outgoing TCP ports (comma separated). Port ranges can be specified using a colon. (e.g. 30000:35000).

Default: 20,21,22,25,43,53,80,110,113,143,443,465,587,993,995,2703,5224,8443,8447,8880

UDP in - UDP_IN

Allow incoming UDP ports (comma separated). Port ranges can be specified using a colon. (e.g. 30000:35000).

Default: 20,21,53,24441

UDP out - UDP_OUT

Allow outgoing UDP ports (comma separated). Port ranges can be specified using a colon. (e.g. 30000:35000). To allow outgoing traceroute add 33434:33523 to this list.

Default: 20,21,53,113,123,873,6277,24441,33434:33523

ICMP in - ICMP_IN

Allow incoming PING.

Default: 1 Range: 0-1

ICMP in rate - ICMP_IN_RATE

Set the incoming ICMP packet rate per IP address. To disable this option set to 0.

Default: 1/s

ICMP out - ICMP_OUT

Allow outgoing PING.

Default: 1 Range: 0-1

ICMP out rate - ICMP_OUT_RATE

Set the outgoing ICMP packet rate per IP address. To disable this option set to 0.

Default: 0

IPv6 Port Settings

IPv6 - IPV6

Enable or disable IPV6 support.

Default: 1 Range: 0-1

IPv6 ICMP strict - IPV6_ICMP_STRICT

IPv6 uses icmpv6 packets very heavily. By default, csf will allow all icmpv6 traffic in the INPUT and OUTPUT chains. However, this could increase the risk of icmpv6 attacks. To restrict incoming icmpv6, set this option to 1, but note that doing so may break some connection types.

Default: 0 Range: 0-1

IPv6 SPI - IPV6_SPI

Enable or disable IPV6 stateful packet inspection. Do not enable on pre-v2.6.20 kernels, as they do not perform stateful connection tracking.

Default: 1 Range: 0-1

TCP6 in - TCP6_IN

Allow incoming IPv6 TCP ports (comma separated). Port ranges can be specified using a colon. (e.g. 30000:35000).

Default: 20,21,22,25,53,80,110,143,443,465,587,993,995,8443,8447,8880,30000:35000

TCP6 out - TCP6_OUT

Allow outgoing IPv6 TCP ports (comma separated). Port ranges can be specified using a colon. (e.g. 30000:35000).

Default: 20,21,22,25,43,53,80,110,113,143,443,465,587,993,995,2703,5224,8443,8447,8880

UDP6 in - UDP6_IN

Allow incoming IPv6 UDP ports (comma separated). Port ranges can be specified using a colon. (e.g. 30000:35000).

Default: 20,21,53,24441

UDP6 out - UDP6_OUT

Allow outgoing IPv6 UDP ports (comma separated). Port ranges can be specified using a colon. (e.g. 30000:35000). To allow outgoing traceroute add 33434:33523 to this list.

Default: 20,21,53,113,123,873,6277,24441,33434:33523
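The following is an added example, not part of csf or of this page: a small audit of the port-list settings above that parses the comma/colon syntax, reports outgoing lists that are ignored when LF_SPI is 0, and reports ports opened in TCP6_IN but not in TCP_IN. It assumes settings are written as KEY = "value" lines; the sample configuration and all function names are constructed for illustration.

```python
import re

# Constructed sample settings (assumed KEY = "value" syntax), not a real host's config.
SAMPLE_CONF = '''
LF_SPI = "0"
TCP_IN = "20,21,22,25,53,80,443,30000:35000"
TCP_OUT = "20,21,22,25,53,80,443"
IPV6 = "1"
TCP6_IN = "22,80,443,8443,30000:35100"
'''

def parse_conf(text):
    """Return {KEY: value} for every line of the form KEY = "value"."""
    return dict(re.findall(r'^\s*([A-Za-z0-9_]+)\s*=\s*"([^"]*)"', text, re.M))

def parse_ports(spec):
    """Parse 'a,b,lo:hi' into sorted (low, high) tuples, rejecting malformed items."""
    ranges = []
    for item in filter(None, (p.strip() for p in spec.split(","))):
        parts = item.split(":")
        if len(parts) > 2 or not all(x.isdigit() for x in parts):
            raise ValueError(f"not a port or range: {item!r}")
        lo, hi = int(parts[0]), int(parts[-1])
        if not (0 < lo <= hi <= 65535):
            raise ValueError(f"port out of range or reversed: {item!r}")
        ranges.append((lo, hi))
    return sorted(ranges)

def expand(ranges):
    """Turn (low, high) tuples into the set of individual port numbers."""
    return {p for lo, hi in ranges for p in range(lo, hi + 1)}

def audit(conf):
    """Return findings based on the behaviour this page describes (defaults: LF_SPI=1, IPV6=1)."""
    findings = []
    if conf.get("LF_SPI", "1") == "0":
        for key in ("TCP_OUT", "UDP_OUT", "ICMP_OUT"):
            if key in conf:
                findings.append(f"{key} has no effect while LF_SPI=0 (all outgoing allowed)")
    if conf.get("IPV6", "1") == "1" and "TCP_IN" in conf and "TCP6_IN" in conf:
        only6 = sorted(expand(parse_ports(conf["TCP6_IN"])) - expand(parse_ports(conf["TCP_IN"])))
        if only6:
            findings.append(f"TCP6_IN opens {len(only6)} port(s) not in TCP_IN, first: {only6[0]}")
    return findings

if __name__ == "__main__":
    for line in audit(parse_conf(SAMPLE_CONF)):
        print(line)
```

The parser covers the TCP/UDP in/out lists only; a value such as the PORTS_bind default (53;udp,53;tcp) uses a different syntax and is rejected by parse_ports.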

--------------------------------------------------------------------------

SSHD ports - PORTS_sshd

Port numbers for sshd.

Default: 22

FTPD ports - PORTS_ftpd

Port numbers for ftpd.

Default: 20,21

SMTPAUTH ports - PORTS_smtpauth

Port numbers for smtpauth.

Default: 25,465,587

POP3D ports - PORTS_pop3d

Port numbers for pop3d.

Default: 110,995

IMAPD ports - PORTS_imapd

Port numbers for imapd.

Default: 143,993

Htpasswd ports - PORTS_htpasswd

Port numbers for htpasswd.

Default: 80,443,7080,7081

BIND ports - PORTS_bind

Port numbers for bind.

Default: 53;udp,53;tcp

------