One of the critical aspects of securing a server is controlling access to its ports, which act as gateways for data transmission. ConfigServer Security & Firewall (CSF) is a popular and advanced firewall solution for Linux servers that provides robust security features. Among its many capabilities, CSF allows administrators to fine-tune port access based on specific IP addresses, enhancing security by ensuring only trusted sources can connect to designated ports.
In this tutorial, we will guide you through the steps to allow port access to a specific IP address using CSF Firewall. Whether you need to grant access to a remote employee, a trusted service provider, or another server in your infrastructure, this guide will help you configure your firewall settings with precision and confidence. By the end of this tutorial, you will have a solid understanding of how to use CSF to manage port access securely and effectively.
Prerequisites
- A Linux server with root access
- CSF Firewall installed
Configuring Port Access in CSF
Based on the CSF documentation, you can add more complex port and IP filters to the /etc/csf/csf.allow file (to allow access) or the /etc/csf/csf.deny file (to deny access).
Writing an Allow Rule in CSF
The following explains how to write an advanced allow rule in the /etc/csf/csf.allow file.
Each rule consists of four essential parts separated by a pipe (|). These parts are:
- Protocol (TCP or UDP)
- Direction (IN/OUT) for incoming or outgoing connections
- Port (source s= or destination d=)
- IP Address (source or destination IP)
Example Rules
Example 1: Allow Access to TCP Port 21 from source IP Address 192.168.1.50
To allow access to the destination TCP port 21 on your server only from the source IP address 192.168.1.50, you would add the following line to /etc/csf/csf.allow:
tcp|in|d=21|s=192.168.1.50
- Protocol: TCP
- Direction: IN (incoming connection)
- Port: Destination port 21 (d=21)
- IP Address: Source IP 192.168.1.50
In the port section, we used d= for the destination port. In the IP section, we used s= for the source IP address (the client IP).
In the above rule, the first section sets the protocol to TCP, the second sets the direction to IN to allow an incoming connection, the third sets the destination port (d=21) to allow connections to port 21, and the fourth sets the source (client) IP address (s=192.168.1.50).
Example 2: Allow Access to TCP Ports 80 and 443 from source IP Address 192.168.1.70
Let's write another rule, this time to allow access to TCP ports 80 and 443 from the IP address 192.168.1.70. Add the following line to /etc/csf/csf.allow:
tcp|in|d=80,443|s=192.168.1.70
In this rule, we added two ports (80 and 443) to the destination port section: d=80,443.
Simplified Rules
By default, CSF assumes the protocol is TCP and the connection direction is IN. Therefore, you can simplify the previous rules by omitting the first two parts:
d=21|s=192.168.1.50
and
d=80,443|s=192.168.1.70
In these two examples, we omitted the first two sections (protocol and direction) and started directly with the destination port.
ICMP / PING
You can allow or deny ping from a specific IP address (192.168.1.80) by adding the following rule to /etc/csf/csf.allow (to allow) or /etc/csf/csf.deny (to deny):
icmp|in|d=ping|s=192.168.1.80
- Protocol: ICMP
- Direction: IN (incoming connection)
- Port: Destination is ping (d=ping)
- IP Address: Source IP 192.168.1.80
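The rule format described above (four pipe-separated parts, the TCP/IN defaults from the Simplified Rules section, comma-separated port lists, and the icmp/ping form) is simple enough to validate before you restart the firewall, which is worth doing because a malformed line in csf.allow is the kind of mistake that only shows up after csf -r. The following Python script is an added example, not part of this tutorial or of CSF itself: it parses rule lines into a structured form with the documented defaults, rejects invalid ports and addresses, and answers the question "would this rule match a connection with these attributes?". The acceptance of CIDR networks in the s=/d= IP field and of a direction given without a protocol are assumptions of this parser, not behaviour this page documents; check the CSF readme before relying on them.

```python
"""Parse and evaluate CSF advanced csf.allow / csf.deny rule lines.

Example code written for this page; it is not CSF's own parser.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

PROTOCOLS = ("tcp", "udp", "icmp")
DIRECTIONS = ("in", "out")


@dataclass
class Rule:
    proto: str
    direction: str
    # Port fields: None means the field was not given (any port);
    # for icmp the only documented value is "ping".
    src_ports: Optional[frozenset] = None
    dst_ports: Optional[frozenset] = None
    # IP fields: an ipaddress network object (a single host becomes a /32 or /128).
    # Accepting CIDR here is an assumption of this example.
    src_ip: object = None
    dst_ip: object = None


def _parse_ports(proto: str, value: str) -> frozenset:
    """Parse '21' or '80,443' (or 'ping' for icmp) into a frozenset."""
    if proto == "icmp":
        if value.lower() != "ping":
            raise ValueError(f"icmp rules use d=ping, got {value!r}")
        return frozenset({"ping"})
    ports = set()
    for item in value.split(","):
        item = item.strip()
        if not item.isdigit() or not 1 <= int(item) <= 65535:
            raise ValueError(f"invalid port {item!r}")
        ports.add(int(item))
    return frozenset(ports)


def parse_rule(line: str) -> Rule:
    """Parse one rule line, applying the CSF defaults (tcp, in) when omitted."""
    fields = [f.strip() for f in line.strip().split("|") if f.strip()]
    if not fields:
        raise ValueError("empty rule")
    proto, direction = "tcp", "in"
    if fields[0].lower() in PROTOCOLS:
        proto = fields.pop(0).lower()
    if fields and fields[0].lower() in DIRECTIONS:  # assumption: direction alone is accepted
        direction = fields.pop(0).lower()
    if len(fields) != 2:
        raise ValueError(f"expected a port part and an IP part, got {fields!r}")
    rule = Rule(proto, direction)
    # Port part: s=<ports> or d=<ports>
    key, sep, value = fields[0].partition("=")
    if sep != "=" or key.lower() not in ("s", "d"):
        raise ValueError(f"bad port part {fields[0]!r}")
    ports = _parse_ports(proto, value)
    if key.lower() == "s":
        rule.src_ports = ports
    else:
        rule.dst_ports = ports
    # IP part: s=<ip> or d=<ip>; ip_network raises ValueError on garbage
    key, sep, value = fields[1].partition("=")
    if sep != "=" or key.lower() not in ("s", "d"):
        raise ValueError(f"bad IP part {fields[1]!r}")
    network = ipaddress.ip_network(value.strip(), strict=False)
    if key.lower() == "s":
        rule.src_ip = network
    else:
        rule.dst_ip = network
    return rule


def parse_rules(text: str) -> list:
    """Parse a whole file body; blank lines and '#' comments are skipped."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            rules.append(parse_rule(line))
        except ValueError as exc:
            raise ValueError(f"line {lineno}: {exc}") from None
    return rules


def rule_matches(rule: Rule, proto: str, direction: str, src_ip: str, dst_ip: str,
                 src_port=None, dst_port=None) -> bool:
    """True if a connection with these attributes is selected by the rule."""
    if rule.proto != proto.lower() or rule.direction != direction.lower():
        return False
    if rule.src_ports is not None and src_port not in rule.src_ports:
        return False
    if rule.dst_ports is not None and dst_port not in rule.dst_ports:
        return False
    if rule.src_ip is not None and ipaddress.ip_address(src_ip) not in rule.src_ip:
        return False
    if rule.dst_ip is not None and ipaddress.ip_address(dst_ip) not in rule.dst_ip:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample file body using the rules from this tutorial.
    sample = "tcp|in|d=21|s=192.168.1.50\nd=80,443|s=192.168.1.70\nicmp|in|d=ping|s=192.168.1.80\n"
    for r in parse_rules(sample):
        print(r)
```

Running the script prints the three parsed rules; parse_rules raises a ValueError naming the offending line for anything it cannot interpret, so it can be run over a csf.allow file as a pre-restart sanity check.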
Restart CSF
Don't forget to restart CSF to apply the changes:
csf -r