CSF not blocking port when removed from csf.conf

enkrypt (Verified User; joined Feb 3, 2011; 38 messages)
I have removed VNC port 5901 from the csf.conf configuration file and executed a csf -f, a csf -x and a csf -e to flush and restart CSF.

There is a vncserver running on port 5901, and when doing an nmap -p 5901 MYIP from a computer that is NOT in the csf.allow file I get a

5901/tcp open vnc-1

I then issued the following commands:

iptables -A INPUT -p tcp --dport 5901 -j DROP
systemctl restart iptables

Now when doing an nmap -p 5901 MYIP I get the following:

5901/tcp closed vnc-1
The vncserver is still listening - but now traffic is being blocked. Great, this is expected.

I would like to know why CSF is not blocking this port by default? It is my understanding that CSF will block all ports that are not set in the ALLOW INCOMING section of the csf.conf

Here is the output of csf -l:

Code:
    # csf -l
    Chain INPUT (policy DROP 0 packets, 0 bytes)
    num   pkts bytes target     prot opt in     out     source               destination
    1        0     0 ACCEPT     tcp  --  !lo    *       8.8.4.4              0.0.0.0/0            tcp dpt:53
    2        0     0 ACCEPT     udp  --  !lo    *       8.8.4.4              0.0.0.0/0            udp dpt:53
    3        0     0 ACCEPT     tcp  --  !lo    *       8.8.4.4              0.0.0.0/0            tcp spt:53
    4        0     0 ACCEPT     udp  --  !lo    *       8.8.4.4              0.0.0.0/0            udp spt:53
    5        0     0 ACCEPT     tcp  --  !lo    *       8.8.8.8              0.0.0.0/0            tcp dpt:53
    6        0     0 ACCEPT     udp  --  !lo    *       8.8.8.8              0.0.0.0/0            udp dpt:53
    7        0     0 ACCEPT     tcp  --  !lo    *       8.8.8.8              0.0.0.0/0            tcp spt:53
    8       15  1568 ACCEPT     udp  --  !lo    *       8.8.8.8              0.0.0.0/0            udp spt:53
    9    11269  682K LOCALINPUT  all  --  !lo    *       0.0.0.0/0            0.0.0.0/0
    10      50  3627 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    11   11075  666K INVALID    tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0
    12   11063  666K ACCEPT     all  --  !lo    *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    13       0     0 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0            ctstate NEW tcp dpt:20
    14       0     0 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0            ctstate NEW tcp dpt:21
    15       1    48 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0            ctstate NEW tcp dpt:25
    16       0     0 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0            ctstate NEW tcp dpt:53
    17      17   884 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0            ctstate NEW tcp dpt:80
    18       0     0 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0            ctstate NEW tcp dpt:110
    19       0     0 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0            ctstate NEW tcp dpt:143
    20       0     0 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0            ctstate NEW tcp dpt:443
    21       0     0 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0            ctstate NEW tcp dpt:465
    22       0     0 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0            ctstate NEW tcp dpt:587
    23       0     0 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0            ctstate NEW tcp dpt:993
    24       0     0 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0            ctstate NEW tcp dpt:995
    25       0     0 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0            ctstate NEW tcp dpt:2222
    26       0     0 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0            ctstate NEW tcp dpt:8023
    27      14   800 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0            ctstate NEW tcp dpt:25565
    28       0     0 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0            ctstate NEW tcp dpt:8080
    29       0     0 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0            ctstate NEW tcp dpt:64738
    30       0     0 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0            ctstate NEW tcp dpts:25000:25002
    31       0     0 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0            ctstate NEW tcp dpt:8081
    32       0     0 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0            ctstate NEW tcp dpt:8888
    33       0     0 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0            ctstate NEW tcp dpt:7777
    34       0     0 ACCEPT     udp  --  !lo    *       0.0.0.0/0            0.0.0.0/0            ctstate NEW udp dpt:20
    35       0     0 ACCEPT     udp  --  !lo    *       0.0.0.0/0            0.0.0.0/0            ctstate NEW udp dpt:21
    36       0     0 ACCEPT     udp  --  !lo    *       0.0.0.0/0            0.0.0.0/0            ctstate NEW udp dpt:53
    37       0     0 ACCEPT     udp  --  !lo    *       0.0.0.0/0            0.0.0.0/0            ctstate NEW udp dpts:25000:25003
    38       0     0 ACCEPT     udp  --  !lo    *       0.0.0.0/0            0.0.0.0/0            ctstate NEW udp dpt:8081
    39       0     0 ACCEPT     udp  --  !lo    *       0.0.0.0/0            0.0.0.0/0            ctstate NEW udp dpt:8888
    40       5   420 ACCEPT     icmp --  !lo    *       0.0.0.0/0            0.0.0.0/0            icmptype 8 limit: avg 1/sec burst 5
    41       0     0 ACCEPT     icmp --  !lo    *       0.0.0.0/0            0.0.0.0/0            icmptype 0 limit: avg 1/sec burst 5
    42       0     0 ACCEPT     icmp --  !lo    *       0.0.0.0/0            0.0.0.0/0            icmptype 11
    43       0     0 ACCEPT     icmp --  !lo    *       0.0.0.0/0            0.0.0.0/0            icmptype 3
    44       1    35 LOGDROPIN  all  --  !lo    *       0.0.0.0/0            0.0.0.0/0
    
    Chain FORWARD (policy DROP 0 packets, 0 bytes)
    num   pkts bytes target     prot opt in     out     source               destination
    
    Chain OUTPUT (policy DROP 0 packets, 0 bytes)
    num   pkts bytes target     prot opt in     out     source               destination
    1        0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            8.8.4.4              tcp dpt:53
    2        0     0 ACCEPT     udp  --  *      !lo     0.0.0.0/0            8.8.4.4              udp dpt:53
    3        0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            8.8.4.4              tcp spt:53
    4        0     0 ACCEPT     udp  --  *      !lo     0.0.0.0/0            8.8.4.4              udp spt:53
    5        0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            8.8.8.8              tcp dpt:53
    6       15   968 ACCEPT     udp  --  *      !lo     0.0.0.0/0            8.8.8.8              udp dpt:53
    7        0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            8.8.8.8              tcp spt:53
    8        0     0 ACCEPT     udp  --  *      !lo     0.0.0.0/0            8.8.8.8              udp spt:53
    9    13429 8347K LOCALOUTPUT  all  --  *      !lo     0.0.0.0/0            0.0.0.0/0
    10       0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0            tcp dpt:53
    11       0     0 ACCEPT     udp  --  *      !lo     0.0.0.0/0            0.0.0.0/0            udp dpt:53
    12       0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0            tcp spt:53
    13       0     0 ACCEPT     udp  --  *      !lo     0.0.0.0/0            0.0.0.0/0            udp spt:53
    14      50  3627 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
    15   13116 8271K INVALID    tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0
    16   13118 8275K ACCEPT     all  --  *      !lo     0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    17       0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0            ctstate NEW tcp dpt:20
    18       0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0            ctstate NEW tcp dpt:21
    19       0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0            ctstate NEW tcp dpt:25
    20       0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0            ctstate NEW tcp dpt:53
    21       6   288 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0            ctstate NEW tcp dpt:80
    22       0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0            ctstate NEW tcp dpt:110
    23       0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0            ctstate NEW tcp dpt:113
    24       0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0            ctstate NEW tcp dpt:443
    25       0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0            ctstate NEW tcp dpt:587
    26       0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0            ctstate NEW tcp dpt:993
    27       0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0            ctstate NEW tcp dpt:995
    28       0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0            ctstate NEW tcp dpt:2222
    29       0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0            ctstate NEW tcp dpt:8023
    30       0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0            ctstate NEW tcp dpt:25565
    31       0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0            ctstate NEW tcp dpt:8080
    32       0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0            ctstate NEW tcp dpt:64738
    33       0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0            ctstate NEW tcp dpts:25000:25003
    34       0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0            ctstate NEW tcp dpt:8081
    35       0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0            ctstate NEW tcp dpt:8888
    36       0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0            ctstate NEW tcp dpt:7777
    37       0     0 ACCEPT     udp  --  *      !lo     0.0.0.0/0            0.0.0.0/0            ctstate NEW udp dpt:20
    38       0     0 ACCEPT     udp  --  *      !lo     0.0.0.0/0            0.0.0.0/0            ctstate NEW udp dpt:21
    39       0     0 ACCEPT     udp  --  *      !lo     0.0.0.0/0            0.0.0.0/0            ctstate NEW udp dpt:53
    40       0     0 ACCEPT     udp  --  *      !lo     0.0.0.0/0            0.0.0.0/0            ctstate NEW udp dpt:113
    41       5   380 ACCEPT     udp  --  *      !lo     0.0.0.0/0            0.0.0.0/0            ctstate NEW udp dpt:123
    42       0     0 ACCEPT     udp  --  *      !lo     0.0.0.0/0            0.0.0.0/0            ctstate NEW udp dpts:25000:25003
    43       0     0 ACCEPT     udp  --  *      !lo     0.0.0.0/0            0.0.0.0/0            ctstate NEW udp dpt:8081
    44       0     0 ACCEPT     udp  --  *      !lo     0.0.0.0/0            0.0.0.0/0            ctstate NEW udp dpt:8888
    45       0     0 ACCEPT     icmp --  *      !lo     0.0.0.0/0            0.0.0.0/0            icmptype 0
    46       0     0 ACCEPT     icmp --  *      !lo     0.0.0.0/0            0.0.0.0/0            icmptype 8
    47       0     0 ACCEPT     icmp --  *      !lo     0.0.0.0/0            0.0.0.0/0            icmptype 11
    48       0     0 ACCEPT     icmp --  *      !lo     0.0.0.0/0            0.0.0.0/0            icmptype 3
    49     162 23019 LOGDROPOUT  all  --  *      !lo     0.0.0.0/0            0.0.0.0/0
    
    Chain ALLOWIN (1 references)
    num   pkts bytes target     prot opt in     out     source               destination
    1        0     0 ACCEPT     all  --  !lo    *       ** EDITED OUT **     0.0.0.0/0
    2      173 14448 ACCEPT     all  --  !lo    *       ** EDITED OUT **     0.0.0.0/0
    
    Chain ALLOWOUT (1 references)
    num   pkts bytes target     prot opt in     out     source               destination
    1        0     0 ACCEPT     all  --  *      !lo     0.0.0.0/0            ** EDITED OUT **
    2      156 52520 ACCEPT     all  --  *      !lo     0.0.0.0/0            ** EDITED OUT **
    
    Chain DENYIN (1 references)
    num   pkts bytes target     prot opt in     out     source               destination
    1        0     0 DROP       all  --  !lo    *       84.13.41.77          0.0.0.0/0
    2        0     0 DROP       all  --  !lo    *       115.239.228.14       0.0.0.0/0
    3        0     0 DROP       all  --  !lo    *       183.136.216.4        0.0.0.0/0
    4        0     0 DROP       all  --  !lo    *       61.174.51.223        0.0.0.0/0
    5        0     0 DROP       all  --  !lo    *       82.98.168.5          0.0.0.0/0
    6        0     0 DROP       all  --  !lo    *       218.2.0.133          0.0.0.0/0
    7        0     0 DROP       all  --  !lo    *       149.255.172.10       0.0.0.0/0
    8        0     0 DROP       all  --  !lo    *       175.139.182.66       0.0.0.0/0
    9        0     0 DROP       all  --  !lo    *       122.225.109.216      0.0.0.0/0
    10       0     0 DROP       all  --  !lo    *       115.239.228.9        0.0.0.0/0
    11       0     0 DROP       all  --  !lo    *       61.174.50.188        0.0.0.0/0
    12       0     0 DROP       all  --  !lo    *       115.239.228.6        0.0.0.0/0
    13       0     0 DROP       all  --  !lo    *       61.174.49.106        0.0.0.0/0
    14       0     0 DROP       all  --  !lo    *       122.225.109.126      0.0.0.0/0
    15       0     0 DROP       all  --  !lo    *       198.11.235.58        0.0.0.0/0
    16       0     0 DROP       all  --  !lo    *       168.235.156.205      0.0.0.0/0
    17       0     0 DROP       all  --  !lo    *       188.29.164.68        0.0.0.0/0
    18       0     0 DROP       all  --  !lo    *       115.231.223.170      0.0.0.0/0
    19       0     0 DROP       all  --  !lo    *       188.29.164.12        0.0.0.0/0
    20       0     0 DROP       all  --  !lo    *       92.29.74.30          0.0.0.0/0
    21       0     0 DROP       all  --  !lo    *       72.94.20.202         0.0.0.0/0
    22       0     0 DROP       all  --  !lo    *       188.29.165.91        0.0.0.0/0
    23       0     0 DROP       all  --  !lo    *       188.29.164.127       0.0.0.0/0
    24       0     0 DROP       all  --  !lo    *       188.29.164.202       0.0.0.0/0
    25       0     0 DROP       all  --  !lo    *       188.29.165.62        0.0.0.0/0
    26       0     0 DROP       all  --  !lo    *       2.96.208.250         0.0.0.0/0
    27       0     0 DROP       all  --  !lo    *       188.29.164.170       0.0.0.0/0
    28       0     0 DROP       all  --  !lo    *       188.29.165.16        0.0.0.0/0
    29       0     0 DROP       all  --  !lo    *       58.137.224.98        0.0.0.0/0
    30       0     0 DROP       all  --  !lo    *       60.251.70.8          0.0.0.0/0
    31       0     0 DROP       all  --  !lo    *       41.193.53.71         0.0.0.0/0
    32       0     0 DROP       all  --  !lo    *       59.120.39.44         0.0.0.0/0
    33       0     0 DROP       all  --  !lo    *       80.153.119.29        0.0.0.0/0
    34       0     0 DROP       all  --  !lo    *       109.190.67.128       0.0.0.0/0
    35       0     0 DROP       all  --  !lo    *       188.29.164.216       0.0.0.0/0
    36       0     0 DROP       all  --  !lo    *       41.224.253.236       0.0.0.0/0
    37       0     0 DROP       all  --  !lo    *       81.248.108.219       0.0.0.0/0
    38       0     0 DROP       all  --  !lo    *       188.29.164.110       0.0.0.0/0
    39       0     0 DROP       all  --  !lo    *       188.29.165.232       0.0.0.0/0
    40       0     0 DROP       all  --  !lo    *       81.134.7.168         0.0.0.0/0
    41       0     0 DROP       all  --  !lo    *       188.29.164.171       0.0.0.0/0
    42       0     0 DROP       all  --  !lo    *       61.40.192.56         0.0.0.0/0
    43       0     0 DROP       all  --  !lo    *       173.208.194.38       0.0.0.0/0
    44       0     0 DROP       all  --  !lo    *       188.29.164.100       0.0.0.0/0
    45       0     0 DROP       all  --  !lo    *       71.94.237.138        0.0.0.0/0
    46       0     0 DROP       all  --  !lo    *       188.29.164.64        0.0.0.0/0
    47       0     0 DROP       all  --  !lo    *       93.174.93.181        0.0.0.0/0
    48       0     0 DROP       all  --  !lo    *       188.29.164.200       0.0.0.0/0
    49       0     0 DROP       all  --  !lo    *       195.138.249.11       0.0.0.0/0
    50       0     0 DROP       all  --  !lo    *       69.73.180.238        0.0.0.0/0
    51       0     0 DROP       all  --  !lo    *       74.208.8.229         0.0.0.0/0
    52       3   144 DROP       all  --  !lo    *       74.208.43.32         0.0.0.0/0
    53       3   176 DROP       all  --  !lo    *       148.245.192.36       0.0.0.0/0
    54       0     0 DROP       all  --  !lo    *       177.139.215.107      0.0.0.0/0
    55       0     0 DROP       all  --  !lo    *       1.23.26.27           0.0.0.0/0
    56       0     0 DROP       all  --  !lo    *       207.109.141.56       0.0.0.0/0
    
    Chain DENYOUT (1 references)
    num   pkts bytes target     prot opt in     out     source               destination
    1        0     0 LOGDROPOUT  all  --  *      !lo     0.0.0.0/0            84.13.41.77
    2        0     0 LOGDROPOUT  all  --  *      !lo     0.0.0.0/0            115.239.228.14
    3        0     0 LOGDROPOUT  all  --  *      !lo     0.0.0.0/0            183.136.216.4
    4        0     0 LOGDROPOUT  all  --  *      !lo     0.0.0.0/0            61.174.51.223
    5        0     0 LOGDROPOUT  all  --  *      !lo     0.0.0.0/0            82.98.168.5
    6        0     0 LOGDROPOUT  all  --  *      !lo     0.0.0.0/0            218.2.0.133
    7        0     0 LOGDROPOUT  all  --  *      !lo     0.0.0.0/0            149.255.172.10
    8        0     0 LOGDROPOUT  all  --  *      !lo     0.0.0.0/0            175.139.182.66
    9        0     0 LOGDROPOUT  all  --  *      !lo     0.0.0.0/0            122.225.109.216
    10       0     0 LOGDROPOUT  all  --  *      !lo     0.0.0.0/0            115.239.228.9
    11       0     0 LOGDROPOUT  all  --  *      !lo     0.0.0.0/0            61.174.50.188
    12       0     0 LOGDROPOUT  all  --  *      !lo     0.0.0.0/0            115.239.228.6
    13       0     0 LOGDROPOUT  all  --  *      !lo     0.0.0.0/0            61.174.49.106
    14       0     0 LOGDROPOUT  all  --  *      !lo     0.0.0.0/0            122.225.109.126
    15       0     0 LOGDROPOUT  all  --  *      !lo     0.0.0.0/0            198.11.235.58
    16       0     0 LOGDROPOUT  all  --  *      !lo     0.0.0.0/0            168.235.156.205
    17       0     0 LOGDROPOUT  all  --  *      !lo     0.0.0.0/0            188.29.164.68
    18       0     0 LOGDROPOUT  all  --  *      !lo     0.0.0.0/0            115.231.223.170
    19       0     0 LOGDROPOUT  all  --  *      !lo     0.0.0.0/0            188.29.164.12
    20       0     0 LOGDROPOUT  all  --  *      !lo     0.0.0.0/0            92.29.74.30
    21       0     0 LOGDROPOUT  all  --  *      !lo     0.0.0.0/0            72.94.20.202
    22       0     0 LOGDROPOUT  all  --  *      !lo     0.0.0.0/0            188.29.165.91
    23       0     0 LOGDROPOUT  all  --  *      !lo     0.0.0.0/0            188.29.164.127
    24       0     0 LOGDROPOUT  all  --  *      !lo     0.0.0.0/0            188.29.164.202
    25       0     0 LOGDROPOUT  all  --  *      !lo     0.0.0.0/0            188.29.165.62
    26       0     0 LOGDROPOUT  all  --  *      !lo     0.0.0.0/0            2.96.208.250
    27       0     0 LOGDROPOUT  all  --  *      !lo     0.0.0.0/0            188.29.164.170
    28       0     0 LOGDROPOUT  all  --  *      !lo     0.0.0.0/0            188.29.165.16
    29       0     0 LOGDROPOUT  all  --  *      !lo     0.0.0.0/0            58.137.224.98
    30       0     0 LOGDROPOUT  all  --  *      !lo     0.0.0.0/0            60.251.70.8
    31       0     0 LOGDROPOUT  all  --  *      !lo     0.0.0.0/0            41.193.53.71
    32       0     0 LOGDROPOUT  all  --  *      !lo     0.0.0.0/0            59.120.39.44
    33       0     0 LOGDROPOUT  all  --  *      !lo     0.0.0.0/0            80.153.119.29
    34       0     0 LOGDROPOUT  all  --  *      !lo     0.0.0.0/0            109.190.67.128
    35       0     0 LOGDROPOUT  all  --  *      !lo     0.0.0.0/0            188.29.164.216
    36       0     0 LOGDROPOUT  all  --  *      !lo     0.0.0.0/0            41.224.253.236
    37       0     0 LOGDROPOUT  all  --  *      !lo     0.0.0.0/0            81.248.108.219
    38       0     0 LOGDROPOUT  all  --  *      !lo     0.0.0.0/0            188.29.164.110
    39       0     0 LOGDROPOUT  all  --  *      !lo     0.0.0.0/0            188.29.165.232
    40       0     0 LOGDROPOUT  all  --  *      !lo     0.0.0.0/0            81.134.7.168
    41       0     0 LOGDROPOUT  all  --  *      !lo     0.0.0.0/0            188.29.164.171
    42       0     0 LOGDROPOUT  all  --  *      !lo     0.0.0.0/0            61.40.192.56
    43       0     0 LOGDROPOUT  all  --  *      !lo     0.0.0.0/0            173.208.194.38
    44       0     0 LOGDROPOUT  all  --  *      !lo     0.0.0.0/0            188.29.164.100
    45       0     0 LOGDROPOUT  all  --  *      !lo     0.0.0.0/0            71.94.237.138
    46       0     0 LOGDROPOUT  all  --  *      !lo     0.0.0.0/0            188.29.164.64
    47       0     0 LOGDROPOUT  all  --  *      !lo     0.0.0.0/0            93.174.93.181
    48       0     0 LOGDROPOUT  all  --  *      !lo     0.0.0.0/0            188.29.164.200
    49       0     0 LOGDROPOUT  all  --  *      !lo     0.0.0.0/0            195.138.249.11
    50       0     0 LOGDROPOUT  all  --  *      !lo     0.0.0.0/0            69.73.180.238
    51       0     0 LOGDROPOUT  all  --  *      !lo     0.0.0.0/0            74.208.8.229
    52       0     0 LOGDROPOUT  all  --  *      !lo     0.0.0.0/0            74.208.43.32
    53       0     0 LOGDROPOUT  all  --  *      !lo     0.0.0.0/0            148.245.192.36
    54       0     0 LOGDROPOUT  all  --  *      !lo     0.0.0.0/0            177.139.215.107
    55       0     0 LOGDROPOUT  all  --  *      !lo     0.0.0.0/0            1.23.26.27
    56       0     0 LOGDROPOUT  all  --  *      !lo     0.0.0.0/0            207.109.141.56
    
    Chain INVALID (2 references)
    num   pkts bytes target     prot opt in     out     source               destination
    1        0     0 INVDROP    all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
    2        0     0 INVDROP    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x3F/0x00
    3        0     0 INVDROP    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x3F/0x3F
    4        0     0 INVDROP    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x03/0x03
    5        0     0 INVDROP    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x06/0x06
    6        0     0 INVDROP    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x05/0x05
    7        0     0 INVDROP    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x11/0x01
    8        0     0 INVDROP    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x18/0x08
    9        0     0 INVDROP    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x30/0x20
    10       0     0 INVDROP    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:!0x17/0x02 ctstate NEW
    
    Chain INVDROP (10 references)
    num   pkts bytes target     prot opt in     out     source               destination
    1        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
    
    Chain LOCALINPUT (1 references)
    num   pkts bytes target     prot opt in     out     source               destination
    1    11269  682K ALLOWIN    all  --  !lo    *       0.0.0.0/0            0.0.0.0/0
    2    11096  668K DENYIN     all  --  !lo    *       0.0.0.0/0            0.0.0.0/0
    
    Chain LOCALOUTPUT (1 references)
    num   pkts bytes target     prot opt in     out     source               destination
    1    13429 8347K ALLOWOUT   all  --  *      !lo     0.0.0.0/0            0.0.0.0/0
    2    13273 8295K DENYOUT    all  --  *      !lo     0.0.0.0/0            0.0.0.0/0
    
    Chain LOGDROPIN (1 references)
    num   pkts bytes target     prot opt in     out     source               destination
    1        0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:67
    2        0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:67
    3        0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:68
    4        0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:68
    5        0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:111
    6        0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:111
    7        0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:113
    8        0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:113
    9        0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpts:135:139
    10       0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpts:135:139
    11       0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:445
    12       0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:445
    13       0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:500
    14       0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:500
    15       0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:513
    16       0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:513
    17       0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:520
    18       0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:520
    19       0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 30/min burst 5 LOG flags 0 level 4 prefix "Firewall: *TCP_IN Blocked* "
    20       1    35 LOG        udp  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 30/min burst 5 LOG flags 0 level 4 prefix "Firewall: *UDP_IN Blocked* "
    21       0     0 LOG        icmp --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 30/min burst 5 LOG flags 0 level 4 prefix "Firewall: *ICMP_IN Blocked* "
    22       1    35 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
    
    Chain LOGDROPOUT (57 references)
    num   pkts bytes target     prot opt in     out     source               destination
    1       54  2592 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x17/0x02 limit: avg 30/min burst 5 LOG flags 8 level 4 prefix "Firewall: *TCP_OUT Blocked* "
    2       59 10818 LOG        udp  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 30/min burst 5 LOG flags 8 level 4 prefix "Firewall: *UDP_OUT Blocked* "
    3        0     0 LOG        icmp --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 30/min burst 5 LOG flags 8 level 4 prefix "Firewall: *ICMP_OUT Blocked* "
    4      162 23019 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
    
    Chain PREROUTING (policy ACCEPT 47 packets, 2619 bytes)
    num   pkts bytes target     prot opt in     out     source               destination
    
    Chain INPUT (policy ACCEPT 40 packets, 2264 bytes)
    num   pkts bytes target     prot opt in     out     source               destination
    
    Chain OUTPUT (policy ACCEPT 182 packets, 24283 bytes)
    num   pkts bytes target     prot opt in     out     source               destination
    
    Chain POSTROUTING (policy ACCEPT 20 packets, 1264 bytes)
    num   pkts bytes target     prot opt in     out     source               destination

An explanation as to why CSF is behaving like this would be greatly appreciated.
 
Try csf -r to restart CSF; that is also the default way to restart CSF.
Just to be sure, you can also restart lfd; however, this should be done via the init script /etc/init.d/lfd restart.


I would like to know why CSF is not blocking this port by default? It is my understanding that CSF will block all ports that are not set in the ALLOW INCOMING section of the csf.conf
CSF also won't block local traffic and Chain input traffic.
Since your iptables command blocks all traffic to the VNC port no matter what, and blocked your pc after that, could it be your pc was in the same network as your VNC server (so your test pc was local to your server)?
If yes, then you have your cause for not blocking.
 
CSF also won't block local traffic and Chain input traffic.
Since your iptables command blocks all traffic to the VNC port no matter what, and blocked your pc after that, could it be your pc was in the same network as your VNC server (so your test pc was local to your server)?
If yes, then you have your cause for not blocking.

No, that is why I am confused. My server is located in Canada and my computer is located in the US. My computer is NOT in the csf.allow file and NOT in the csf.ignore file - My computer is in a completely different network than that of the server.

So am I right in assuming that CSF should be issuing the correct iptables rule to block the ports? For instance, I want ports 20, 21 and 22 blocked as I don't use those ports. Port 22 shows CLOSED because nothing is listening on it; however, when I tell SSHD to listen on port 22 it shows as OPEN, even though port 22 is NOT in the allowed ports in the csf.conf file. Same goes with ports 20 and 21. I would like to BLOCK these ports from being open even if something is listening on them. Which I can do by issuing the iptables command above, but I thought CSF was supposed to do this by default.

Any ideas? Maybe a re-install of CSF? Maybe it's a bug with CentOS 7 and CSF+LFD?
 
So am I right in assuming that CSF should be issuing the correct iptables rule to block the ports?
No, that's incorrect. There will be no lines issued to block ports.
All ports are blocked by default as you can see from the iptables policy:
Code:
Chain INPUT (policy DROP
So all incoming ports are dropped by default. The csf.conf makes it possible to open ports. Ports configured to be opened, will have CSF create a line to open the port.

That's why I'm thinking the problem might not be a CSF problem, because CSF only opens ports, it does not close ports (because they are closed by default). And yes it blocks banned IPs.

Any ideas? Maybe a re-install of CSF? Maybe it's a bug with CentOS 7 and CSF+LFD?
It might be that Centos has some iptables running by default. I've got this impression especially because things get blocked when you issue a manual iptables drop command. That should never be necessary on a Linux machine.

Instead of CSF-L try the command:
Code:
iptables -L
and look if there are any differences.

After that, to further investigate, you could best flush and stop CSF from running and stop it from running at reboot.
Reboot your server and do the iptables -L command. See what it's saying.
 
No, that's incorrect. There will be no lines issued to block ports.
All ports are blocked by default as you can see from the iptables policy:
Code:
Chain INPUT (policy DROP
So all incoming ports are dropped by default. The csf.conf makes it possible to open ports. Ports configured to be opened, will have CSF create a line to open the port.
Yeah that's what I meant - all ports should be disabled by default - I guess I just assumed CSF issued the DROP policy, but from what you are saying I suppose that it's default with IPTables.

That's why I'm thinking the problem might not be a CSF problem, because CSF only opens ports, it does not close ports (because they are closed by default). And yes it blocks banned IPs.


It might be that Centos has some iptables running by default. I've got this impression especially because things get blocked when you issue a manual iptables drop command. That should never be necessary on a Linux machine.

Instead of CSF-L try the command:
Code:
iptables -L
and look if there are any differences.

After that, to further investigate, you could best flush and stop CSF from running and stop it from running at reboot.
Reboot your server and do the iptables -L command. See what it's saying.

Hmm, curious - I thought that CSF -L would be the same as IPTables -L and that is not the case. When issuing the IPTables -L I see the following lines:
Code:
LOCALINPUT  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
INVALID    tcp  --  anywhere             anywhere

Could that be the problem? I am trying to learn more about the way iptables works, the rules and how to read the output. From how _I_ read that it would appear that it is accepting all protocols from anywhere to anywhere. However when doing an iptables -vL I see that it is a part of lo which is my local interface, so it shouldn't matter, correct?

I am still confused as to why ports are not blocked by default and that anytime something listens on a port it is able to be seen from the outside. I want ALL ports to be blocked UNLESS I say they can be open in the CSF config file.

How would I remove the rules IPTables has and only let CSF manage it? I assumed that a csf -f would have done that, but after you explaining things to me, I assume that csf -f and iptables -F do two different things.

In case this will help here is the output of iptables -L


Code:
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  google-public-dns-b.google.com  anywhere             tcp dpt:domain
ACCEPT     udp  --  google-public-dns-b.google.com  anywhere             udp dpt:domain
ACCEPT     tcp  --  google-public-dns-b.google.com  anywhere             tcp spt:domain
ACCEPT     udp  --  google-public-dns-b.google.com  anywhere             udp spt:domain
ACCEPT     tcp  --  google-public-dns-a.google.com  anywhere             tcp dpt:domain
ACCEPT     udp  --  google-public-dns-a.google.com  anywhere             udp dpt:domain
ACCEPT     tcp  --  google-public-dns-a.google.com  anywhere             tcp spt:domain
ACCEPT     udp  --  google-public-dns-a.google.com  anywhere             udp spt:domain
LOCALINPUT  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
INVALID    tcp  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             ctstate NEW tcp dpt:smtp
ACCEPT     tcp  --  anywhere             anywhere             ctstate NEW tcp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere             ctstate NEW tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere             ctstate NEW tcp dpt:pop3
ACCEPT     tcp  --  anywhere             anywhere             ctstate NEW tcp dpt:imap
ACCEPT     tcp  --  anywhere             anywhere             ctstate NEW tcp dpt:https
ACCEPT     tcp  --  anywhere             anywhere             ctstate NEW tcp dpt:urd
ACCEPT     tcp  --  anywhere             anywhere             ctstate NEW tcp dpt:submission
ACCEPT     tcp  --  anywhere             anywhere             ctstate NEW tcp dpt:imaps
ACCEPT     tcp  --  anywhere             anywhere             ctstate NEW tcp dpt:pop3s
ACCEPT     tcp  --  anywhere             anywhere             ctstate NEW tcp dpt:EtherNet/IP-1
ACCEPT     tcp  --  anywhere             anywhere             ctstate NEW tcp dpt:8023
ACCEPT     tcp  --  anywhere             anywhere             ctstate NEW tcp dpt:25565
ACCEPT     tcp  --  anywhere             anywhere             ctstate NEW tcp dpt:webcache
ACCEPT     tcp  --  anywhere             anywhere             ctstate NEW tcp dpt:64738
ACCEPT     tcp  --  anywhere             anywhere             ctstate NEW tcp dpts:icl-twobase1:icl-twobase3
ACCEPT     tcp  --  anywhere             anywhere             ctstate NEW tcp dpt:tproxy
ACCEPT     tcp  --  anywhere             anywhere             ctstate NEW tcp dpt:ddi-tcp-1
ACCEPT     tcp  --  anywhere             anywhere             ctstate NEW tcp dpt:cbt
ACCEPT     udp  --  anywhere             anywhere             ctstate NEW udp dpt:domain
ACCEPT     udp  --  anywhere             anywhere             ctstate NEW udp dpts:icl-twobase1:icl-twobase4
ACCEPT     udp  --  anywhere             anywhere             ctstate NEW udp dpt:tproxy
ACCEPT     udp  --  anywhere             anywhere             ctstate NEW udp dpt:ddi-udp-1
ACCEPT     icmp --  anywhere             anywhere             icmp echo-request limit: avg 1/sec burst 5
ACCEPT     icmp --  anywhere             anywhere             icmp echo-reply limit: avg 1/sec burst 5
ACCEPT     icmp --  anywhere             anywhere             icmp time-exceeded
ACCEPT     icmp --  anywhere             anywhere             icmp destination-unreachable
LOGDROPIN  all  --  anywhere             anywhere

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             google-public-dns-b.google.com  tcp dpt:domain
ACCEPT     udp  --  anywhere             google-public-dns-b.google.com  udp dpt:domain
ACCEPT     tcp  --  anywhere             google-public-dns-b.google.com  tcp spt:domain
ACCEPT     udp  --  anywhere             google-public-dns-b.google.com  udp spt:domain
ACCEPT     tcp  --  anywhere             google-public-dns-a.google.com  tcp dpt:domain
ACCEPT     udp  --  anywhere             google-public-dns-a.google.com  udp dpt:domain
ACCEPT     tcp  --  anywhere             google-public-dns-a.google.com  tcp spt:domain
ACCEPT     udp  --  anywhere             google-public-dns-a.google.com  udp spt:domain
LOCALOUTPUT  all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:domain
ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere             tcp spt:domain
ACCEPT     udp  --  anywhere             anywhere             udp spt:domain
ACCEPT     all  --  anywhere             anywhere
INVALID    tcp  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             ctstate NEW tcp dpt:smtp
ACCEPT     tcp  --  anywhere             anywhere             ctstate NEW tcp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere             ctstate NEW tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere             ctstate NEW tcp dpt:pop3
ACCEPT     tcp  --  anywhere             anywhere             ctstate NEW tcp dpt:auth
ACCEPT     tcp  --  anywhere             anywhere             ctstate NEW tcp dpt:https
ACCEPT     tcp  --  anywhere             anywhere             ctstate NEW tcp dpt:submission
ACCEPT     tcp  --  anywhere             anywhere             ctstate NEW tcp dpt:imaps
ACCEPT     tcp  --  anywhere             anywhere             ctstate NEW tcp dpt:pop3s
ACCEPT     tcp  --  anywhere             anywhere             ctstate NEW tcp dpt:EtherNet/IP-1
ACCEPT     tcp  --  anywhere             anywhere             ctstate NEW tcp dpt:8023
ACCEPT     tcp  --  anywhere             anywhere             ctstate NEW tcp dpt:25565
ACCEPT     tcp  --  anywhere             anywhere             ctstate NEW tcp dpt:webcache
ACCEPT     tcp  --  anywhere             anywhere             ctstate NEW tcp dpt:64738
ACCEPT     tcp  --  anywhere             anywhere             ctstate NEW tcp dpts:icl-twobase1:icl-twobase4
ACCEPT     tcp  --  anywhere             anywhere             ctstate NEW tcp dpt:tproxy
ACCEPT     tcp  --  anywhere             anywhere             ctstate NEW tcp dpt:ddi-tcp-1
ACCEPT     tcp  --  anywhere             anywhere             ctstate NEW tcp dpt:cbt
ACCEPT     udp  --  anywhere             anywhere             ctstate NEW udp dpt:domain
ACCEPT     udp  --  anywhere             anywhere             ctstate NEW udp dpt:auth
ACCEPT     udp  --  anywhere             anywhere             ctstate NEW udp dpt:ntp
ACCEPT     udp  --  anywhere             anywhere             ctstate NEW udp dpts:icl-twobase1:icl-twobase4
ACCEPT     udp  --  anywhere             anywhere             ctstate NEW udp dpt:tproxy
ACCEPT     udp  --  anywhere             anywhere             ctstate NEW udp dpt:ddi-udp-1
ACCEPT     icmp --  anywhere             anywhere             icmp echo-reply
ACCEPT     icmp --  anywhere             anywhere             icmp echo-request
ACCEPT     icmp --  anywhere             anywhere             icmp time-exceeded
ACCEPT     icmp --  anywhere             anywhere             icmp destination-unreachable
LOGDROPOUT  all  --  anywhere             anywhere

Chain ALLOWIN (1 references)
target     prot opt source               destination
ACCEPT     all  --  ***REMOVED***        anywhere
ACCEPT     all  --  ***REMOVED***        anywhere
ACCEPT     all  --  ***REMOVED***        anywhere
ACCEPT     all  --  ***REMOVED***        anywhere
ACCEPT     all  --  ***REMOVED***        anywhere

Chain ALLOWOUT (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             ***REMOVED***
ACCEPT     all  --  anywhere             ***REMOVED***
ACCEPT     all  --  anywhere             ***REMOVED***
ACCEPT     all  --  anywhere             ***REMOVED***
ACCEPT     all  --  anywhere             ***REMOVED***

Chain DENYIN (1 references)
target     prot opt source               destination
DROP       all  --  host-84-13-41-77.opaltelecom.net  anywhere
DROP       all  --  115.239.228.14       anywhere
DROP       all  --  183.136.216.4        anywhere
DROP       all  --  223.51.174.61.dial.wz.zj.dynamic.163data.com.cn  anywhere
DROP       all  --  vls84.dinaserver.com  anywhere
DROP       all  --  218.2.0.133          anywhere
DROP       all  --  149.255.172.10       anywhere
DROP       all  --  175.139.182.66       anywhere
DROP       all  --  122.225.109.216      anywhere
DROP       all  --  115.239.228.9        anywhere
DROP       all  --  188.50.174.61.dial.wz.zj.dynamic.163data.com.cn  anywhere
DROP       all  --  115.239.228.6        anywhere
DROP       all  --  106.49.174.61.dial.wz.zj.dynamic.163data.com.cn  anywhere
DROP       all  --  122.225.109.126      anywhere
DROP       all  --  198.11.235.58-static.reverse.softlayer.com  anywhere
DROP       all  --  c1113026-20616.cloudatcost.com  anywhere
DROP       all  --  188.29.164.68.threembb.co.uk  anywhere
DROP       all  --  115.231.223.170      anywhere
DROP       all  --  188.29.164.12.threembb.co.uk  anywhere
DROP       all  --  host-92-29-74-30.as13285.net  anywhere
DROP       all  --  static-72-94-20-202.phlapa.fios.verizon.net  anywhere
DROP       all  --  188.29.165.91.threembb.co.uk  anywhere
DROP       all  --  188.29.164.127.threembb.co.uk  anywhere
DROP       all  --  188.29.164.202.threembb.co.uk  anywhere
DROP       all  --  188.29.165.62.threembb.co.uk  anywhere
DROP       all  --  host-2-96-208-250.as13285.net  anywhere
DROP       all  --  188.29.164.170.threembb.co.uk  anywhere
DROP       all  --  188.29.165.16.threembb.co.uk  anywhere
DROP       all  --  58.137.224.98        anywhere
DROP       all  --  60-251-70-8.HINET-IP.hinet.net  anywhere
DROP       all  --  41.193.53.71         anywhere
DROP       all  --  59-120-39-44.HINET-IP.hinet.net  anywhere
DROP       all  --  p5099771d.dip0.t-ipconnect.de  anywhere
DROP       all  --  128-67-190-109.dsl.ovh.fr  anywhere
DROP       all  --  188.29.164.216.threembb.co.uk  anywhere
DROP       all  --  41.224.253.236       anywhere
DROP       all  --  LLamentin-656-6-219.w81-248.abo.wanadoo.fr  anywhere
DROP       all  --  188.29.164.110.threembb.co.uk  anywhere
DROP       all  --  188.29.165.232.threembb.co.uk  anywhere
DROP       all  --  host81-134-7-168.in-addr.btopenworld.com  anywhere
DROP       all  --  188.29.164.171.threembb.co.uk  anywhere
DROP       all  --  kr-down.enter-tech.com  anywhere
DROP       all  --  173.208.194.38       anywhere
DROP       all  --  188.29.164.100.threembb.co.uk  anywhere
DROP       all  --  71-94-237-138.dhcp.mdfd.or.charter.com  anywhere
DROP       all  --  188.29.164.64.threembb.co.uk  anywhere
DROP       all  --  hosted-by.seedhost.net  anywhere
DROP       all  --  188.29.164.200.threembb.co.uk  anywhere
DROP       all  --  195.138.249.11       anywhere
DROP       all  --  static-238-180-73-69.nocdirect.com  anywhere
DROP       all  --  s15424873.onlinehome-server.com  anywhere
DROP       all  --  henrymultimedia.com  anywhere
DROP       all  --  na-192-36.static.avantel.net.mx  anywhere
DROP       all  --  177-139-215-107.dsl.telesp.net.br  anywhere
DROP       all  --  1.23.26.27           anywhere
DROP       all  --  207.109.141.56       anywhere
DROP       all  --  37.90.129.177.interhnet.com.br  anywhere
DROP       all  --  190.107.244.151      anywhere
DROP       all  --  home.lppals.com      anywhere
DROP       all  --  213.175.205.68       anywhere
DROP       all  --  77-254-135-91.adsl.inetia.pl  anywhere
DROP       all  --  193.226.245.10.pool.invitel.hu  anywhere
DROP       all  --  p54A96669.dip0.t-ipconnect.de  anywhere

Chain DENYOUT (1 references)
target     prot opt source               destination
LOGDROPOUT  all  --  anywhere             host-84-13-41-77.opaltelecom.net
LOGDROPOUT  all  --  anywhere             115.239.228.14
LOGDROPOUT  all  --  anywhere             183.136.216.4
LOGDROPOUT  all  --  anywhere             223.51.174.61.dial.wz.zj.dynamic.163data.com.cn
LOGDROPOUT  all  --  anywhere             vls84.dinaserver.com
LOGDROPOUT  all  --  anywhere             218.2.0.133
LOGDROPOUT  all  --  anywhere             149.255.172.10
LOGDROPOUT  all  --  anywhere             175.139.182.66
LOGDROPOUT  all  --  anywhere             122.225.109.216
LOGDROPOUT  all  --  anywhere             115.239.228.9
LOGDROPOUT  all  --  anywhere             188.50.174.61.dial.wz.zj.dynamic.163data.com.cn
LOGDROPOUT  all  --  anywhere             115.239.228.6
LOGDROPOUT  all  --  anywhere             106.49.174.61.dial.wz.zj.dynamic.163data.com.cn
LOGDROPOUT  all  --  anywhere             122.225.109.126
LOGDROPOUT  all  --  anywhere             198.11.235.58-static.reverse.softlayer.com
LOGDROPOUT  all  --  anywhere             c1113026-20616.cloudatcost.com
LOGDROPOUT  all  --  anywhere             188.29.164.68.threembb.co.uk
LOGDROPOUT  all  --  anywhere             115.231.223.170
LOGDROPOUT  all  --  anywhere             188.29.164.12.threembb.co.uk
LOGDROPOUT  all  --  anywhere             host-92-29-74-30.as13285.net
LOGDROPOUT  all  --  anywhere             static-72-94-20-202.phlapa.fios.verizon.net
LOGDROPOUT  all  --  anywhere             188.29.165.91.threembb.co.uk
LOGDROPOUT  all  --  anywhere             188.29.164.127.threembb.co.uk
LOGDROPOUT  all  --  anywhere             188.29.164.202.threembb.co.uk
LOGDROPOUT  all  --  anywhere             188.29.165.62.threembb.co.uk
LOGDROPOUT  all  --  anywhere             host-2-96-208-250.as13285.net
LOGDROPOUT  all  --  anywhere             188.29.164.170.threembb.co.uk
LOGDROPOUT  all  --  anywhere             188.29.165.16.threembb.co.uk
LOGDROPOUT  all  --  anywhere             58.137.224.98
LOGDROPOUT  all  --  anywhere             60-251-70-8.HINET-IP.hinet.net
LOGDROPOUT  all  --  anywhere             41.193.53.71
LOGDROPOUT  all  --  anywhere             59-120-39-44.HINET-IP.hinet.net
LOGDROPOUT  all  --  anywhere             p5099771d.dip0.t-ipconnect.de
LOGDROPOUT  all  --  anywhere             128-67-190-109.dsl.ovh.fr
LOGDROPOUT  all  --  anywhere             188.29.164.216.threembb.co.uk
LOGDROPOUT  all  --  anywhere             41.224.253.236
LOGDROPOUT  all  --  anywhere             LLamentin-656-6-219.w81-248.abo.wanadoo.fr
LOGDROPOUT  all  --  anywhere             188.29.164.110.threembb.co.uk
LOGDROPOUT  all  --  anywhere             188.29.165.232.threembb.co.uk
LOGDROPOUT  all  --  anywhere             host81-134-7-168.in-addr.btopenworld.com
LOGDROPOUT  all  --  anywhere             188.29.164.171.threembb.co.uk
LOGDROPOUT  all  --  anywhere             kr-down.enter-tech.com
LOGDROPOUT  all  --  anywhere             173.208.194.38
LOGDROPOUT  all  --  anywhere             188.29.164.100.threembb.co.uk
LOGDROPOUT  all  --  anywhere             71-94-237-138.dhcp.mdfd.or.charter.com
LOGDROPOUT  all  --  anywhere             188.29.164.64.threembb.co.uk
LOGDROPOUT  all  --  anywhere             hosted-by.seedhost.net
LOGDROPOUT  all  --  anywhere             188.29.164.200.threembb.co.uk
LOGDROPOUT  all  --  anywhere             195.138.249.11
LOGDROPOUT  all  --  anywhere             static-238-180-73-69.nocdirect.com
LOGDROPOUT  all  --  anywhere             s15424873.onlinehome-server.com
LOGDROPOUT  all  --  anywhere             henrymultimedia.com
LOGDROPOUT  all  --  anywhere             na-192-36.static.avantel.net.mx
LOGDROPOUT  all  --  anywhere             177-139-215-107.dsl.telesp.net.br
LOGDROPOUT  all  --  anywhere             1.23.26.27
LOGDROPOUT  all  --  anywhere             207.109.141.56
LOGDROPOUT  all  --  anywhere             37.90.129.177.interhnet.com.br
LOGDROPOUT  all  --  anywhere             190.107.244.151
LOGDROPOUT  all  --  anywhere             home.lppals.com
LOGDROPOUT  all  --  anywhere             213.175.205.68
LOGDROPOUT  all  --  anywhere             77-254-135-91.adsl.inetia.pl
LOGDROPOUT  all  --  anywhere             193.226.245.10.pool.invitel.hu
LOGDROPOUT  all  --  anywhere             p54A96669.dip0.t-ipconnect.de

Chain INVALID (2 references)
target     prot opt source               destination
INVDROP    all  --  anywhere             anywhere             ctstate INVALID
INVDROP    tcp  --  anywhere             anywhere             tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
INVDROP    tcp  --  anywhere             anywhere             tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG
INVDROP    tcp  --  anywhere             anywhere             tcp flags:FIN,SYN/FIN,SYN
INVDROP    tcp  --  anywhere             anywhere             tcp flags:SYN,RST/SYN,RST
INVDROP    tcp  --  anywhere             anywhere             tcp flags:FIN,RST/FIN,RST
INVDROP    tcp  --  anywhere             anywhere             tcp flags:FIN,ACK/FIN
INVDROP    tcp  --  anywhere             anywhere             tcp flags:PSH,ACK/PSH
INVDROP    tcp  --  anywhere             anywhere             tcp flags:ACK,URG/URG
INVDROP    tcp  --  anywhere             anywhere             tcp flags:!FIN,SYN,RST,ACK/SYN ctstate NEW

Chain INVDROP (10 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere

Chain LOCALINPUT (1 references)
target     prot opt source               destination
ALLOWIN    all  --  anywhere             anywhere
DENYIN     all  --  anywhere             anywhere

Chain LOCALOUTPUT (1 references)
target     prot opt source               destination
ALLOWOUT   all  --  anywhere             anywhere
DENYOUT    all  --  anywhere             anywhere

Chain LOGDROPIN (1 references)
target     prot opt source               destination
DROP       tcp  --  anywhere             anywhere             tcp dpt:bootps
DROP       udp  --  anywhere             anywhere             udp dpt:bootps
DROP       tcp  --  anywhere             anywhere             tcp dpt:bootpc
DROP       udp  --  anywhere             anywhere             udp dpt:bootpc
DROP       tcp  --  anywhere             anywhere             tcp dpt:sunrpc
DROP       udp  --  anywhere             anywhere             udp dpt:sunrpc
DROP       tcp  --  anywhere             anywhere             tcp dpt:auth
DROP       udp  --  anywhere             anywhere             udp dpt:auth
DROP       tcp  --  anywhere             anywhere             tcp dpts:epmap:netbios-ssn
DROP       udp  --  anywhere             anywhere             udp dpts:epmap:netbios-ssn
DROP       tcp  --  anywhere             anywhere             tcp dpt:microsoft-ds
DROP       udp  --  anywhere             anywhere             udp dpt:microsoft-ds
DROP       tcp  --  anywhere             anywhere             tcp dpt:isakmp
DROP       udp  --  anywhere             anywhere             udp dpt:isakmp
DROP       tcp  --  anywhere             anywhere             tcp dpt:login
DROP       udp  --  anywhere             anywhere             udp dpt:who
DROP       tcp  --  anywhere             anywhere             tcp dpt:efs
DROP       udp  --  anywhere             anywhere             udp dpt:router
LOG        tcp  --  anywhere             anywhere             limit: avg 30/min burst 5 LOG level warning prefix "Firewall: *TCP_IN Blocked* "
LOG        udp  --  anywhere             anywhere             limit: avg 30/min burst 5 LOG level warning prefix "Firewall: *UDP_IN Blocked* "
LOG        icmp --  anywhere             anywhere             limit: avg 30/min burst 5 LOG level warning prefix "Firewall: *ICMP_IN Blocked* "
DROP       all  --  anywhere             anywhere

Chain LOGDROPOUT (64 references)
target     prot opt source               destination
LOG        tcp  --  anywhere             anywhere             tcp flags:FIN,SYN,RST,ACK/SYN limit: avg 30/min burst 5 LOG level warning uid prefix "Firewall: *TCP_OUT Blocked* "
LOG        udp  --  anywhere             anywhere             limit: avg 30/min burst 5 LOG level warning uid prefix "Firewall: *UDP_OUT Blocked* "
LOG        icmp --  anywhere             anywhere             limit: avg 30/min burst 5 LOG level warning uid prefix "Firewall: *ICMP_OUT Blocked* "
DROP       all  --  anywhere             anywhere


Thanks again for your input Richard, you have helped me understand the functionality of iptables even more :eek:
 
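As an added illustration of the chain walk this thread keeps coming back to (editor-written example, not code from the thread or from CSF): a small Python evaluator that parses a constructed `iptables -vnL --line-numbers` style dump, modelled on the csf -l output at the top of the thread, and reports the verdict a packet would get in INPUT. It walks rules in order, first match wins, follows jumps into user-defined chains such as CSF's DENYIN and LOGDROPIN, treats LOG as non-terminating, lets a user chain that runs out of rules fall back to its caller, and applies the built-in chain's policy (DROP here) when nothing matched. It models protocol, the in-interface column that plain `iptables -L` does not show, a single-address source, destination port and port range, and ctstate; source-port and other match extensions are ignored, and the chain names, addresses, ports and counters in the sample are made up.

```python
# Added example (editor-written, not CSF code): walk an `iptables -vnL
# --line-numbers` dump the way the kernel walks a chain.  First match wins, a
# user chain that runs out of rules returns to its caller, and a built-in
# chain falls back to its policy.  Assumes verbose numeric (-vn) output.
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

@dataclass
class Rule:
    target: str
    proto: str                                  # all / tcp / udp / icmp
    in_iface: str                               # '*', 'lo', '!lo', 'eth0'
    source: str                                 # '0.0.0.0/0' or one address
    dports: Optional[Tuple[int, int]] = None    # (low, high) from dpt:/dpts:
    ctstates: Optional[Set[str]] = None         # from 'ctstate A,B'

@dataclass
class Packet:
    proto: str
    dport: int
    in_iface: str = "eth0"
    source: str = "203.0.113.10"                # constructed TEST-NET-3 address
    ctstate: str = "NEW"

CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\S+))?")
DPORT_RE = re.compile(r"\bdpts?:(\d+)(?::(\d+))?")
CTSTATE_RE = re.compile(r"\bctstate (\S+)")

# Constructed dump modelled on the csf -l output in this thread: chain names
# mirror CSF's, the addresses, ports and counters are made up.
SAMPLE_DUMP = """\
Chain INPUT (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1       90  6120 DENYIN     all  --  !lo    *       0.0.0.0/0            0.0.0.0/0
2       12   960 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
3      500 41000 ACCEPT     all  --  !lo    *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
4       40  2400 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0            ctstate NEW tcp dpt:22
5        5   300 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0            ctstate NEW tcp dpts:30000:35000
6        3   180 ACCEPT     udp  --  !lo    *       0.0.0.0/0            0.0.0.0/0            ctstate NEW udp dpt:53
7       70  4200 LOGDROPIN  all  --  !lo    *       0.0.0.0/0            0.0.0.0/0
Chain DENYIN (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 DROP       all  --  !lo    *       192.0.2.99           0.0.0.0/0
Chain LOGDROPIN (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1       60  3600 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 30/min burst 5 LOG level warning prefix "Firewall: *TCP_IN Blocked* "
2       70  4200 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
"""

def parse_dump(text: str) -> Dict[str, Tuple[Optional[str], List[Rule]]]:
    # chain name -> (policy, rules); policy is None for user-defined chains.
    # Column offsets come from the header row, so --line-numbers is optional.
    chains: Dict[str, Tuple[Optional[str], List[Rule]]] = {}
    rules, tcol = None, 0
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            chains[m.group(1)] = (m.group(2), (rules := []))
            continue
        tok = line.split()
        if not tok or rules is None:
            continue
        if "target" in tok:                     # column header row
            tcol = tok.index("target")
            continue
        extra = " ".join(tok[tcol + 7:])        # match text after destination
        dm, cm = DPORT_RE.search(extra), CTSTATE_RE.search(extra)
        rules.append(Rule(tok[tcol], tok[tcol + 1], tok[tcol + 3], tok[tcol + 5],
                          (int(dm.group(1)), int(dm.group(2) or dm.group(1))) if dm else None,
                          set(cm.group(1).split(",")) if cm else None))
    return chains

def matches(rule: Rule, pkt: Packet) -> bool:
    # '!lo' means every interface except lo; '*' means any interface.
    iface_ok = (rule.in_iface == "*" or
                (pkt.in_iface == rule.in_iface.lstrip("!")) != rule.in_iface.startswith("!"))
    return (rule.proto in ("all", pkt.proto) and iface_ok
            and rule.source in ("0.0.0.0/0", pkt.source)
            and (not rule.dports or rule.dports[0] <= pkt.dport <= rule.dports[1])
            and (not rule.ctstates or pkt.ctstate in rule.ctstates))

def evaluate(chains, name: str, pkt: Packet) -> Optional[str]:
    # None means a user chain ran out of rules: an implicit RETURN to the caller.
    policy, rules = chains[name]
    for rule in rules:
        if not matches(rule, pkt):
            continue
        if rule.target in ("ACCEPT", "DROP", "REJECT"):
            return rule.target
        if rule.target == "LOG":                # non-terminating: keep walking
            continue
        if rule.target in chains:               # jump into a user-defined chain
            if (v := evaluate(chains, rule.target, pkt)) is not None:
                return v
            continue
        return rule.target                      # other extension target: final
    return policy

def verdict(dump: str, pkt: Packet) -> str:
    # Walk INPUT; with policy DROP a port CSF never opened ends up dropped.
    return evaluate(parse_dump(dump), "INPUT", pkt) or "NO-VERDICT"
```

Walking the sample shows the two points argued over above: a new TCP connection to 5901 from eth0 reaches LOGDROPIN and is dropped by the policy path, the same packet arriving on lo is accepted by the "ACCEPT all" rule that `iptables -L` shows without its interface column, and a packet in state ESTABLISHED is accepted by the RELATED,ESTABLISHED rule before any port rule is consulted.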
but from what you are saying I suppose that it's default with IPTables.
Oh I'm sorry, that's indeed correct if that is what you meant. CSF indeed issues the DROP policies. I thought you meant CSF would issue drop iptables lines but that is not the case.

Normally when CSF is flushed and disabled you should only see 3 policies, being input, output and forward, all 3 on ACCEPT. So the disabling of CSF did not go completely correct, since a lot of lines CSF put in there are still present.
However, this is your problem:
Code:
ACCEPT     all  --  anywhere             anywhere
Which allows traffic coming from anywhere to anywhere. It seems at this moment this has priority above the CSF lines.
That's why iptables normally should be disabled when installing CSF.

This is the explanation of the difference you are looking for:
CSF -L -->> displays only the iptables lines CSF provides for iptables.
iptables -L -->> displays all lines which are working for iptables. In a normal situation, these should -not- be different from CSF-L.

I don't know where it is in Centos 7, but in Centos 6 you can have a look here:
/etc/sysconfig/
Check and see if there are iptables things with things enabled which should not be enabled.

A better and easier way to prevent iptables from messing things up is to disable iptables:
Code:
chkconfig --list
Check if iptables and ip6tables is running in there (something is set to "on").
CSF and lfd should be set to "on" of course.
I hope this still works the same in Centos 7 as in Centos 6.

If yes, issue this command:
Code:
chkconfig iptables off

After that issue an iptables stop (in centos 6 this is like):
Code:
service iptables stop
Or reboot your server, iptables should be stopped then automatically.

If you do it without rebooting the server, then remember to do a csf -r as the last thing.

Then you should be fine.
 
Oh I'm sorry, that's indeed correct if that is what you meant. CSF indeed issues the DROP policies. I thought you meant CSF would issue drop iptables lines but that is not the case.

Normally when CSF is flushed and disabled you should only see 3 policies, being input, output and forward, all 3 on ACCEPT. So the disabling of CSF did not go completely correct, since a lot of lines CSF put in there are still present.
However, this is your problem:
Code:
ACCEPT     all  --  anywhere             anywhere
Which allows traffic coming from anywhere to anywhere. It seems at this moment this has priority above the CSF lines.
That's why iptables normally should be disabled when installing CSF.
Are you sure? because like I said before when doing a iptables -vL I see the only thing the ACCEPT ALL is applied to is the lo interface, I don't see it on any other interface.

This is the explanation of the difference you are looking for:
CSF -L -->> displays only the iptables lines CSF provides for iptables.
iptables -L -->> displays all lines which are working for iptables. In a normal situation, these should -not- be different from CSF-L.

I don't know where it is in Centos 7, but in Centos 6 you can have a look here:
/etc/sysconfig/
Check and see if there are iptables things with things enabled which should not be enabled.

A better and easier way to prevent iptables from messing things up is to disable iptables:
Code:
chkconfig --list
Check if iptables and ip6tables is running in there (something is set to "on").
CSF and lfd should be set to "on" of course.
I hope this still works the same in Centos 7 as in Centos 6.

If yes, issue this command:
Code:
chkconfig iptables off

After that issue an iptables stop (in centos 6 this is like):
Code:
service iptables stop
Or reboot your server, iptables should be stopped then automatically.

If you do it without rebooting the server, then remember to do a csf -r as the last thing.

Then you should be fine.

There is no service or chkconfig in CentOS 7 - they have replaced it with SystemD but I think if I disable IPTables then I won't be able to connect to the server anymore. I just tested it and doing a "systemctl stop iptables" prevents me from connecting with the server.

Is there something that I am missing here?

The result I want is this:

Currently I have vncserver listening on port 5901 and I _DO NOT_ have port 5901 added in the CSF config file as an allowed port. However, when doing an nmap on myserver for port 5901 it shows open. I want to know why it's not getting closed by CSF. IPTables IS disabled when doing a

"systemctl status iptables" I get:
Code:
iptables.service - IPv4 firewall with iptables
   Loaded: loaded (/usr/lib/systemd/system/iptables.service; disabled)
   Active: inactive (dead)

The IPtables -L command still works, but I think that's because it's the version of IPTables that CSF uses.

I don't understand why port 5901 is showing as open, and I can connect with a vnc client to my vncserver listening on port 5901.

As stated before, when issuing the command:
Code:
iptables -A INPUT -p tcp --dport 5901 -j DROP
systemctl restart iptables

It shows that port as closed - WHY isn't CSF doing this automatically!?! GRR!

It's my understanding that when you start CSF it wipes all current rules and ignores your standard iptables rules. This is why I am so confused.

Thanks again for your help :)
 
Are you sure? because like I said before when doing a iptables -vL I see the only thing the ACCEPT ALL is applied to is the lo interface, I don't see it on any other interface.
I'm sorry, I've seen too many lines. :) It was indeed in the localinput chain, so no problem there. You're right.

I just tested it and doing a "systemctl stop iptables" prevents me from connecting with the server. Is there something that I am missing here?
Not really. As I explained before, normally if CSF was not running and no iptables lines were made but iptables was running (default installation), there would only be 3 chains (input, forward and output) which would all be on ACCEPT.
At this moment, CSF is running, so if you only stop the iptables service, it stops all at that point, but does not flush anything or reset to default, so all chains stay at DROP and that's the reason you were prevented from connecting to the server. So this is normal behaviour. At least if I'm not mistaken.

There is no service or chkconfig in CentOS 7 - they have replaced it with SystemD
I just checked, they use systemctl for it indeed. So for disabling iptables on startup the command would be:
Code:
systemctl disable iptables

And to check what's on and off you can do:
Code:
systemctl list-unit-files --type=service

The IPtables -L command still works, but I think that's because it's the version of IPTables that CSF uses.
No, iptables itself is just a binary which does not depend on whether the iptables service is running or not. You can always do iptables -L if you want to look if there are any iptables lines active.

It looks indeed as if the iptables service is disabled.
But if you issue this command (after your DROP line):
Code:
systemctl restart iptables
the service is started.

It's my understanding that when you start CSF it wipes all current rules and ignores your standard iptables rules. This is why I am so confused.
Yes it normally should, unless some iptables command is issued after CSF is started some way.
However, I'm confused now too. Because if the iptables service is not running before, as was cleared by your investigation, the port should indeed be blocked.

There are 2 things I'm thinking about right now.
1.) Is the VNC server making a connection itself to something outside the server?
If yes, that could be the reason of the open port, because of the related-established situation.

2.) Is there anything running after CSF, which could influence iptables lines, like a script or maybe something like Webmin?

Just to be sure, if you have it running while nmap gives you the "open" situation, I would like to test from my server if it has the same result.
However I do need the server ip or domain name for it, if you want you can give me the ip in a personal message.
 
I'm sorry, I've seen too many lines. :) It was indeed in the localinput chain, so no problem there. You're right.


Not really. As I explained before, normally if CSF was not running and no iptables lines were made but iptables was running (default installation), there would only be 3 chains (input, forward and output), which would all be on ACCEPT.
At this moment CSF is running, so if you only stop the iptables service, it stops all at that point but does not flush anything or reset to default, so all chains stay at DROP, and that's the reason you were prevented from connecting to the server. So this is normal behaviour, at least if I'm not mistaken.

That makes sense - thanks for clarifying!

When doing the testing the VNC server was just started and nothing had made a connection to it. There is nothing (to my knowledge) that is running after the CSF installation.

What is really weird is that it is not just VNC - I just tested it with SSH. I had the SSH port changed, but just reverted it back to 22 and now it's showing as open. However, port 22 is NOT on the allow list. I too am completely confused now - I will probably have to have someone other than me poke around the server. I don't mind giving you the domain - just send me a message and I will respond; that way I know you are ready. I would like to get this figured out haha - Thanks again Richard!!
 
Looks like Richard and I figured it out.

After further testing today - I have found the root of the problem. Simply doing a "csf -r" or "csf -x and csf -e" does NOT refresh the changes to the csf.conf file. Apparently in CentOS 7 you _MUST_ issue a:

systemctl restart csf

After that I can verify that the ports then close.

Interesting, it would appear this is a bug in CentOS 7.

Thanks Richard for all your help!
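The root cause above was that the loaded iptables ruleset no longer matched csf.conf. As an added example (not from this thread or from CSF itself), the script below compares the TCP_IN list of a csf.conf with the INPUT ACCEPT rules in iptables-save output and reports ports that are still accepted although the config no longer lists them; both inputs are constructed samples, and TCP_IN ranges like 30000:35000 are assumed absent.

```shell
#!/bin/sh
# Added example: detect drift between csf.conf TCP_IN and the rules
# actually loaded in iptables. A port accepted by iptables but missing
# from TCP_IN means the running ruleset is stale (the thread's symptom
# until "systemctl restart csf" was issued). Inputs are constructed.

# Constructed csf.conf fragment: 5901 has already been removed from TCP_IN.
SAMPLE_CSF_CONF='# Allow incoming TCP ports
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995"
# Allow outgoing TCP ports
TCP_OUT = "20,21,22,25,53,80,110,113,443,587,993,995"'

# Constructed iptables-save output: the stale 5901 ACCEPT rule is still loaded.
SAMPLE_IPTABLES_SAVE='*filter
:INPUT DROP [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5901 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT
COMMIT'

# Print the ports listed in TCP_IN, one per line (ranges are not expanded).
csf_tcp_in_ports() {
    printf '%s\n' "$1" \
        | sed -n 's/^TCP_IN *= *"\([^"]*\)".*/\1/p' \
        | tr ',' '\n'
}

# Print the TCP ports that the INPUT chain ACCEPTs, one per line.
iptables_input_accept_ports() {
    printf '%s\n' "$1" \
        | sed -n 's/^-A INPUT .*-p tcp .*--dport \([0-9]*\) -j ACCEPT$/\1/p'
}

# Print ports accepted by iptables but absent from TCP_IN (ruleset drift).
stale_open_ports() {
    allowed=" $(csf_tcp_in_ports "$1" | tr '\n' ' ') "
    for port in $(iptables_input_accept_ports "$2"); do
        case "$allowed" in
            *" $port "*) ;;              # still permitted by csf.conf
            *) printf '%s\n' "$port" ;;  # stale: config no longer allows it
        esac
    done
}

# Real use: stale_open_ports "$(cat /etc/csf/csf.conf)" "$(iptables-save)"
stale_open_ports "$SAMPLE_CSF_CONF" "$SAMPLE_IPTABLES_SAVE"
```

Any port the script prints after a config change means the firewall has not actually reloaded, which is exactly the condition worth alerting on before trusting a csf.conf edit.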
 