Firewall / CSF: don't be so harsh on a certain port.

janton (Verified User, joined Sep 17, 2009, 145 messages)
Hello All,

I'll get right to the point:
I'm reselling Usenet, but sometimes the users have their server address wrong in their Usenet software. I don't own any Usenet farms; I just forward the users with a CNAME in my DNS, news.domain.com for example.

But if a user has the wrong address, my server automatically blocks the user because my firewall thinks this user/IP is trying to port scan my server.
I can add port 119 to the allowed incoming TCP ports, but I don't want to allow this; I just want to avoid them getting blocked, because if I open that port, wouldn't that maybe mean a security issue?

What can I do about this? Or more or less, how?
I work with ConfigServer Security & Firewall.
 
Should I add port 119 to DROP_NOLOG? Will that cause the firewall not to block that IP?
Or should I add it to PS_PORTS...

Perhaps it's better if I ask these questions on configserver.com :)
I will do this now.. sorry I started this thread here!!
 
Sorry for my late response! I was really busy these days. OK, below is an example:

I replaced some parts with xx.

Nov 12 09:43:37 vps1 kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=x0:x6:xe:x7:x0:xe:00:1x:ed:b1:14:00:08:00 SRC=xx.xxx.xx.xx DST=xx.xx.xx.xx LEN=48 TOS=0x00 PREC=0x00 TTL=119 ID=17745 DF PROTO=TCP SPT=3359 DPT=119 WINDOW=65535 RES=0x00 SYN URGP=0
I see DPT=119 and TTL=119; I guess DPT is the port it knocks on?
 
DROP_NOLOG = Drop the connection and do not log it.
PS_PORTS = Port scanner ports. The ports which are scanned for connections.

You really need to add it as an open port in TCP_IN.

I don't know how you can have connections otherwise.

Your other option would be to leave it blocked and then whitelist the IPs you want to still be able to connect.

Put the following in /etc/csf/csf.allow

Code:
tcp|in|d=119|s=1.2.3.4

Replace 1.2.3.4 with the actual IP you want to whitelist.
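Before whitelisting anything it is worth checking what the blocked sources were actually doing, because the same "Firewall: *TCP_IN Blocked*" line is logged for a misconfigured newsreader retrying port 119 and for a real port scan. The script below is an added example, not code from this thread or from ConfigServer: it parses log lines in the format quoted above, groups them by SRC, counts how many blocked packets each source produced inside a time window, and lists the destination ports it touched. A source that only ever hits port 119 is a client with the wrong server address and a candidate for a csf.allow entry in the exact syntax given in the answer; a source touching many ports is a scanner. The window and limit (PS_INTERVAL = 300 s, PS_LIMIT = 10) are assumptions that mirror the csf.conf option names; the "would_block" test is only an approximation of CSF's port-scan tracking, so check your own csf.conf. The sample log is constructed with RFC 5737 documentation addresses and is not real traffic.

```python
"""Triage CSF 'TCP_IN Blocked' kernel log lines: misconfigured client vs port scanner."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Pattern for the iptables log lines CSF writes (the "Firewall: *TCP_IN Blocked*" form quoted in the thread).
BLOCK_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: Firewall: \*(?P<chain>\w+) Blocked\* "
    r".*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\w+)"
    r"(?: SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+))?"
)

# Assumed thresholds, named after the csf.conf options PS_INTERVAL / PS_LIMIT. These are not read
# from a real csf.conf; adjust them to match your own configuration.
PS_INTERVAL = 300
PS_LIMIT = 10


def parse_block(line):
    """Return a dict with timestamp, chain, src, dst, proto, dpt for a CSF block line, else None."""
    m = BLOCK_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    # syslog timestamps carry no year; strptime fills in 1900, which is fine for computing deltas
    d["ts"] = datetime.strptime(" ".join(d["ts"].split()), "%b %d %H:%M:%S")
    d["dpt"] = int(d["dpt"]) if d["dpt"] else None
    return d


def max_hits_in_window(times, interval):
    """Largest number of timestamps falling inside any window of `interval` seconds."""
    times = sorted(times)
    best = j = 0
    for i in range(len(times)):
        while j < len(times) and (times[j] - times[i]).total_seconds() <= interval:
            j += 1
        best = max(best, j - i)
    return best


def triage(lines, interval=PS_INTERVAL, limit=PS_LIMIT):
    """Group block lines by source and report how each source would be treated.

    `would_block` approximates port-scan tracking: more than `limit` blocked TCP packets from one
    source within `interval` seconds. `ports` shows whether the source probed one port or many.
    """
    per_src = defaultdict(list)
    for line in lines:
        rec = parse_block(line)
        if rec and rec["proto"] == "TCP":
            per_src[rec["src"]].append(rec)
    report = {}
    for src, recs in per_src.items():
        ports = sorted({r["dpt"] for r in recs})
        burst = max_hits_in_window([r["ts"] for r in recs], interval)
        report[src] = {
            "hits": len(recs),
            "max_in_window": burst,
            "ports": ports,
            "would_block": burst > limit,
            # a client that only ever knocks on one service port is a misconfigured client, not a scanner
            "looks_like_scan": len(ports) > 1,
        }
    return report


def allow_entry(ip, port=119):
    """csf.allow line permitting one source to reach one TCP port (same syntax as the answer above)."""
    return f"tcp|in|d={port}|s={ip}"


# --- constructed sample log, not real traffic -----------------------------------------------
def _line(ts, src, spt, dpt):
    return (f"{ts:%b %d %H:%M:%S} vps1 kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= "
            f"MAC=00:16:3e:00:00:01:00:1c:ed:b1:14:00:08:00 SRC={src} DST=192.0.2.10 LEN=48 TOS=0x00 "
            f"PREC=0x00 TTL=119 ID=17745 DF PROTO=TCP SPT={spt} DPT={dpt} WINDOW=65535 RES=0x00 SYN URGP=0")


T0 = datetime(2009, 11, 12, 9, 43, 37)
SAMPLE_LOG = (
    # newsreader with the wrong hostname retrying NNTP every 15 s: one port, many hits
    [_line(T0 + timedelta(seconds=15 * k), "198.51.100.20", 3359 + k, 119) for k in range(12)]
    # scanner sweeping eleven ports in half a minute
    + [_line(T0 + timedelta(seconds=3 * k), "203.0.113.7", 40000 + k, p)
       for k, p in enumerate([21, 22, 23, 25, 80, 110, 119, 143, 443, 3306, 8080])]
    # a single stray connection
    + [_line(T0 + timedelta(minutes=20), "192.0.2.9", 5555, 119)]
)

if __name__ == "__main__":
    for src, info in triage(SAMPLE_LOG).items():
        verdict = "port scan" if info["looks_like_scan"] else "single-port client"
        print(f"{src:15} hits={info['hits']:2} burst={info['max_in_window']:2} "
              f"ports={info['ports']} block={info['would_block']} -> {verdict}")
        if info["would_block"] and not info["looks_like_scan"]:
            print("   candidate csf.allow entry:", allow_entry(src, info["ports"][0]))
```

Run it against your own /var/log/messages (or wherever your kernel log lands) by feeding the lines to `triage()`. Note that `allow_entry()` opens port 119 for that one source only; it does nothing to help the next misconfigured client, which is why the answer's first suggestion (TCP_IN) is the only one that avoids per-customer whitelisting.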
 
No, I guess you understood it wrong:
"I don't know how you can have connections otherwise."
In my post above I wrote that this only happens when a user has the wrong server address. Normally, when the user accesses news.domain.com, it's redirected with a CNAME and port 119 is no problem (the user is not blocked).

But when a user fills in the wrong server address, newss.domain.com, it's knocking on my machine (I think).
 