What is the best free Firewall for Centos 9

Johnws2022

Dear Sir,

For Centos 7, I use CSF Firewall; it works very well as I can restrict access to certain IP ranges to prevent hacking.

However, for Centos 9, that restriction does not work at all.

What is the best FREE Firewall used for Centos 9 that can restrict IP ranges to access server via SSH?

I would very much appreciate any help.

Regards
 
However, for Centos 9, that restriction does not work at all.
Why not? There is no difference, it's the same firewall. Centos 9 doesn't do anything different.
CSF is working separately from the OS because it's a standalone application.

CSF/LFD is still the best free firewall used that can restrict IP ranges to access the server via SSH.
Maybe you have some difference in config between your Centos 7 and Centos 9? Are you using Centos 9 stream then? Not Almalinux 9?
 
Thank you for your quick help. CSF does not work on Centos Stream 9 for some reason when setting some IP ranges to be allowed. I think I'll try the default FirewallD, and would post the updates shortly.
 
Yes. I did that many times on Centos 7. But they don't work on Centos Stream 9 for some reason on my VPS server. I am still trying FirewallD, but my server has been down now, hm!

I have to wait when it is up.
 
Hmmz... It might be caused by some firewall already present and working in Centos 9. Because there is no difference.
You have to fully disable firewalld first. Then check with iptables -L if all 3 groups are set to allowed.
Only then start CSF.

Also check if iptables is really installed as it maybe only nftables is installed.

If it does not work, you could try the apf/bfd firewall. Not sure if that can limit IPs to SSH but I thought it could.
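The three pre-CSF checks suggested above (is iptables really installed and which backend is it, are the built-in chain policies all ACCEPT, is firewalld still running) can be scripted. The following is an added example written for this thread, not code from CSF, from DirectAdmin or from any poster; the function names and the sample `iptables -S` output are constructed, and the live part only runs when `iptables` is actually present on the host.

```shell
#!/bin/sh
# Added example (not from the thread): script the pre-CSF checks.
# Reports which iptables backend is installed (nf_tables vs legacy),
# whether INPUT, FORWARD and OUTPUT all have default policy ACCEPT
# (the clean state CSF expects before loading its own rules), and
# whether firewalld is still active. Function names are this example's own.

# iptables_backend: classify the output of `iptables -V`.
# RHEL 9 prints "iptables v1.8.x (nf_tables)"; older systems say "(legacy)".
iptables_backend() {
    case "$1" in
        *"(nf_tables)"*) echo nf_tables ;;
        *"(legacy)"*)    echo legacy ;;
        *)               echo unknown ;;
    esac
}

# policies_all_accept: read `iptables -S` output on stdin; exit 0 only when
# INPUT, FORWARD and OUTPUT are all present with policy ACCEPT.
# A missing chain, a DROP/REJECT policy, or empty input all fail.
policies_all_accept() {
    seen=0
    while read -r verb chain policy rest; do
        [ "$verb" = "-P" ] || continue
        case "$chain" in
            INPUT|FORWARD|OUTPUT)
                [ "$policy" = "ACCEPT" ] || return 1
                seen=$((seen + 1))
                ;;
        esac
    done
    [ "$seen" -eq 3 ]
}

# Constructed samples: a clean host, and one where a leftover firewalld
# or earlier CSF run left INPUT at DROP.
SAMPLE_CLEAN='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT'
SAMPLE_DIRTY='-P INPUT DROP
-P FORWARD ACCEPT
-P OUTPUT ACCEPT'

# Live checks, only attempted when the tools exist on this host.
if command -v systemctl >/dev/null 2>&1 && systemctl is-active --quiet firewalld 2>/dev/null; then
    echo "firewalld is active: stop and mask it before starting csf"
fi
if command -v iptables >/dev/null 2>&1; then
    echo "iptables backend: $(iptables_backend "$(iptables -V 2>/dev/null)")"
    if iptables -S 2>/dev/null | policies_all_accept; then
        echo "filter chains: all three at ACCEPT, safe to start csf"
    else
        echo "filter chains: not clean (or iptables not runnable as this user)"
    fi
else
    echo "iptables not found: install the iptables-nft package first"
fi
```

Run it as root on the affected box before `csf -r`; a DROP policy or an active firewalld reported here is exactly the "other firewall already present" situation described later in this thread.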
 
Lots of changes, awful for DA. With the latest version of DA that I installed today, I cannot get access to phpMyAdmin with DA's credentials even though I am following this guide:


Can you please advise how to fix that.

Many thanks in advance.
 
That is very odd. In Almalinux 9 it's just working fine.
If you put an IP in the csf.allow file and restart csf and lfd, and it does not work or you can't reach SSH for example, then there should be something to be found in the logs about the connections being made.

As said you can also use APF/BFD but I doubt that this will work if CSF does not, as it's all only a kind of shell for configuring iptables. The only difference is that the RHEL9 versions are using nftables. But that is all working together, when I check with locate:
/etc/alternatives/iptables
/etc/alternatives/iptables-restore
/etc/alternatives/iptables-save
/usr/sbin/iptables
/usr/sbin/iptables-nft
/usr/sbin/iptables-nft-restore
/usr/sbin/iptables-nft-save
/usr/sbin/iptables-restore
/usr/sbin/iptables-restore-translate
/usr/sbin/iptables-save
/usr/sbin/iptables-translate

Maybe you can check if those are present in your case too.
 
Thanks.

Here is the content of /etc/csf/csf.allow:

###############################################################################
# Copyright 2006-2018, Way to the Web Limited
# URL: http://www.configserver.com
# Email: [email protected]
###############################################################################
# The following IP addresses will be allowed through iptables.
# One IP address per line.
# CIDR addressing allowed with a quaded IP (e.g. 192.168.254.0/24).
# Only list IP addresses, not domain names (they will be ignored)
#
# Advanced port+ip filtering allowed with the following format
# tcp/udp|in/out|s/d=port|s/d=ip
# See readme.txt for more information
#
# Note: IP addressess listed in this file will NOT be ignored by lfd, so they
# can still be blocked. If you do not want lfd to block an IP address you must
# add it to csf.ignore
tcp|out|u=0 # Added by DirectAdmin - Thu Apr 18 19:42:01 2024
udp|out|u=0 # Added by DirectAdmin - Thu Apr 18 19:42:01 2024
x.x.x.x # csf SSH installation/upgrade IP address - Fri Apr 19 05:55:07 20

x.x.x.0/24
x.x.x.0/24
x.x.x.0/24


Normally only the above IP ranges are allowed to access SSH, and the rest cannot. However, any IP can access SSH at present.

Any troubleshooting is very appreciated.

Thanks
 
If there is another firewall running on the same server, CSF firewall will not work.
 
If there is another firewall running on the same server, CSF firewall will not work.
No there are not.

# sudo systemctl status firewalld
○ firewalld.service
Loaded: masked (Reason: Unit firewalld.service is masked.)
Active: inactive (dead)
 
/24 subnets are a lot of IP addresses.

And you removed port 22 from all the csf.conf lines? So ipv4 tcp in and ipv6 tcp in too?

Did you check with iptables -L if it's running correctly?
All is OK, but CSF seems not working on Centos Stream 9 on my machine.

I have tried FirewallD:


It has logged me out of SSH, and I cannot fix it. So I needed to reinstall my VPS server a couple of times.

Anyone know how to set some ranges of IPs using FirewallD to be allowed to access SSH and filter out the rest like CSF does?

Thanks
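For the FirewallD question just asked, the following is an added example (not code from the thread, from CSF, from DirectAdmin or from the firewalld project) of the rich-rule approach: take the blanket `ssh` service out of the zone and add one "accept" rule per trusted source range, which is the firewalld counterpart of "ranges in csf.allow, port 22 removed from TCP_IN". The IP ranges are constructed placeholders, the function names are this example's own, and the apply step is deliberately a runtime trial that reverts itself, so the lock-out that happened above cannot become permanent.

```shell
#!/bin/sh
# Added example (not from the thread): SSH reachable only from listed
# source ranges, using firewalld rich rules. Ranges below are constructed
# documentation prefixes; replace them with your own.
ALLOWED_RANGES="192.0.2.0/24 198.51.100.0/24 2001:db8::/32"
ZONE=public
TRIAL_SECONDS=300

# ssh_allowlist_cmds RANGES ZONE [FLAGS]
# Print (do not run) the firewall-cmd calls that remove the zone-wide ssh
# service and add one accept rich rule per source range.
# FLAGS is "" for the runtime config or "--permanent" for the saved config.
# Printing first lets you review the rules and lets the test run offline.
ssh_allowlist_cmds() {
    ranges=$1; zone=$2; flags=${3:+$3 }
    printf 'firewall-cmd %s--zone=%s --remove-service=ssh\n' "$flags" "$zone"
    for cidr in $ranges; do
        case "$cidr" in
            *:*) family=ipv6 ;;
            *)   family=ipv4 ;;
        esac
        rule="rule family=\"$family\" source address=\"$cidr\" service name=\"ssh\" accept"
        printf "firewall-cmd %s--zone=%s --add-rich-rule='%s'\n" "$flags" "$zone" "$rule"
    done
}

# apply_with_safety_net RANGES ZONE SECONDS
# Apply the runtime (non-permanent) rules and arm a background reload.
# `firewall-cmd --reload` discards runtime changes, so if the new rules cut
# off your own session the box heals itself after SECONDS. Once SSH is
# confirmed working from an allowed range, kill the timer, rerun
# ssh_allowlist_cmds with --permanent, then reload.
apply_with_safety_net() {
    ssh_allowlist_cmds "$1" "$2" "" | sh
    ( sleep "$3"; firewall-cmd --reload ) &
    echo "$!" > /run/firewalld-trial.pid
    echo "trial rules active for $3 s; cancel with: kill \$(cat /run/firewalld-trial.pid)"
}

echo "# runtime trial (reverted by firewall-cmd --reload):"
ssh_allowlist_cmds "$ALLOWED_RANGES" "$ZONE" ""
echo "# permanent, followed by firewall-cmd --reload:"
ssh_allowlist_cmds "$ALLOWED_RANGES" "$ZONE" --permanent
# On the real host, from a session inside an allowed range, uncomment:
# apply_with_safety_net "$ALLOWED_RANGES" "$ZONE" "$TRIAL_SECONDS"
```

Two checks before relying on this: `firewall-cmd --get-active-zones` shows whether the SSH interface is really in the zone you edited, and `firewall-cmd --zone=public --list-all` shows whether port 22 was also opened with `--add-port=22/tcp`, which a `--remove-service=ssh` does not undo.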
 
but CSF seems not working on Centos Stream 9 on my machine.
CSF is merely a system which configures iptables for you. So if it doesn't work, then iptables must be having an issue for some reason.
With the link from firewalld it should work too, so very odd that it blocked you out.

So I need to reinstall my vps server a couple of time.
Doesn't your VPS provider have a KVM or other way to set your VPS in safe mode if you lose the root pass?

If you want things to work correctly, why are you still using Centos 9 Stream? Why not go stable with Almalinux 9 if you need to reinstall anyway?
Almalinux 9 is RHEL9 1:1 compatible too, even better than Centos 9 Stream. And with Almalinux 9 I'm sure that CSF/LFD works because I'm running Alma 9 too.
 
Almalinux 9 is not available on my server provider.
 
Almalinux 9 is not available on my server provider.
Very odd as this is very popular and even supported by Cloudlinux which is used amongst many hosters.
I presume they don't provide Rocky Linux 9 either then. Maybe it's an idea to consider changing provider.

Or try to use APF/BFD firewall which is also free and often used instead of CSF/LFD.
 
I have tried to find how to upgrade from Centos Stream 9 to Almalinux 9, but could not find one.

There is a guide of upgrading stream 8 to Almalinux 8, but stream 8 is end of life soon.



Thanks
 