What is the best free Firewall for Centos 9

I have used an upgrade from the normal Centos 8 (not stream) to Almalinux 8 which worked.
However, if your provider doesn't support Alma at all, I wouldn't take the risk if you want to stay with your provider.

Because when something goes wrong for whatever reason, you can't install Alma again from the provider.
 
I have upgraded Centos Stream 8 to Almalinux 8.9 successfully using this guide:


and then managed to install CSF firewall successfully using this guide:


However, allowed IP ranges don't work, just as when using Centos Stream 9:

/etc/csf/csf.allow

Very strange!

Any advice would be very appreciated.

Thanks
 
Strange indeed.

What if you try a few IP addresses first instead of netblocks.
Start with your own IP address.

Other ideas:
Does your server also have IPv6? If yes, did you limit SSH connections in the sshd_config to IPv4? Shouldn't make any difference, but one never knows.

If you want, you can give me an example by pm of the real /24 blocks you put in there and the ip of your server, then I'm prepared to test if I can connect to SSH and I can give you my ip address which I'm trying to connect with, so you can check your logs too.
 
Very strange because I have installed & configured CSF on Centos 7 for over the last 3 years; and it worked very well. But it does not work on Centos Stream 9 and even Almalinux 8 I did earlier.
 
Yes, but I have no clue as to what's going on. Maybe there was a slight bug or something else in 7.
I used it to block SSH to certain IPs the same way, on Centos 7, Centos 8 (not stream), Almalinux 8 and now also Almalinux 9, even on both Directadmin and cPanel servers.

And it's all working fine. Which is why I offered to pm me so we can do some tests.
 
Thanks. What tests you want me to conduct on my server?

I have posted that issue on https://forum.configserver.com/viewtopic.php?t=13122 without responses. There was no surprise as someone posted similar issue to mine at the beginning of April 2024 without responses too. So I am not alone to have such an issue with CSF.

Cheers
 
Try executing the test script to see what's missing on your server.
Code:
perl /usr/local/csf/bin/csftest.pl
 
All is fine.

perl /usr/local/csf/bin/csftest.pl
Testing ip_tables/iptable_filter...OK
Testing ipt_LOG...OK
Testing ipt_multiport/xt_multiport...OK
Testing ipt_REJECT...OK
Testing ipt_state/xt_state...OK
Testing ipt_limit/xt_limit...OK
Testing ipt_recent...OK
Testing xt_connlimit...OK
Testing ipt_owner/xt_owner...OK
Testing iptable_nat/ipt_REDIRECT...OK
Testing iptable_nat/ipt_DNAT...OK

RESULT: csf should function on this server
 
Could you test a little bit.

telnet from a server in one of the allowed IP ranges to your DA server.
Code:
telnet da.ip.server 8080
Result: should be able to connect.

And use another IP that's not in an allowed range.
Code:
telnet da.ip.server 8080
Result: shouldn't connect.

If you're not using nginx_apache, then use another port that's usually not allowed to connect from outside.
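A scripted version of the telnet check above, added here as an example and not taken from the thread or from CSF: it connects to host:port with a timeout and classifies the result. The classification is the part worth keeping when testing a firewall: a rule that DROPs shows up as a timeout, while "refused" means the packet reached the host and either nothing listens there or the rule uses REJECT. The host, port and the throwaway loopback listener in `demo_local()` are assumptions for an offline run; the real check is run from a machine inside an allowed range and from one outside it.

```python
"""Classify a TCP connect attempt: open / refused / timeout / unreachable.

Added example for this thread, not CSF's or DirectAdmin's own code.
"""
import socket
import threading


def check_tcp(host: str, port: int, timeout: float = 3.0) -> str:
    """Return 'open', 'refused', 'timeout' or 'unreachable' for host:port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except socket.timeout:
        return "timeout"        # typical for a firewall DROP (no reply at all)
    except ConnectionRefusedError:
        return "refused"        # reached the host: closed port or a REJECT rule
    except OSError:
        return "unreachable"    # no route, name resolution failure, etc.


def demo_local() -> dict:
    """Self-contained demonstration (constructed): a throwaway listener on
    127.0.0.1 stands in for the DirectAdmin port, then is closed again to
    show the 'refused' outcome. A remote DROP cannot be reproduced offline."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))           # port 0: let the kernel pick a free port
    srv.listen(1)
    port = srv.getsockname()[1]
    acceptor = threading.Thread(target=lambda: srv.accept()[0].close(), daemon=True)
    acceptor.start()
    results = {"listening": check_tcp("127.0.0.1", port)}
    acceptor.join(timeout=5)
    srv.close()
    results["closed"] = check_tcp("127.0.0.1", port)
    return results


if __name__ == "__main__":
    import sys
    target_host, target_port = sys.argv[1], int(sys.argv[2])
    print(f"{target_host}:{target_port} -> {check_tcp(target_host, target_port)}")
```

Run it as `python3 check_tcp.py da.ip.server 8080` once from an allowed source and once from a non-allowed one; the two runs should report `open` and `timeout` respectively (or `refused` if the deny rule rejects instead of drops). Running it on the DA server itself says nothing about inbound filtering, since loopback traffic is not subject to the same rules.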
 
I have used this 11-year-old guide, and it works well. For Centos 7, I just input IP ranges in this file /etc/csf/csf.allow, and the rest of the IPs cannot access SSH.

For Centos Stream 9, the above won't work. All denied IPs need to be entered in /etc/csf/csf.deny

Here is the guide:




Many thanks for this great community
 
Here is what I did:

a)
$ vi /etc/csf/csf.allow

tcp|in|d=1154|s=x.x.220.0/24
tcp|in|d=1154|s=x.x.222.0/24
tcp|in|d=1154|s=x.x.225.0/24

The above will allow the 3 IP ranges to access SSH on port 1154

b)
$ vi /etc/csf/csf.deny

tcp|in|d=1154|s=0.0.0.0/0


The above will deny all IPs except those IPs in allow list to access SSH on port 1154

c)

$ csf -r
$ systemctl start csf && systemctl start lfd
$ systemctl enable csf && systemctl enable lfd
$ reboot

Hoping this will be helpful to anyone who has similar issue.

Thanks
 
Thanks. What tests you want me to conduct on my server?
I just wanted to try to login to your SSH and see what I get.

$ vi /etc/csf/csf.deny

tcp|in|d=1154|s=0.0.0.0/0
This is not required. If you have the /24 IPs in the csf.allow then don't put this in the csf.deny. Just do not open port 1154 in your firewall as I stated earlier and then you should be fine.

So I would suggest to remove this line from here. Then in csf.conf do -not- open 1154 and only have the allow lines in csf.allow.
Restart csf and lfd.

Then test to login from an ip which is without these 3 ranges and it should in fact work.
 
"This is not required. If you have the /24 ip's in the csf.allow then don't put this in the csf.deny. Just do not open port 1154 in your firewall as I stated earlier and then you should be fine." - That is an alternative way!
 
That is an alternative way!
No that is the default way.
If you don't want anybody accessing a port, then do not open it in the firewall. That is just plain default firewall usage.

With the csf.allow you would allow the allowed IPs anyway, so you don't need the port to be opened.

I do agree that it should also work the way you have it. But then my question to you is, do we want to have a discussion about what is default or alternative in ones view? Or do we want to investigate as to what works and what not, to be able to get to the root cause of things not working for you at the moment, by trying other things?
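The two layouts discussed in this thread (allow lines only with the port left out of TCP_IN, versus allow lines plus a `tcp|in|d=1154|s=0.0.0.0/0` line in csf.deny) can be checked offline before touching the server. The script below is an added example, not CSF's own code: it parses the `proto|in|d=port|s=cidr` advanced syntax and plain IP/CIDR lines from csf.allow and csf.deny, pulls the `TCP_IN` list out of csf.conf, and answers whether a given source address reaching a given TCP port is allowed. It models the order CSF documents (csf.allow entries override csf.deny, and a port that is neither allowed for that source nor listed in TCP_IN is blocked); it does not explain why the poster's allow-only setup failed on Centos Stream 9. The 203.0.113.0/24, 198.51.100.0/24 and 192.0.2.10 addresses are constructed documentation ranges standing in for the real x.x.220.0/24 blocks.

```python
"""Offline simulator for csf.allow / csf.deny rules and the TCP_IN list.

Added example for this thread, not CSF's own code. Assumptions: csf.allow is
evaluated before csf.deny, csf.deny before the TCP_IN openings; all sample
addresses are constructed documentation ranges.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

IPNet = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
PortRange = Tuple[int, int]


@dataclass(frozen=True)
class Rule:
    net: IPNet
    proto: Optional[str] = None       # "tcp"/"udp"; None for a plain IP/CIDR line
    direction: Optional[str] = None   # "in"/"out"
    ports: Optional[PortRange] = None  # port or a:b range from the advanced syntax
    port_side: Optional[str] = None   # "d" = destination port, "s" = source port


def parse_port_spec(spec: str) -> PortRange:
    """'1154' -> (1154, 1154); '30000:35000' -> (30000, 35000)."""
    lo, _, hi = spec.strip().partition(":")
    return int(lo), int(hi or lo)


def parse_rule(line: str) -> Optional[Rule]:
    """Parse one csf.allow / csf.deny line; None for blank lines and comments."""
    body = line.split("#", 1)[0].strip()
    if not body:
        return None
    if "|" not in body:                       # plain "1.2.3.4" or "1.2.3.0/24"
        return Rule(net=ipaddress.ip_network(body, strict=False))
    fields = body.split("|")
    if len(fields) < 4:
        raise ValueError(f"malformed advanced rule: {line!r}")
    port_side, _, port_spec = fields[2].partition("=")   # e.g. d=1154
    _ip_side, _, ip_spec = fields[3].partition("=")      # e.g. s=203.0.113.0/24
    return Rule(net=ipaddress.ip_network(ip_spec, strict=False),
                proto=fields[0].lower(), direction=fields[1].lower(),
                ports=parse_port_spec(port_spec), port_side=port_side.lower())


def load_rules(text: str) -> List[Rule]:
    return [r for r in map(parse_rule, text.splitlines()) if r is not None]


def parse_tcp_in(conf_text: str) -> List[PortRange]:
    """Extract the TCP_IN = "..." list (ports and a:b ranges) from csf.conf text."""
    m = re.search(r'^\s*TCP_IN\s*=\s*"([^"]*)"', conf_text, re.M)
    if not m:
        return []
    return [parse_port_spec(p) for p in m.group(1).split(",") if p.strip()]


def port_in(port: int, ranges: List[PortRange]) -> bool:
    return any(lo <= port <= hi for lo, hi in ranges)


def rule_matches(rule: Rule, src: str, dport: int) -> bool:
    """Does this rule apply to an inbound TCP packet from src to dport?"""
    if rule.proto not in (None, "tcp") or rule.direction not in (None, "in"):
        return False
    if rule.ports is not None and not (rule.port_side == "d" and port_in(dport, [rule.ports])):
        return False
    return ipaddress.ip_address(src) in rule.net


def inbound_tcp_allowed(src: str, dport: int, allow: List[Rule], deny: List[Rule],
                        tcp_in: List[PortRange]) -> bool:
    """csf.allow wins, then csf.deny, then the general TCP_IN opening (assumed order)."""
    if any(rule_matches(r, src, dport) for r in allow):
        return True
    if any(rule_matches(r, src, dport) for r in deny):
        return False
    return port_in(dport, tcp_in)


# Constructed sample files; documentation ranges replace the poster's x.x.220.0/24 blocks.
ALLOW_TXT = """\
tcp|in|d=1154|s=203.0.113.0/24
tcp|in|d=1154|s=198.51.100.0/24
192.0.2.10   # plain entry: this single host may reach every port
"""
DENY_ALL_1154 = "tcp|in|d=1154|s=0.0.0.0/0\n"
CONF_PORT_CLOSED = 'TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995"\n'
CONF_PORT_OPEN = 'TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995,1154"\n'


def demo() -> dict:
    allow, deny = load_rules(ALLOW_TXT), load_rules(DENY_ALL_1154)
    closed, opened = parse_tcp_in(CONF_PORT_CLOSED), parse_tcp_in(CONF_PORT_OPEN)
    return {
        # layout A: allow lines only, 1154 left out of TCP_IN
        "A_allowed_net_reaches_1154": inbound_tcp_allowed("203.0.113.7", 1154, allow, [], closed),
        "A_outsider_blocked_on_1154": not inbound_tcp_allowed("198.18.0.9", 1154, allow, [], closed),
        "A_outsider_still_gets_http": inbound_tcp_allowed("198.18.0.9", 80, allow, [], closed),
        "A_plain_entry_any_port": inbound_tcp_allowed("192.0.2.10", 1154, allow, [], closed),
        # layout B: same allow lines plus the deny-all line; same outcome
        "B_outsider_blocked_on_1154": not inbound_tcp_allowed("198.18.0.9", 1154, allow, deny, closed),
        "B_allow_overrides_deny": inbound_tcp_allowed("203.0.113.7", 1154, allow, deny, closed),
        # the leak both posters want to avoid: 1154 listed in TCP_IN with no deny line
        "leak_port_in_tcp_in": inbound_tcp_allowed("198.18.0.9", 1154, allow, [], opened),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{'ok ' if ok else 'BAD'} {name}")
```

Point the loaders at the real files (`open("/etc/csf/csf.allow").read()` and so on) to check a server's own configuration. The simulator only reproduces the documented precedence; when the live behaviour differs, as in this thread, compare with what is actually loaded (`csf -l` lists the iptables rules CSF generated, and on EL9 `iptables -V` reports the nf_tables backend) rather than trusting the files.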
 
thanks.

What if I don't need to restrict SSH on that port to some IPs, and just want all IPs to access it on that port; is it unavoidable to open that port in the CSF config file?
 
and just want all IPs to access it on that port;
Then opening the port in the CSF config would be the easiest and most logical option, yes. Just like with the mail, web and ftp ports.
But you wanted to open it only for certain IPs. I was trying to help you find the cause why it's not working in your Almalinux and Centos 9.

But if you would rather keep discussing, instead of testing things and looking at what happens, then it ends here for me as I don't feel like discussing this, nor do I have time for it.
 
Your solution may be the best. I have had troubles with my Internet network; my server is in Europe, and I am based in Asia. There are well-known broken submarine cables in Asia and Africa; that was what my server provider told me. My download and upload speed from/to my server was like 20k to 80k; I could not do any work since I last chatted here. I decided to change to a new ISP today; it is OK. Now I have troubles with the new installation, which I posted in another thread. Many thanks for your help.
 