csf: how to override TCP_IN?
I'm using csf v14.05 on my Debian-8-based server.

In csf.conf, I have the following:

TCP_IN = "53,80,110,119,143,443,465,587,953,993,995"

I want to selectively override this in csf.deny, only for certain specific host/port combinations, as in the following example:

tcp|in|d=143|s=aaa.bbb.ccc.ddd # actual IP address dummied out

However, requests coming from aaa.bbb.ccc.ddd to port 443 are still being allowed.

I know that csf.allow rules override all other rules, and therefore it appears that TCP_IN within csf.conf also behaves the same way.

Is there any way in csf to allow open access to a given port except for certain, selected IP addresses, like I am trying to do here?
Thank you very much.
This is a source of common confusion ...
TCP_IN allows all the ports listed, regardless of csf.allow (except when the csf.allow rule is a deny rule).
So, if you really wanted to selectively allow access to a port, you would exclude it from TCP_IN of csf.conf ... and then have it in csf.allow
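The arrangement the answer describes, worked out for the port 143 rule from the question as an added example (not from the original thread): the port leaves TCP_IN so it is closed by default, and csf.allow re-opens it only for named sources. The addresses are constructed placeholders.

```text
# csf.conf (added example): 143 removed from the page's TCP_IN list, so the
# port is no longer opened to every source by the global rule
TCP_IN = "53,80,110,119,443,465,587,953,993,995"

# csf.allow (added example): re-open 143 only for the hosts that should reach
# it, using the same tcp|in|d=port|s=source syntax as the csf.deny line above.
# 192.0.2.10 and 192.0.2.11 are constructed placeholder addresses.
tcp|in|d=143|s=192.0.2.10 # permitted mail client
tcp|in|d=143|s=192.0.2.11 # permitted mail client
```

Any source not listed in csf.allow is now refused on 143 by the default policy, so no csf.deny entry is needed for the host that was being let through.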