Installing ConfigServer Firewall (csf)
======================================

## Notes

* Commands preceded with "#" imply that you should be working as root.
* Commands with more specific command lines (e.g. "rtrX>" or "mysql>") imply that you are executing commands on remote equipment, or within another program.
* Any line starting with "-" contains an explanation or directive.

-Install perl modules (prerequisites for csf)

    # apt-get install liblist-compare-perl
    Reading package lists... Done
    Building dependency tree
    Reading state information... Done
    The following packages were automatically installed and are no longer required:
      linux-headers-3.19.0-25 linux-headers-3.19.0-25-generic
      linux-image-3.19.0-25-generic linux-image-extra-3.19.0-25-generic
    Use 'apt-get autoremove' to remove them.
    The following NEW packages will be installed:
      liblist-compare-perl
    0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
    Need to get 72.1 kB of archives.
    After this operation, 303 kB of additional disk space will be used.
    Get:1 http://ke.archive.ubuntu.com/ubuntu/ trusty/universe liblist-compare-perl all 0.37-2 [72.1 kB]
    Fetched 72.1 kB in 0s (2,402 kB/s)
    Selecting previously unselected package liblist-compare-perl.
    (Reading database ... 125116 files and directories currently installed.)
    Preparing to unpack .../liblist-compare-perl_0.37-2_all.deb ...
    Unpacking liblist-compare-perl (0.37-2) ...
    Processing triggers for man-db (2.6.7.1-1ubuntu1) ...
    Setting up liblist-compare-perl (0.37-2) ...

-Downloading:
-Config Server Firewall is not currently available in Debian or Ubuntu repositories, and has to be downloaded from the ConfigServer's website:

    # cd /tmp/
    # ls -lah
    total 16K
    drwxrwxrwt 4 root root 4.0K Oct 22 16:43 .
    drwxr-xr-x 22 root root 4.0K Oct 22 11:53 ..
    drwxrwxrwt 2 root root 4.0K Oct 21 16:07 .ICE-unix
    drwxrwxrwt 2 root root 4.0K Oct 21 16:07 .X11-unix
    #
    # wget http://www.configserver.com/free/csf.tgz
    --2015-10-22 16:44:58-- http://www.configserver.com/free/csf.tgz
    Resolving www.configserver.com (www.configserver.com)... 109.70.137.78, 2a01:c0:2:22::3
    Connecting to www.configserver.com (www.configserver.com)|109.70.137.78|:80... connected.
    HTTP request sent, awaiting response... 301 Moved Permanently
    Location: http://download.configserver.com/csf.tgz [following]
    --2015-10-22 16:44:58-- http://download.configserver.com/csf.tgz
    Resolving download.configserver.com (download.configserver.com)... 85.10.199.177
    Connecting to download.configserver.com (download.configserver.com)|85.10.199.177|:80... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 720185 (703K) [application/x-gzip]
    Saving to: ‘csf.tgz’

    100%[=======================================================================================================================================>] 720,185 626KB/s in 1.1s

    2015-10-22 16:45:00 (626 KB/s) - ‘csf.tgz’ saved [720185/720185]

    #

-Uncompress the .tgz bundle

    # tar -xzf csf.tgz
    # ls -lah
    total 724K
    drwxrwxrwt 5 root root 4.0K Oct 22 16:45 .
    drwxr-xr-x 22 root root 4.0K Oct 22 11:53 ..
    drwxr-xr-x 17 root root 4.0K Oct 14 18:20 csf
    -rw-r--r-- 1 root root 704K Oct 14 18:20 csf.tgz
    drwxrwxrwt 2 root root 4.0K Oct 21 16:07 .ICE-unix
    drwxrwxrwt 2 root root 4.0K Oct 21 16:07 .X11-unix
    #

-Install by invoking the install.sh script inside the csf directory as below:

    # cd csf
    # ls -lah
    total 1.8M
    drwxr-xr-x 17 root root 4.0K Oct 14 18:20 .
    drwxrwxrwt 5 root root 4.0K Oct 22 16:45 ..
    -rw-r--r-- 1 root root 124 Feb 1 2013 accounttracking.txt
    -rw-r--r-- 1 root root 181 Feb 1 2013 alert.txt
    -rwxr-xr-x 1 root root 8.8K Oct 14 18:20 auto.directadmin.pl
    -rwxr-xr-x 1 root root 9.3K Oct 14 18:20 auto.generic.pl
    -rwxr-xr-x 1 root root 13K Oct 14 18:20 auto.pl
    -rw-r--r-- 1 root root 173K Oct 14 18:20 changelog.txt
    drwxr-xr-x 2 root root 4.0K Oct 14 18:20 ConfigServer
    -rw-r--r-- 1 root root 192 Feb 1 2013 connectiontracking.txt
    -rw-r--r-- 1 root root 76 Feb 1 2013 consolealert.txt
    drwxr-xr-x 3 root root 4.0K Oct 14 18:20 cpanel
    -rw-r--r-- 1 root root 136 Feb 1 2013 cpanelalert.txt
    drwxr-xr-x 2 root root 4.0K Oct 14 18:20 Crypt
    -rwxr-xr-x 1 root root 35K Oct 14 18:20 cseui.pl
    drwxr-xr-x 2 root root 4.0K Sep 10 00:15 csf
    -rw-r--r-- 1 root root 5.2K Sep 10 19:20 csf.1.txt
    -rw-r--r-- 1 root root 4.1K Dec 22 2014 csfajaxtail.js
    -rw-r--r-- 1 root root 814 Dec 22 2014 csf.allow
    -rw-r--r-- 1 root root 3.9K Mar 24 2015 csf.blocklists
    -rw-r--r-- 1 root root 940 Dec 22 2014 csf.c
    -rw-r--r-- 1 root root 95K Oct 14 18:20 csf.conf
    -rwxr-xr-x 1 root root 14 Feb 1 2013 csfcron.sh
    -rw-r--r-- 1 root root 803 Dec 22 2014 csf.deny
    -rw-r--r-- 1 root root 91K Oct 14 18:20 csf.directadmin.conf
    -rw-r--r-- 1 root root 2.0K Oct 14 18:20 csf.directadmin.pignore
    -rw-r--r-- 1 root root 617 Dec 22 2014 csf.dirwatch
    -rw-r--r-- 1 root root 15K Dec 21 2013 csf.div
    -rw-r--r-- 1 root root 939 Oct 14 18:20 csf.dyndns
    -rw-r--r-- 1 root root 936 Oct 14 18:20 csf.fignore
    -rw-r--r-- 1 root root 89K Oct 14 18:20 csf.generic.conf
    -rw-r--r-- 1 root root 1.7K Oct 14 18:20 csf.generic.pignore
    -rw-r--r-- 1 root root 5.5K Sep 10 19:20 csf.help
    -rw-r--r-- 1 root root 507 Dec 22 2014 csf.ignore
    -rw-r--r-- 1 root root 657 Dec 22 2014 csf.logfiles
    -rw-r--r-- 1 root root 2.8K Sep 29 11:13 csf.logignore
    -rw-r--r-- 1 root root 408 Dec 22 2014 csf.mignore
    -rw-r--r-- 1 root root 3.5K Oct 14 18:20 csf.pignore
    -rwxr-xr-x 1 root root 189K Oct 14 18:20 csf.pl
    -rw-r--r-- 1 root root 747 Sep 10 20:20 csf.rblconf
    -rw-r--r-- 1 root root 1.9K Sep 11 12:54 csf.rbls
    -rw-r--r-- 1 root root 1.2K Dec 22 2014 csf.redirect
    -rw-r--r-- 1 root root 2.1K Dec 22 2014 csf.resellers
    -rw-r--r-- 1 root root 1.6K Dec 22 2014 csf.rignore
    -rw-r--r-- 1 root root 270 Jan 25 2015 csf.service
    -rwxr-xr-x 1 root root 1.9K Dec 22 2014 csf.sh
    -rw-r--r-- 1 root root 413 Dec 22 2014 csf.signore
    -rw-r--r-- 1 root root 510 Dec 22 2014 csf.sips
    -rw-r--r-- 1 root root 11K Feb 1 2013 csf_small.png
    -rw-r--r-- 1 root root 660 Dec 22 2014 csf.smtpauth
    -rw-r--r-- 1 root root 368 Dec 22 2014 csf.suignore
    -rw-r--r-- 1 root root 1.7K Dec 22 2014 csf.syslogs
    -rw-r--r-- 1 root root 1.2K Dec 22 2014 csf.syslogusers
    -rwxr-xr-x 1 root root 5.8K Oct 14 18:20 csftest.pl
    -rw-r--r-- 1 root root 457 Dec 22 2014 csf.uidignore
    -rwxr-xr-x 1 root root 103K Oct 14 18:20 csfui.pl
    -rwxr-xr-x 1 root root 13K Oct 14 18:20 csfuir.pl
    drwxr-xr-x 3 root root 4.0K Oct 14 18:20 cwp
    drwxr-xr-x 7 root root 4.0K Oct 24 2014 da
    -rw-r--r-- 1 root root 640 Feb 1 2013 delete.png
    -rw-r--r-- 1 root root 129 Feb 1 2013 exploitalert.txt
    -rw-r--r-- 1 root root 151 Feb 1 2013 filealert.txt
    -rw-r--r-- 1 root root 132 Feb 7 2013 forkbombalert.txt
    drwxr-xr-x 3 root root 4.0K Oct 14 18:20 Geo
    drwxr-xr-x 2 root root 4.0K Oct 14 18:20 HTTP
    -rwxr-xr-x 1 root root 15K Oct 14 18:20 install.cpanel.sh
    -rwxr-xr-x 1 root root 14K Oct 14 18:20 install.directadmin.sh
    -rwxr-xr-x 1 root root 13K Oct 14 18:20 install.generic.sh
    -rwxr-xr-x 1 root root 638 Dec 22 2014 install.sh
    -rw-r--r-- 1 root root 2.6K Oct 14 18:20 install.txt
    -rw-r--r-- 1 root root 374 Feb 1 2013 integrityalert.txt
    -rw-r--r-- 1 root root 1.4K Feb 1 2013 ip.png
    drwxr-xr-x 7 root root 4.0K Oct 14 18:20 ispconfig
    -rwxr-xr-x 1 root root 70 Feb 1 2013 lfdcron.directadmin.sh
    -rwxr-xr-x 1 root root 70 Feb 1 2013 lfdcron.sh
    -rw-r--r-- 1 root root 70 Feb 1 2013 lfd.logrotate
    -rwxr-xr-x 1 root root 308K Oct 14 18:20 lfd.pl
    -rw-r--r-- 1 root root 202 Jan 25 2015 lfd.service
    -rwxr-xr-x 1 root root 2.2K Jul 6 11:37 lfd.sh
    -rw-r--r-- 1 root root 10K Oct 14 18:20 license.txt
    -rw-r--r-- 1 root root 264 Feb 1 2013 LICENSE.txt
    -rw-r--r-- 1 root root 1.1K Feb 1 2013 loadalert.txt
    -rw-r--r-- 1 root root 3.9K Feb 1 2013 loader.gif
    -rw-r--r-- 1 root root 103 Feb 1 2013 logalert.txt
    -rw-r--r-- 1 root root 101 Feb 1 2013 logfloodalert.txt
    drwxr-xr-x 2 root root 4.0K Oct 24 2014 messenger
    -rwxr-xr-x 1 root root 8.4K Oct 14 18:20 migratedata.sh
    -rw-r--r-- 1 root root 911 Jan 26 2014 minus.png
    drwxr-xr-x 4 root root 4.0K Oct 14 18:20 Net
    -rw-r--r-- 1 root root 191 Feb 1 2013 netblock.txt
    -rwxr-xr-x 1 root root 4.1K Oct 14 18:20 os.pl
    -rw-r--r-- 1 root root 209 Feb 1 2013 permblock.txt
    -rw-r--r-- 1 root root 581 Feb 1 2013 perm.png
    -rw-r--r-- 1 root root 951 Jan 26 2014 plus.png
    -rw-r--r-- 1 root root 129 Feb 1 2013 portknocking.txt
    -rw-r--r-- 1 root root 175 Feb 1 2013 portscan.txt
    -rw-r--r-- 1 root root 391 Feb 1 2013 processtracking.txt
    drwxr-xr-x 2 root root 4.0K Oct 24 2014 profiles
    -rwxr-xr-x 1 root root 1.2K Oct 14 18:20 pt_deleted_action.pl
    -rw-r--r-- 1 root root 97 Feb 1 2013 queuealert.txt
    -rw-r--r-- 1 root root 56K Oct 14 18:20 readme.txt
    -rw-r--r-- 1 root root 2.1K Oct 14 18:20 regex.custom.pm
    -rw-r--r-- 1 root root 32K Oct 14 18:20 regex.pm
    -rw-r--r-- 1 root root 13K Jul 9 19:58 regex.txt
    -rw-r--r-- 1 root root 196 Feb 1 2013 relayalert.txt
    -rwxr-xr-x 1 root root 397 Feb 1 2013 remove_apf_bfd.sh
    -rw-r--r-- 1 root root 260 Feb 1 2013 resalert.txt
    -rw-r--r-- 1 root root 181 Feb 1 2013 reselleralert.txt
    -rw-r--r-- 1 root root 1.1K Sep 30 2014 restricted.txt
    -rw-r--r-- 1 root root 4.8K Jun 22 17:55 sanity.txt
    -rw-r--r-- 1 root root 200 Feb 1 2013 scriptalert.txt
    -rw-r--r-- 1 root root 176 Feb 1 2013 sshalert.txt
    -rw-r--r-- 1 root root 159 Feb 1 2013 sualert.txt
    -rw-r--r-- 1 root root 194 Feb 1 2013 syslogalert.txt
    -rw-r--r-- 1 root root 298 Feb 1 2013 tracking.txt
    drwxr-xr-x 3 root root 4.0K Oct 24 2014 ui
    -rw-r--r-- 1 root root 129 Feb 1 2013 uialert.txt
    -rw-r--r-- 1 root root 150 May 31 2013 uidscan.txt
    -rwxr-xr-x 1 root root 1.7K Feb 25 2015 uninstall.directadmin.sh
    -rwxr-xr-x 1 root root 1.7K Mar 18 2015 uninstall.generic.sh
    -rwxr-xr-x 1 root root 2.0K Feb 25 2015 uninstall.sh
    -rw-r--r-- 1 root root 720 Dec 22 2014 upgrade.txt
    -rw-r--r-- 1 root root 192 Feb 1 2013 usertracking.txt
    drwxr-xr-x 3 root root 4.0K Oct 14 18:20 version
    -rw-r--r-- 1 root root 4 Oct 14 17:44 version.txt
    -rw-r--r-- 1 root root 129 Feb 1 2013 watchalert.txt
    drwxr-xr-x 3 root root 4.0K Oct 24 2014 webmin
    -rw-r--r-- 1 root root 146 May 23 2013 webminalert.txt
    -rw-r--r-- 1 root root 1.2K Jun 28 23:22 x-arf.txt
    #
    # sh install.sh

-You should get an "installation completed" message at the end of the installation.
-The firewall is now installed, but you should check that the required iptables modules are available using the command below:

    # perl /usr/local/csf/bin/csftest.pl
    Testing ip_tables/iptable_filter...OK
    Testing ipt_LOG...OK
    Testing ipt_multiport/xt_multiport...OK
    Testing ipt_REJECT...OK
    Testing ipt_state/xt_state...OK
    Testing ipt_limit/xt_limit...OK
    Testing ipt_recent...OK
    Testing xt_connlimit...OK
    Testing ipt_owner/xt_owner...OK
    Testing iptable_nat/ipt_REDIRECT...OK
    Testing iptable_nat/ipt_DNAT...OK

    RESULT: csf should function on this server
    #

-After installing csf you can remove the csf.tgz file and the csf directory from the /tmp directory (run the command from /tmp, not from inside the csf directory)

    # rm -rf csf/ csf.tgz

-Configuring CSF
-After installing CSF you need to configure it properly so that the services you rely on remain reachable; otherwise nothing will work on your server
-The main (required) configuration step is adding ports to the csf.conf file, using the TCP_IN, TCP_OUT, UDP_IN and UDP_OUT settings
-Open the config file and navigate down to the ports configuration section:
-You will see the inbound/outbound TCP and UDP ports that are allowed by default

    # vi /etc/csf/csf.conf

    # This option should be set to "1" in all other circumstances
    LF_SPI = "1"

    # Allow incoming TCP ports
    TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995"

    # Allow outgoing TCP ports
    TCP_OUT = "20,21,22,25,53,80,110,113,443,587,993,995"

    # Allow incoming UDP ports
    UDP_IN = "20,21,53"

    # Allow outgoing UDP ports
    # To allow outgoing traceroute add 33434:33523 to this list
    UDP_OUT = "20,21,53,113,123"

    # Allow incoming PING
    ICMP_IN = "1"

-For this lab we will leave the file intact

-Enable CSF for Production
-By default CSF runs in testing mode (TESTING = "1"); to enable it for production, set the value to 0 instead of 1 in the /etc/csf/csf.conf file.
-change:

    # lfd will not start while this is enabled
    TESTING = "1"

to:

    # lfd will not start while this is enabled
    TESTING = "0"

-close the file and start the csf service:

    # service csf start
    Starting csf:*WARNING* URLGET set to use LWP but perl module is not installed, reverting to HTTP::Tiny
    Flushing chain `INPUT'
    Flushing chain `FORWARD'
    Flushing chain `OUTPUT'
    Flushing chain `PREROUTING'
    Flushing chain `INPUT'
    Flushing chain `OUTPUT'
    Flushing chain `POSTROUTING'
    Flushing chain `INPUT'
    Flushing chain `FORWARD'
    Flushing chain `OUTPUT'
    Flushing chain `PREROUTING'
    Flushing chain `INPUT'
    Flushing chain `OUTPUT'
    Flushing chain `POSTROUTING'
    csf: FASTSTART loading DROP no logging (IPv4)
    csf: FASTSTART loading DROP no logging (IPv6)
    LOG tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 limit: avg 30/min burst 5 LOG flags 0 level 4 prefix "Firewall: *TCP_IN Blocked* "
    LOG tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp flags:0x17/0x02 limit: avg 30/min burst 5 LOG flags 8 level 4 prefix "Firewall: *TCP_OUT Blocked* "
    LOG udp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 limit: avg 30/min burst 5 LOG flags 0 level 4 prefix "Firewall: *UDP_IN Blocked* "
    LOG udp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 limit: avg 30/min burst 5 LOG flags 8 level 4 prefix "Firewall: *UDP_OUT Blocked* "
    LOG icmp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 limit: avg 30/min burst 5 LOG flags 0 level 4 prefix "Firewall: *ICMP_IN Blocked* "
    LOG icmp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 limit: avg 30/min burst 5 LOG flags 8 level 4 prefix "Firewall: *ICMP_OUT Blocked* "
    LOG tcp opt in * out * ::/0 -> ::/0 limit: avg 30/min burst 5 LOG flags 0 level 4 prefix "Firewall: *TCP6IN Blocked* "
    LOG tcp opt in * out * ::/0 -> ::/0 tcp flags:0x17/0x02 limit: avg 30/min burst 5 LOG flags 8 level 4 prefix "Firewall: *TCP6OUT Blocked* "
    LOG udp opt in * out * ::/0 -> ::/0 limit: avg 30/min burst 5 LOG flags 0 level 4 prefix "Firewall: *UDP6IN Blocked* "
    LOG udp opt in * out * ::/0 -> ::/0 limit: avg 30/min burst 5 LOG flags 8 level 4 prefix "Firewall: *UDP6OUT Blocked* "
    LOG icmpv6 opt in * out * ::/0 -> ::/0 limit: avg 30/min burst 5 LOG flags 0 level 4 prefix "Firewall: *ICMP6IN Blocked* "
    LOG icmpv6 opt in * out * ::/0 -> ::/0 limit: avg 30/min burst 5 LOG flags 8 level 4 prefix "Firewall: *ICMP6OUT Blocked* "
    DROP all opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0
    DROP all opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0
    DROP all opt in * out * ::/0 -> ::/0
    DROP all opt in * out * ::/0 -> ::/0
    DENYOUT all opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0
    DENYIN all opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0
    ALLOWOUT all opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0
    ALLOWIN all opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0
    DENYOUT all opt in * out !lo ::/0 -> ::/0
    DENYIN all opt in !lo out * ::/0 -> ::/0
    ALLOWOUT all opt in * out !lo ::/0 -> ::/0
    ALLOWIN all opt in !lo out * ::/0 -> ::/0
    csf: FASTSTART loading Packet Filter (IPv4)
    csf: FASTSTART loading Packet Filter (IPv6)
    DROP all opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0
    INVALID tcp opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0
    INVALID tcp opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0
    DROP all opt in * out * ::/0 -> ::/0
    INVALID tcp opt in !lo out * ::/0 -> ::/0
    INVALID tcp opt in * out !lo ::/0 -> ::/0
    ACCEPT all opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0 ctstate RELATED,ESTABLISHED
    ACCEPT all opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0 ctstate RELATED,ESTABLISHED
    ACCEPT all opt in !lo out * ::/0 -> ::/0 ctstate RELATED,ESTABLISHED
    ACCEPT all opt in * out !lo ::/0 -> ::/0 ctstate RELATED,ESTABLISHED
    csf: FASTSTART loading TCP_IN (IPv4)
    csf: FASTSTART loading TCP6_IN (IPv6)
    csf: FASTSTART loading TCP_OUT (IPv4)
    csf: FASTSTART loading TCP6_OUT (IPv6)
    csf: FASTSTART loading UDP_IN (IPv4)
    csf: FASTSTART loading UDP6_IN (IPv6)
    csf: FASTSTART loading UDP_OUT (IPv4)
    csf: FASTSTART loading UDP6_OUT (IPv6)
    ACCEPT icmp opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0 icmptype 8 limit: avg 1/sec burst 5
    ACCEPT icmp opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0 icmptype 0
    ACCEPT icmp opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0 icmptype 8
    ACCEPT icmp opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0 icmptype 0 limit: avg 1/sec burst 5
    ACCEPT icmp opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0 icmptype 11
    ACCEPT icmp opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0 icmptype 3
    ACCEPT icmp opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0 icmptype 11
    ACCEPT icmp opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0 icmptype 3
    ACCEPT icmpv6 opt in !lo out * ::/0 -> ::/0
    ACCEPT icmpv6 opt in * out !lo ::/0 -> ::/0
    ACCEPT all opt -- in lo out * 0.0.0.0/0 -> 0.0.0.0/0
    ACCEPT all opt -- in * out lo 0.0.0.0/0 -> 0.0.0.0/0
    LOGDROPOUT all opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0
    LOGDROPIN all opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0
    ACCEPT all opt in lo out * ::/0 -> ::/0
    ACCEPT all opt in * out lo ::/0 -> ::/0
    LOGDROPOUT all opt in * out !lo ::/0 -> ::/0
    LOGDROPIN all opt in !lo out * ::/0 -> ::/0
    csf: FASTSTART loading DNS (IPv4)
    csf: FASTSTART loading DNS (IPv6)
    LOCALOUTPUT all opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0
    LOCALINPUT all opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0
    LOCALOUTPUT all opt in * out !lo ::/0 -> ::/0
    LOCALINPUT all opt in !lo out * ::/0 -> ::/0
    Done
    #

-To stop the firewall always use the command below:

    # csf -x
    *WARNING* URLGET set to use LWP but perl module is not installed, reverting to HTTP::Tiny
    Stopping lfd: Done
    Flushing chain `INPUT'
    Flushing chain `FORWARD'
    Flushing chain `OUTPUT'
    Flushing chain `ALLOWIN'
    Flushing chain `ALLOWOUT'
    Flushing chain `DENYIN'
    Flushing chain `DENYOUT'
    Flushing chain `INVALID'
    Flushing chain `INVDROP'
    Flushing chain `LOCALINPUT'
    Flushing chain `LOCALOUTPUT'
    Flushing chain `LOGDROPIN'
    Flushing chain `LOGDROPOUT'
    Flushing chain `PREROUTING'
    Flushing chain `INPUT'
    Flushing chain `OUTPUT'
    Flushing chain `POSTROUTING'
    Deleting chain `ALLOWIN'
    Deleting chain `ALLOWOUT'
    Deleting chain `DENYIN'
    Deleting chain `DENYOUT'
    Deleting chain `INVALID'
    Deleting chain `INVDROP'
    Deleting chain `LOCALINPUT'
    Deleting chain `LOCALOUTPUT'
    Deleting chain `LOGDROPIN'
    Deleting chain `LOGDROPOUT'
    Flushing chain `INPUT'
    Flushing chain `FORWARD'
    Flushing chain `OUTPUT'
    Flushing chain `ALLOWIN'
    Flushing chain `ALLOWOUT'
    Flushing chain `DENYIN'
    Flushing chain `DENYOUT'
    Flushing chain `INVALID'
    Flushing chain `INVDROP'
    Flushing chain `LOCALINPUT'
    Flushing chain `LOCALOUTPUT'
    Flushing chain `LOGDROPIN'
    Flushing chain `LOGDROPOUT'
    Deleting chain `ALLOWIN'
    Deleting chain `ALLOWOUT'
    Deleting chain `DENYIN'
    Deleting chain `DENYOUT'
    Deleting chain `INVALID'
    Deleting chain `INVDROP'
    Deleting chain `LOCALINPUT'
    Deleting chain `LOCALOUTPUT'
    Deleting chain `LOGDROPIN'
    Deleting chain `LOGDROPOUT'
    Flushing chain `PREROUTING'
    Flushing chain `INPUT'
    Flushing chain `OUTPUT'
    Flushing chain `POSTROUTING'
    csf and lfd have been disabled
    *WARNING* TESTING mode is enabled - do not forget to disable it in the configuration
    #

-To enable the firewall always use the command below:

    # csf -e
    *WARNING* URLGET set to use LWP but perl module is not installed, reverting to HTTP::Tiny
    csf: FASTSTART loading DROP no logging (IPv4)
    csf: FASTSTART loading DROP no logging (IPv6)
    LOG tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 limit: avg 30/min burst 5 LOG flags 0 level 4 prefix "Firewall: *TCP_IN Blocked* "
    LOG tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp flags:0x17/0x02 limit: avg 30/min burst 5 LOG flags 8 level 4 prefix "Firewall: *TCP_OUT Blocked* "
    LOG udp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 limit: avg 30/min burst 5 LOG flags 0 level 4 prefix "Firewall: *UDP_IN Blocked* "
    LOG udp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 limit: avg 30/min burst 5 LOG flags 8 level 4 prefix "Firewall: *UDP_OUT Blocked* "
    LOG icmp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 limit: avg 30/min burst 5 LOG flags 0 level 4 prefix "Firewall: *ICMP_IN Blocked* "
    LOG icmp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 limit: avg 30/min burst 5 LOG flags 8 level 4 prefix "Firewall: *ICMP_OUT Blocked* "
    LOG tcp opt in * out * ::/0 -> ::/0 limit: avg 30/min burst 5 LOG flags 0 level 4 prefix "Firewall: *TCP6IN Blocked* "
    LOG tcp opt in * out * ::/0 -> ::/0 tcp flags:0x17/0x02 limit: avg 30/min burst 5 LOG flags 8 level 4 prefix "Firewall: *TCP6OUT Blocked* "
    LOG udp opt in * out * ::/0 -> ::/0 limit: avg 30/min burst 5 LOG flags 0 level 4 prefix "Firewall: *UDP6IN Blocked* "
    LOG udp opt in * out * ::/0 -> ::/0 limit: avg 30/min burst 5 LOG flags 8 level 4 prefix "Firewall: *UDP6OUT Blocked* "
    LOG icmpv6 opt in * out * ::/0 -> ::/0 limit: avg 30/min burst 5 LOG flags 0 level 4 prefix "Firewall: *ICMP6IN Blocked* "
    LOG icmpv6 opt in * out * ::/0 -> ::/0 limit: avg 30/min burst 5 LOG flags 8 level 4 prefix "Firewall: *ICMP6OUT Blocked* "
    DROP all opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0
    DROP all opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0
    DROP all opt in * out * ::/0 -> ::/0
    DROP all opt in * out * ::/0 -> ::/0
    DENYOUT all opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0
    DENYIN all opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0
    ALLOWOUT all opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0
    ALLOWIN all opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0
    DENYOUT all opt in * out !lo ::/0 -> ::/0
    DENYIN all opt in !lo out * ::/0 -> ::/0
    ALLOWOUT all opt in * out !lo ::/0 -> ::/0
    ALLOWIN all opt in !lo out * ::/0 -> ::/0
    csf: FASTSTART loading Packet Filter (IPv4)
    csf: FASTSTART loading Packet Filter (IPv6)
    DROP all opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0
    INVALID tcp opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0
    INVALID tcp opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0
    DROP all opt in * out * ::/0 -> ::/0
    INVALID tcp opt in !lo out * ::/0 -> ::/0
    INVALID tcp opt in * out !lo ::/0 -> ::/0
    ACCEPT all opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0 ctstate RELATED,ESTABLISHED
    ACCEPT all opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0 ctstate RELATED,ESTABLISHED
    ACCEPT all opt in !lo out * ::/0 -> ::/0 ctstate RELATED,ESTABLISHED
    ACCEPT all opt in * out !lo ::/0 -> ::/0 ctstate RELATED,ESTABLISHED
    csf: FASTSTART loading TCP_IN (IPv4)
    csf: FASTSTART loading TCP6_IN (IPv6)
    csf: FASTSTART loading TCP_OUT (IPv4)
    csf: FASTSTART loading TCP6_OUT (IPv6)
    csf: FASTSTART loading UDP_IN (IPv4)
    csf: FASTSTART loading UDP6_IN (IPv6)
    csf: FASTSTART loading UDP_OUT (IPv4)
    csf: FASTSTART loading UDP6_OUT (IPv6)
    ACCEPT icmp opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0 icmptype 8 limit: avg 1/sec burst 5
    ACCEPT icmp opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0 icmptype 0
    ACCEPT icmp opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0 icmptype 8
    ACCEPT icmp opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0 icmptype 0 limit: avg 1/sec burst 5
    ACCEPT icmp opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0 icmptype 11
    ACCEPT icmp opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0 icmptype 3
    ACCEPT icmp opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0 icmptype 11
    ACCEPT icmp opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0 icmptype 3
    ACCEPT icmpv6 opt in !lo out * ::/0 -> ::/0
    ACCEPT icmpv6 opt in * out !lo ::/0 -> ::/0
    ACCEPT all opt -- in lo out * 0.0.0.0/0 -> 0.0.0.0/0
    ACCEPT all opt -- in * out lo 0.0.0.0/0 -> 0.0.0.0/0
    LOGDROPOUT all opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0
    LOGDROPIN all opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0
    ACCEPT all opt in lo out * ::/0 -> ::/0
    ACCEPT all opt in * out lo ::/0 -> ::/0
    LOGDROPOUT all opt in * out !lo ::/0 -> ::/0
    LOGDROPIN all opt in !lo out * ::/0 -> ::/0
    csf: FASTSTART loading DNS (IPv4)
    csf: FASTSTART loading DNS (IPv6)
    LOCALOUTPUT all opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0
    LOCALINPUT all opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0
    LOCALOUTPUT all opt in * out !lo ::/0 -> ::/0
    LOCALINPUT all opt in !lo out * ::/0 -> ::/0
    Starting lfd: Done
    csf and lfd have been enabled
    *WARNING* TESTING mode is enabled - do not forget to disable it in the configuration
    #

TESTING

-Now open the csf config file and disable ping, then ask your neighbour to ping your PC:
-change

    # Allow incoming PING
    ICMP_IN = "1"

to:

    # Allow incoming PING
    ICMP_IN = "0"

-close the file and restart csf

    # csf -x
-disable

    # csf -e
-enable

#####IS FINISHED!!!!
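
The settings this lab edits (TESTING, ICMP_IN and the port lists, including the start:end range form mentioned for traceroute) can be checked before csf is restarted. The script below is an added example, not part of the original lab or of csf itself; the function names, the choice of 21/110/143 as cleartext ports to flag, the assumption that SSH listens on port 22, and the constructed sample file are all assumptions made here.

```shell
#!/bin/sh
# Added example: audit a csf.conf-style file for the settings this lab touches.

# csf_get FILE KEY: print the value of the last uncommented KEY = "value" line.
csf_get() {
    sed -n 's/^[[:space:]]*'"$2"'[[:space:]]*=[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | tail -n 1
}

# csf_has_port LIST PORT: succeed if PORT is in the comma-separated LIST,
# honouring start:end ranges such as 33434:33523.
csf_has_port() {
    for entry in $(printf '%s' "$1" | tr ',' ' '); do
        case $entry in
            *:*) [ "$2" -ge "${entry%%:*}" ] && [ "$2" -le "${entry##*:}" ] && return 0 ;;
            "$2") return 0 ;;
        esac
    done
    return 1
}

# csf_audit FILE: print one finding per line; no output means nothing to flag.
csf_audit() {
    [ "$(csf_get "$1" TESTING)" = "0" ] || echo "TESTING: testing mode is still on, lfd will not start"
    [ "$(csf_get "$1" ICMP_IN)" = "0" ] || echo "ICMP_IN: incoming ping is allowed"
    tcp_in=$(csf_get "$1" TCP_IN)
    # Assumption: FTP (21), POP3 (110) and IMAP (143) are the cleartext services to flag.
    for port in 21 110 143; do
        if csf_has_port "$tcp_in" "$port"; then
            echo "TCP_IN: cleartext service port $port is open"
        fi
    done
    # Assumption: SSH listens on 22; closing it would cut off remote administration.
    csf_has_port "$tcp_in" 22 || echo "TCP_IN: port 22 is closed, SSH access will be lost"
}

# csf_sample_conf FILE: write a constructed sample using the defaults shown in this lab
# (the traceroute range is added to UDP_OUT here to exercise range handling).
csf_sample_conf() {
    cat > "$1" <<'EOF'
# lfd will not start while this is enabled
TESTING = "1"
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995"
TCP_OUT = "20,21,22,25,53,80,110,113,443,587,993,995"
UDP_IN = "20,21,53"
# To allow outgoing traceroute add 33434:33523 to this list
UDP_OUT = "20,21,53,113,123,33434:33523"
ICMP_IN = "1"
EOF
}

# Demo run against the constructed sample.
demo_conf=$(mktemp)
csf_sample_conf "$demo_conf"
csf_audit "$demo_conf"
rm -f "$demo_conf"
```

On a real host, call `csf_audit /etc/csf/csf.conf` after editing the file and before running `csf -x` and `csf -e`.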