Allow IP Range To Port in csf.allow

5 posts Page 1 of 1
bsntech
Junior Member
Posts: 12
Joined: 29 Mar 2014, 13:36


First question:

How are the rules applied? Is the csf.deny applied first and then csf.allow - or is csf.allow applied first?

Here is my issue.

In the csf.allow file, I have IP ranges allowed for port 80 and port 443 - idea is to prevent them from being blocked:

tcp|in|d=80|s=1.1.1.0/24
tcp|in|d=443|s=1.1.1.0/24

However, computers within that range seem to have mis-configured mail clients. After so many failed attempts, they are getting permanently blocked in csf.deny.

Upon that happening, they no longer can get to port 80 or port 443 to access the website - which I always want to have available.

Do I have the configuration wrong?
sawbuck
Junior Member
Posts: 344
Joined: 10 Dec 2006, 16:20


If those ranges are trusted they can be added to csf.ignore.
bsntech
Junior Member
Posts: 12
Joined: 29 Mar 2014, 13:36


Don't exactly want to trust the range as I don't want them to be able to access some ports or brute force things like SSH.

Just want them to always be able to access port 80 and port 443. But if they are brute forcing SMTP or POP, those would be blocked upon trying to do so.
bsntech
Junior Member
Posts: 12
Joined: 29 Mar 2014, 13:36


No other ideas? I would think there has to be a way to ensure the csf.allow is called before the csf.deny, but it doesn't seem to be the case.
salfredogonzalez
Junior Member
Posts: 2
Joined: 09 Jun 2017, 18:05


I would like to know if those rules are useful. I am looking for the same answer, and the solution looks logical, but I am wondering whether it is working for you.
Thanks,