On a directadmin-server with csf I experience that albeit csf.conf states:
TCP_IN = "20,21,25,30,53,80,110,123,143,443,465,587,953,993,995,1935,3000:3039,3478,3479,5001,5060:5099,5222,5269,5275,5349,7443,7070,7777,10000:20000,49160:49300"
The same is true for other services like rpcbind (port 111/TCP) and sieve (port 4190/TCP) that are not configured to be accessible through the FW according to TCP_IN but are, as soon as they are configured to not exclusively listen on 127.0.0.1.
That somehow works against my understanding.
My corresponding iptables look like this:
# iptables -L -n |grep -E :'111|3306'
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:3306
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:111
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:111