ConfigServer Firewall (CSF) provides a powerful and user-friendly web-based interface for managing firewall settings. We can also manage the CSF settings from the shell too. The default configuration file is located in /etc/csf/csf.conf.
Installation:
To install CSF login to the Webuzo admin panel >> Apps > Install an app > Security > CSF
Configure CSF:
Home > Security > ConfigServer here you can configure csf.
1. For our servers we first disable the testing mode by changing TESTING = “1” to TESTING = “0” in /etc/csf/csf.conf and run csf -r to restart.
2. Make sure the FTP passive port (30000:65000) is added in TCP_IN in csf.conf
3. We also make the below changes in the csf.conf
vi /etc/csf/csf.conf
# Allow incoming UDP ports
UDP_IN = 33434:33523
# Allow outgoing UDP ports
# To allow outgoing traceroute add 33434:33523 to this list
UDP_OUT = 33434:33523
# Allow incoming PING
ICMP_IN = "1"
# Set the per IP address incoming ICMP packet rate
# To disable rate limiting set to "0"
ICMP_IN_RATE = "0"
4. Then restart csf by csf -r
Allow CSF Access To Reseller Accounts
In Webuzo, resellers can access configserver for ALLOW,DENY,UNBLOCK IPs for their customers. By enabling this feature resellers can easily manage IP block issues with their clients. As a sys admin we can manage what are the actions reseller can perform. To enable the feature follow the steps.
1. Open the file /etc/csf/csf.resellers using any text editor.
2. Where you can edit an entry like
reseller_name:0:USE,ALLOW,DENY,UNBLOCK
We can change the permissions according to the need. The permissions are given below:
# USE – The reseller can use this facility through WHM (required)
# UNBLOCK – The reseller can use the Quick Unblock feature
# GREP – The reseller can use the Search IP feature
# ALLOW – The reseller can use the Quick Allow feature
# DENY – The reseller can use the Quick Deny feature
After providing the access resellers can access the configserver as shown below.
Conclusion:
To sum up, we have now learned how to setup CSF in Webuzo and how a reseller can access the configserver utility.