CSF and Country Blocking

SlapHappy

• December 02, 2019 02:01

We have a vps (WHM) running CSF that is currently blocking China via the Country Block option. Unfortunately we have clients that now have regular contact with China based suppliers and it appears the country block is stopping legitimate emails being received. Is there a way to allow specific domains/ip's to bypass the CSF country block?

• 

  keat63

  • December 03, 2019 14:16

  If you know the IP's of the customers, then whitelisting these (adding to the allow list) should work. I've considered having only port 25 pen to china, but not yet figured out how I can do this easily.

  0
• 

  cPanelLauren

  • December 04, 2019 21:06

  Specific IP's in the whitelist should take precedence over the country blocking as far as I am aware. @keat63 have you looked at the following?: # An alternative to CC_ALLOW is to only allow access from the following # countries but still filter based on the port and packets rules. All other # connections are dropped CC_ALLOW_FILTER = "" # This option allows access from the following countries to specific ports # listed in CC_ALLOW_PORTS_TCP and CC_ALLOW_PORTS_UDP # # Note: The rules for this feature are inserted after the allow and deny # rules to still allow blocking of IP addresses # # Each option is a comma separated list of CC's, e.g. "US,GB,DE" CC_ALLOW_PORTS = ""
  

  0
• 

  SlapHappy

  • December 05, 2019 03:32

  White-listing IP's has worked in the past for some cases, but lately it has been been hit and miss. We white-list every IP we can see related to the incoming message but it still never arrives. My guess is that maybe the IP addresses are obfuscated in some fashion. With clients getting restless we removed CN from the country block list for now

  0
• 

  keat63

  • December 05, 2019 08:24

  This feature I can't get my head around. Rather than blocking a small handful of countries, this feature sounds like you block everything and then allow only the countries you want. Sort of the opposite ?? I'm currently toying with CC_DENY_PORTS I added CN. Then in CC_DENY_PORTS_TCP I added 20,21,53,80,443,2077,2078,2086,2095,2096 Although I'm sure there are many ports I'm missing.

  0
• 

  cPanelLauren

  • December 05, 2019 23:43

  IT is a bit of the opposite but seemed like the only way to do what was requested using CC blocking. CSF may have some more detailed uses for this or a way to implement what is being requested on their forums as well.

  0

Please sign in to leave a comment.