
APF firewall

Comments

6 comments

  • cPRex Jurassic Moderator
    Hey there! We'd likely need more details before we could get you a good answer. It's important to note that cPanel itself doesn't directly support the server's firewall or any related tools, like APF or CSF. It might be worth running the following command on the system to see what IPTables is loading:

    iptables -S

    This output can be *incredibly long* if you have an active firewall, as that would show all block and allow rules, so it might help to filter that with something like this:

    iptables -nL | grep ACCEPT

    and then look for the block that shows the common ports. Mine looks like this:

    ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
    ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:20
    ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:21
    ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:22
    ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:25
    ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:26
    ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:53
    ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:80
    ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:110
    ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:143
    ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:443
    ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:465
    ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:587
    ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:993
    ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:995
    ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:2077
    ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:2078
    ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:2079
    ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:2080
    ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:2082
    ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:2083
    ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:2086
    ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:2087
    ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:2095
    ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:2096
    ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpts:49152:65534
    ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW udp dpt:20
    ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW udp dpt:21
    ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW udp dpt:53
    ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW udp dpt:80
    ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW udp dpt:443

    That will let you see what the firewall itself is loading. Personally, I like CSF as that has more tools available and also offers the WHM plugin, but the functionality is the same between the two pieces of software.
  • xml
    It's very kind of cPanel staff to help us and answer our questions.

    [root@host ~]# iptables -S
    -P INPUT DROP
    -P FORWARD DROP
    -P OUTPUT DROP
    -N LOGDROPIN
    -N LOGDROPOUT
    -N DENYIN
    -N DENYOUT
    -N ALLOWIN
    -N ALLOWOUT
    -N LOCALINPUT
    -N LOCALOUTPUT
    -N INVDROP
    -N INVALID
    -N SMTPOUTPUT
    -A INPUT -s 8.8.8.8/32 ! -i lo -p tcp -m tcp --dport 53 -j ACCEPT
    -A INPUT -s 8.8.8.8/32 ! -i lo -p udp -m udp --dport 53 -j ACCEPT
    -A INPUT -s 8.8.8.8/32 ! -i lo -p tcp -m tcp --sport 53 -j ACCEPT
    -A INPUT -s 8.8.8.8/32 ! -i lo -p udp -m udp --sport 53 -j ACCEPT
    -A INPUT ! -i lo -j LOCALINPUT
    -A INPUT -i lo -j ACCEPT
    -A INPUT ! -i lo -p tcp -j INVALID
    -A INPUT ! -i lo -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j ACCEPT
    -A INPUT ! -i lo -p icmp -m icmp --icmp-type 8 -j LOGDROPIN
    -A INPUT ! -i lo -p icmp -j ACCEPT
    -A INPUT ! -i lo -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    -A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 20 -j ACCEPT
    -A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 21 -j ACCEPT
    -A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 22 -j ACCEPT
    -A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 25 -j ACCEPT
    -A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 53 -j ACCEPT
    -A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 80 -j ACCEPT
    -A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 110 -j ACCEPT
    -A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 143 -j ACCEPT
    -A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 443 -j ACCEPT
    -A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 465 -j ACCEPT
    -A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 587 -j ACCEPT
    -A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 993 -j ACCEPT
    -A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 995 -j ACCEPT
    -A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 2222 -j ACCEPT
    -A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 35000:35999 -j ACCEPT
    -A INPUT ! -i lo -p udp -m conntrack --ctstate NEW -m udp --dport 20 -j ACCEPT
    -A INPUT ! -i lo -p udp -m conntrack --ctstate NEW -m udp --dport 21 -j ACCEPT
    -A INPUT ! -i lo -p udp -m conntrack --ctstate NEW -m udp --dport 53 -j ACCEPT
    -A INPUT ! -i lo -p udp -m conntrack --ctstate NEW -m udp --dport 80 -j ACCEPT
    -A INPUT ! -i lo -p udp -m conntrack --ctstate NEW -m udp --dport 443 -j ACCEPT
    -A INPUT ! -i lo -j LOGDROPIN
    -A OUTPUT -d 8.8.8.8/32 ! -o lo -p tcp -m tcp --dport 53 -j ACCEPT
    -A OUTPUT -d 8.8.8.8/32 ! -o lo -p udp -m udp --dport 53 -j ACCEPT
    -A OUTPUT -d 8.8.8.8/32 ! -o lo -p tcp -m tcp --sport 53 -j ACCEPT
    -A OUTPUT -d 8.8.8.8/32 ! -o lo -p udp -m udp --sport 53 -j ACCEPT
    -A OUTPUT ! -o lo -j LOCALOUTPUT
    -A OUTPUT ! -o lo -p tcp -m tcp --dport 53 -j ACCEPT
    -A OUTPUT ! -o lo -p udp -m udp --dport 53 -j ACCEPT
    -A OUTPUT ! -o lo -p tcp -m tcp --sport 53 -j ACCEPT
    -A OUTPUT ! -o lo -p udp -m udp --sport 53 -j ACCEPT
    -A OUTPUT -j SMTPOUTPUT
    -A OUTPUT -o lo -j ACCEPT
    -A OUTPUT ! -o lo -p tcp -j INVALID
    -A OUTPUT ! -o lo -p icmp -j ACCEPT
    -A OUTPUT ! -o lo -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    -A OUTPUT ! -o lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 20 -j ACCEPT
    -A OUTPUT ! -o lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 21 -j ACCEPT
    -A OUTPUT ! -o lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 22 -j ACCEPT
    -A OUTPUT ! -o lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 25 -j ACCEPT
    -A OUTPUT ! -o lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 53 -j ACCEPT
    -A OUTPUT ! -o lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 80 -j ACCEPT
    -A OUTPUT ! -o lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 110 -j ACCEPT
    -A OUTPUT ! -o lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 113 -j ACCEPT
    -A OUTPUT ! -o lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 443 -j ACCEPT
    -A OUTPUT ! -o lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 587 -j ACCEPT
    -A OUTPUT ! -o lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 993 -j ACCEPT
    -A OUTPUT ! -o lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 995 -j ACCEPT
    -A OUTPUT ! -o lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 2222 -j ACCEPT
    -A OUTPUT ! -o lo -p udp -m conntrack --ctstate NEW -m udp --dport 20 -j ACCEPT
    -A OUTPUT ! -o lo -p udp -m conntrack --ctstate NEW -m udp --dport 21 -j ACCEPT
    -A OUTPUT ! -o lo -p udp -m conntrack --ctstate NEW -m udp --dport 53 -j ACCEPT
    -A OUTPUT ! -o lo -p udp -m conntrack --ctstate NEW -m udp --dport 113 -j ACCEPT
    -A OUTPUT ! -o lo -p udp -m conntrack --ctstate NEW -m udp --dport 123 -j ACCEPT
    -A OUTPUT ! -o lo -j LOGDROPOUT
    -A LOGDROPIN -p tcp -m tcp --dport 23 -j DROP
    -A LOGDROPIN -p udp -m udp --dport 23 -j DROP
    -A LOGDROPIN -p tcp -m tcp --dport 67 -j DROP
    -A LOGDROPIN -p udp -m udp --dport 67 -j DROP
    -A LOGDROPIN -p tcp -m tcp --dport 68 -j DROP
    -A LOGDROPIN -p udp -m udp --dport 68 -j DROP
    -A LOGDROPIN -p tcp -m tcp --dport 111 -j DROP
    -A LOGDROPIN -p udp -m udp --dport 111 -j DROP
    -A LOGDROPIN -p tcp -m tcp --dport 113 -j DROP
    -A LOGDROPIN -p udp -m udp --dport 113 -j DROP
    -A LOGDROPIN -p tcp -m tcp --dport 135:139 -j DROP
    -A LOGDROPIN -p udp -m udp --dport 135:139 -j DROP
    -A LOGDROPIN -p tcp -m tcp --dport 445 -j DROP
    -A LOGDROPIN -p udp -m udp --dport 445 -j DROP
    -A LOGDROPIN -p tcp -m tcp --dport 500 -j DROP
    -A LOGDROPIN -p udp -m udp --dport 500 -j DROP
    -A LOGDROPIN -p tcp -m tcp --dport 513 -j DROP
    -A LOGDROPIN -p udp -m udp --dport 513 -j DROP
    -A LOGDROPIN -p tcp -m tcp --dport 520 -j DROP
    -A LOGDROPIN -p udp -m udp --dport 520 -j DROP
    -A LOGDROPIN -p tcp -m limit --limit 30/min -j LOG --log-prefix "Firewall: *TCP_IN Blocked* "
    -A LOGDROPIN -p udp -m limit --limit 30/min -j LOG --log-prefix "Firewall: *UDP_IN Blocked* "
    -A LOGDROPIN -p icmp -m limit --limit 30/min -j LOG --log-prefix "Firewall: *ICMP_IN Blocked* "
    -A LOGDROPIN -j DROP
    -A LOGDROPOUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 30/min -j LOG --log-prefix "Firewall: *TCP_OUT Blocked* " --log-uid
    -A LOGDROPOUT -p udp -m limit --limit 30/min -j LOG --log-prefix "Firewall: *UDP_OUT Blocked* " --log-uid
    -A LOGDROPOUT -p icmp -m limit --limit 30/min -j LOG --log-prefix "Firewall: *ICMP_OUT Blocked* " --log-uid
    -A LOGDROPOUT -j REJECT --reject-with icmp-port-unreachable
    -A DENYIN -s 89.185.85.253/32 ! -i lo -j DROP
    -A DENYIN -s 198.102.31.69/32 ! -i lo -j DROP
    -A DENYIN -s 164.90.160.69/32 ! -i lo -j DROP
    -A DENYIN -s 183.240.209.145/32 ! -i lo -j DROP
    -A DENYIN -s 141.98.10.47/32 ! -i lo -j DROP
    -A DENYIN -s 141.98.10.60/32 ! -i lo -j DROP
    -A DENYIN -s 141.98.10.63/32 ! -i lo -j DROP
    -A DENYIN -s 141.98.10.81/32 ! -i lo -j DROP
    -A DENYIN -s 141.98.10.82/32 ! -i lo -j DROP
    -A DENYIN -s 141.98.11.16/32 ! -i lo -j DROP
    -A DENYIN -s 141.98.11.27/32 ! -i lo -j DROP
    -A DENYIN -s 179.43.187.146/32 ! -i lo -j DROP
    -A DENYIN -s 191.187.134.60/32 ! -i lo -j DROP
    -A DENYIN -s 195.133.18.24/32 ! -i lo -j DROP
    -A DENYIN -s 212.192.241.124/32 ! -i lo -j DROP
    -A DENYIN -s 46.19.139.18/32 ! -i lo -j DROP
    -A DENYIN -s 89.185.85.100/32 ! -i lo -j DROP
    -A DENYIN -s 120.224.50.233/32 ! -i lo -j DROP
    -A DENYIN -s 141.98.11.22/32 ! -i lo -j DROP
    -A DENYIN -s 91.137.125.250/32 ! -i lo -j DROP
    -A DENYIN -s 141.98.11.23/32 ! -i lo -j DROP
    -A DENYIN -s 61.177.172.76/32 ! -i lo -j DROP
    -A DENYIN -s 61.177.172.87/32 ! -i lo -j DROP
    -A DENYIN -s 122.194.229.65/32 ! -i lo -j DROP
    -A DENYIN -s 112.85.42.53/32 ! -i lo -j DROP
    -A DENYIN -s 61.177.172.160/32 ! -i lo -j DROP
    -A DENYOUT -d 89.185.85.253/32 ! -o lo -j LOGDROPOUT
    -A DENYOUT -d 198.102.31.69/32 ! -o lo -j LOGDROPOUT
    -A DENYOUT -d 164.90.160.69/32 ! -o lo -j LOGDROPOUT
    -A DENYOUT -d 183.240.209.145/32 ! -o lo -j LOGDROPOUT
    -A DENYOUT -d 141.98.10.47/32 ! -o lo -j LOGDROPOUT
    -A DENYOUT -d 141.98.10.60/32 ! -o lo -j LOGDROPOUT
    -A DENYOUT -d 141.98.10.63/32 ! -o lo -j LOGDROPOUT
    -A DENYOUT -d 141.98.10.81/32 ! -o lo -j LOGDROPOUT
    -A DENYOUT -d 141.98.10.82/32 ! -o lo -j LOGDROPOUT
    -A DENYOUT -d 141.98.11.16/32 ! -o lo -j LOGDROPOUT
    -A DENYOUT -d 141.98.11.27/32 ! -o lo -j LOGDROPOUT
    -A DENYOUT -d 179.43.187.146/32 ! -o lo -j LOGDROPOUT
    -A DENYOUT -d 191.187.134.60/32 ! -o lo -j LOGDROPOUT
    -A DENYOUT -d 195.133.18.24/32 ! -o lo -j LOGDROPOUT
    -A DENYOUT -d 212.192.241.124/32 ! -o lo -j LOGDROPOUT
    -A DENYOUT -d 46.19.139.18/32 ! -o lo -j LOGDROPOUT
    -A DENYOUT -d 89.185.85.100/32 ! -o lo -j LOGDROPOUT
    -A DENYOUT -d 120.224.50.233/32 ! -o lo -j LOGDROPOUT
    -A DENYOUT -d 141.98.11.22/32 ! -o lo -j LOGDROPOUT
    -A DENYOUT -d 91.137.125.250/32 ! -o lo -j LOGDROPOUT
    -A DENYOUT -d 141.98.11.23/32 ! -o lo -j LOGDROPOUT
    -A DENYOUT -d 61.177.172.76/32 ! -o lo -j LOGDROPOUT
    -A DENYOUT -d 61.177.172.87/32 ! -o lo -j LOGDROPOUT
    -A DENYOUT -d 122.194.229.65/32 ! -o lo -j LOGDROPOUT
    -A DENYOUT -d 112.85.42.53/32 ! -o lo -j LOGDROPOUT
    -A DENYOUT -d 61.177.172.160/32 ! -o lo -j LOGDROPOUT
    -A ALLOWIN -s 62.215.74.42/32 ! -i lo -j ACCEPT
    -A ALLOWOUT ! -o lo -p udp -m owner --uid-owner 0 -j ACCEPT
    -A ALLOWOUT ! -o lo -p tcp -m owner --uid-owner 0 -j ACCEPT
    -A ALLOWOUT -d 62.215.74.42/32 ! -o lo -j ACCEPT
    -A LOCALINPUT ! -i lo -j ALLOWIN
    -A LOCALINPUT ! -i lo -j DENYIN
    -A LOCALOUTPUT ! -o lo -j ALLOWOUT
    -A LOCALOUTPUT ! -o lo -j DENYOUT
    -A INVDROP -j DROP
    -A INVALID -m conntrack --ctstate INVALID -j INVDROP
    -A INVALID -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j INVDROP
    -A INVALID -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j INVDROP
    -A INVALID -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j INVDROP
    -A INVALID -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j INVDROP
    -A INVALID -p tcp -m tcp --tcp-flags FIN,RST FIN,RST -j INVDROP
    -A INVALID -p tcp -m tcp --tcp-flags FIN,ACK FIN -j INVDROP
    -A INVALID -p tcp -m tcp --tcp-flags PSH,ACK PSH -j INVDROP
    -A INVALID -p tcp -m tcp --tcp-flags ACK,URG URG -j INVDROP
    -A INVALID -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j INVDROP
    -A SMTPOUTPUT -o lo -p tcp -m multiport --dports 25,465,587 -j ACCEPT
    -A SMTPOUTPUT -p tcp -m multiport --dports 25,465,587 -m owner --gid-owner 12 -j ACCEPT
    -A SMTPOUTPUT -p tcp -m multiport --dports 25,465,587 -m owner --uid-owner 0 -j ACCEPT
    -A SMTPOUTPUT -p tcp -m multiport --dports 25,465,587 -j LOGDROPOUT
    # Warning: iptables-legacy tables present, use iptables-legacy to see them

    [root@host ~]# iptables -nL | grep ACCEPT
    # Warning: iptables-legacy tables present, use iptables-legacy to see them
    ACCEPT tcp -- 8.8.8.8 0.0.0.0/0 tcp dpt:53
    ACCEPT udp -- 8.8.8.8 0.0.0.0/0 udp dpt:53
    ACCEPT tcp -- 8.8.8.8 0.0.0.0/0 tcp spt:53
    ACCEPT udp -- 8.8.8.8 0.0.0.0/0 udp spt:53
    ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
    ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 8 limit: avg 1/sec burst 5
    ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
    ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
    ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:20
    ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:21
    ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:22
    ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:25
    ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:53
    ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:80
    ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:110
    ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:143
    ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:443
    ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:465
    ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:587
    ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:993
    ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:995
    ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:2222
    ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpts:35000:35999
    ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW udp dpt:20
    ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW udp dpt:21
    ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW udp dpt:53
    ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW udp dpt:80
    ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW udp dpt:443
    ACCEPT tcp -- 0.0.0.0/0 8.8.8.8 tcp dpt:53
    ACCEPT udp -- 0.0.0.0/0 8.8.8.8 udp dpt:53
    ACCEPT tcp -- 0.0.0.0/0 8.8.8.8 tcp spt:53
    ACCEPT udp -- 0.0.0.0/0 8.8.8.8 udp spt:53
    ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
    ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:53
    ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:53
    ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp spt:53
    ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
    ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
    ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
    ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:20
    ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:21
    ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:22
    ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:25
    ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:53
    ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:80
    ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:110
    ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:113
    ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:443
    ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:587
    ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:993
    ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:995
    ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:2222
    ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW udp dpt:20
    ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW udp dpt:21
    ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW udp dpt:53
    ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW udp dpt:113
    ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW udp dpt:123
    ACCEPT all -- 62.215.74.42 0.0.0.0/0
    ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 owner UID match 0
    ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 owner UID match 0
    ACCEPT all -- 0.0.0.0/0 62.215.74.42
    ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 25,465,587
    ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 25,465,587 owner GID match 12
    ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 25,465,587 owner UID match 0
  • cPRex Jurassic Moderator
    Thanks for that output - that does show those other ports you're seeing, in addition to the passive FTP port range. The main configuration file for the service would be located at /etc/apf/conf.apf so you'll want to check the IG_TCP_CPORTS there to see if those additional ports are indeed configured inside the APF software.
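One way to automate the two checks the moderator describes above (list what the kernel actually ACCEPTs, then compare against the IG_TCP_CPORTS value in /etc/apf/conf.apf), as an added example that is not code from the thread, from APF or from CSF. The function names, the constructed sample rules and the assumption that APF writes port ranges with an underscore are the example's own.

```shell
#!/bin/sh
# Added example (not from the thread, APF or CSF): parse `iptables -S` output,
# list the ports the INPUT chain ACCEPTs, then compare the TCP ones against an
# APF-style IG_TCP_CPORTS value to spot rules APF did not put there (e.g. a
# second firewall such as CSF loading its own). multiport --dports rules are
# not parsed.

# Constructed sample in `iptables -S` format, in the style of the dump posted
# above; on a live box replace it with: iptables -S | inbound_accept_ports
SAMPLE_RULES='-P INPUT DROP
-A INPUT -s 8.8.8.8/32 ! -i lo -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT ! -i lo -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 22 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 2222 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 35000:35999 -j ACCEPT
-A INPUT ! -i lo -p udp -m conntrack --ctstate NEW -m udp --dport 53 -j ACCEPT
-A OUTPUT ! -o lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 25 -j ACCEPT
-A INPUT ! -i lo -j LOGDROPIN'

# Reads `iptables -S` rules on stdin; prints "proto port source" for each
# INPUT rule that names a destination port and jumps to ACCEPT.
inbound_accept_ports() {
  awk '
    $1 == "-A" && $2 == "INPUT" {
      proto = "all"; port = ""; src = "0.0.0.0/0"; target = ""
      for (i = 3; i <= NF; i++) {
        if ($i == "-p")      proto  = $(i + 1)
        if ($i == "--dport") port   = $(i + 1)
        if ($i == "-s")      src    = $(i + 1)
        if ($i == "-j")      target = $(i + 1)
      }
      if (target == "ACCEPT" && port != "") print proto, port, src
    }'
}

# $1 is an IG_TCP_CPORTS-style list ("22,80,35000_35999"); reads the output of
# inbound_accept_ports on stdin and prints the TCP entries the list does not
# cover. Assumption: APF writes port ranges with "_" where iptables shows ":".
unexpected_tcp_ports() {
  allowed=",$(printf '%s' "$1" | tr '_' ':'),"
  while read -r proto port src; do
    [ "$proto" = "tcp" ] || continue
    case "$allowed" in
      *",$port,"*) ;;                                  # listed in APF, expected
      *) printf '%s %s %s\n' "$proto" "$port" "$src" ;;
    esac
  done
}

# Demo on the constructed sample: only 2222 is outside the APF list.
printf '%s\n' "$SAMPLE_RULES" | inbound_accept_ports \
  | unexpected_tcp_ports '20,21,22,53,80,35000_35999'
```

Anything the second function prints is a port the kernel accepts that APF's own configuration does not account for, which is exactly the symptom a second firewall (or a leftover legacy table) produces.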
  • xml
    This is my setting for IG_TCP_CPORTS and for EG_TCP_CPORTS. Does APF really work on Virtuozzo VPS?
  • xml
    I found out that CSF was installed by default on this new VPS; once I uninstalled it, the problem resolved.
  • cPRex Jurassic Moderator
    I'm glad you were able to track that down - competing rules would definitely cause confusion!
