SOLVED APF firewall

xml · Feb 8, 2022

I installed APF on Virtuozzo VPS and set the open ports like this

When I test I find there is more open ports:

ViewDNS.info - Your one source for DNS related tools!

viewdns.info

What am I missing?

cPRex · Feb 8, 2022

Hey there! We'd likely need more details before we could get you a good answer. It's important to note that cPanel itself doesn't directly support the server's firewall or any related tools, like APF or CSF.

It might be worth running the following command on the system to see what IPTables is loading:

Code:

iptables -S

this output can be *incredibly long* if you have an active firewall, as that would show all blocks and allow rules, so it might help to filter that with something like this:

Code:

iptables -nL | grep ACCEPT

and then look for the block that shows the common ports. Mine looks like this:

Code:

ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            ctstate NEW tcp dpt:20
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            ctstate NEW tcp dpt:21
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            ctstate NEW tcp dpt:22
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            ctstate NEW tcp dpt:25
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            ctstate NEW tcp dpt:26
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            ctstate NEW tcp dpt:53
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            ctstate NEW tcp dpt:80
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            ctstate NEW tcp dpt:110
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            ctstate NEW tcp dpt:143
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            ctstate NEW tcp dpt:443
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            ctstate NEW tcp dpt:465
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            ctstate NEW tcp dpt:587
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            ctstate NEW tcp dpt:993
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            ctstate NEW tcp dpt:995
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            ctstate NEW tcp dpt:2077
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            ctstate NEW tcp dpt:2078
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            ctstate NEW tcp dpt:2079
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            ctstate NEW tcp dpt:2080
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            ctstate NEW tcp dpt:2082
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            ctstate NEW tcp dpt:2083
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            ctstate NEW tcp dpt:2086
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            ctstate NEW tcp dpt:2087
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            ctstate NEW tcp dpt:2095
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            ctstate NEW tcp dpt:2096
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            ctstate NEW tcp dpts:49152:65534
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            ctstate NEW udp dpt:20
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            ctstate NEW udp dpt:21
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            ctstate NEW udp dpt:53
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            ctstate NEW udp dpt:80
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            ctstate NEW udp dpt:443

That will let you see what the firewall itself is loading.

Personally, I like CSF as that has more tools available and also offers the WHM plugin, but the functionality is the same between the two pieces of software.

xml · Feb 8, 2022

Its very kind from cPanel staff to help us and answer our questions.

Code:

[[email protected] ~]# iptables -S
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
-N LOGDROPIN
-N LOGDROPOUT
-N DENYIN
-N DENYOUT
-N ALLOWIN
-N ALLOWOUT
-N LOCALINPUT
-N LOCALOUTPUT
-N INVDROP
-N INVALID
-N SMTPOUTPUT
-A INPUT -s 8.8.8.8/32 ! -i lo -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -s 8.8.8.8/32 ! -i lo -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -s 8.8.8.8/32 ! -i lo -p tcp -m tcp --sport 53 -j ACCEPT
-A INPUT -s 8.8.8.8/32 ! -i lo -p udp -m udp --sport 53 -j ACCEPT
-A INPUT ! -i lo -j LOCALINPUT
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -p tcp -j INVALID
-A INPUT ! -i lo -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j ACCEPT
-A INPUT ! -i lo -p icmp -m icmp --icmp-type 8 -j LOGDROPIN
-A INPUT ! -i lo -p icmp -j ACCEPT
-A INPUT ! -i lo -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 20 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 21 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 22 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 25 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 53 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 80 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 110 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 143 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 443 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 465 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 587 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 993 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 995 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 2222 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 35000:35999 -j ACCEPT
-A INPUT ! -i lo -p udp -m conntrack --ctstate NEW -m udp --dport 20 -j ACCEPT
-A INPUT ! -i lo -p udp -m conntrack --ctstate NEW -m udp --dport 21 -j ACCEPT
-A INPUT ! -i lo -p udp -m conntrack --ctstate NEW -m udp --dport 53 -j ACCEPT
-A INPUT ! -i lo -p udp -m conntrack --ctstate NEW -m udp --dport 80 -j ACCEPT
-A INPUT ! -i lo -p udp -m conntrack --ctstate NEW -m udp --dport 443 -j ACCEPT
-A INPUT ! -i lo -j LOGDROPIN
-A OUTPUT -d 8.8.8.8/32 ! -o lo -p tcp -m tcp --dport 53 -j ACCEPT
-A OUTPUT -d 8.8.8.8/32 ! -o lo -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -d 8.8.8.8/32 ! -o lo -p tcp -m tcp --sport 53 -j ACCEPT
-A OUTPUT -d 8.8.8.8/32 ! -o lo -p udp -m udp --sport 53 -j ACCEPT
-A OUTPUT ! -o lo -j LOCALOUTPUT
-A OUTPUT ! -o lo -p tcp -m tcp --dport 53 -j ACCEPT
-A OUTPUT ! -o lo -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT ! -o lo -p tcp -m tcp --sport 53 -j ACCEPT
-A OUTPUT ! -o lo -p udp -m udp --sport 53 -j ACCEPT
-A OUTPUT -j SMTPOUTPUT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT ! -o lo -p tcp -j INVALID
-A OUTPUT ! -o lo -p icmp -j ACCEPT
-A OUTPUT ! -o lo -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT ! -o lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 20 -j ACCEPT
-A OUTPUT ! -o lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 21 -j ACCEPT
-A OUTPUT ! -o lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 22 -j ACCEPT
-A OUTPUT ! -o lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 25 -j ACCEPT
-A OUTPUT ! -o lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 53 -j ACCEPT
-A OUTPUT ! -o lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 80 -j ACCEPT
-A OUTPUT ! -o lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 110 -j ACCEPT
-A OUTPUT ! -o lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 113 -j ACCEPT
-A OUTPUT ! -o lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 443 -j ACCEPT
-A OUTPUT ! -o lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 587 -j ACCEPT
-A OUTPUT ! -o lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 993 -j ACCEPT
-A OUTPUT ! -o lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 995 -j ACCEPT
-A OUTPUT ! -o lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 2222 -j ACCEPT
-A OUTPUT ! -o lo -p udp -m conntrack --ctstate NEW -m udp --dport 20 -j ACCEPT
-A OUTPUT ! -o lo -p udp -m conntrack --ctstate NEW -m udp --dport 21 -j ACCEPT
-A OUTPUT ! -o lo -p udp -m conntrack --ctstate NEW -m udp --dport 53 -j ACCEPT
-A OUTPUT ! -o lo -p udp -m conntrack --ctstate NEW -m udp --dport 113 -j ACCEPT
-A OUTPUT ! -o lo -p udp -m conntrack --ctstate NEW -m udp --dport 123 -j ACCEPT
-A OUTPUT ! -o lo -j LOGDROPOUT
-A LOGDROPIN -p tcp -m tcp --dport 23 -j DROP
-A LOGDROPIN -p udp -m udp --dport 23 -j DROP
-A LOGDROPIN -p tcp -m tcp --dport 67 -j DROP
-A LOGDROPIN -p udp -m udp --dport 67 -j DROP
-A LOGDROPIN -p tcp -m tcp --dport 68 -j DROP
-A LOGDROPIN -p udp -m udp --dport 68 -j DROP
-A LOGDROPIN -p tcp -m tcp --dport 111 -j DROP
-A LOGDROPIN -p udp -m udp --dport 111 -j DROP
-A LOGDROPIN -p tcp -m tcp --dport 113 -j DROP
-A LOGDROPIN -p udp -m udp --dport 113 -j DROP
-A LOGDROPIN -p tcp -m tcp --dport 135:139 -j DROP
-A LOGDROPIN -p udp -m udp --dport 135:139 -j DROP
-A LOGDROPIN -p tcp -m tcp --dport 445 -j DROP
-A LOGDROPIN -p udp -m udp --dport 445 -j DROP
-A LOGDROPIN -p tcp -m tcp --dport 500 -j DROP
-A LOGDROPIN -p udp -m udp --dport 500 -j DROP
-A LOGDROPIN -p tcp -m tcp --dport 513 -j DROP
-A LOGDROPIN -p udp -m udp --dport 513 -j DROP
-A LOGDROPIN -p tcp -m tcp --dport 520 -j DROP
-A LOGDROPIN -p udp -m udp --dport 520 -j DROP
-A LOGDROPIN -p tcp -m limit --limit 30/min -j LOG --log-prefix "Firewall: *TCP_IN Blocked* "
-A LOGDROPIN -p udp -m limit --limit 30/min -j LOG --log-prefix "Firewall: *UDP_IN Blocked* "
-A LOGDROPIN -p icmp -m limit --limit 30/min -j LOG --log-prefix "Firewall: *ICMP_IN Blocked* "
-A LOGDROPIN -j DROP
-A LOGDROPOUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 30/min -j LOG --log-prefix "Firewall: *TCP_OUT Blocked* " --log-uid
-A LOGDROPOUT -p udp -m limit --limit 30/min -j LOG --log-prefix "Firewall: *UDP_OUT Blocked* " --log-uid
-A LOGDROPOUT -p icmp -m limit --limit 30/min -j LOG --log-prefix "Firewall: *ICMP_OUT Blocked* " --log-uid
-A LOGDROPOUT -j REJECT --reject-with icmp-port-unreachable
-A DENYIN -s 89.185.85.253/32 ! -i lo -j DROP
-A DENYIN -s 198.102.31.69/32 ! -i lo -j DROP
-A DENYIN -s 164.90.160.69/32 ! -i lo -j DROP
-A DENYIN -s 183.240.209.145/32 ! -i lo -j DROP
-A DENYIN -s 141.98.10.47/32 ! -i lo -j DROP
-A DENYIN -s 141.98.10.60/32 ! -i lo -j DROP
-A DENYIN -s 141.98.10.63/32 ! -i lo -j DROP
-A DENYIN -s 141.98.10.81/32 ! -i lo -j DROP
-A DENYIN -s 141.98.10.82/32 ! -i lo -j DROP
-A DENYIN -s 141.98.11.16/32 ! -i lo -j DROP
-A DENYIN -s 141.98.11.27/32 ! -i lo -j DROP
-A DENYIN -s 179.43.187.146/32 ! -i lo -j DROP
-A DENYIN -s 191.187.134.60/32 ! -i lo -j DROP
-A DENYIN -s 195.133.18.24/32 ! -i lo -j DROP
-A DENYIN -s 212.192.241.124/32 ! -i lo -j DROP
-A DENYIN -s 46.19.139.18/32 ! -i lo -j DROP
-A DENYIN -s 89.185.85.100/32 ! -i lo -j DROP
-A DENYIN -s 120.224.50.233/32 ! -i lo -j DROP
-A DENYIN -s 141.98.11.22/32 ! -i lo -j DROP
-A DENYIN -s 91.137.125.250/32 ! -i lo -j DROP
-A DENYIN -s 141.98.11.23/32 ! -i lo -j DROP
-A DENYIN -s 61.177.172.76/32 ! -i lo -j DROP
-A DENYIN -s 61.177.172.87/32 ! -i lo -j DROP
-A DENYIN -s 122.194.229.65/32 ! -i lo -j DROP
-A DENYIN -s 112.85.42.53/32 ! -i lo -j DROP
-A DENYIN -s 61.177.172.160/32 ! -i lo -j DROP
-A DENYOUT -d 89.185.85.253/32 ! -o lo -j LOGDROPOUT
-A DENYOUT -d 198.102.31.69/32 ! -o lo -j LOGDROPOUT
-A DENYOUT -d 164.90.160.69/32 ! -o lo -j LOGDROPOUT
-A DENYOUT -d 183.240.209.145/32 ! -o lo -j LOGDROPOUT
-A DENYOUT -d 141.98.10.47/32 ! -o lo -j LOGDROPOUT
-A DENYOUT -d 141.98.10.60/32 ! -o lo -j LOGDROPOUT
-A DENYOUT -d 141.98.10.63/32 ! -o lo -j LOGDROPOUT
-A DENYOUT -d 141.98.10.81/32 ! -o lo -j LOGDROPOUT
-A DENYOUT -d 141.98.10.82/32 ! -o lo -j LOGDROPOUT
-A DENYOUT -d 141.98.11.16/32 ! -o lo -j LOGDROPOUT
-A DENYOUT -d 141.98.11.27/32 ! -o lo -j LOGDROPOUT
-A DENYOUT -d 179.43.187.146/32 ! -o lo -j LOGDROPOUT
-A DENYOUT -d 191.187.134.60/32 ! -o lo -j LOGDROPOUT
-A DENYOUT -d 195.133.18.24/32 ! -o lo -j LOGDROPOUT
-A DENYOUT -d 212.192.241.124/32 ! -o lo -j LOGDROPOUT
-A DENYOUT -d 46.19.139.18/32 ! -o lo -j LOGDROPOUT
-A DENYOUT -d 89.185.85.100/32 ! -o lo -j LOGDROPOUT
-A DENYOUT -d 120.224.50.233/32 ! -o lo -j LOGDROPOUT
-A DENYOUT -d 141.98.11.22/32 ! -o lo -j LOGDROPOUT
-A DENYOUT -d 91.137.125.250/32 ! -o lo -j LOGDROPOUT
-A DENYOUT -d 141.98.11.23/32 ! -o lo -j LOGDROPOUT
-A DENYOUT -d 61.177.172.76/32 ! -o lo -j LOGDROPOUT
-A DENYOUT -d 61.177.172.87/32 ! -o lo -j LOGDROPOUT
-A DENYOUT -d 122.194.229.65/32 ! -o lo -j LOGDROPOUT
-A DENYOUT -d 112.85.42.53/32 ! -o lo -j LOGDROPOUT
-A DENYOUT -d 61.177.172.160/32 ! -o lo -j LOGDROPOUT
-A ALLOWIN -s 62.215.74.42/32 ! -i lo -j ACCEPT
-A ALLOWOUT ! -o lo -p udp -m owner --uid-owner 0 -j ACCEPT
-A ALLOWOUT ! -o lo -p tcp -m owner --uid-owner 0 -j ACCEPT
-A ALLOWOUT -d 62.215.74.42/32 ! -o lo -j ACCEPT
-A LOCALINPUT ! -i lo -j ALLOWIN
-A LOCALINPUT ! -i lo -j DENYIN
-A LOCALOUTPUT ! -o lo -j ALLOWOUT
-A LOCALOUTPUT ! -o lo -j DENYOUT
-A INVDROP -j DROP
-A INVALID -m conntrack --ctstate INVALID -j INVDROP
-A INVALID -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j INVDROP
-A INVALID -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j INVDROP
-A INVALID -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j INVDROP
-A INVALID -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j INVDROP
-A INVALID -p tcp -m tcp --tcp-flags FIN,RST FIN,RST -j INVDROP
-A INVALID -p tcp -m tcp --tcp-flags FIN,ACK FIN -j INVDROP
-A INVALID -p tcp -m tcp --tcp-flags PSH,ACK PSH -j INVDROP
-A INVALID -p tcp -m tcp --tcp-flags ACK,URG URG -j INVDROP
-A INVALID -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j INVDROP
-A SMTPOUTPUT -o lo -p tcp -m multiport --dports 25,465,587 -j ACCEPT
-A SMTPOUTPUT -p tcp -m multiport --dports 25,465,587 -m owner --gid-owner 12 -j ACCEPT
-A SMTPOUTPUT -p tcp -m multiport --dports 25,465,587 -m owner --uid-owner 0 -j ACCEPT
-A SMTPOUTPUT -p tcp -m multiport --dports 25,465,587 -j LOGDROPOUT
# Warning: iptables-legacy tables present, use iptables-legacy to see them

Code:

[[email protected] ~]# iptables -nL | grep ACCEPT
# Warning: iptables-legacy tables present, use iptables-legacy to see them
ACCEPT     tcp  --  8.8.8.8              0.0.0.0/0            tcp dpt:53
ACCEPT     udp  --  8.8.8.8              0.0.0.0/0            udp dpt:53
ACCEPT     tcp  --  8.8.8.8              0.0.0.0/0            tcp spt:53
ACCEPT     udp  --  8.8.8.8              0.0.0.0/0            udp spt:53
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            icmptype 8 limit: avg 1/sec burst 5
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            ctstate NEW tcp dpt:20
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            ctstate NEW tcp dpt:21
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            ctstate NEW tcp dpt:22
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            ctstate NEW tcp dpt:25
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            ctstate NEW tcp dpt:53
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            ctstate NEW tcp dpt:80
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            ctstate NEW tcp dpt:110
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            ctstate NEW tcp dpt:143
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            ctstate NEW tcp dpt:443
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            ctstate NEW tcp dpt:465
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            ctstate NEW tcp dpt:587
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            ctstate NEW tcp dpt:993
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            ctstate NEW tcp dpt:995
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            ctstate NEW tcp dpt:2222
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            ctstate NEW tcp dpts:35000:35999
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            ctstate NEW udp dpt:20
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            ctstate NEW udp dpt:21
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            ctstate NEW udp dpt:53
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            ctstate NEW udp dpt:80
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            ctstate NEW udp dpt:443
ACCEPT     tcp  --  0.0.0.0/0            8.8.8.8              tcp dpt:53
ACCEPT     udp  --  0.0.0.0/0            8.8.8.8              udp dpt:53
ACCEPT     tcp  --  0.0.0.0/0            8.8.8.8              tcp spt:53
ACCEPT     udp  --  0.0.0.0/0            8.8.8.8              udp spt:53
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:53
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:53
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp spt:53
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp spt:53
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            ctstate NEW tcp dpt:20
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            ctstate NEW tcp dpt:21
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            ctstate NEW tcp dpt:22
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            ctstate NEW tcp dpt:25
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            ctstate NEW tcp dpt:53
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            ctstate NEW tcp dpt:80
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            ctstate NEW tcp dpt:110
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            ctstate NEW tcp dpt:113
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            ctstate NEW tcp dpt:443
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            ctstate NEW tcp dpt:587
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            ctstate NEW tcp dpt:993
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            ctstate NEW tcp dpt:995
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            ctstate NEW tcp dpt:2222
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            ctstate NEW udp dpt:20
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            ctstate NEW udp dpt:21
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            ctstate NEW udp dpt:53
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            ctstate NEW udp dpt:113
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            ctstate NEW udp dpt:123
ACCEPT     all  --  62.215.74.42         0.0.0.0/0
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            owner UID match 0
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            owner UID match 0
ACCEPT     all  --  0.0.0.0/0            62.215.74.42
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 25,465,587
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 25,465,587 owner GID match 12
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 25,465,587 owner UID match 0

cPRex · Feb 8, 2022

Thanks for that output - that does show those other ports you're seeing, in addition to the passive FTP port range.

The main configuration file for the service would be located at /etc/apf/conf.apf so you'll want to check the IG_TCP_CPORTS there to see if those additional ports are indeed configured inside the APF software.

xml · Feb 8, 2022

This is my setting for IG_TCP_CPORTS

and for EG_TCP_CPORTS

Does APF really work on Virtuozzo VPS?

xml · Feb 8, 2022

I found out that CSF was installed by default on this new VPS, once I uninstalled it the problem resolved

cPRex · Feb 9, 2022

I'm glad you were able to track that down - competing rules would definitely cause confusion!

Thread starter	Similar threads	Forum	Replies	Date
	APF to CSF Firewall	Security	3	May 3, 2020
N	APF firewall is blocking one user..., although his IP is in allow list	Security	5	Feb 24, 2009
	How to fully uninstall APF firewall?	Security	3	Jun 30, 2008
T	Apf or configserver security and firewall?	Security	2	May 15, 2008
B	How can I block ping with the APF firewall?	Security	6	Dec 13, 2007

Search

Search

SOLVED APF firewall

xml

Well-Known Member

ViewDNS.info - Your one source for DNS related tools!

cPRex

Jurassic Moderator

xml

Well-Known Member

cPRex

Jurassic Moderator

xml

Well-Known Member

xml

Well-Known Member

cPRex

Jurassic Moderator