cPanel upgraded from Centos 6.8 to 7.7, what is new default firewall?

rolinger

I am using GoDaddy as my hosting provider. I just upgraded my service from their Gen3 VPS to a Gen4 VPS. The Gen3 VPS came with `ConfigServer Security & Firewall` - that is not available in the new CentOS 7.7 Gen4 VPS. In fact, it appears there is no default FW of any sort in my new Gen4 VPS.

Admittedly, I am not very strong on Linux security or built in FWs.

I have been reading that firewalld has replaced CSF as the new preferred FW, but then plenty of other articles say that CSF is still used. And even others just say to natively use iptables. Are both firewalld and CSF just interfaces to the behind-the-scenes iptables? Or are they actually their own independent FWs?

What to do? Does anyone know if the GoDaddy Gen VPS already has a default FW...and I am just missing it? Is it...or any of them...an easy add-on package that can be managed from the WHM interface? Please advise.

UPDATE:
=============
So a bit more reading to see what's installed already and this article got me looking at things behind the scenes: How to configure a Firewall for WHM/cPanel | Vander Host

If I am reading this properly, firewalld is installed but disabled? But iptables is running? I don't want to get into a philosophical debate, but I am reading that firewalld is easier to manage. If that's the case, and it appears to be installed, how do I interface with it? Which has a better GUI - I prefer not to work via CLI for managing FW policies and such.

```
# service firewalld status
Redirecting to /bin/systemctl status firewalld.service
● firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
Active: inactive (dead)
Docs: man:firewalld(1)
```

```
# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
cphulk all -- anywhere anywhere

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere multiport dports smtp,urd,submission owner GID match mailman
ACCEPT tcp -- anywhere anywhere multiport dports smtp,urd,submission owner GID match mail
ACCEPT tcp -- anywhere localhost multiport dports smtp,urd,submission owner UID match cpanel
ACCEPT tcp -- anywhere anywhere multiport dports smtp,urd,submission owner UID match root

Chain cphulk (1 references)
target prot opt source destination
DROP all -- 118.25.226.75 anywhere state NEW TIME until date 2020-04-27 22:59:33 UTC
```

GOT

What we do is uninstall firewalld and disable cphulk and install csf. Disabling cphulk is debatable but don't run firewalld and csf at the same time.

cPanelLauren

Almost always disable firewalld - utilize iptables on its own or in conjunction with firewall management software such as CSF.

No version of CentOS offers anything beyond IPTables with the exception of 7 with firewalld as far as I know.
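
A check for the question raised in the first post (does the host already filter inbound traffic?), as an added example that is not code from the thread or from cPanel. The function name `summarize_iptables` is chosen here; it reads `iptables -L` output and reports each chain's policy, its rule count, and whether INPUT is default-allow or default-deny. The sample listing is constructed from the post's output with a documentation address substituted.

```bash
# Summarise `iptables -L` output read from stdin and report whether the
# INPUT chain is default-allow or default-deny.
summarize_iptables() {
  awk '
    # "Chain INPUT (policy ACCEPT)" is built-in; "Chain cphulk (1 references)" is user-defined.
    $1 == "Chain" {
      chain = $2; order[++n] = chain
      p = "-"; if ($3 == "(policy") { p = $4; sub(/\)$/, "", p) }
      policy[chain] = p
      next
    }
    $1 == "target" || NF == 0 { next }      # column header, blank line
    {
      rules[chain]++
      # Catch-all block: DROP/REJECT for any protocol, source and destination,
      # with no match options other than the REJECT type.
      any = ($2 == "all" && $4 ~ /^(anywhere|0\.0\.0\.0\/0)$/ && $5 ~ /^(anywhere|0\.0\.0\.0\/0)$/)
      if (($1 == "DROP" || $1 == "REJECT") && any && (NF == 5 || $6 == "reject-with"))
        catchall[chain] = 1
    }
    END {
      for (i = 1; i <= n; i++)
        printf "%s policy=%s rules=%d\n", order[i], policy[order[i]], rules[order[i]]
      if (policy["INPUT"] == "DROP" || catchall["INPUT"])
        print "VERDICT INPUT default-deny"
      else
        print "VERDICT INPUT default-allow"
    }'
}

# Constructed sample: abridged from the listing in the first post, with a
# documentation address (203.0.113.7) in place of the blocked source.
sample_listing() {
  cat <<'EOF'
Chain INPUT (policy ACCEPT)
target prot opt source destination
cphulk all -- anywhere anywhere

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain cphulk (1 references)
target prot opt source destination
DROP all -- 203.0.113.7 anywhere state NEW TIME until date 2020-04-27 22:59:33 UTC
EOF
}

# On a live host (as root): iptables -L -n | summarize_iptables
sample_listing | summarize_iptables
```

The check looks only at rules placed directly in INPUT and does not follow jumps into user-defined chains. Plain `iptables -L` also omits the interface column, so confirm a catch-all rule with `iptables -S` before relying on the verdict.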