cPHulk and Hardware Firewall Question

bgarrant

Well-Known Member
I have a cpanel server with a Juniper SRX 300 firewall. We block all ports other than web and email. FTP and cPanel access is whitelist only for client IPs. Since I have cphulk and a hardware firewall what extra benefit would CSF be if any? I tried CSF and it conflicts with our VPN since the Dynamic VPN feature changes IPs. Is cphulk and the hardware firewall secure? Do I lose or gain anything adding CSF since I have the hardware firewall?
 

cPanelMichael

Administrator
Staff member
Hello,

Generally that configuration should be okay without CSF, but note that CSF offers several features beyond just standard port restrictions so it's difficult to say for sure. This question is likely better discussed on the CSF support forums:

General Discussion (csf) - ConfigServer Community Forum

Thank you.
 

24x7server

Well-Known Member
I have a cpanel server with a Juniper SRX 300 firewall. We block all ports other than web and email. FTP and cPanel access is whitelist only for client IPs. Since I have cphulk and a hardware firewall what extra benefit would CSF be if any? I tried CSF and it conflicts with our VPN since the Dynamic VPN feature changes IPs. Is cphulk and the hardware firewall secure? Do I lose or gain anything adding CSF since I have the hardware firewall?
By default, when you install CSF, it does cause issues on a VPN server, so it is not advised to have it installed on a VPN server.

However, since you are using a hardware firewall, I feel there is no need to use a software firewall. However, if you still want to give it a try, you can configure CSF and check if it works. Make sure the ports below are added in the csf firewall:
--------------- ---------------
TCP_IN = "22,1194,33434:33523"
TCP_OUT = "22,1194,33434:33523"
UDP_IN = "1194"
UDP_OUT = "1194"
--------------- ---------------

After doing so, also look for the file named csfpre.sh and add the content below to it:
# vi /etc/csf/csfpre.sh
--------------- ---------------
# allow return traffic for connections already established through the tunnel
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
# allow forwarding from the VPN subnet (adjust 10.8.0.0/24 to your tunnel network)
iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT
# reject any other forwarded traffic
iptables -A FORWARD -j REJECT
# NAT the VPN subnet out of the public interface (adjust eth0 to your interface)
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
iptables -t nat -A POSTROUTING -j SNAT --to-source xx.xx.xx.xx
--------------- ---------------
Replace xx.xx.xx.xx with your actual server IP. Save, exit, and restart csf:
# csf -r
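The port lists above use csf.conf's comma-separated format, where an entry like 33434:33523 is a range. Before restarting csf it is worth confirming that every port the VPN needs is actually covered by the list in the file, since a missed port silently blocks the tunnel. The following is an added example, not code from this thread or from CSF itself: a POSIX sh helper that parses a TCP_IN/UDP_IN-style line (single ports and a:b ranges) and reports which of a set of required ports are missing. It assumes the key = "list" layout shown in the post; SAMPLE_CONF is a constructed stand-in for /etc/csf/csf.conf, and the function names are hypothetical.

```sh
#!/bin/sh
# Constructed sample in csf.conf layout (not the real /etc/csf/csf.conf).
SAMPLE_CONF='TCP_IN = "22,1194,33434:33523"
TCP_OUT = "22,1194,33434:33523"
UDP_IN = "1194"
UDP_OUT = "1194"'

# csf_port_allowed KEY PORT [CONF_TEXT]
# Exit 0 if PORT is listed under KEY (directly or inside an a:b range), else 1.
# CONF_TEXT defaults to SAMPLE_CONF; pass "$(cat /etc/csf/csf.conf)" for the live file.
csf_port_allowed() {
  key="$1"; port="$2"; conf="${3:-$SAMPLE_CONF}"
  # pull the quoted value for this key; empty if the key is absent
  list=$(printf '%s\n' "$conf" | sed -n "s/^${key}[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p")
  [ -n "$list" ] || return 1
  old_ifs=$IFS; IFS=','
  for entry in $list; do
    case $entry in
      *:*)
        lo=${entry%%:*}; hi=${entry#*:}
        if [ "$port" -ge "$lo" ] && [ "$port" -le "$hi" ]; then IFS=$old_ifs; return 0; fi ;;
      *)
        if [ "$port" -eq "$entry" ]; then IFS=$old_ifs; return 0; fi ;;
    esac
  done
  IFS=$old_ifs
  return 1
}

# csf_missing_ports KEY "PORT PORT ..." [CONF_TEXT]
# Prints the space-separated subset of the given ports that KEY does not allow.
csf_missing_ports() {
  key="$1"; wanted="$2"; conf="${3:-$SAMPLE_CONF}"
  missing=""
  for p in $wanted; do
    csf_port_allowed "$key" "$p" "$conf" || missing="$missing $p"
  done
  printf '%s\n' "${missing# }"
}

# Demonstration against the constructed config: 443 is not in TCP_IN, the rest are.
for k in TCP_IN UDP_IN; do
  m=$(csf_missing_ports "$k" "22 1194 443 33500")
  if [ -n "$m" ]; then
    echo "$k is missing: $m"
  else
    echo "$k covers all required ports"
  fi
done
```

To check the real configuration instead of the sample, call `csf_missing_ports TCP_IN "22 1194 33434" "$(cat /etc/csf/csf.conf)"` and run `csf -r` only once the output is empty for every key the VPN relies on.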