I have a cpanel server with a Juniper SRX 300 firewall. We block all ports other than web and email. FTP and cPanel access is whitelist only for client IPs. Since I have cphulk and a hardware firewall what extra benefit would CSF be if any? I tried CSF and it conflicts with our VPN since the Dynamic VPN feature changes IPs. Is cphulk and the hardware firewall secure? Do I lose or gain anything adding CSF since I have the hardware firewall?
By default, when you install CSF, it does cause issues on a VPN server, so it is not advised to have it installed on a VPN server.
However, since you are using a hardware firewall, I feel there is no need to use a software firewall. If you still want to give it a try, you can configure CSF and check whether it works. Make sure the ports below are added in the CSF firewall:
--------------- ---------------
# /etc/csf/csf.conf
# 22 = SSH, 1194 = OpenVPN, 33434:33523 = port range (CSF uses a:b for ranges)
TCP_IN = "22,1194,33434:33523"
TCP_OUT = "22,1194,33434:33523"
UDP_IN = "1194"
UDP_OUT = "1194"
--------------- ---------------
After doing so, also look for the file named csfpre.sh (run by CSF before it loads its own rules) and add the content below to it:
# vi /etc/csf/csfpre.sh
--------------- ---------------
#!/bin/sh
# Allow replies to connections already forwarded through the VPN
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
# Allow traffic from the VPN client subnet (10.8.0.0/24) to be forwarded
iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT
# Reject everything else in FORWARD
iptables -A FORWARD -j REJECT
# NAT VPN client traffic leaving through the public interface (eth0)
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
# Rewrite the source of any remaining outgoing traffic to the server's public IP
iptables -t nat -A POSTROUTING -j SNAT --to-source xx.xx.xx.xx
--------------- ---------------
Replace xx.xx.xx.xx with your actual server IP (and eth0 with your public interface if it differs). Save, exit, and restart CSF:
# csf -r
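Before restarting CSF it is worth confirming that the csf.conf port lists actually contain every VPN port, because a port range written as 33434:33523 is easy to mistype and CSF silently drops what is not listed. The script below is an added example and not part of the answer or of CSF itself; it parses a csf.conf-style fragment (the sample is constructed to mirror the values in the answer) and checks single ports and a:b ranges in TCP_IN/TCP_OUT/UDP_IN/UDP_OUT. The function names csf_get_list, csf_port_allowed and csf_check_vpn_ports are my own.

```shell
#!/bin/sh
# Constructed sample: the csf.conf lines from the answer above.
CSF_CONF_SAMPLE='TCP_IN = "22,1194,33434:33523"
TCP_OUT = "22,1194,33434:33523"
UDP_IN = "1194"
UDP_OUT = "1194"'

# csf_get_list KEY CONF
# Prints the quoted value of KEY (e.g. TCP_IN) from a csf.conf text, or
# nothing if the key is absent. "^KEY *=" will not match TCP_IN6 for TCP_IN.
csf_get_list() {
  printf '%s\n' "$2" | sed -n "s/^$1 *= *\"\([^\"]*\)\".*/\1/p"
}

# csf_port_allowed LIST PORT
# Returns 0 if PORT is covered by the comma-separated LIST, where each item
# is either a single port or a CSF-style inclusive range lo:hi.
csf_port_allowed() {
  list=$1; port=$2; found=1
  oldifs=$IFS; IFS=','
  for item in $list; do
    case $item in
      *:*) lo=${item%%:*}; hi=${item##*:} ;;   # range lo:hi
      *)   lo=$item; hi=$item ;;               # single port
    esac
    if [ "$port" -ge "$lo" ] && [ "$port" -le "$hi" ]; then
      found=0
      break
    fi
  done
  IFS=$oldifs
  return $found
}

# csf_check_vpn_ports CONF
# Verifies that every port the answer relies on is present in the right list.
# The range is checked at both ends so a truncated range (e.g. 33434:3352)
# is caught. Prints each missing entry and returns 1 if any is missing.
csf_check_vpn_ports() {
  conf=$1; rc=0
  for need in TCP_IN:22 TCP_IN:1194 TCP_IN:33434 TCP_IN:33523 \
              TCP_OUT:22 TCP_OUT:1194 TCP_OUT:33434 TCP_OUT:33523 \
              UDP_IN:1194 UDP_OUT:1194; do
    key=${need%%:*}; port=${need##*:}
    if ! csf_port_allowed "$(csf_get_list "$key" "$conf")" "$port"; then
      echo "missing: $key $port"
      rc=1
    fi
  done
  return $rc
}

# Usage against the live config:  csf_check_vpn_ports "$(cat /etc/csf/csf.conf)"
```

Run it as `csf_check_vpn_ports "$(cat /etc/csf/csf.conf)" && csf -r` so the restart only happens when the lists are complete; ports that CSF's own iptables chains would block show up as `missing:` lines instead of a silently dead VPN.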