SOLVED CSF country block but allow DNS

[seenBEST]

I've searched everywhere but couldn't find a solution, hopefully someone here knows a way. When using ConfigServer Firewall and configuring via WHM to use CC_DENY to block various countries, is there a way to whitelist a port or service such as DNS or exclude it from the country block? I've tested and it seems that CC_DENY also blocks a DNS lookup to the server, but in some cases Google, etc. has DNS lookups that originate in one particular country to service other, non-related countries. It would be nice to allow all port 53 traffic through all the time regardless if the country is blocked or not.

Any thoughts on how to accomplish this?

 

[cPRex]

Hey there! I've provided a direct link to the second post on this page which explains how you can block certain ports by country. You may just want to block 80 and 443 traffic by country, keeping UDP 53 open for DNS traffic:

CSF - How to block country traffic in CSF Firewall

You can do country blocking at server's CSF Firewall level outlined at...

community.centminmod.com

Let me know if that helps!

 

[seenBEST]

Thank you, it seems from the information provided that I can simply move my existing CC_DENY list down into CC_DENY_PORTS instead, and then specify ports other than 53 and those countries will still be able to hit DNS but not the ports I specify. I'll give that a try and let you know.

 

[cPRex]

That sounds good! It's important to note that we don't make or provide support for CSF, but it's common enough software that we're usually able to point people in the right direction :D

 

[seenBEST]

It works good and was a quick fix, thank you!

 

[cPRex]

Great - I'm glad that got things well for you!