CSF Firewall: *TCP_OUT Blocked


Jun 15, 2002
You do need to be sure to enable all the logging features in the csf configuration so that you can check /var/log/messages for block messages for the IP concerned to try and identify which rule in the INPUT iptables chain is blocking the IP.

One other final thing that I discovered recently: if your server has multiple configured NICs, make sure that both are considered in the csf configuration. That is, if one's for a LAN then add it to the ETH_DEVICE_SKIP list, or set ETH_DEVICE to eth+ so that the firewall is applied to both NICs, otherwise iptables seems to have problems.
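The log check described in the post above, as an added example that is not part of the original thread: it pulls the block messages for one IP out of kernel log text and reports which log prefix, interface and port each hit. The log lines are constructed samples, the `Firewall: *... Blocked*` prefix format is assumed from the thread title, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample lines in the iptables LOG format (not from a real host).
SAMPLE_LOG = """\
Jun 15 10:01:02 host kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TTL=52 PROTO=TCP SPT=51514 DPT=3306 SYN URGP=0
Jun 15 10:01:05 host kernel: Firewall: *TCP_OUT Blocked* IN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.7 LEN=60 TTL=64 PROTO=TCP SPT=40022 DPT=8080 SYN URGP=0
Jun 15 10:01:07 host kernel: Firewall: *TCP_IN Blocked* IN=eth1 OUT= SRC=203.0.113.70 DST=192.0.2.10 LEN=60 TTL=52 PROTO=TCP SPT=40100 DPT=3306 SYN URGP=0
Jun 15 10:01:09 host crond[812]: (root) CMD (run-parts /etc/cron.hourly)
Jun 15 10:01:11 host kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TTL=52 PROTO=TCP SPT=51520 DPT=3306 SYN URGP=0
"""

# Assumed prefix shape: "Firewall: *<label>*" ahead of the KEY=VALUE fields.
PREFIX_RE = re.compile(r"Firewall: \*(?P<label>[^*]+)\*")
FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")


def blocks_for_ip(log_text, ip):
    """Return one dict per block message whose SRC or DST is exactly `ip`."""
    hits = []
    for line in log_text.splitlines():
        prefix = PREFIX_RE.search(line)
        if not prefix:
            continue  # not a firewall block message
        fields = dict(FIELD_RE.findall(line))
        # Compare whole fields: a substring search for 203.0.113.7 would
        # also match 203.0.113.70.
        if ip not in (fields.get("SRC"), fields.get("DST")):
            continue
        hits.append({
            "label": prefix.group("label"),
            # IN= is set for inbound packets, OUT= for outbound ones.
            "iface": fields.get("IN") or fields.get("OUT") or "?",
            "proto": fields.get("PROTO"),
            "dpt": fields.get("DPT"),  # None for protocols without ports
        })
    return hits


def summarize(hits):
    """Count hits per (log prefix, protocol, destination port)."""
    return Counter((h["label"], h["proto"], h["dpt"]) for h in hits)


if __name__ == "__main__":
    for key, count in summarize(blocks_for_ip(SAMPLE_LOG, "203.0.113.7")).items():
        print(count, key)
```

The interface in each hit also shows which NIC the packet arrived on or left by, which is the detail to compare against the ETH_DEVICE and ETH_DEVICE_SKIP settings on a multi-NIC server.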


Mar 11, 2002
I noticed the same thing. Certain IPs are unreachable unless specifically allowed. They also don't show up in iptables using the list command.
Just a followup - had wrong traceroute info from customer and was pinging out to an IP of some third party traceroute site, and it turns out the person was really blocked for pop3 login failures. The moral of this story is, when asking for a traceroute - make sure it's from their computer and not some site they found that does traceroutes. :)