firewalld.service = Active: inactive

000

Well-Known Member
Jun 3, 2008
446
20
68
regards,
After we installed cPanel + CSF we ran
Code:
systemctl status firewalld
with result
Code:
[[email protected] ~]# systemctl status firewalld
● firewalld.service
Loaded: masked (/dev/null; bad)
Active: inactive (dead)
[[email protected] ~]#
Does my server really not have a firewall running?

If not, does this mean my server is TOTALLY INSECURE?
If yes, why does CentOS 7 reply inactive (dead)?

Thanks for your help
 

000

Thanks @GOT, please have patience with me: it is not clear.

I am in panic!

Does my server have some firewall running?
Is my server very insecure? (because the firewall is OFF!)
 

000

firewalld SHOULD be off. firewalld is NOT csf. firewalld should be removed; if it was running it would fight with csf.
Thanks master @GOT, then how do I open a port in this server CentOS 7 + cPanel?

note: directly from the CLI, not using WHM

many thanks again.
 

000

how do I open a port in this server CentOS 7 + cPanel
  1. open the file /etc/csf/csf.conf
  2. add the port number to the list TCP_IN:
    Code:
    TCP_IN = "20,21,22,25,53,80, ..., YOU_PORT_NUMBER, 8443"
  3. add the port number to the list TCP_OUT:
    Code:
    TCP_OUT = "20,21,22, ..., YOU_PORT_NUMBER, 5432"
  4. restart CSF:
    Code:
    csf -ra
  5. ask in the cPanel forums because:

the port continues CLOSED ....

:-'(
 

GOT

Get Proactive!
PartnerNOC
Apr 8, 2003
1,755
316
363
Chesapeake, VA
cPanel Access Level
DataCenter Provider
What you did should be correct. It's possible that the port you are opening is not actually listening for anything. What is the output of

netstat -nlp|grep YOU_PORT_NUMBER

Although I would add that there should be no spaces after the commas as you have it in your post.
 

000

Thanks @GOT
It's possible that the port you are opening is not actually listening for anything.
o_O
If I open a port, is it not automatically "listening"?
Code:
[[email protected] ~]# netstat -nlp | grep 5432
tcp        0      0 127.0.0.1:5432          0.0.0.0:*               LISTEN      942/postmaster
unix  2      [ ACC ]     STREAM     LISTENING     18494    942/postmaster       /tmp/.s.PGSQL.5432
unix  2      [ ACC ]     STREAM     LISTENING     18481    942/postmaster       /var/run/postgresql/.s.PGSQL.5432
[[email protected] ~]#
but at the end of
Code:
/var/lib/pgsql/13/data/pg_hba.conf
I put
Code:
# remote connections:
host    all             all             *               trust
and afterwards I ran
Code:
systemctl restart postgresql-13;
 

GOT

5432 tcp 0 0 127.0.0.1:5432 0.0.0.0:* LISTEN 942/postmaster

Your service is only listening on 127.0.0.1, so it's not set to listen on anything besides localhost and you won't be able to connect to it externally. You would need to reconfigure it to listen on 0.0.0.0 if you wanted to make external connections to it.
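The three conditions this thread separates (port allowed in CSF, something actually listening, and listening on a non-loopback address rather than 127.0.0.1) can be checked together. The following Python is an added example, not code from the thread, CSF or cPanel; it runs over a constructed csf.conf fragment and constructed `ss -ltn` output instead of the live system, and also flags the spaces-after-commas mistake GOT points out.

```python
import re

# Constructed sample inputs (not from the poster's server): a csf.conf fragment
# with the spaces-after-commas mistake, and `ss -ltn` output of the same host.
CSF_CONF = '''
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995,2082,2083,2086,2087,2095,2096, 5432,8443"
TCP_OUT = "20,21,22,25,37,43,53,80,110,113,443,587,873,993,995,2086,2087,2089,2703,5432"
'''
SS_LTN = '''
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*
LISTEN  0       128     127.0.0.1:5432      0.0.0.0:*
LISTEN  0       128     [::1]:5432          [::]:*
'''

def csf_ports(conf, key):
    """Return (set of ports, has_spaces) for TCP_IN or TCP_OUT in csf.conf."""
    m = re.search(r'^%s\s*=\s*"([^"]*)"' % key, conf, re.M)
    if not m:
        return set(), False
    raw = m.group(1)
    return {p.strip() for p in raw.split(",") if p.strip()}, " " in raw

def listeners(ss_output, port):
    """Return the local addresses on which `port` is in LISTEN state."""
    addrs = []
    for line in ss_output.splitlines():
        cols = line.split()
        if len(cols) >= 5 and cols[0] == "LISTEN":
            addr, _, p = cols[3].rpartition(":")
            if p == str(port):
                addrs.append(addr)
    return addrs

def diagnose(port, conf=CSF_CONF, ss_output=SS_LTN):
    """Explain why a port opened in CSF can still look closed from outside."""
    findings = []
    ports, spaces = csf_ports(conf, "TCP_IN")
    if spaces:
        findings.append("TCP_IN has spaces after commas")
    if str(port) not in ports:
        findings.append("not in TCP_IN")
    addrs = listeners(ss_output, port)
    if not addrs:
        findings.append("nothing listening")          # telnet will fail here
    elif all(a in ("127.0.0.1", "[::1]") for a in addrs):
        findings.append("bound to localhost only")    # GOT's 127.0.0.1 case
    else:
        findings.append("listening on " + ", ".join(addrs))
    return findings

if __name__ == "__main__":
    for port in (22, 5432, 8443, 9999):
        print(port, diagnose(port))
```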
 

000

Though I would add that having postgresql wide open to the entire internet is not advisable.


Thanks, master. When I put
Code:
host    all             all             MY.IP.FROM.ISP              trust
at the moment of restarting PgSQL:
Code:
[[email protected] ~]# systemctl restart postgresql-13;
Job for postgresql-13.service failed because the control process exited with error code. See "systemctl status postgresql-13.service" and "journalctl -xe" for details.
[[email protected] ~]#
... how can I configure EXTERNAL connections only for MY.IP?
 

GOT

You're running down the wrong road here. You've done something to your postgresql config that it does not like and you did not outline what that was so I have no way to know what you did to break it.

This article talks about setting postgres to listen on the public IP:


But take the port out of the tcp_in line and then whitelist your IP with the csf -a you_ip_here command

But you'll need to fix whatever you did to break your postgres config first.
 

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
7,519
1,028
313
cPanel Access Level
Root Administrator
Thanks @GOT

@000 - as mentioned, you can open any port you want, but it won't show as active with a test like "telnet" if there is nothing listening on it. We can telnet to ports 80 and 25 normally because there are services listening on them. One example is the passive FTP port range, which is the range of ports from 49152 to 65534 by default. They are open in the firewall, but they are only used for an active session, so telnet won't show them as active even though they can be used as needed.
 

000

This article talks about setting postgres to listen on the public IP:

Thanks @GOT, also in this article it is recommended:
Code:
listen_addresses = '*'
is it not possible:
Code:
listen_addresses = 'localhost,ONLY.MY.ADDRESS.IP'
??
(I tried and it is only possible to connect using '*')

Really, for me it is not necessary to open my server's PgSQL to ALL the Internet; I need it only for my IP address and localhost.

regards
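The "only my IP" rule belongs in pg_hba.conf (listen_addresses names the server's own interface addresses, so a client IP placed there has nothing to bind to), with the packet filter handled by the csf -a whitelist GOT suggests. As an added example that is not code from the thread or from PostgreSQL, this Python checker validates the ADDRESS and METHOD fields of constructed host lines following the documented pg_hba.conf rules: an IP with no /32 mask or netmask field makes the file fail to load, `*` is read as a host name rather than a wildcard, and `trust` disables password checks; 203.0.113.7 is a constructed stand-in for the poster's ISP address.

```python
import ipaddress

# Constructed pg_hba.conf fragment (not from the poster's server) covering the
# forms the thread tried: `*`, a bare IP with no mask, and the corrected form.
PG_HBA = """\
# TYPE  DATABASE  USER  ADDRESS                       METHOD
local   all       all                                 peer
host    all       all   127.0.0.1/32                  scram-sha-256
host    all       all   *                             trust
host    all       all   203.0.113.7                   trust
host    all       all   203.0.113.7 255.255.255.255   md5
host    all       all   0.0.0.0/0                     md5
host    all       all   203.0.113.7/32                scram-sha-256
"""

def is_ip(tok):
    try:
        return bool(ipaddress.ip_address(tok))
    except ValueError:
        return False

def check_address(addr, mask=None):
    """Problems with one ADDRESS field, following the documented pg_hba.conf rules."""
    if addr in ("samehost", "samenet", "all"):
        return ["'all' matches every client address"] if addr == "all" else []
    if "/" in addr:
        try:
            net = ipaddress.ip_network(addr, strict=False)
        except ValueError:
            return ["invalid CIDR address (file is rejected at startup)"]
        return ["matches every client address"] if net.prefixlen == 0 else []
    if is_ip(addr):
        # An IP needs a /prefix or a separate netmask field; without one the file fails to load.
        return [] if mask else ["bare IP without /32 or netmask (file is rejected at startup)"]
    # Anything non-numeric is a host name matched by reverse DNS; '*' is not a wildcard.
    return ["'*' is read as a host name and never matches a client"] if addr == "*" else []

def check_hba(text):
    """Return (line_no, problem) pairs for every host-type line."""
    problems = []
    for n, line in enumerate(text.splitlines(), 1):
        f = line.split()
        if not f or f[0].startswith("#") or f[0] == "local":
            continue
        mask, method = (f[4], f[5]) if len(f) > 5 and is_ip(f[4]) else (None, f[4])
        problems += [(n, p) for p in check_address(f[3], mask)]
        if method == "trust":
            problems.append((n, "trust skips authentication entirely"))
    return problems
```

Running check_hba(PG_HBA) reports only lines 4, 5 and 7; the closing `host all all 203.0.113.7/32 scram-sha-256` line is the shape that gives one client address a password-protected remote connection.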