For those that are having trouble with KissMyFirewall...

Networkologist

Well-Known Member
Feb 5, 2003
215
2
168
Hi HollyRidge.

Just used your script to replace my install of KISS and unless I add:

465 993 995 2080:2099

to the additional ports, I'm unable to access WHM or cPanel.

Networkologist

Well-Known Member
Feb 5, 2003
215
2
168
Thanks HollyRidge. //edit - where'd her post go?

//endedit

I just double-checked in case I didn't copy the output of your config file properly, but it looks exactly right. Except I can't log in without adding those ports.

################################################################################
# INPUT - PORT Special Cpanel Ports 2080-2099
################################################################################
for server_ips in $SERVER_IPS; do
$IPTABLES -A INPUT -i eth0 -p tcp -s $server_ips --sport $UNPRIVPORTS --dport 2080:2099 -m state --state NEW -j ACCEPT
done

################################################################################
# INPUT - PORT 873 - Rsync
################################################################################
$IPTABLES -A INPUT -i eth0 -p udp --sport $UNPRIVPORTS --dport 873 -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -i eth0 -p tcp --sport $UNPRIVPORTS --dport 873 -m state --state NEW -j ACCEPT

################################################################################
# OUTPUT - PORT 873 - Rsync
################################################################################
$IPTABLES -A OUTPUT -o eth0 -p udp --sport $UNPRIVPORTS --dport 873 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -o eth0 -p tcp --sport $UNPRIVPORTS --dport 873 -m state --state NEW -j ACCEPT

################################################################################
# INPUT - PORT Allow Rdate Port 37
################################################################################
for server_ips in $SERVER_IPS; do
$IPTABLES -A INPUT -i eth0 -p tcp -s $server_ips --sport $UNPRIVPORTS --dport 37 -m state --state NEW -j ACCEPT
done

################################################################################
# INPUT - PORT Allow Secure SMTP Port 465
################################################################################
for server_ips in $SERVER_IPS; do
$IPTABLES -A INPUT -i eth0 -p tcp -s $server_ips --sport $UNPRIVPORTS --dport 465 -m state --state NEW -j ACCEPT
done

################################################################################
# INPUT - PORT Allow Secure IMAP Port 993
################################################################################
for server_ips in $SERVER_IPS; do
$IPTABLES -A INPUT -i eth0 -p tcp -s $server_ips --sport $UNPRIVPORTS --dport 993 -m state --state NEW -j ACCEPT
done

################################################################################
# INPUT - PORT Allow Secure POP3 Port 995
################################################################################
for server_ips in $SERVER_IPS; do
$IPTABLES -A INPUT -i eth0 -p tcp -s $server_ips --sport $UNPRIVPORTS --dport 995 -m state --state NEW -j ACCEPT
done

jamesbond

Well-Known Member
Oct 9, 2002
737
1
168
I'm running KISS with the ports specified in this thread.

Today I had a license file expired problem for the 2nd time in 2 weeks.

I'm quite sure it has to do with the KISS firewall.

/usr/local/cpanel/cpkeyclt doesn't work with KISS firewall on.

When I flushed the firewall rules /usr/local/cpanel/cpkeyclt worked fine and my license expired problem was solved.


jamesbond

Well-Known Member
Oct 9, 2002
737
1
168
Today I had the license expired problem again :(

Disabling KISS and then running /usr/local/cpanel/cpkeyclt fixes it.

/usr/local/cpanel/cpkeyclt doesn't run with KISS enabled.

How can I configure KISS so that /usr/local/cpanel/cpkeyclt will execute?
I'm quite sure the license expired issue is caused by the firewall.


HollyRidge

Well-Known Member
Feb 25, 2003
139
2
168
Clayton NC USA
cPanel Access Level
Root Administrator
OK, I finally figured out why this happens and what is going on. When you add 2080-2099 to the ports list you are only opening the incoming TCP ports, not the outgoing ones. To resolve this issue, add the following to the bottom, restart your firewall, and execute /usr/local/cpanel/cpkeyclt:
Code:
################################################################################
# INPUT & OUTPUT CPanel License Sync TCP port 2089
################################################################################
$IPTABLES -A OUTPUT -o eth0 -p tcp -m state --state NEW --sport $UNPRIVPORTS --dport 2089 -j ACCEPT
$IPTABLES -A INPUT -i eth0 -p tcp -m state --state NEW --sport $UNPRIVPORTS --dport 2089 -j ACCEPT
Hope this helps. :)

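HollyRidge's explanation above (a port added to the incoming list opens INPUT only, while cpkeyclt has to connect out) and the per-port INPUT rules Networkologist posted earlier can both be checked mechanically. The shell script below is an added example, not code from this thread or from KissMyFirewall itself. It reuses the KISS variable names ($IPTABLES, $UNPRIVPORTS) and the eth0 interface from the quoted rules; the 192.0.2.10 address and the iptables-save excerpt are constructed for the demonstration. It emits a matched INPUT/OUTPUT pair for a TCP port and audits a saved ruleset for ports that are open in only one direction, including ports that are covered by a range such as 2080:2099.

```shell
#!/bin/sh
# Added example, not part of the thread or of KissMyFirewall: it shows why
# HollyRidge's fix is needed and how to audit a ruleset for the same gap.
# KISS sets the INPUT and OUTPUT policies to DROP, so a port listed only as
# an incoming port lets clients reach the server but does not let a local
# client such as cpkeyclt open a connection out. The variable names follow
# the KISS rules quoted in the thread; the 192.0.2.10 address and the
# ruleset dump below are constructed for the demonstration.

IPTABLES="${IPTABLES:-echo}"        # dry run by default; set IPTABLES=/sbin/iptables to apply
UNPRIVPORTS="${UNPRIVPORTS:-1024:65535}"
IFACE="${IFACE:-eth0}"

# Open one TCP port in both directions: inbound (remote clients connect to
# us) and outbound (a local client connects to a remote service). An optional
# PEER address restricts both rules to that host. Replies are matched by the
# ESTABLISHED,RELATED rules KISS already has, so only NEW is needed here.
kiss_allow_tcp_both() {
    port="$1"; peer="$2"
    src=""; dst=""
    if [ -n "$peer" ]; then src="-s $peer"; dst="-d $peer"; fi
    $IPTABLES -A INPUT  -i "$IFACE" -p tcp $src --sport "$UNPRIVPORTS" --dport "$port" -m state --state NEW -j ACCEPT
    $IPTABLES -A OUTPUT -o "$IFACE" -p tcp $dst --sport "$UNPRIVPORTS" --dport "$port" -m state --state NEW -j ACCEPT
}

# Does CHAIN in an iptables-save dump accept NEW TCP connections to PORT?
# Handles single ports and lo:hi ranges such as the 2080:2099 rule above.
chain_allows_new_tcp() {
    dump="$1"; chain="$2"; port="$3"
    grep -E -e "^-A $chain .*-p tcp .*--dport [0-9:]+ .*--(state|ctstate) NEW .*-j ACCEPT" "$dump" |
    sed -E 's/.*--dport ([0-9]+)(:([0-9]+))?.*/\1 \3/' |
    while read -r lo hi; do
        if [ "$port" -ge "$lo" ] && [ "$port" -le "${hi:-$lo}" ]; then
            echo match
        fi
    done | grep -q match
}

# Summarise both directions for PORT; succeed only when both are open.
audit_port() {
    dump="$1"; port="$2"
    dir_in=closed; dir_out=closed
    chain_allows_new_tcp "$dump" INPUT "$port" && dir_in=open
    chain_allows_new_tcp "$dump" OUTPUT "$port" && dir_out=open
    echo "tcp/$port: INPUT=$dir_in OUTPUT=$dir_out"
    [ "$dir_in" = open ] && [ "$dir_out" = open ]
}

WORK="$(mktemp -d)"
KISS_BEFORE="$WORK/before.rules"
KISS_AFTER="$WORK/after.rules"

# Constructed iptables-save excerpt: KISS-style DROP policies, the state
# rules, inbound SSH, outbound HTTP, and the 2080:2099 INPUT rule from the
# thread. Nothing here lets a connection *out* to tcp/2089.
cat > "$KISS_BEFORE" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --sport 1024:65535 --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -s 192.0.2.10/32 -i eth0 -p tcp -m tcp --sport 1024:65535 --dport 2080:2099 -m state --state NEW -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp --sport 1024:65535 --dport 80 -m state --state NEW -j ACCEPT
COMMIT
EOF

# Simulate the fix: the same ruleset with the 2089 pair appended (the dry-run
# output of kiss_allow_tcp_both is already in iptables-save form).
{
    grep -v '^COMMIT$' "$KISS_BEFORE"
    ( IPTABLES=echo; kiss_allow_tcp_both 2089 )
    echo COMMIT
} > "$KISS_AFTER"

audit_port "$KISS_BEFORE" 2089 || echo "before: cpkeyclt cannot connect out, add an OUTPUT rule"
audit_port "$KISS_AFTER" 2089 && echo "after: tcp/2089 open in both directions"
```

On a live box, run `iptables-save > /tmp/rules` after restarting KISS and call `audit_port /tmp/rules 2089` (and the same for any other port the thread adds); a port that reports INPUT=open OUTPUT=closed is one that remote clients can reach but that local clients cannot connect out to, which is exactly the cpkeyclt symptom.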

jamesbond

Well-Known Member
Oct 9, 2002
737
1
168
Thanks HollyRidge,

I hope I won't see this license expired stuff from now on :)


jamesbond

Well-Known Member
Oct 9, 2002
737
1
168
It seems the KISS firewall still blocks a needed port when upgrading Apache.

When I have the KISS firewall enabled, the Apache upgrade process gets stuck while retrieving fpextensions from the cPanel server.

Does anyone know which other ports the buildapache script tries to connect through, besides 37 and 873?

I have added all the extra ports mentioned in this thread.
