{"id":20,"date":"2018-09-26T13:43:26","date_gmt":"2018-09-26T13:43:26","guid":{"rendered":"http:\/\/tamer-az.com\/?p=20"},"modified":"2018-09-26T13:46:10","modified_gmt":"2018-09-26T13:46:10","slug":"how-to-block-or-allow-specific-ports-by-country-in-the-csf-firewall","status":"publish","type":"post","link":"https:\/\/tamer-az.com\/?p=20","title":{"rendered":"How to Block or Allow Specific Ports by Country in the CSF Firewall"},"content":{"rendered":"\n<h1 class=\"wp-block-heading\"><br\/><\/h1>\n\n\n\n<ol class=\"wp-block-list\"><li><a href=\"https:\/\/www.liquidweb.com\/kb\/how-to-back-up-and-restore-the-csf-firewall-configuration\/\">How to Back up and Restore the CSF Firewall Configuration<\/a><\/li><li><a href=\"https:\/\/www.liquidweb.com\/kb\/how-to-block-traffic-by-country-in-the-csf-firewall\/\">How to Block Traffic by Country in the CSF Firewall<\/a><\/li><li><a href=\"https:\/\/www.liquidweb.com\/kb\/how-to-allow-traffic-by-country-in-the-csf-firewall\/\">How to Allow Traffic by Country in the CSF Firewall<\/a><\/li><li>How to Block or Allow Specific Ports by Country in the CSF Firewall<\/li><li><a href=\"https:\/\/www.liquidweb.com\/kb\/basic-dosddos-mitigation-with-the-csf-firewall\/\">Basic DoS\/DDoS Mitigation with the CSF Firewall<\/a><\/li><\/ol>\n\n\n\n<p>In\n addition to being able to manage traffic from a specific country or a \nlist of countries, CSF allows you to manage access by country to \nspecific ports. 
This can be useful if you need to ensure that a \nparticular service is available globally (such as your web server on \nport 80) but want to restrict international access to services such as \nWHM\/cPanel, SSH, or FTP.<\/p>\n\n\n\n<p>You should note that all of the limitations on country-level filtering outlined in <a href=\"https:\/\/www.liquidweb.com\/kb\/how-to-block-traffic-by-country-in-the-csf-firewall\" target=\"_blank\" rel=\"noreferrer noopener\">Part Two: How to Block Traffic by Country in the CSF Firewall<\/a>\n apply here as well. Specifically, some ISPs use non-geographic IP \naddresses, some web services and cloud-based tools may use servers \noutside the country the companies are based in, and proxy services and \nvirtual private networks easily can mask a visitor\u2019s actual geographic \nlocation.<\/p>\n\n\n\n<p>Taken together, that means that some unwanted traffic \ncould get through, and some desired traffic could be blocked under \ncertain circumstances. Note: At least one of \nConfigServer\u2019s servers is in Germany; blocking that country could \nprevent CSF from updating and cause an error to be displayed on the <strong>ConfigServer Security &amp; Firewall<\/strong> page in WHM.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Pre-Flight Check<\/h2>\n\n\n\n<ul class=\"wp-block-list\"><li>This\n series assumes you have the ConfigServer Firewall (CSF) installed on \nyour cPanel server, and you have access to WebHost Manager (WHM).<\/li><li>If your managed cPanel server currently uses APF but you\u2019d prefer CSF, contact <a href=\"https:\/\/www.liquidweb.com\/support\/\" target=\"_blank\" rel=\"noreferrer noopener\">Heroic Support\u00ae<\/a>\n and request a switch. There is no charge, it typically takes only a few\n minutes, and the only service that needs to be restarted as a result is\n the firewall itself. Our support technicians also can port your \nexisting APF rules to CSF. 
If requesting an upgrade, please be sure to \nindicate whether your server uses the Guardian backup service so that \nits rules also can be configured.<\/li><\/ul>\n\n\n\n<p>If you have not already done so, <a href=\"https:\/\/www.liquidweb.com\/kb\/how-to-back-up-and-restore-the-csf-firewall-configuration\" target=\"_blank\" rel=\"noreferrer noopener\">back up the current firewall configuration<\/a> before making any changes.<\/p>\n\n\n\n<p>In WebHost Manager, locate and select <strong>ConfigServer Security &amp; Firewall<\/strong>\n under the Plugins section in the left menu. You also can begin typing \n\u201cfire\u201d into the search field at the top left to narrow down the options,\n then click on the <strong>Firewall Configuration<\/strong> button to open the configuration file.<\/p>\n\n\n\n<h1 class=\"wp-block-heading\">Blocking Access to Specific Ports by Country<\/h1>\n\n\n\n<p>Restricting\n access by port to IP addresses originating in a specific country or \ncountries can be an effective way to help minimize the negative \nperformance impact that country-level blocking can bring.<\/p>\n\n\n\n<p>That\u2019s \nbecause the smaller the CIDR (Classless Inter-Domain Routing) range \nagainst which each IP making an incoming request is checked, and the \nfewer requests on that port (SSH on port 22 and FTP on port 21 are \nlikely to see far less traffic than the website itself on port 80), the \nfewer resources the firewall checks should require.<\/p>\n\n\n\n<p>In this case, <strong>only incoming traffic on the specified port or ports<\/strong> <strong>will be checked against the CIDR range(s) for the blocked country code(s)<\/strong>.<\/p>\n\n\n\n<p>If\n you wish to deny access to several countries or wish to allow access to\n a port for only a single country, a better option may be to instead \nallow access only to that country. 
Feel free to skip ahead to <strong>Allow access to specific ports by country<\/strong> below to learn how to do that.<\/p>\n\n\n\n<p>In this example, we\u2019re blocking access to the standard FTP port, 21, to IP addresses originating in Belgium.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Step #1: Specify the Country or Countries to be Denied<\/h2>\n\n\n\n<ol class=\"wp-block-list\"><li>Scroll down to the <strong>Country Code Lists and Settings<\/strong> section and add the country code to <strong>CC_DENY_PORTS<\/strong>. Multiple countries can be comma separated with no spaces in between, and you can find a list of ISO 3166-1 alpha-2 codes at <a href=\"https:\/\/en.wikipedia.org\/wiki\/ISO_3166-1_alpha-2\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/en.wikipedia.org\/wiki\/ISO_3166-1_alpha-2<\/a>.<\/li><li>List the port that will be blocked in the specified country in the <strong>CC_DENY_PORTS_TCP<\/strong> and <strong>CC_DENY_PORTS_UDP<\/strong> fields.<\/li><\/ol>\n\n\n\n<figure class=\"wp-block-image\"><a href=\"https:\/\/lwstatic-a.akamaihd.net\/kb\/wp-content\/uploads\/2015\/12\/blockport21.png\"><img decoding=\"async\" src=\"https:\/\/lwstatic-a.akamaihd.net\/kb\/wp-content\/uploads\/2015\/12\/blockport21.png\" alt=\"Blocking port access by country\" class=\"wp-image-11594\"\/><\/a><\/figure>\n\n\n\n<p>Here we\u2019ve specified that traffic originating from Belgium is not allowed to connect on the standard FTP port, 21:<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Step #2: Save Your Changes and Restart the Firewall<\/h2>\n\n\n\n<ol class=\"wp-block-list\"><li>Scroll to the bottom of the <strong>Firewall Configuration<\/strong> page and click on the <strong>Change<\/strong> button.<\/li><li>On the next screen, click the Restart csf+lfd button to restart the firewall with the new settings.<\/li><\/ol>\n\n\n\n<p>By defining a country in <strong>CC_DENY_PORTS <\/strong>and a port in the <strong>CC_DENY_PORTS_TCP<\/strong> and 
<strong>CC_DENY_PORTS_UDP<\/strong>\n fields, we\u2019ve ensured that the port will remain open to any visitor \nwith valid credentials so long as their IP address does not originate \nfrom the specified country.<\/p>\n\n\n\n<h1 class=\"wp-block-heading\">Allowing Access to Specific Ports by Country<\/h1>\n\n\n\n<p>Just\n as you can deny incoming traffic by port to a specific country or \ncountries, you also can choose to allow incoming traffic by port to <em>only<\/em>\n a specific country or countries. Generally, this should be a better \noption than attempting to deny port access to a long list of countries \nbecause the firewall will be working with a smaller CIDR range against which \neach incoming request must be checked.<\/p>\n\n\n\n<p>To limit the ability to \nconnect on a specific port or ports to visitors with IP addresses \noriginating in a specific country or countries, you must:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>close the ports in the firewall<\/li><li>define the country code allowed to connect on those blocked ports<\/li><li>specify the blocked ports to be opened for the specified country<\/li><\/ul>\n\n\n\n<p>In this example, we\u2019re restricting access to the standard FTP port, 21, to IP addresses based in Germany.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Step #1: Close the Ports in the Firewall<\/h2>\n\n\n\n<p>On the <strong>Firewall Configuration<\/strong> page, scroll down to the <strong>IPv4 Port Settings<\/strong> section, and remove the desired port number from the <strong>TCP_IN <\/strong>and<strong> UDP_IN<\/strong> (if present) fields.<br\/> Here, we\u2019ve removed port 21 from the allowed incoming IPv4 ports, effectively blocking external access to the port:<\/p>\n\n\n\n<figure class=\"wp-block-image\"><a href=\"https:\/\/lwstatic-a.akamaihd.net\/kb\/wp-content\/uploads\/2015\/12\/removingport.png\"><img decoding=\"async\" src=\"https:\/\/lwstatic-a.akamaihd.net\/kb\/wp-content\/uploads\/2015\/12\/removingport.png\" 
alt=\"Remove the port from TCP_IN\" class=\"wp-image-11595\"\/><\/a><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Step #2: Specify the Country or Countries to be Allowed<\/h2>\n\n\n\n<p>Scroll down to the <strong>Country Code Lists and Settings<\/strong> section and add the country code to <strong>CC_ALLOW_PORTS<\/strong>.<\/p>\n\n\n\n<p>Here\n we\u2019ve specified that traffic originating from Germany is allowed to \nconnect on ports which have been otherwise closed in the firewall (we\u2019ll\n define the specific ports for this allow in the next step):<\/p>\n\n\n\n<figure class=\"wp-block-image\"><a href=\"https:\/\/lwstatic-a.akamaihd.net\/kb\/wp-content\/uploads\/2015\/12\/ccallowde.png\"><img decoding=\"async\" src=\"https:\/\/lwstatic-a.akamaihd.net\/kb\/wp-content\/uploads\/2015\/12\/ccallowde.png\" alt=\"Allowing a country access to specified ports\" class=\"wp-image-11597\"\/><\/a><\/figure>\n\n\n\n<p><br\/>\n Multiple countries can be comma separated with no spaces in between, \nand you can find a list of ISO 3166-1 alpha-2 codes at \nhttps:\/\/en.wikipedia.org\/wiki\/ISO_3166-1_alpha-2.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Step #3: Specify the Closed Ports to be Allowed to the Designated Country<\/h2>\n\n\n\n<p>Just below the <strong>CC_ALLOW_PORTS <\/strong>field, you\u2019ll see <strong>CC_ALLOW_PORTS_TCP<\/strong> and <strong>CC_ALLOW_PORTS_UDP<\/strong>.<\/p>\n\n\n\n<p>We\u2019ll add the port to open to the country (or countries) specified in <strong>CC_ALLOW_PORTS<\/strong> here, in this case, port 21:<\/p>\n\n\n\n<figure class=\"wp-block-image\"><a href=\"https:\/\/lwstatic-a.akamaihd.net\/kb\/wp-content\/uploads\/2015\/12\/allow21ccallow.png\"><img decoding=\"async\" src=\"https:\/\/lwstatic-a.akamaihd.net\/kb\/wp-content\/uploads\/2015\/12\/allow21ccallow.png\" alt=\"Specify which ports to open to designated countries\" class=\"wp-image-11598\"\/><\/a><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Step #4: Save Your Changes and 
Restart the Firewall<\/h2>\n\n\n\n<ol class=\"wp-block-list\"><li>Scroll to the bottom of the <strong>Firewall Configuration<\/strong> page and click on the <strong>Change<\/strong> button.<\/li><li>On the next screen, click the Restart csf+lfd button to restart the firewall with the new settings.<\/li><\/ol>\n\n\n\n<p>Now that we\u2019ve closed the standard FTP port in the firewall\u2019s <strong>IPv4 Port Settings<\/strong>,\n no visitor will be able to connect to port 21 unless their IP address \noriginates from Germany. At the same time, the setting applies only to \nport 21 and any visitor, regardless of geographic location, still can \nview the website or connect to any port open in the firewall.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>How to Back up and Restore the CSF Firewall Configuration How to Block Traffic by Country in the CSF Firewall How to Allow Traffic by Country in the CSF Firewall How to Block or Allow Specific Ports by Country in the CSF Firewall Basic DoS\/DDoS Mitigation with the CSF Firewall In addition to being able to manage traffic from a<\/p>\n<div class=\"clearfix\"><\/div>\n<div class=\"pull-left padding-top-25\"><a href=\"https:\/\/tamer-az.com\/?p=20\" class=\"btn btn-theme\">Continue reading<span class=\"screen-reader-text\"> &#8220;How to Block or Allow Specific Ports by Country in the CSF Firewall&#8221;<\/span> <i class=\"fa fa-fw fa-long-arrow-right\"><\/i> <\/a>  
<\/div>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[],"class_list":["post-20","post","type-post","status-publish","format-standard","hentry","category-cpanel"],"_links":{"self":[{"href":"https:\/\/tamer-az.com\/index.php?rest_route=\/wp\/v2\/posts\/20","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/tamer-az.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/tamer-az.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/tamer-az.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/tamer-az.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=20"}],"version-history":[{"count":1,"href":"https:\/\/tamer-az.com\/index.php?rest_route=\/wp\/v2\/posts\/20\/revisions"}],"predecessor-version":[{"id":21,"href":"https:\/\/tamer-az.com\/index.php?rest_route=\/wp\/v2\/posts\/20\/revisions\/21"}],"wp:attachment":[{"href":"https:\/\/tamer-az.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=20"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/tamer-az.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=20"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/tamer-az.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=20"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}