# CSF Install



## kcaj (May 4, 2014)

I've installed CSF on my Debian 7 VPS. Here are a few lines from /etc/csf/csf.conf


```
###############################################################################
# SECTION:IPv4 Port Settings
###############################################################################
# Lists of ports in the following comma separated lists can be added using a
# colon (e.g. 30000:35000).

# Allow incoming TCP ports
TCP_IN = "22"

# Allow outgoing TCP ports
TCP_OUT = "22,53,80"

# Allow incoming UDP ports
UDP_IN = "53,161"

# Allow outgoing UDP ports
# To allow outgoing traceroute add 33434:33523 to this list
UDP_OUT = "53"

# Allow incoming PING
ICMP_IN = "1"

# Set the per IP address incoming ICMP packet rate
# To disable rate limiting set to "0"
ICMP_IN_RATE = "1/s"

# Allow outgoing PING
ICMP_OUT = "1"

# Set the per IP address outgoing ICMP packet rate (hits per second allowed),
# e.g. "1/s"
# To disable rate limiting set to "0"
ICMP_OUT_RATE = "1/s"
```

My problem is a web panel on port 9091 is still accessible. I have configured the port as open in CSF, so why is it open? CSF does seem to be working to an extent; I initially forgot to open port 161 for SNMP access and the Observium poll server reported the server as being down as it couldn't reach SNMP.

Why is 9091 still open?


----------



## Lee (May 4, 2014)

Are you sure CSF is running?  Did you switch it from the default test mode into production?


----------



## fixidixi (May 4, 2014)

Did you hit `csf -q` after modifying the config?


----------



## TruvisT (May 5, 2014)

CSF will automatically whitelist your IP so it will always be open to you.


----------



## Dylan (May 5, 2014)

TruvisT said:


> CSF will automatically whitelist your IP so it will always be open to you.


Bingo - check /etc/csf/csf.allow. You can just remove the automatically added IP if you want to make sure everything's working properly.


----------



## kcaj (May 5, 2014)

TruvisT said:


> CSF will automatically whitelist your IP so it will always be open to you.


Thank you, discovered this a few minutes after posting.


----------



## fixidixi (May 5, 2014)

You can of course also enable only the port that you need instead of allowing "everything".

`tcp/udp:in/out:s/d=3306:s/d=10.9.1.1`


----------
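
An added example (not code from the thread or from the CSF project): a short Python audit of `csf.allow` contents that separates bare IP entries, which the replies above describe as open on every port regardless of `TCP_IN`, from port-scoped entries in the format fixidixi posted. The sample file contents, the `Include` path and the acceptance of both `:` and `|` as field separators are assumptions.

```python
import ipaddress
import re

# Constructed sample of /etc/csf/csf.allow contents (not taken from the thread).
# The Include path is hypothetical.
SAMPLE = """\
# csf.allow
203.0.113.7 # csf SSH installation/upgrade IP address - constructed sample
tcp:in:d=3306:s=10.9.1.1
tcp|in|d=9091|s=198.51.100.0/24
Include /etc/csf/extra.allow
"""

# Fields accepted in a port-scoped (advanced) allow entry.
FIELD = re.compile(r"^(tcp|udp|icmp|in|out|[sd]=.+|u=\d+)$")


def classify(line):
    """Return (kind, entry) for one csf.allow line, or None for blank/comment."""
    entry = line.split("#", 1)[0].strip()
    if not entry:
        return None
    if entry.lower().startswith("include "):
        return ("include", entry)
    try:
        # A bare address or CIDR is allowed on every port.
        ipaddress.ip_network(entry, strict=False)
        return ("all-ports", entry)
    except ValueError:
        pass
    sep = "|" if "|" in entry else ":"
    fields = entry.split(sep)
    if len(fields) > 1 and all(FIELD.match(f) for f in fields):
        return ("scoped", entry)
    return ("unparsed", entry)


def audit(text):
    """Group entries by kind so all-ports allows stand out."""
    report = {"all-ports": [], "scoped": [], "include": [], "unparsed": []}
    for line in text.splitlines():
        result = classify(line)
        if result:
            report[result[0]].append(result[1])
    return report


if __name__ == "__main__":
    for kind, entries in audit(SAMPLE).items():
        for entry in entries:
            print(f"{kind:10} {entry}")
```

Entries reported as `all-ports` are the ones to review or replace with a scoped rule; `include` lines point at further files that need the same check.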



## kcaj (May 8, 2014)

fixidixi said:


> You can of course also enable only the port that you need instead of allowing "everything".
> 
> `tcp/udp:in/out:s/d=3306:s/d=10.9.1.1`


Yes, I have been doing this over the past few days.

I've hit another problem though. I run transmission-daemon on one of my boxes and am unable to get it working with a firewall enabled. I've tried opening the relevant TCP/UDP ports in settings and for the trackers but am unable to get it to load. Adding a magnetized transfer won't even load the details.


----------

