How to Open Ports in CSF Firewall on a Dedicated/VPS Server


 

CSF (Config Server Firewall) is a widely used firewall on Linux servers. It is easy to use and protects your Linux servers from DDoS attacks, brute-force attacks, SYN floods, ping of death, etc. It is free and user-friendly, so it is chosen by most server administrators to protect their Linux servers from attacks. CSF provides a graphical frontend, so the firewall can be managed without learning the firewall commands.

By default, all ports will be open on a Linux server. We can open and close specific ports in CSF firewall either through the server backend or through the frontend.
 


 
Steps to Open Ports in CSF Firewall on a Dedicated/VPS Server

If your website is hosted on a shared server, you can’t open ports in CSF firewall because you don’t have access to the server. If you want to open a specific port, you can contact your web hosting company and they will open the port for you.

If your website is hosted on a VPS/dedicated server, you will have root access to the server. Follow the steps below to open a server port via SSH:

1. Log in to your VPS/dedicated server via SSH using the root password.

2. First, take a backup of the CSF configuration file before making any changes to it.

Command to back up the CSF configuration file:
[root@server ~]# cp -a /etc/csf/csf.conf /etc/csf/csf.conf.bakk

3. Open the CSF configuration file using the vi editor.
[root@server ~]# vi /etc/csf/csf.conf

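4. Edit the line below in the CSF configuration and add the port you want to allow at the end of the existing list. Keep the existing entries: a port that is no longer listed, including SSH port 22, is blocked after the restart.
# Allow incoming TCP ports
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995,10000"
I have opened incoming port 10000 on the server.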

5. Save the CSF configuration file and exit.

6. Don’t forget to restart csf after making this change.
[root@server /]# csf -r
OR
[root@server /]# service csf restart

The port lists in the CSF configuration file look like this:

# Allow incoming TCP ports
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995"

# Allow outgoing TCP ports
TCP_OUT = "20,21,22,25,53,80,110,113,443,587,993,995"

# Allow incoming UDP ports
UDP_IN = "20,21,53"

# Allow outgoing UDP ports
# To allow outgoing traceroute add 33434:33523 to this list
UDP_OUT = "20,21,53,113,123"

TCP_IN – Add the port at the end of this line for allowing incoming TCP ports
TCP_OUT – Add the port at the end of this line for allowing outgoing TCP ports
UDP_IN – Add the port at the end of this line for allowing incoming UDP ports
UDP_OUT – Add the port at the end of this line for allowing outgoing UDP ports

You can also add a port range in CSF firewall, written as start:end like the 33434:33523 traceroute range mentioned in the UDP_OUT comment.
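The edit from steps 2 to 4 can be scripted so that the new port is appended to the existing list instead of replacing it. The script below is an added example, not part of the original article or of CSF; the function names, the .bak backup suffix and the script file name are assumptions.

```shell
#!/bin/sh
# Added example, not CSF's own tooling. Assumes KEY = "comma,separated,list"
# lines as shown on this page; the .bak backup suffix is an assumption.

# get_ports FILE KEY: print KEY's current list
get_ports() {
    sed -n "s/^$2[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" | head -n 1
}

# has_port LIST PORT: succeed if PORT is listed or falls inside a start:end range
has_port() {
    found=1; old_ifs=$IFS; IFS=,
    for entry in $1; do
        case $entry in
            *:*) [ "$2" -ge "${entry%%:*}" ] && [ "$2" -le "${entry##*:}" ] && found=0 ;;
            "$2") found=0 ;;
        esac
    done
    IFS=$old_ifs
    return "$found"
}

# add_port FILE KEY PORT: back up FILE, then append PORT to KEY's list if absent
add_port() {
    case $3 in ''|*[!0-9]*) echo "invalid port: $3" >&2; return 2 ;; esac
    if [ "$3" -lt 1 ] || [ "$3" -gt 65535 ]; then
        echo "port out of range: $3" >&2; return 2
    fi
    grep -q "^$2[[:space:]]*=[[:space:]]*\"" "$1" || { echo "$2 not found in $1" >&2; return 3; }
    current=$(get_ports "$1" "$2")
    if has_port "$current" "$3"; then return 0; fi   # already allowed: no change
    cp -a "$1" "$1.bak" || return 4                  # backup first, as in step 2
    # Rewrite only KEY's line, keeping every existing entry and appending PORT
    sed "s/^\($2[[:space:]]*=[[:space:]]*\"\)[^\"]*\"/\1${current:+$current,}$3\"/" "$1.bak" > "$1"
}

# Usage (hypothetical file name): sh add_port.sh /etc/csf/csf.conf TCP_IN 10000
if [ "$#" -eq 3 ]; then add_port "$@"; fi
```

After it runs, restart CSF with csf -r as in step 6. Calling has_port on the new TCP_IN list with 22 is a quick check that SSH is still allowed before you restart.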
 



 
How to Close/Block a Port in CSF firewall

Removing the port number from the TCP_IN, TCP_OUT, UDP_IN or UDP_OUT line will block the port. You must restart the firewall after making any changes.

Example: Removing 53 from the "UDP_IN" line below will close incoming UDP port 53.

UDP_IN = "20,21,53"