Anyone using CSF (Config Server Firewall)????

Netizen

Aug 16, 2012
It seems that although I can operate the CSF firewall with VMs running on public IPs, I cannot do the same with VMs running on private IPs!
The firewall logs do NOT show any packets dropped however my private VMs cannot access the internet.
Can someone please help by sharing his knowledge on CSF/Proxmox? :(

Not sure what I am missing; however, even if I disable the firewall I still have issues.
Putting Shorewall works but
a) I am not familiar with configuring it
and
b) It is not as rich as the CSF firewall.
 
I have run CSF on private IPs before - you must disable the bogons and private address blocking options in the config - it's not a Proxmox issue, it's a VM/CSF issue
 
Yes that could be the problem but not in this case.
I have NOT installed CSF inside the CTs or VMs yet.... JUST on the hardware node.
I have also put the 192.168.0.0/24 subnet inside the allowed IPs config text (which I think could be dangerous?)
 
I've never installed it on the hardware node - simply because it mucks around with IP forwarding and bridging in its out-of-the-box config - it would be better to set a simpler set of iptables rules that only deal with the hardware node's IP addresses, then pass the rest of them to the network bridge/OpenVZ

The setup does entirely depend on your network setup though; it seems weird to me that you have VMs with public IPs and then VMs with private IPs in the same HV? What network topology are you running?

I've always found it better to stick hardware nodes behind a hardware firewall though - it's less messing about with the network stack that can act in undesired ways for the VMs like you are seeing
 
I’m sure you will agree with me that CSF does a hell of a lot more than just block some ports and of course in some cases is a preferred tool.
All it is however at the end of the day is an advanced GUI-based management tool for iptables. So with the appropriate configuration it is a better firewall.
I do agree that an external HW firewall is the best option, however I’m on DC and this would mean much more in terms of budget.

I don’t see a problem with having KVMs with public IPs and KVMs with private IPs. Why not?
Many private KVMs (or CTs) can share a single IP (by using port forward NAT) and hence I don’t have to have a public IP for each KVM.
On the other hand, KVMs with public IPs have their own software firewall inside them.

My current problem was solved by adding the following line inside /etc/csf/csfpost.sh:


$IPT -t nat -A POSTROUTING -s 192.168.0.0/24 -o eth0 -j MASQUERADE
 

Ah yes, that's basically resetting the NAT config for Proxmox that CSF destroys when you set it up
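
The rule from the post above, written so that it can be re-applied on every CSF restart without stacking duplicates. This is an added example, not code from the thread or from CSF. Assumptions: `IPT` falls back to `iptables` when the caller has not set it, the names `add_once`, `restore_guest_nat`, `NAT_SRC`, `NAT_OUT` and `FWD_FLAG` are hypothetical, and the rule is applied only when the file is actually run as `csfpost.sh`.

```shell
#!/bin/sh
# Added example for /etc/csf/csfpost.sh (not from the thread).
# Assumption: IPT may be unset when this runs, so fall back to "iptables".
IPT="${IPT:-iptables}"
NAT_SRC="${NAT_SRC:-192.168.0.0/24}"   # private guest subnet quoted in the post
NAT_OUT="${NAT_OUT:-eth0}"             # uplink interface quoted in the post
FWD_FLAG="${FWD_FLAG:-/proc/sys/net/ipv4/ip_forward}"

# Append a rule only if an identical one is not already present.
# "-C" asks iptables whether the exact rule exists (exit 0 if it does).
add_once() {
    table=$1; chain=$2; shift 2
    $IPT -t "$table" -C "$chain" "$@" 2>/dev/null && return 0
    $IPT -t "$table" -A "$chain" "$@"
}

restore_guest_nat() {
    # MASQUERADE has no effect unless the host is routing IPv4.
    if [ "$(cat "$FWD_FLAG" 2>/dev/null)" != "1" ]; then
        echo "csfpost: IPv4 forwarding is off, private guests stay offline" >&2
        return 1
    fi
    # Source NAT limited to one subnet and one outgoing interface,
    # rather than a blanket rule for everything leaving the host.
    add_once nat POSTROUTING -s "$NAT_SRC" -o "$NAT_OUT" -j MASQUERADE || return 2
}

# Apply the rule only when this file is executed under its real name, so
# sourcing it elsewhere (for testing) does not touch the live ruleset.
case "${0##*/}" in
    csfpost.sh) restore_guest_nat ;;
esac
```

Afterwards, `iptables -t nat -S POSTROUTING` on the host should list the MASQUERADE rule exactly once, however many times CSF has been restarted.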
 
I used it until today, and I want to share my nightmare with CSF & LFD.

Yesterday, I could not access any of my websites on my VPS. I could not access SSH. I could in fact access nothing. So I first thought my web server was down, but the techs said everything ran fine.

Later on I discovered my websites were remotely accessible, but not from my network. So I thought the problem came from my network. I asked someone else to visit one of my websites and it worked.

Then I discovered I had received tons of mails from LFD saying "Excessive resource usage" for each of my processes (LFD is a process that comes along with CSF).

I connected to my server using a VPN and it worked, but I was disconnected after 5 minutes.

I stopped the CSF firewall module and everything was fine; I could once again access all ftps, ssh, http...

So, CSF used to kick me out. 24 hours of stress & wasted time.

I don't know what I am going to do with it.

By the way, the origin of the issue is related to php.ini and a memory_value that I increased. Everything worked fine and I was below my server RAM limit even after increasing this parameter.

From now on, I will not turn on CSF again.
 

Half of your errors seem like incorrect config of CSF to me. It's a very powerful tool, but if not set up right at the beginning it can cause more problems than it fixes.
 
That was the default config from the web hosting.

Fine-tuning iptables should be as good as CSF without locking everything up.
 
If you want to use CSF and at the same time you have a cluster, you need to add this IP: 239.192.25.2 # Manually allowed: 239.192.25.2 (-) - Mon Sep 24 09:08:21 2018
For some reason it is necessary to add it. I don't know why, whether this IP checks some services or something, but after adding it on my Proxmox, the cluster server began to work again.
 
Any help with this kind of problem?
I can't access my CentOS VM if I turn the CSF firewall on.
 
