Not blocking properly what? Besides, why use CSF in the first place, if the default Virtualmin installation with FirewallD and Fail2Ban does everything that needs to be done?
I think CSF is great, but I don’t believe it’s necessary to replace the Virtualmin stock FirewallD + Fail2Ban. Essentially, they are equally effective and perform the same functions.
I tried it once, didn’t like it. So I use firewalld to open and close ports and fail2ban to manage bans via iptables directly, using the iptables_x actions. Maybe csf gives more information back, but all I need to know is who is banned, for what reason (fail2ban jail name), for how long and when the ban expires. You can see this in the fail2ban module, which also allows you to selectively unban IP addresses if you need to. I would guess that if the Virtualmin devs thought there were significant gains from using csf, they would not default to firewalld/fail2ban but would install and configure csf at installation instead.
Well, it is not a simple config and needs time to configure, whereas firewalld and fail2ban just work. I like that you can do country blocking with CSF and add quick blocking of IPs too.
Ok, that may follow and be good, but I don’t judge a country on some of its residents being bad. Does csf take VPNs into account? I could block, say, the USA, and someone could connect via a VPN in the USA from Germany; would csf also block them?
It may not originate in those countries, but the VPN makes it appear as if it has originated from a banned country. This is used a lot by UK nationals who wish to use services in the UK from countries that are blocked. Example: someone in the USA is blocked from using a service in the UK, so they use a UK-based VPN so they appear to be in the UK.
You can do the same with firewalld by setting up your own list using ipset. You can create your own list and copy it from server to server with just a couple of commands. Just look up ipset…
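Building the ipset the post above mentions, as an added example that is not part of this thread: a POSIX sh helper that validates a plain CIDR list and writes the file firewalld keeps for a permanent ipset, so the same blocklist can be copied between servers. The set name `blocklist`, the file name and the `firewall-cmd` usage in the trailing comments are assumptions, not something from the thread.

```shell
# Added example, not from this thread: build the XML firewalld stores under
# /etc/firewalld/ipsets/<name>.xml from a plain CIDR list, so one file can be
# copied between servers. Set name "blocklist" and ./blocklist.txt are assumed.
SET_NAME="${SET_NAME:-blocklist}"

# Syntactic IPv4 CIDR check (four octets 0-255, optional /0-32); anything else
# is rejected so a stray line never reaches the firewall.
valid_cidr() {
    case "$1" in *[!0-9./]*|"") return 1 ;; esac
    ip="${1%%/*}"; pfx="${1#*/}"
    [ "$pfx" = "$1" ] && pfx=32
    case "$pfx" in ""|*[!0-9]*) return 1 ;; esac
    [ "$pfx" -le 32 ] || return 1
    oldIFS=$IFS; IFS=.; set -- $ip; IFS=$oldIFS
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in ""|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
}

# Print the ipset XML for every valid line of $1 (blank lines and '#' comments
# skipped). Returns 1 if any line was rejected, so a deploy script can refuse
# to install a partly-bad list instead of silently shipping a shorter one.
make_ipset_xml() {
    infile="$1"; rc=0
    printf '<?xml version="1.0" encoding="utf-8"?>\n<ipset type="hash:net">\n'
    printf '  <short>%s</short>\n' "$SET_NAME"
    while IFS= read -r line || [ -n "$line" ]; do
        line="${line%%#*}"
        line="$(printf '%s' "$line" | tr -d '[:space:]')"
        [ -n "$line" ] || continue
        if valid_cidr "$line"; then
            printf '  <entry>%s</entry>\n' "$line"
        else
            printf 'rejected: %s\n' "$line" >&2; rc=1
        fi
    done < "$infile"
    printf '</ipset>\n'
    return "$rc"
}

# Typical use as root on each server (assumed, not part of the thread):
#   make_ipset_xml blocklist.txt > /etc/firewalld/ipsets/blocklist.xml &&
#   firewall-cmd --reload &&
#   firewall-cmd --permanent --zone=drop --add-source=ipset:blocklist &&
#   firewall-cmd --reload
# A runtime-only allowance for one customer IP that expires after an hour:
#   firewall-cmd --add-rich-rule='rule family=ipv4 source address=192.0.2.10 accept' --timeout=3600
```

The helper refuses to produce a file when any line is malformed, which is the check you want before copying a list to several servers.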
CSF has the unpleasant side effect of blocking you from the server, not just the service you triggered. Not pleasant when doing remote admin. Happens too much when someone is trying to set up email too.
I’ll give this as a plus, but couldn’t it be added to the Firewalld interface? Having the ability to whitelist for a given time was nice for customers who were ‘inventive’ in configuring their email clients.
Quick IP manipulation was the only real reason I went into CSF once it was set up.
One thing to remember though is a real firewall is ahead of the server, not on it. Trying to do too much on the server is probably a mistake. If you need a firewall, get a firewall.
I would think most apps that manage the firewall manipulate iptables in a Linux environment, so as long as the kernel is set up correctly you will have a firewall. That said, some distros or suppliers may deploy a kernel without a firewall enabled. From that, everyone should have a firewall to start with; it’s just a matter of how you manipulate it.
CSF gives a graph of the countries it is blocking the most; CN leads by a long way, so just blocking China is handy.
No, it’s not going to stop VPNs, but it stops a lot. This is from a test server I’ve been running for about 10 hours.
I have a VM with more than one domain in CN, and the traffic is nearly all CN; when dealing with the pests, it still seems better to leave Firewalld handling them. I just do not see any real advantage in CSF (in fact, judging by this topic and all the others popping up on here, it is more trouble than it is worth).