Csf? ufw? firewall thoughts, suggestions, and recommendations

Hello all -

Any thoughts on the future of CSF? i have read a bit, surprisingly it requires a bit of tweaking to get it to stop calling home regularly. I am surprised V-15 was released without fixing that, but i suppose V-15 was merely a quick-n-dirty release just to convert to github.

another option i saw suggested here is UFW (not the labor union😃).

what is the most popular firewall used with webmin? our needs are extremely basic.

i know there is FirewallD but I wanted something simpler.

the problem is that i have been using webmin/virtualmin for so long now that i am used to doing admin work without even needing to think since webmin makes it incredibly easy.

SYSTEM INFORMATION
OS type and version RL-10
Webmin version latest

CSF is vastly more complicated than Firewalld. ufw is a similar level of complexity, though a different philosophy.

For EL 10, I’d just choose the standard installation with FirewallD because it’s well-supported in Webmin.

I wasn’t sure how much, if at all, the standalone Webmin module was.
I run ufw on my home Debian box. VERY simple little GUI program but I have no idea if the OP has a desktop on that box.

no desktop, just the interface over port 10k.

I cannot remember how i got started with CSF in the first place since it's been so long. maybe at one time it was recommended with virtualmin/webmin?

I think CSF was originally a cPanel thing. Nice and glitzy but overkill in many respects.

perhaps, but i can well remember comparing cPanel with Webmin eons ago, and never looked back.

“nice and glitzy but overkill in many respects” - next time my wife makes me dress up, i will use your line, and give you FULL CREDIT in case she gets mad.

You have heard of ‘kill the messenger’?

i should mention ever since i was hacked (:flushed_face:) i opened up an acct with TorGuard-VPN, including a static IP ###.

then i made ports 20-22, 3306, 10000(!) restricted to my specific TorGuard IP##.

it may be mildly inconvenient on rare occasions, but i sure do sleep better at night.

i disagree, csf is much more straightforward than firewalld (which seems like a mess to me).
and csf webmin module makes it much simpler.

ufw is also somewhat simple.

2c.

How is this a mess? compared to csf, which has hundreds of settings.
I have used CSF and I do like it, but it takes time to set up correctly.

not gonna argue.. this is my personal opinion. use whatever firewall you like.

csf has very few settings to adjust and make it work.

  • set ports on ipv4/6 TCP/UDP IN/OUT
  • change testing setting to 0 and it starts blocking/working.
    no need to mess with every option for simple stuff like in the screenshot.

Maybe it's changed, but I had to adjust a lot to get it working correctly.
A search of the forum will show you that.
Maybe they have corrected that with the new version.
I did like it once I got it working correctly, especially the country blocks, main reason I installed it.

Hah, thought I read that wrong like a month ago on some other forum, so CSF is really going away https://configserver.com/announcement/. So now I am up to date :slight_smile: Anyway, not using CSF, so maybe you might be interested in the classic nftables service?

I hardly remember saying that I prefer command line instead of a graphical tool. But confs? I love confs! And I edit them with the File Manager in Webmin/Virtualmin.

I find the syntax very sensible, comfortable and meaningful, for example:

            # webmin for ip range
            ip saddr 192.168.1.0/24 tcp dport 10000-10100 accept
            ip saddr 192.168.2.0/24 tcp dport 10000-10100 accept
            tcp dport 10000-10100 drop

I hope this speaks to you by itself, if not, firewalld is shoved on our server for ~ 10 years by most distros, especially the RHEL family tree. Being created by them. So pretty roughly tested and reliable and so on. Not about that: the firewalld syntax for me is horrible, I always forget it.

So I will not be using any other firewall soon, and CrowdSec is doing a mighty job blocking live attacks making use of nftables.

Worth checking out nftables. In Debian you just install it with apt install nftables to run it as a systemd configuration service. Because major distros default to nftables nowadays anyway instead of iptables. And firewalld and ufw are just tools for managing these backend firewalls.

PS full disclosure: I tried to pitch the creation of an nftables interface to the Webmin team a while ago. That will still be nice :sweat_smile: I would love Webmin even more if they could do something like that.
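Added example (not part of the original post, and not any poster's actual configuration): a complete, loadable nftables file that puts rules like the ones quoted above into a table and chain, and applies the "admin ports only from my static IP" idea mentioned earlier in the thread. The table name `host_fw`, the address 203.0.113.10 (a documentation address standing in for the static VPN IP) and the open web ports 80/443 are assumptions.

```nft
#!/usr/sbin/nft -f
# Constructed example; every address and the table name are placeholders.

# Replace only this table, leaving tables owned by other tools untouched.
table inet host_fw
delete table inet host_fw

table inet host_fw {
    # Sources allowed to reach the admin ports (assumed values).
    set admin_src {
        type ipv4_addr
        flags interval
        elements = { 203.0.113.10, 192.168.1.0/24 }
    }

    # Admin ports named in the thread: FTP/SSH, MySQL, Webmin.
    set admin_ports {
        type inet_service
        flags interval
        elements = { 20-22, 3306, 10000 }
    }

    chain input {
        type filter hook input priority 0; policy drop;

        iif "lo" accept
        ct state established,related accept
        ct state invalid drop

        # ICMP/ICMPv6: path MTU discovery and IPv6 neighbour discovery.
        meta l4proto { icmp, ipv6-icmp } accept

        # Public web traffic (assumption: this host serves HTTP/HTTPS).
        tcp dport { 80, 443 } accept

        # Admin ports only from the trusted set. The rule matches IPv4 only,
        # so IPv6 traffic to these ports falls through to the drop policy.
        ip saddr @admin_src tcp dport @admin_ports accept

        # With "policy drop" no explicit trailing drop rule is needed;
        # log a rate-limited sample of what gets dropped.
        limit rate 5/minute log prefix "nft-drop: "
    }
}
```

Check the file with `nft -c -f <file>` before loading it, and keep an existing SSH or Webmin session open while testing so a wrong source address does not lock you out.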

Hasn’t someone else taken over?

And looks like they've done some work on the webmin config

Well for sure someone forked it. Is this the de facto CSF now? Seems low on contribs.

I guess, I haven’t used in years. The fact I’m seeing updates is a start.

Considering iptables/nftables is so much faster than firewalld I have been surprised that it’s been so overlooked, not just by Webmin, but everywhere.

Webmin supports iptables, but VM is configured with firewalld.
