csf firewall seems to allow ports not open

hello -

i was trying to temporarily remove port 3306 from TCP_IN in the csf.conf file, but this seems to have no effect:

vi /etc/csf/csf.conf ;

TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995"

then i did:

csf -f ; csf -r ; systemctl stop csf.service ; systemctl stop lfd.service ; systemctl start csf.service ; systemctl start lfd.service ;

and yet when i do:

csf -p | grep 3306 ;

i still see this:

3306/tcp -/- - (9444/mysql) /usr/sbin/mysqld /usr/sbin/mysqld

any thoughts on what i might be doing wrong?

thank you.

EDIT:

going into /etc/my.cnf and toggling:

#skip-networking=0
skip-networking=1


and restarting mariadb seems to work fine, but i am surprised that csf firewall does not block port 3306 for me

Quags

Administrator
Staff member
From the outside, can you telnet to port 3306 with csf on, port 3306 not in tcp_in, but skip-networking being 0?

IPs listed in /etc/csf/csf.allow will also bypass csf ports.

I haven't seen this behavior, so I would think it's actually blocking it (but locally 3306 works) or the testing IP is bypassed in csf in the allow file.
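
One way to check the two settings raised in this reply, as an added example that is not part of the thread: the script reads TCP_IN (including lo:hi port ranges) and looks for the testing IP in csf.allow. The function names, verdict strings and sample IPs are assumptions made for illustration, and only plain one-IP-per-line csf.allow entries are matched.

```shell
#!/bin/sh
# Added example (not from the thread). Answers: is PORT opened by TCP_IN, or is
# the testing IP exempted by csf.allow? Default paths are the ones named above.

# port_in_tcp_in PORT [CONF]: succeeds if PORT is in TCP_IN (single port or lo:hi range)
port_in_tcp_in() (
    port=$1; conf=${2:-/etc/csf/csf.conf}
    list=$(sed -n 's/^TCP_IN[[:space:]]*=[[:space:]]*"\([^"]*\)".*/\1/p' "$conf" | head -n 1)
    IFS=,   # scoped to this subshell-bodied function
    for item in $list; do
        case $item in
            *:*) [ "$port" -ge "${item%%:*}" ] && [ "$port" -le "${item##*:}" ] && exit 0 ;;
            "$port") exit 0 ;;
        esac
    done
    exit 1
)

# ip_in_allow IP [ALLOW]: succeeds if IP has its own line in csf.allow.
# Assumption: exact match only; CIDR, Include and advanced filter lines are ignored.
ip_in_allow() {
    awk -v ip="$1" '{ sub(/#.*/, "") } ($1 "") == ip { hit = 1 }
                    END { exit (hit ? 0 : 1) }' "${2:-/etc/csf/csf.allow}"
}

# diagnose PORT TEST_IP [CONF] [ALLOW]: prints one verdict word (hypothetical labels)
diagnose() {
    if port_in_tcp_in "$1" "${3:-/etc/csf/csf.conf}"; then
        echo open-in-TCP_IN
    elif ip_in_allow "$2" "${4:-/etc/csf/csf.allow}"; then
        echo bypassed-by-csf.allow
    else
        echo not-allowed-by-either   # neither setting explains a successful connect
    fi
}

# Constructed sample files: TCP_IN value copied from the thread, documentation IPs.
demo=$(mktemp -d)
printf 'TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995"\n' > "$demo/csf.conf"
printf '# constructed entry\n203.0.113.7 # office\n' > "$demo/csf.allow"
echo "3306 from 203.0.113.7:  $(diagnose 3306 203.0.113.7 "$demo/csf.conf" "$demo/csf.allow")"
echo "3306 from 198.51.100.9: $(diagnose 3306 198.51.100.9 "$demo/csf.conf" "$demo/csf.allow")"
rm -rf "$demo"
```

A "not-allowed-by-either" verdict only rules out these two settings; the telnet test from an outside address is still what confirms the port is actually filtered.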