csf firewall seems to allow ports not open

Hello -

I was trying to temporarily remove port 3306 from TCP_IN in the csf.conf file, but this seems to have no effect:

vi /etc/csf/csf.conf ;

TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995"

Then I did:

csf -f ; csf -r ; systemctl stop csf.service ; systemctl stop lfd.service ; systemctl start csf.service ; systemctl start lfd.service ;

And yet when I do:

csf -p | grep 3306 ;

I still see this:

3306/tcp -/- - (9444/mysql) /usr/sbin/mysqld /usr/sbin/mysqld

Any thoughts on what I might be doing wrong?

Thank you.


Going into /etc/my.cnf and toggling:


and restarting mariadb seems to work fine, but I am surprised that csf firewall does not block port 3306 for me.


Staff member
From the outside, can you telnet to port 3306, with csf on port 3306 not in tcp_in but skip-networking being 0?

IPs listed in /etc/csf/csf.allow will also bypass csf ports.

I haven't seen this behavior, so I would think it's actually blocking it (but locally 3306 works) or the testing IP is bypassed in csf in the allow file.
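
The two checks suggested in the reply above, as an added example that is not part of the original thread: is the port really absent from TCP_IN, and does the address used for testing have an entry in csf.allow that bypasses the port list. The function names `port_in_tcp_in` and `ip_in_allow` are hypothetical, the sample files and addresses are constructed, and only exact addresses and `|`-separated advanced rules are matched (no CIDR blocks or Include lines).

```shell
#!/bin/sh
# Added example. On a real host, point the functions at /etc/csf/csf.conf and
# /etc/csf/csf.allow instead of the constructed sample files below.

# Return 0 if PORT is covered by TCP_IN in CONF (single ports or low:high ranges).
port_in_tcp_in() {
    conf=$1 port=$2
    list=$(sed -n 's/^[[:space:]]*TCP_IN[[:space:]]*=[[:space:]]*"\([^"]*\)".*/\1/p' "$conf" | tail -n 1)
    old_ifs=$IFS; IFS=,
    for entry in $list; do
        case $entry in
            *:*) lo=${entry%%:*}; hi=${entry##*:}
                 if [ "$port" -ge "$lo" ] && [ "$port" -le "$hi" ]; then IFS=$old_ifs; return 0; fi ;;
            *)   if [ "$entry" = "$port" ]; then IFS=$old_ifs; return 0; fi ;;
        esac
    done
    IFS=$old_ifs
    return 1
}

# Return 0 if IP has an entry in ALLOW: a plain address line, or an advanced
# rule field of the form s=IP. Trailing "# comment" text is ignored.
ip_in_allow() {
    allow=$1 ip=$2
    awk -v ip="$ip" '
        { sub(/#.*/, ""); gsub(/[[:space:]]/, "") }
        $0 == "" { next }
        { n = split($0, f, "|")
          for (i = 1; i <= n; i++) if (f[i] == ip || f[i] == "s=" ip) found = 1 }
        END { exit !found }' "$allow"
}

tmp=$(mktemp -d)
cat > "$tmp/csf.conf" <<'EOF'
# constructed sample; the TCP_IN value is the one quoted in the thread
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995"
EOF
cat > "$tmp/csf.allow" <<'EOF'
203.0.113.10 # constructed: address the admin tests from
tcp|in|d=3306|s=198.51.100.7 # constructed advanced rule
EOF

for ip in 203.0.113.10 192.0.2.55; do   # constructed test addresses
    if port_in_tcp_in "$tmp/csf.conf" 3306; then echo "3306 is listed in TCP_IN"
    elif ip_in_allow "$tmp/csf.allow" "$ip"; then echo "$ip: allow entry bypasses the port list, test from another address"
    else echo "$ip: no TCP_IN or allow entry covers 3306 for this address"
    fi
done
```

A result from the second branch means a connection test from that address says nothing about whether the port is filtered for everyone else.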