Rules priority

[jdbravo]

Hello,

We have been using this script and it has been working great. But today we found a couple problems:

Let's say that you create a docker image with the port TCP 8080 exposed, but this port is not part of TCP_IN list on the csf.conf. Because the idea is to be accessed only from the allowed IPs on csf.allow. Well, the script will add a rule that will accept ALL traffic to the port TCP 8080. Even if that port is intended to be a restrictive port. Any idea how can we solve this?

Another problem is, if we use LFD to block IPs that are trying to brute force. LFD will add a rule to the chains DENYIN and DENYOUT. But those rules are never going to be hitted because there is an ACCEPT rule in the DOCKER chain created by this script. In other words, an IP blocked by LFD will never be blocked because the chain DOCKER has precedence over DENYIN chain. Any way to solve this?

Thank you!

[Scott-Mc]

@jdbravo CSF has some base docker support by default now, you can set DOCKER="1" in /etc/csf/csf.conf and not need this script, which creates DNAT rules for all container ports (bypassing the CSF firewall as these are processed first). If you need to expose a proxy and get the clients IP you will need a script like this with DNAT rules. I have created a variant of this script and fixed this and most of the issues mentioned in this repo, it's at https://github.com/Scott-Mc/csf-docker if useful to you/anyone else that still uses this old repo.