Control Web Panel

Security => CSF Firewall => Topic started by: ericofreitas on January 31, 2024, 09:52:46 PM

Title: Release firewall by domain
Post by: ericofreitas on January 31, 2024, 09:52:46 PM
Hi!
I have a client, and he uses an app that downloads the .exe every day and uses ftBinary in his app.
Every day it is very slow and the download of this exe does not finish, but if I disable the firewall the routine works fine.
I disabled modsecurity, but I can't disable the firewall too for the whole server. Can I disable the firewall for only this domain? Or is there another solution? I can't release IPs because my client changes his clients constantly and all of them have only variable IPs.
Thanks!
Title: Re: Release firewall by domain
Post by: overseer on January 31, 2024, 10:27:09 PM
You can whitelist domains in CSF:
https://www.plothost.com/kb/whitelist-hostnames-csf/
If your client has a static IP, you can whitelist them by IP address.
Title: Re: Release firewall by domain
Post by: ericofreitas on January 31, 2024, 10:33:37 PM
I tried to whitelist domain and got this error: Error: innovaresystem.com.br is not a valid IPv4 or IPv6 address!
The clients don't have static IPs.
Title: Re: Release firewall by domain
Post by: Starburst on January 31, 2024, 11:09:32 PM
You can only whitelist IPv4 or IPv6 in CSF/LFD, not domain names.

Ask them for the IP they will be connecting from (hopefully static), and whitelist, and you should be good to go.
If they don't know, have them visit: https://whatismyipaddress.com/
Title: Re: Release firewall by domain
Post by: ericofreitas on February 01, 2024, 10:02:52 PM
The problem is that they have many clients and all of them do not have a static IP, and sometimes they get new clients and sometimes they lose other clients :/
Title: Re: Release firewall by domain
Post by: Starburst on February 02, 2024, 01:09:12 AM
Then you will have to set up a VPN server for them to connect through, and whitelist the IP from that server.

Or they will have to get a static IP from their ISP.
Title: Re: Release firewall by domain
Post by: overseer on February 02, 2024, 04:31:47 AM
Or back to my link above, it references dynamic DNS. So each end client could run dynamic DNS update software (if their IPs are truly dynamic) and CSF can whitelist those dynamic DNS names. What is the scale we are referencing? 10 users? 100?
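
Added example, not part of the thread: the error quoted earlier comes from putting a hostname where CSF expects an address. csf.allow takes IPs and CIDR ranges, while hostnames go in csf.dyndns (read by lfd when DYNDNS in csf.conf is a non-zero interval). This Python sketch sorts a mixed list before anything is written to either file; the function names and sample entries are assumptions made for the illustration.

```python
import ipaddress
import re

# RFC 1123 label: letters, digits, hyphens; no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

def classify(entry):
    """Return 'ip', 'hostname' or 'invalid' for one allow-list entry."""
    entry = entry.strip()
    try:
        # Accepts single addresses and CIDR ranges, IPv4 or IPv6.
        ipaddress.ip_network(entry, strict=False)
        return "ip"
    except ValueError:
        pass
    name = entry.rstrip(".")
    labels = name.split(".")
    # A usable FQDN has at least two labels and a non-numeric last label,
    # which also rejects malformed dotted quads such as 999.1.1.1.
    if (len(name) <= 253 and len(labels) >= 2
            and all(_LABEL.match(label) for label in labels)
            and not labels[-1].isdigit()):
        return "hostname"
    return "invalid"

def split_entries(entries):
    """Group entries: 'ip' -> csf.allow, 'hostname' -> csf.dyndns."""
    out = {"ip": [], "hostname": [], "invalid": []}
    for raw in entries:
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if line:
            out[classify(line)].append(line)
    return out

# Constructed sample input; only innovaresystem.com.br appears in the thread.
SAMPLE = [
    "203.0.113.10  # client with a static address",
    "198.51.100.0/24",
    "2001:db8::/32",
    "innovaresystem.com.br",
    "client7.dyn.example.net",
    "client_8.example.net",
    "999.1.1.1",
]

if __name__ == "__main__":
    for kind, items in split_entries(SAMPLE).items():
        print(kind, items)
```
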
Title: Re: Release firewall by domain
Post by: Starburst on February 02, 2024, 06:23:52 AM
The problem with whitelisting the IPs for, say, DynDNS, No-IP, etc. is that it opens the server up to attacks, since you can't control the access, and a lot of script kiddies use those services as well.
Just like the TOR Exits.
Title: Re: Release firewall by domain
Post by: ericofreitas on February 02, 2024, 01:40:11 PM
I was checking and it turns out that if he removes the binary type when downloading the exe it corrupts, so I asked him to try compressing the file, downloading it and then decompressing it to see if we can use it without being a binary transfer. If it works, I can leave the firewall active, but I won't have actually solved the problem.

Responding to an average of around 100 customers
Title: Re: Release firewall by domain
Post by: Starburst on February 02, 2024, 04:51:52 PM
With 100 customers, that would definitely justify setting up a VPN for them.

It's easy enough with AL 9 and OpenVPN.