Full Version: APF and cPanel
The Planet Forums > Security > Firewalls
Bruceleeon
I have been reading a lot of questions around the net about what ports cPanel needs open for it to work.

I know that many of you already know this... but for you who don't, here it is:

CODE
# Common ingress (inbound) TCP ports
IG_TCP_CPORTS="20,21,22,25,26,53,80,110,143,443,465,993,995,2082,2083,2086,2087,2095,2096,3306,6666"

# Common ingress (inbound) UDP ports
IG_UDP_CPORTS="21,53,465,873"

# Common ICMP (inbound) types
# 'internals/icmp.types' for type definition; 'all' is wildcard for any
IG_ICMP_TYPES="3,5,11,0,30,8"

# Common egress (outbound) TCP ports
EG_TCP_CPORTS="21,25,26,37,43,53,80,113,465,873,2089,3306"

# Common egress (outbound) UDP ports
EG_UDP_CPORTS="20,21,53,465,873"

# Common ICMP (outbound) types
# 'internals/icmp.types' for type definition; 'all' is wildcard for any
EG_ICMP_TYPES="all"
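An added example, not from the thread, that turns the IG_TCP_CPORTS line above into a quick exposure audit: it compares the ports APF opens with what is actually listening on a non-loopback address, so openings with no service behind them (the thread's later point about external MySQL access) can be reviewed. The conf line and the listener table are constructed inline in the shape `ss -ltn` / `netstat -ltn` print; MySQL being bound to 127.0.0.1 is an assumption.

```python
import re
from ipaddress import ip_address

# Constructed copy of the conf.apf line from the post above (not a live file).
CONF_APF = 'IG_TCP_CPORTS="20,21,22,25,26,53,80,110,143,443,465,993,995,2082,2083,2086,2087,2095,2096,3306,6666"'

# Constructed listener table, one "local_addr:port" per line as ss/netstat print it.
# MySQL is assumed bound to loopback only, the setup to use when remote access is not needed.
LISTENERS = """\
0.0.0.0:21
0.0.0.0:22
0.0.0.0:25
0.0.0.0:80
0.0.0.0:110
0.0.0.0:143
0.0.0.0:443
0.0.0.0:2082
0.0.0.0:2083
0.0.0.0:2086
0.0.0.0:2087
127.0.0.1:3306
0.0.0.0:8080
"""

def firewall_ports(conf_text, var="IG_TCP_CPORTS"):
    """Ports listed in one conf.apf *_CPORTS variable, as a set of ints."""
    m = re.search(r'^%s="([^"]*)"' % re.escape(var), conf_text, re.M)
    return {int(p) for p in m.group(1).split(",") if p.strip()} if m else set()

def exposed_listeners(listener_text):
    """Ports bound to a non-loopback address, i.e. reachable from outside."""
    ports = set()
    for line in listener_text.splitlines():
        if not line.strip():
            continue
        addr, _, port = line.strip().rpartition(":")
        if not ip_address(addr.strip("[]")).is_loopback:
            ports.add(int(port))
    return ports

def audit(conf_text=CONF_APF, listener_text=LISTENERS):
    """Return (ports APF opens with no external listener, external listeners APF does not open)."""
    fw, ls = firewall_ports(conf_text), exposed_listeners(listener_text)
    return sorted(fw - ls), sorted(ls - fw)

if __name__ == "__main__":
    unused, uncovered = audit()
    print("open in APF, nothing listening externally:", unused)
    print("listening externally, not opened in APF:", uncovered)
```

The first list is a review list, not an automatic close list: an entry such as 20 may be there for a reason (FTP data) even though nothing listens on it.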
Bruceleeon
If there are any additional ports required by SM and/or TP, please somebody list them.
parisdns
QUOTE (Bruceleeon)
If there are any additional ports required by SM and/or TP, please somebody list them.


Check out into ORBIT !
dezignguy
If you don't need/use external mysql access you probably shouldn't open it up... it can be a security risk.

2084 is the entropy chat port.
Ruckus
QUOTE (parisdns)
QUOTE (Bruceleeon)
If there are any additional ports required by SM and/or TP, please somebody list them.


Check out into ORBIT !


What does that mean? Are there ports other than those listed that need to be open? I received an email saying to allow full access to 3 IP address ranges, but I don't see that option in APF. Maybe I'm missing it?
gordonrp
allow_hosts.rules
Ruckus
OK, thanks.
One more question: what's the correct format for allowing the IP address range TCP/UDP access to all ports?

does just putting the following work?

s=12.96.160.0/24
d=12.96.160.0/24
dezignguy
QUOTE (Ruckus)
OK, thanks.
One more question: what's the correct format for allowing the IP address range TCP/UDP access to all ports?


The allow_hosts.rules file has text in it that tells you the syntax you'll need to use for adding custom rules... s = source and d = destination and so on.
Ruckus
Guess you couldn't tell I read that by my posting s= and d=? My thing was I didn't fully understand it, but thanks for not answering my question.
dezignguy
Well, I read that text and it was enough for me to create my rules... I answered your question, since you asked "one more question: what's the correct format for allowing the IP address range TCP/UDP access to all ports?". The examples in the header will help you figure out what kind of rule you need for that.

I'd guess you're confused about the source/destination part?

QUOTE
does just putting the following work?

s=12.96.160.0/24
d=12.96.160.0/24


Yes... for the first one, since you're saying to allow everything coming from 12.96.160.0/24 on all ports... the second one doesn't make sense though, because you don't have the 12.96.160.0/24 destination ips bound to your server, nor are they passing through your server (as if it was a firewall), so it'll never see any packets matching that.

The incoming packets have a source address (that's where they came from), and a destination address, where they're going... sooooo... do these make more sense now?

# Examples:
# inbound to destination port 22 from 24.202.16.11
# tcp:in:d=22:s=24.202.16.11
#
# outbound to destination port 23 to destination host 24.2.11.9
# out:d=23:d=24.2.11.9
#
# inbound to destination port 3306 from 24.202.11.0/24
# d=3306:s=24.202.11.0/24
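As an added example (not APF's own code), a small parser for the header syntax above that spells each rule out in words and flags the case discussed in this post: an inbound rule whose d= address is not bound to the server can never match. LOCAL_ADDRS is a constructed assumption, and a bare address line (the style used elsewhere in the thread) is read here as s=<address>.

```python
from ipaddress import ip_address, ip_network

# Constructed: the addresses bound to this server (an assumption, so the d= check
# has something to compare against).
LOCAL_ADDRS = {"192.0.2.10", "192.0.2.11"}

def parse_rule(line):
    """Parse one allow_hosts.rules line per proto:flow:[s/d]=port:[s/d]=ip(/mask).
    Missing fields default to any proto, flow 'in', any port, any address;
    a bare address is read as s=<address>. Comments and blanks return None."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    rule = {"proto": "any", "flow": "in", "sport": None, "dport": None,
            "saddr": None, "daddr": None}
    for tok in line.split(":"):
        if tok in ("tcp", "udp"):
            rule["proto"] = tok
        elif tok in ("in", "out"):
            rule["flow"] = tok
        elif tok[:2] in ("s=", "d="):
            side, val = tok[0], tok[2:]
            if val.isdigit():
                rule[side + "port"] = int(val)
            else:
                ip_network(val, strict=False)   # raises ValueError on junk
                rule[side + "addr"] = val
        elif tok:
            ip_network(tok, strict=False)
            rule["saddr"] = tok
    return rule

def describe(rule):
    """Plain-English reading of a parsed rule, the way the header examples read."""
    proto = "" if rule["proto"] == "any" else rule["proto"] + " "
    if rule["flow"] == "in":
        port = "any local port" if rule["dport"] is None else "local port %d" % rule["dport"]
        return "allow inbound %sto %s from %s" % (proto, port, rule["saddr"] or "anywhere")
    port = "any port" if rule["dport"] is None else "port %d" % rule["dport"]
    return "allow outbound %sto %s on %s" % (proto, port, rule["daddr"] or "anywhere")

def check(rule, local_addrs=LOCAL_ADDRS):
    """Flag an inbound rule whose d= address is not one of this server's own."""
    if rule["flow"] == "in" and rule["daddr"] is not None:
        net = ip_network(rule["daddr"], strict=False)
        if not any(ip_address(a) in net for a in local_addrs):
            return "d=%s is not a local address; an inbound rule for it never matches" % rule["daddr"]
    return None
```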
Paul
Just drop the IP ranges into allow_hosts.rules.
Example of mine:

CODE
##
# allow_hosts
# Syntax:
# proto:flow:[s/d]=port:[s/d]=ip(/mask)
# s - source , d - destination , flow - packet flow in/out
##

##my home ips
xxx.xxx.xxx.xxx
xxx.xxx.xxx.xxx
xxx.xxx.xxx.xxx
xxx.xxx.xxx.xxx

##Hwu work IP
xxx.xxx.xxx.xxx

##Hwu home IP
xxx.xxx.xxx.xxx

##The Planet monitoring and admin
12.96.160.0/24
67.19.0.0/24
216.234.234.0/24

##our other servers
xxx.xxx.xxx.xxx
xxx.xxx.xxx.xxx
xxx.xxx.xxx.xxx
xxx.xxx.xxx.xxx
xxx.xxx.xxx.xxx
xxx.xxx.xxx.xxx
dezignguy
yep... that works for allow_hosts.rules, as long as you're not too paranoid. But he should really understand how the rules work, mostly for when blocking... as an example, you may want to block all of china, say, from your mailserver, but it might not be a good idea to block them from your webserver. And you might also want to block everyone, except yourself, from accessing your ssh port. I block some bad robots, etc from accessing my webserver, but still allow them to send me mail (which they may never do, but still).
Paul
QUOTE (dezignguy)
And you might also want to block everyone, except yourself, from accessing your ssh port.
I just block everyone who isn't in my allow_hosts.rules; all the IPs in there are IPs of trusted people who need full access anyway.
Ruckus
OK, so it is just the IP string, no s= or any of that.
As for not making sense, my thought behind the d= was that it would allow all transmissions through, then ports that are blocked could reply to that set of addresses.
dball
If you're running DiskSync or NAS, you might need to add those IPs.

For instance, I also have the following in my /etc/apf/allow_hosts.rules

CODE
# vault disksync02.dllstx3.theplanet.com
70.85.125.19


-- David