I would like the ability to manage iptables firewall rules from cPanel. That way, I wouldn't need to install Webmin or try to manage them from the command line.
Firewall integration
Open Discussion
As a server administrator and webhosting provider I would like cPanel to expand and deepen its firewall integration (specifically with iptables and firewalld), adding an interface in WHM that would allow root and root-enabled resellers to manage firewall rules.
This interface would likely also strongly impact (potentially obsolete) the Host Access Control interface, and strongly impact cPHulkD's interface.
This feature will protect the services:
in descending order of how often they are attacked, with sshd having the largest number of attacks on an hourly basis.
cPanel trying to be everything to everyone will just reduce the speed of improvements to core services such as web server and interface improvements. There isn't really a good reason for cPanel to "reinvent the wheel" by trying to replace CSF which is such a fantastic free application already.
CSF is a good tool but not perfect. If it had the option to block all the attacks above and had a quick and easy install, it would give super security with small system effort.
Seems like it could be a good idea if cPanel were to concentrate on a firewall interface for firewalld, which comes installed with CentOS 7. Using iptables and CSF requires extra installs and configuring, but most single-server admins do not need anything that complicated. This would be especially helpful if cPHulk were to be integrated with it.
I think an in-house firewall solution would be amazing and would complement cPHulk very well. In fact, you could turn cPHulk itself into a complete firewall solution.
A well-known plug-in provides all of the requested features... and much more! cPanel would be better served by addressing features with no current interface, or by adding new features or enhancing existing features that no one else has written plug-ins for.
If rpvw is referring to CSF I would reiterate that it does not use firewallD. (If there is another that is firewallD compatible, I am unaware of it.)
I created a duplicate feature request for a firewallD version (because I missed acenetgeorge's reference to firewallD above, thanks for merging, benny), so I'll re-post my thoughts from it below:
"Since CentOS now is going with firewallD as the default, it would be nice (and I think pretty straightforward) to have an interface to run the various command-line commands (firewall-cmd) to display/create/edit/remove rules in services. Also to create services and zones, assign services to zones, and set the default zone, as well as basic firewallD control (restart/enable/disable). Adding permanence control would be good also. All of these things are easily done via the command line, but managing rules with an overall view would be easier/faster in a GUI, and dealing with things like IP blocking would be quicker as well.
To me it seems pretty simple: since firewall-cmd is already available, it's simply a matter of automating the execution... I would think."
I should imagine that if CSF determines that firewallD zones/services have any benefits over their current chains/rules-based system, they will rapidly adopt it!
Bear in mind that it is supplied as a disabled service in CentOS 7 and needs to be enabled. As things stand, I believe this service is incompatible with the current CSF and, more importantly, LFD processes. I also cannot find if firewallD is compatible with ipset; perhaps someone can clear that up?
Once all the distros that cPanel supports have firewallD installed in them by default, the question of a cPanel interface to firewallD can be revisited. Having the option to install CSF and then enable firewallD under cPanel control is a disaster waiting to happen that WILL happen, because so few people bother to read the documentation before clicking. So, it falls to cPanel to protect their users from themselves by having to include code in their system to examine if CSF is installed and therefore we can't enable firewallD, or if firewallD is active we won't allow the installation of CSF... I still maintain that cPanel have better things to code than trying to reinvent the wheel... leave it to CSF to look after the firewall and let cPanel do what they do best (and where is the coffee module, huh, huh, huh?)
As a couple of last thoughts, will firewallD still be around when iptables is dropped and we all go over to nftables? And for how long will the developers of firewallD maintain the project? And is firewallD really targeted and suitable for complex server deployment and control, or rather at desktop use for novices?
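The guard described in the comment above (do not enable firewalld when CSF is installed, do not install CSF while firewalld is active), sketched as an added shell example; it is not cPanel or CSF code. It assumes CSF keeps its configuration at /etc/csf/csf.conf and that services run under systemd; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: mutual-exclusion check between CSF/LFD and firewalld.
# Assumptions: CSF config lives at /etc/csf/csf.conf; services run under systemd.
# Function names are hypothetical, not part of cPanel or CSF.
CSF_CONF="${CSF_CONF:-/etc/csf/csf.conf}"

csf_installed()    { [ -f "$CSF_CONF" ]; }
unit_active()      { systemctl is-active --quiet "$1" 2>/dev/null; }
firewalld_active() { unit_active firewalld; }
lfd_active()       { unit_active lfd; }

# can_enable <firewalld|csf>
# Prints a verdict; returns 0 = safe, 1 = conflict, 2 = bad argument.
can_enable() {
    case "$1" in
        firewalld)
            if csf_installed || lfd_active; then
                echo "refuse: CSF/LFD is present; two managers would rewrite the same rule set"
                return 1
            fi ;;
        csf)
            if firewalld_active; then
                echo "refuse: firewalld is active; stop and disable it before installing CSF"
                return 1
            fi ;;
        *)
            echo "usage: can_enable firewalld|csf"
            return 2 ;;
    esac
    echo "ok: no competing firewall manager detected for $1"
}

# Run the check when the script is called with an argument.
if [ "$#" -gt 0 ]; then can_enable "$1"; fi
```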
I agree with the logic of rpvw, but the cPanel docs say this:
Servers that run the CentOS 7, CloudLinux 7, and RHEL 7 operating systems require that you use the firewalld daemon.
I can find posts on the cPanel help forum about iptables vs. CSF vs. firewallD, and also (unofficial) how-tos on how to switch to CSF from firewallD on CentOS 7, but the cPanel response on those is along the lines of "try it and let us know how it works."
On one hand cPanel admonishes "only use the firewall utilities" but then points us to (unofficial) posts on how to not do that, and to links to RHEL docs on firewallD (which also include how to incorporate iptables use along with or even instead of firewallD, no mention of CSF of course).
Part of me feels like firewallD is the way to go (my current configuration) because it appears to be the direction the OS is going (though it comes with no firewall enabled), and another part of me feels like CSF would be more desirable as a management tool and just as effective as firewallD.
So this leaves me wanting to ask cPanel for an official stance on this. cPanel, time to weigh in...!