Install CSF (ConfigServer Security & Firewall) in front of Mailcow / First try ngnix 504

[pbaeumel]

Dear @andryyy,

yesterday I tried to install csf firewall on my Mailcow-Server. This is because I´m much more a GUI-user than handling professionally through shell ;-)

Unfortunately and despite the fact that I had opened up the follwoing ports: TCP_IN: 20,21,22,25,80,110,143,443,465,587,993,995,2244,3306,4190,10000 TCP_OUT: 20,21,22,25,80,110,143,443,465,587,993,995,2244,3306,4190,10000 UDP_IN: 20,21,53,68,323,10000 UDP_OUT: 20,21,53,113,123,33434:33523

I got a 504 error from ngnix after enabeling the csf-firewall. By disabeling the csf-firewall again the problem vanishes.

So I assume that their might be additional ports in use (not listed in docs and not shown as listening ports on the server?) as csf must have blocked something.

Maybe you could provide a hint?

Best regards, MacGyver

[mkuron]

It looks like CSF modifies iptables rules, which likely doesn’t play well with Docker (see #908). This is not a Mailcow issue. In your case, CSF is probably blocking container-to-container traffic, but most likely there will be more trouble. In general, you should try to configure your system such that you don’t even need a firewall as that will save you lots of headaches with Docker: a machine just running Mailcow in Docker plus an SSH server on the machine definitely doesn’t need a firewall.

[laymonk]

Just in case this might be useful to anyone, I use csf in front of mailcow. You just need to force csf to only monitor non-docker interfaces.

# Set in csf.conf
ETH_DEVICE = "eth0"
#or
ETH_DEVICE = "eth+"

[andryyy]

Thanks, does it still work for you?

[MaximilianKohler]

Neither ETH_DEVICE = "eth0" or ETH_DEVICE = "eth+" worked for me. Neither did DOCKER = "1".