{"id":1130,"date":"2022-11-30T19:22:56","date_gmt":"2022-11-30T17:22:56","guid":{"rendered":"https:\/\/cln.io\/blog\/?p=1130"},"modified":"2022-12-01T13:56:09","modified_gmt":"2022-12-01T11:56:09","slug":"imunify360-adding-ports-to-the-firewall","status":"publish","type":"post","link":"https:\/\/cln.io\/blog\/imunify360-adding-ports-to-the-firewall\/","title":{"rendered":"imunify360: Adding a firewall port(s) allow\/override using CLI commands and\/or config files"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\">Since I have put my <a href=\"https:\/\/cln.io\/blog\/setting-up-cloudflare-zero-trust-tunnels-with-plesk\/\" target=\"_blank\" rel=\"noreferrer noopener\">Plesk host behind a Cloudflare tunnel<\/a>, I wish no longer to allow direct IP address access to the host.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">On this page<\/p>\n\n\n\n<nav aria-label=\"Table of Contents\" class=\"wp-block-table-of-contents\"><ol><li><a class=\"wp-block-table-of-contents__entry\" href=\"https:\/\/cln.io\/blog\/imunify360-adding-ports-to-the-firewall\/#ovh-firewall-vs-os-firewall\">OVH firewall vs OS firewall<\/a><\/li><li><a class=\"wp-block-table-of-contents__entry\" href=\"https:\/\/cln.io\/blog\/imunify360-adding-ports-to-the-firewall\/#imunify360-firewall\">Imunify360 firewall<\/a><\/li><li><a class=\"wp-block-table-of-contents__entry\" href=\"https:\/\/cln.io\/blog\/imunify360-adding-ports-to-the-firewall\/#using-imunify360-cli-to-add-a-port-to-the-firewall-config\">Using imunify360 CLI to add a port to the firewall config<\/a><\/li><li><a class=\"wp-block-table-of-contents__entry\" href=\"https:\/\/cln.io\/blog\/imunify360-adding-ports-to-the-firewall\/#using-the-imunify360-config-files-to-add-a-port\">Using the imunify360 config files to add a port<\/a><\/li><\/ol><\/nav>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"ovh-firewall-vs-os-firewall\">OVH firewall vs OS firewall<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">In my case, I can use OVH&#8217;s firewall to 
block all access to the IP, but I can also use the host&#8217;s firewall to block all ports. I let Imunify360 manage the iptables rules on the host.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"486\" src=\"https:\/\/cln.io\/blog\/wp-content\/uploads\/2022\/11\/image-47-1024x486.png\" alt=\"\" class=\"wp-image-1147\" srcset=\"https:\/\/cln.io\/blog\/wp-content\/uploads\/2022\/11\/image-47-1024x486.png 1024w, https:\/\/cln.io\/blog\/wp-content\/uploads\/2022\/11\/image-47-300x142.png 300w, https:\/\/cln.io\/blog\/wp-content\/uploads\/2022\/11\/image-47-768x364.png 768w, https:\/\/cln.io\/blog\/wp-content\/uploads\/2022\/11\/image-47.png 1029w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Example of one possible way to block all ports, using <a href=\"https:\/\/docs.ovh.com\/ie\/en\/dedicated\/firewall-network\/\" target=\"_blank\" rel=\"noreferrer noopener\">OVH&#8217;s network-level firewall<\/a><\/figcaption><\/figure>\n<\/div>\n\n\n<h2 class=\"wp-block-heading\" id=\"imunify360-firewall\">Imunify360 firewall<\/h2>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/cln.io\/blog\/wp-content\/uploads\/2022\/11\/image-39.png\" alt=\"\" class=\"wp-image-1131\" width=\"800\" height=\"821\" srcset=\"https:\/\/cln.io\/blog\/wp-content\/uploads\/2022\/11\/image-39.png 905w, https:\/\/cln.io\/blog\/wp-content\/uploads\/2022\/11\/image-39-292x300.png 292w, https:\/\/cln.io\/blog\/wp-content\/uploads\/2022\/11\/image-39-768x788.png 768w\" sizes=\"auto, (max-width: 800px) 100vw, 800px\" \/><figcaption class=\"wp-element-caption\">The current list of open ports, before closing them all<\/figcaption><\/figure>\n<\/div>\n\n\n<p class=\"wp-block-paragraph\">But before closing those ports with the firewall, I needed a way to re-enable them if for whatever reason I needed direct access again (not through the Cloudflare tunnel or the Tailscale tunnel); for me, that would be the OVH KVM.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">We have two options to achieve this:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Using the imunify360 CLI to add a port to the config<\/li>\n\n\n\n<li>Using the imunify360 config files to add a port (probably easier)<\/li>\n<\/ul>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p class=\"wp-block-paragraph\">NOTE<\/p>\n<cite>I use the firewall in &#8220;close all, except specified&#8221; mode, a.k.a. port_blocking_mode: DENY<\/cite><\/blockquote>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"using-imunify360-cli-to-add-a-port-to-the-firewall-config\">Using imunify360 CLI to add a port to the firewall config<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">At the moment of writing, there is no dedicated firewall command in the CLI.<br>So we have to pipe the output through jq to get the CLI to do what we want.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Get the current open ports with the imunify360 CLI:<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"bash\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">imunify360-agent config show --json | jq '.items.FIREWALL.TCP_IN_IPv4'<\/pre>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"694\" height=\"94\" src=\"https:\/\/cln.io\/blog\/wp-content\/uploads\/2022\/11\/image-40.png\" alt=\"\" class=\"wp-image-1134\" srcset=\"https:\/\/cln.io\/blog\/wp-content\/uploads\/2022\/11\/image-40.png 694w, https:\/\/cln.io\/blog\/wp-content\/uploads\/2022\/11\/image-40-300x41.png 300w\" sizes=\"auto, (max-width: 694px) 100vw, 694px\" \/><\/figure>\n<\/div>\n\n\n<p class=\"wp-block-paragraph\">Now 
we have to add our port to the list:<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"bash\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\"># the jq filter that appends a port (12345 is just an example) to the array\njq '. |= . + [\"12345\"]'\n# applied to the current list of open ports\nimunify360-agent config show --json | jq '.items.FIREWALL.TCP_IN_IPv4' | jq '. |= . + [\"12345\"]'<\/pre>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"901\" height=\"131\" src=\"https:\/\/cln.io\/blog\/wp-content\/uploads\/2022\/11\/image-41.png\" alt=\"\" class=\"wp-image-1135\" srcset=\"https:\/\/cln.io\/blog\/wp-content\/uploads\/2022\/11\/image-41.png 901w, https:\/\/cln.io\/blog\/wp-content\/uploads\/2022\/11\/image-41-300x44.png 300w, https:\/\/cln.io\/blog\/wp-content\/uploads\/2022\/11\/image-41-768x112.png 768w\" sizes=\"auto, (max-width: 901px) 100vw, 901px\" \/><\/figure>\n<\/div>\n\n\n<p class=\"wp-block-paragraph\">Now we have to wrap that JSON array in a TCP_IN_IPv4 object under FIREWALL, which is the shape the agent expects:<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"bash\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">imunify360-agent config show --json | jq '.items.FIREWALL.TCP_IN_IPv4' | jq '. |= . 
+ [\"12345\"]' | jq -c '{FIREWALL: {TCP_IN_IPv4: .}}'<\/pre>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"52\" src=\"https:\/\/cln.io\/blog\/wp-content\/uploads\/2022\/11\/image-42-1024x52.png\" alt=\"\" class=\"wp-image-1136\" srcset=\"https:\/\/cln.io\/blog\/wp-content\/uploads\/2022\/11\/image-42-1024x52.png 1024w, https:\/\/cln.io\/blog\/wp-content\/uploads\/2022\/11\/image-42-300x15.png 300w, https:\/\/cln.io\/blog\/wp-content\/uploads\/2022\/11\/image-42-768x39.png 768w, https:\/\/cln.io\/blog\/wp-content\/uploads\/2022\/11\/image-42.png 1220w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Now let&#8217;s get this into the config itself, which brings us to the final command<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"bash\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">imunify360-agent config update $(imunify360-agent config show --json | jq '.items.FIREWALL.TCP_IN_IPv4' | jq '. |= . 
+ [\"8443\"]' | jq -c '{FIREWALL: {TCP_IN_IPv4: .}}')<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Testing the command. The starting state, before running it:<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"905\" height=\"772\" src=\"https:\/\/cln.io\/blog\/wp-content\/uploads\/2022\/11\/image-43.png\" alt=\"\" class=\"wp-image-1138\" srcset=\"https:\/\/cln.io\/blog\/wp-content\/uploads\/2022\/11\/image-43.png 905w, https:\/\/cln.io\/blog\/wp-content\/uploads\/2022\/11\/image-43-300x256.png 300w, https:\/\/cln.io\/blog\/wp-content\/uploads\/2022\/11\/image-43-768x655.png 768w\" sizes=\"auto, (max-width: 905px) 100vw, 905px\" \/><figcaption class=\"wp-element-caption\">No TCP inbound ports<\/figcaption><\/figure>\n<\/div>\n\n\n<p class=\"wp-block-paragraph\">Executing our CLI command and checking the interface afterwards:<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"bash\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">imunify360-agent config update $(imunify360-agent config show --json | jq '.items.FIREWALL.TCP_IN_IPv4' | jq '. |= . 
+ [\"8443\"]' | jq -c '{FIREWALL: {TCP_IN_IPv4: .}}')<\/pre>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"847\" height=\"931\" src=\"https:\/\/cln.io\/blog\/wp-content\/uploads\/2022\/11\/image-44.png\" alt=\"\" class=\"wp-image-1139\" srcset=\"https:\/\/cln.io\/blog\/wp-content\/uploads\/2022\/11\/image-44.png 847w, https:\/\/cln.io\/blog\/wp-content\/uploads\/2022\/11\/image-44-273x300.png 273w, https:\/\/cln.io\/blog\/wp-content\/uploads\/2022\/11\/image-44-768x844.png 768w\" sizes=\"auto, (max-width: 847px) 100vw, 847px\" \/><\/figure>\n<\/div>\n\n\n<p class=\"wp-block-paragraph\">We can also request the current config and see if our port is there<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"bash\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">imunify360-agent config show --json -v | grep -C 10 \"FIREWALL\" <\/pre>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"653\" height=\"372\" src=\"https:\/\/cln.io\/blog\/wp-content\/uploads\/2022\/11\/image-45.png\" alt=\"\" class=\"wp-image-1142\" srcset=\"https:\/\/cln.io\/blog\/wp-content\/uploads\/2022\/11\/image-45.png 653w, https:\/\/cln.io\/blog\/wp-content\/uploads\/2022\/11\/image-45-300x171.png 300w\" sizes=\"auto, (max-width: 653px) 100vw, 653px\" \/><\/figure>\n<\/div>\n\n\n<p class=\"wp-block-paragraph\">So that works! 
We can now use this command to re-enable our ports in case we need direct IP access again rather than going over tunnels\/VPN.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"using-the-imunify360-config-files-to-add-a-port\">Using the imunify360 config files to add a port<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">I&#8217;m not much of a fan of piping output through modifiers and back into inputs &#x1f643;<br>Another way to open ports is to add them in the config and restart imunify360.<br>There is an <a href=\"https:\/\/docs.imunify360.com\/features\/#overridable-config\" target=\"_blank\" rel=\"noreferrer noopener\">overridable config<\/a> for imunify360:<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"bash\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">nano \/etc\/sysconfig\/imunify360\/imunify360.config.d\/90-local.config<\/pre>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"902\" height=\"533\" src=\"https:\/\/cln.io\/blog\/wp-content\/uploads\/2022\/11\/image-46.png\" alt=\"\" class=\"wp-image-1143\" srcset=\"https:\/\/cln.io\/blog\/wp-content\/uploads\/2022\/11\/image-46.png 902w, https:\/\/cln.io\/blog\/wp-content\/uploads\/2022\/11\/image-46-300x177.png 300w, https:\/\/cln.io\/blog\/wp-content\/uploads\/2022\/11\/image-46-768x454.png 768w\" sizes=\"auto, (max-width: 902px) 100vw, 902px\" \/><figcaption class=\"wp-element-caption\">Just add entries under TCP_IN_IPv4<\/figcaption><\/figure>\n<\/div>\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"bash\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\"># restart the agent so it picks up the new config (either form works)\nservice imunify360 restart\nsystemctl restart imunify360.service<\/pre>\n\n\n\n<p 
class=\"wp-block-paragraph\">Both methods work!<\/p>\n\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"683\" src=\"https:\/\/cln.io\/blog\/wp-content\/uploads\/2022\/11\/kenny-eliason-Cmz06-0btw-unsplash-1024x683.jpg\" alt=\"\" class=\"wp-image-1145\" srcset=\"https:\/\/cln.io\/blog\/wp-content\/uploads\/2022\/11\/kenny-eliason-Cmz06-0btw-unsplash-1024x683.jpg 1024w, https:\/\/cln.io\/blog\/wp-content\/uploads\/2022\/11\/kenny-eliason-Cmz06-0btw-unsplash-300x200.jpg 300w, https:\/\/cln.io\/blog\/wp-content\/uploads\/2022\/11\/kenny-eliason-Cmz06-0btw-unsplash-768x512.jpg 768w, https:\/\/cln.io\/blog\/wp-content\/uploads\/2022\/11\/kenny-eliason-Cmz06-0btw-unsplash-1536x1024.jpg 1536w, https:\/\/cln.io\/blog\/wp-content\/uploads\/2022\/11\/kenny-eliason-Cmz06-0btw-unsplash-2048x1365.jpg 2048w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Photo by <a href=\"https:\/\/unsplash.com\/@neonbrand?utm_source=unsplash&amp;utm_medium=referral&amp;utm_content=creditCopyText\" target=\"_blank\" rel=\"noreferrer noopener\">Kenny Eliason<\/a> on <a href=\"https:\/\/unsplash.com\/s\/photos\/firewall?utm_source=unsplash&amp;utm_medium=referral&amp;utm_content=creditCopyText\" target=\"_blank\" rel=\"noreferrer noopener\">Unsplash<\/a><\/figcaption><\/figure>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Since I have put my Plesk host behind a Cloudflare tunnel, I wish no longer to allow direct IP address access to the host. 
On this page OVH firewall vs OS firewall In my case, [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":1144,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[48,26,37],"tags":[],"class_list":["post-1130","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-security","category-it","category-networking"],"_links":{"self":[{"href":"https:\/\/cln.io\/blog\/wp-json\/wp\/v2\/posts\/1130","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cln.io\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cln.io\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cln.io\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/cln.io\/blog\/wp-json\/wp\/v2\/comments?post=1130"}],"version-history":[{"count":12,"href":"https:\/\/cln.io\/blog\/wp-json\/wp\/v2\/posts\/1130\/revisions"}],"predecessor-version":[{"id":1220,"href":"https:\/\/cln.io\/blog\/wp-json\/wp\/v2\/posts\/1130\/revisions\/1220"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cln.io\/blog\/wp-json\/wp\/v2\/media\/1144"}],"wp:attachment":[{"href":"https:\/\/cln.io\/blog\/wp-json\/wp\/v2\/media?parent=1130"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cln.io\/blog\/wp-json\/wp\/v2\/categories?post=1130"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cln.io\/blog\/wp-json\/wp\/v2\/tags?post=1130"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}