ConfigServer Firewall (csf)

We have developed an SPI iptables firewall that is straight-forward, easy and flexible to configure and secure with extra checks to ensure smooth operation. It is preconfigured to work on a cPanel server with all the standard cPanel ports open. It also auto-configures your SSH port if it’s non-standard on
installation. csf can be used on any (supported – see the website) generic Linux OS.

…..
4. csf Command Line Options

You can view the csf command line options by using:

# csf -h

Usage: /usr/sbin/csf [option] [value]

Option Meaning
-h, --help Show this message
-l, --status List/Show iptables configuration
-s, --start Start firewall rules
-f, --stop Flush/Stop firewall rules
-r, --restart Restart firewall rules
-a, --add ip Add an IP address to be whitelisted to /etc/csf.allow
-d, --deny ip Add an IP address to be blocked to /etc/csf.deny
-dr, --denyrm ip Remove and unblock an IP address in /etc/csf.deny
-c, --check Checks for updates to csf+lfd but does not perform an upgrade
-g, --grep ip Search the iptables rules for an IP match (incl. CIDR)
-t, --temp Displays the current list of temporary IP bans and their TTL
-tr, --temprm ip Remove an IP address from the temporary IP ban list
-td, --tempdeny ip ttl [-p port] [-d direction]
Add an IP address to the temporary IP ban list. ttl is how
long to blocks for in seconds. Optional port. Optional
direction of block can be one of in, out or inout. Default
is in
-tf, --tempf Flush all IP addresses from the temporary IP ban list
-u, --update Checks for updates to csf+lfd and performs an upgrade if
available
-x, --disable Disable csf and lfd
-e, --enable Enable csf and lfd if previously disabled
-v, --version Show csf version

These options allow you to easily and quickly control and view csf. All the configuration files for csf are in /etc/csf and include:

csf.conf – the main configuration file, it has helpful comments explaining what each option does
csf.allow – a list of IP’s and CIDR addresses that should always be allowed through the firewall
csf.deny – a list of IP’s and CIDR addresses that should never be allowed through the firewall

If you modify any of the files listed above, you will need to restart csf to have them take effect. If you use the command line options to add or deny IP addresses, then csf automatically does this for you.

Both csf.allow and csf.deny can have comments after the IP address listed. The comments must be on the same line as the IP address otherwise the IP rotation of csf.deny will remove them.

If editing the csf.allow or csf.deny files directly, either from shell or the WHM UI, you should put a # between the IP address and the comment like this:

11.22.33.44 # Added because I don’t like them

You can also include comments when using the csf -a or csf -d commands, but in those cases you must not use a # like this:

csf -d 11.22.33.44 Added because I don’t like them

If you use the shell commands then each comment line will be timestamped. You will also find that if lfd blocks an IP address it will add a descriptive comment plus timestamp.