Config server firewall (CSF firewall) is a more sophisticated firewall compared to others as there are more configuration options. Installation and configuration are easy to do – even for inexperienced administrators. This article will take you through the steps to install and configure CSF firewall with its security plugin Login Failure Daemon (LFD)

CSF Command Line Options

A. Ip specification in Config Server Firewall:

* To check is the Specific IP is Blocked OR Allowed :-

[email protected][/]# grep 92.48.65.28 / etc/csf/csf*
/etc/csf/csf.allow: 92.48.65.28 # Manually allowed – Wed Mar 20 11:30:04 2013

* To Allow Specific IP :-

[email protected][~]# csf -a 10.20.30.96
Adding 10.20.30.96 to csf.allow and iptables ACCEPT…
ACCEPT all opt –in !lo out* 10.20.30.96 ? 0.0.0.0/0
ACCEPT all opt –in * out !lo 0.0.0.0/0 ? 10.20.30.96

*To Block Specific IP :-

[email protected][~]# csf -d 11.21.30.86
Adding 10.20.30.96 to csf.deny and iptables DROP…
DROP all opt –in !lo out* 11.21.30.86 ? 0.0.0.0/0
DROP all opt –in * out !lo 0.0.0.0/0 ? 11.21.30.86

* After Allow or Block an IP, you must reload the rules with the following command :-
csf -r

B. Configuration files:-

Users must check in /etc/csf for all the configuration files for csf:
csf.conf : The main configuration file, it has helpful comments explaining what every option does
csf.allow : A list of IP’s and CIDR addresses that should always be allowed through the firewall
csf.deny : A list of IP’s and CIDR addresses that should never be allowed through the firewall
csf.ignore : A list of IP’s and CIDR addresses that lfd should ignore and not not block if detected
csf.*ignore : Various ignore files that list files, users, IP’s that lfd should ignore.

Restart csf after modify any of the files listed above to have them take effect.

Users can comments after the both IP address listed csf.allow and csf.deny. But make sure that the comments must be on the single line as the IP address else the IP rotation of csf.deny would ignore them.

You should put a # between the IP address and the comment like this:
e.g :- 10.20.30.96 # blocked because of Abuse Complaint

You can also include comments when utilizing the csf -a or csf -d commands, but in those cases you must not utilize a # like this:-
e.g :- csf -d 11.22.33.44 blocked because of Abuse Complaint.

C. csf command line options :-

[email protected] [~]# csf -h
Usage: /usr/sbin/csf [option] [value]
Option Meaning
-h, –help Show this message
-l, –status List/Show iptables configuration
-l6, –status6 List/Show ip6tables configuration
-s, –start Start firewall rules
-f, –stop Flush/Stop firewall rules (Note: lfd may restart csf)
-r, –restart Restart firewall rules
-a, –add ip Allow an IP and add to /etc/csf.allow
-ar, –addrm ip Remove an IP from /etc/csf.allow and delete rule
-d, –deny ip Deny an IP and add to /etc/csf.deny
-dr, –denyrm ip Unblock an IP and remove from /etc/csf.deny
-df, –denyf Remove and unblock all entries in /etc/csf.deny
-g, –grep ip Search the iptables rules for an IP match (incl. CIDR)
-t, –temp Displays the current list of temp IP entries and their TTL
-tr, –temprm ip Remove an IPs from the temp IP ban and allow list
-ta, –tempallow ip ttl [-p port] [-d direction]
Add an IP to the temp IP allow list (default:inout)
-tf, –tempf Flush all IPs from the temp IP entries
-c, –check Check for updates to csf but do not upgrade
-u, –update Check for updates to csf and upgrade if available
-uf Force an update of csf
-x, –disable Disable csf and lfd
-e, –enable Enable csf and lfd if previously disabled
-v, –version Show csf version

Users can easily manage the csf with the above options.