CSF commands for Unix/Linux servers

csf commands. 

Config Server Firewall is abbreviated as CSF. CSF is the most commonly using firewall application to secure Linux servers.

CSF has wide range of options to manage Linux firewall via comman-line and from the control panel. The csf installation includes preconfigured configurations and control panel UI’s for cPanel, DirectAdmin and Webmin.

The installation ans usage of CSF is quit simple.

Working principle of CSF

The idea with csf, as with most iptables firewall configurations, is to block everything and then allow through only those connections that you want. This is done in iptables by DROPPING all connections in and out of the server on all protocols. Then allow traffic in and out from existing connections. Then open ports up in and outgoing for both TCP and UDP individually.

We already discussed about the installation steps of CSF on Linux server. Click here for  Install and configure csf on CentOS.

After the successful installation of CSF you need to disable the TESTING mode to work the CSF properly on your server.

You can change it from the configuration file itself.

[root@server #] vim /etc/csf/csf.conf
Then change the value of 'TESTING' from 1 to 0

Some useful CSF commands for managing your server firewall.

1. Enable csf and lfd if previously disabled

csf -e 
Or 
csf --enable

2. Disable csf and lfd completely

csf -x
Or
csf --disable

3. Restart firewall rules

csf -r 
Or 
csf --restart

4. Start the firewall rules

csf -s 
Or 
csf --start

5. Flush/Stop firewall rules (Note: lfd may restart csf)

csf -f 
Or 
csf --stop

6. List/Show the IPv4 iptables configuration

csf -l 
Or 
csf --status

7. List/Show the IPv6 ip6tables configuration

csf -l6 
Or 
csf --status6

You must have some ideas about the following configuration files for using some other csf commands.

csf.conf : Configuration file for controlling CSF.
csf.allow : Allowed IP’s and CIDR addresses list on the firewall.
csf.deny : Denied IP’s and CIDR addresses list on the firewall.
csf.ignore : Ignored IP’s and CIDR addresses list on the firewall.
csf.*ignore : The list of various ignore files of users, IP’s.

8. Allow an IP and add to /etc/csf/csf.allow

csf -a ip [comment] 
Or 
csf --add ip [comment]

You can add your comments in the square bracket. See the example below:

[root@server ~]# csf -a 6x.8xx.1x2.8x [My server]
Adding 6x.8xx.1x2.8x to csf.allow and iptables ACCEPT...
ACCEPT  all opt -- in !lo out *  6x.8xx.1x2.8x  -> 0.0.0.0/0
ACCEPT  all opt -- in * out !lo  0.0.0.0/0  -> 6x.8xx.1x2.8x

6x.8xx.1×2.8x – is the IP address and ‘My server’ inside the square bracket is the comment. You can check the /etc/csf/csf.allow file for more details:

[root@server ~]# grep 6x.8xx.1x2.8x /etc/csf/csf.allow
------
6x.8xx.1x2.8x # [My server] - Thu Dec 19 23:16:27 2013
------

9. Remove an IP from /etc/csf/csf.allow and delete rule

csf -ar 
Or 
csf --addrm ip

10. Deny an IP and add to /etc/csf/csf.deny

csf -d 
Or 
csf --deny ip [comment]

11. Unblock an IP and remove from /etc/csf/csf.deny

csf -dr 
Or 
csf --denyrm ip

12. Remove and unblock all entries in /etc/csf/csf.deny

csf -df 
Or 
csf --denyf

13. Search the iptables and ip6tables rules for a match (e.g. IP, CIDR, Port Number)

csf -g 
Or 
csf --grep ip

Example:

[root@server ~]# csf -g 6x.8xx.1x2.8x
Chain            num   pkts bytes target     prot opt in     out     source               destination
ALLOWIN          1        0     0 ACCEPT     all  --  !lo    *       6x.8xx.1x2.8x        0.0.0.0/0
ALLOWOUT         1        0     0 ACCEPT     all  --  *      !lo     0.0.0.0/0            6x.8xx.1x2.8x

Temporary allow or deny of IP:
The following csf commands are using to allow or deny an IP address temporary from our server.

14. Displays the current list of temporary allow and deny IP entries with their TTL and comment

csf -t 
Or 
csf --temp

15. Add an IP to the temp IP allow list (default:inout)

csf -ta ip ttl [-p port] [-d direction] [comment]
Or
csf --tempallow ip ttl [-p port] [-d direction] [comment]

Where ttl is the time to live in seconds(Default value: 3600)

Example:

[root@server ~]# csf -ta 66.8x.1xx.xx
ACCEPT  all opt -- in !lo out *  66.8x.1xx.xx  -> 0.0.0.0/0
ACCEPT  all opt -- in * out !lo  0.0.0.0/0  -> 66.8x.1xx.xx
csf: 66.8x.1xx.xx allowed on port * for 3600 seconds in and outbound

16. Add an IP to the temp IP ban list.

csf -td ip ttl [-p port] [-d direction] [comment]
Or
csf --tempdeny ip ttl [-p port] [-d direction] [comment]

Example:

[root@server ~]# csf -td 66.8x.1xx.xx
DROP  all opt -- in !lo out *  66.8x.1xx.xx  -> 0.0.0.0/0
csf: 66.8x.1xx.xx blocked on port * for 3600 seconds inbound

17. Remove an IP from the temporary IP ban or allow list

csf -tr 
Or 
csf --temprm ip

18. Flush all IPs from the temporary IP entries

csf -tf 
Or 
csf --tempf

19. General commands:

csf -v Or csf --version : Show csf version
csf -c Or csf --check : Check for updates to csf but do not upgrade
csf -u Or csf --update : Check for updates to csf and upgrade if available
csf -h Or csf --help : For help

That’s it.. 🙂

Related topics

1. What is iptables in Linux?

What is iptables in Linux? We can call, it’s the basics of Firewall for Linux. Iptables is a rule based firewall system and it is normally pre-installed on a Unix operating system which is controlling the incoming and outgoing packets. By-default the iptables is running without any rules, we can create, add, edit rules into it.

In this article I am trying to explain the basics of iptables with some common practices. Read more..

2. Install and configure csf on CentOS
3. Csf command not found in WHM/cPanel server