Table of Contents
CSF commands for managing your server firewall.
1. Enable csf and lfd if previously disabled
csf -e Or csf --enable
2. Disable csf and lfd completely
csf -x Or csf --disable
3. Restart firewall rules
csf -r Or csf --restart
4. Start the firewall rules
csf -s Or csf --start
5. Flush/Stop firewall rules (Note: lfd may restart csf)
csf -f Or csf --stop
6. List/Show the IPv4 iptables configuration
csf -l Or csf --status
7. List/Show the IPv6 ip6tables configuration
csf -l6 Or csf --status6
You must have some ideas about the following configuration files for using some other csf commands.
csf.conf : Configuration file for controlling CSF. csf.allow : Allowed IP’s and CIDR addresses list on the firewall. csf.deny : Denied IP’s and CIDR addresses list on the firewall. csf.ignore : Ignored IP’s and CIDR addresses list on the firewall. csf.*ignore : The list of various ignore files of users, IP’s.
8. Allow an IP and add to /etc/csf/csf.allow
csf -a ip [comment] Or csf --add ip [comment]
You can add your comments in the square bracket. See the example below:
[root@server ~]# csf -a 6x.8xx.1x2.8x [My server] Adding 6x.8xx.1x2.8x to csf.allow and iptables ACCEPT... ACCEPT all opt -- in !lo out * 6x.8xx.1x2.8x -> 0.0.0.0/0 ACCEPT all opt -- in * out !lo 0.0.0.0/0 -> 6x.8xx.1x2.8x
6x.8xx.1×2.8x – is the IP address and ‘My server’ inside the square bracket is the comment. You can check the /etc/csf/csf.allow file for more details:
[root@server ~]# grep 6x.8xx.1x2.8x /etc/csf/csf.allow ------ 6x.8xx.1x2.8x # [My server] - Thu Dec 19 23:16:27 2013 ------
9. Remove an IP from /etc/csf/csf.allow and delete rule
csf -ar Or csf --addrm ip
10. Deny an IP and add to /etc/csf/csf.deny
csf -d Or csf --deny ip [comment]
11. Unblock an IP and remove from /etc/csf/csf.deny
csf -dr Or csf --denyrm ip
12. Remove and unblock all entries in /etc/csf/csf.deny
csf -df Or csf --denyf
13. Search the iptables and ip6tables rules for a match (e.g. IP, CIDR, Port Number)
csf -g Or csf --grep ip
Example:
[root@server ~]# csf -g 6x.8xx.1x2.8x Chain num pkts bytes target prot opt in out source destination ALLOWIN 1 0 0 ACCEPT all -- !lo * 6x.8xx.1x2.8x 0.0.0.0/0 ALLOWOUT 1 0 0 ACCEPT all -- * !lo 0.0.0.0/0 6x.8xx.1x2.8x
Temporary allow or deny of IP:
The following csf commands are using to allow or deny an IP address temporary from our server.
14. Displays the current list of temporary allow and deny IP entries with their TTL and comment
csf -t Or csf --temp
15. Add an IP to the temp IP allow list (default:inout)
csf -ta ip ttl [-p port] [-d direction] [comment] Or csf --tempallow ip ttl [-p port] [-d direction] [comment]
Where ttl is the time to live in seconds(Default value: 3600)
Example:
[root@server ~]# csf -ta 66.8x.1xx.xx ACCEPT all opt -- in !lo out * 66.8x.1xx.xx -> 0.0.0.0/0 ACCEPT all opt -- in * out !lo 0.0.0.0/0 -> 66.8x.1xx.xx csf: 66.8x.1xx.xx allowed on port * for 3600 seconds in and outbound
16. Add an IP to the temp IP ban list.
csf -td ip ttl [-p port] [-d direction] [comment] Or csf --tempdeny ip ttl [-p port] [-d direction] [comment]
Example:
[root@server ~]# csf -td 66.8x.1xx.xx DROP all opt -- in !lo out * 66.8x.1xx.xx -> 0.0.0.0/0 csf: 66.8x.1xx.xx blocked on port * for 3600 seconds inbound
17. Remove an IP from the temporary IP ban or allow list
csf -tr Or csf --temprm ip
18. Flush all IPs from the temporary IP entries
csf -tf Or csf --tempf
19. General commands:
csf -v Or csf --version : Show csf version csf -c Or csf --check : Check for updates to csf but do not upgrade csf -u Or csf --update : Check for updates to csf and upgrade if available csf -h Or csf --help : For help
That’s it..