The standard Linux firewall is called iptables, whilst it is extremely powerful and offers the ability to customise the rules to improve the overall security of your server, it is often seen as being extremely complex to manage.
ConfigServer Firewall, also known as CSF, is an advanced firewall configuration script for Linux which enables you to manage the configuration of iptables all from within its easy to use intuitive GUI for managing the firewall settings giving improved security of your Linux server.
In this guide, we will show you essential commands detailing how to manage your individual and cluster ConfigServer Firewall (CSF) servers using the SSH command line. The ConfigServer team have enabled all CSF functionality to be managed easily through the command line which many find easier. We have presented the commands in a cheat sheet format, meaning we will show you the CSF command, describe what it does and show you an example.
CSF Commands
| CSF Commands | ||
|---|---|---|
| Command | Description | Example |
| csf -h | Show the help message | [root@vpsb ~]# csf -h |
| csf -v | Show CSF version | [root@vpsb ~]# csf -v |
| csf -c | Check for updates to csf but do not upgrade | [root@vpsb ~]# csf -c |
| csf -u | Check for updates to csf nd upgrade if available | [root@vpsb ~]# csf -u |
| csf -e | Enable CSF | [root@vpsb ~]# csf -e |
| csf -x | Disable CSF | [root@vpsb ~]# csf -x |
| csf -r | Restart CSF Firewall | [root@vpsb ~]# csf -r |
| csf -f | Flush/Stop firewall rules (note: lfd may restart csf) | [root@vpsb ~]# csf -f |
| csf -ra | Restart CSF & LFD Firewall | [root@vpsb ~]# csf -ra |
| csf -a [IP] [Comment] | Allow an IP and add to /etc/csf/csf.allow | [root@vpsb ~]# csf -a 192.168.0.1 Home IP |
| csf -ar [IP] | Remove an IP from /etc/csf/csf.allow | [root@vpsb ~]# csf -ar 192.168.0.1 Home IP |
| csf -td [IP] 86400 [Comment] | Place an IP on the temporary deny list in /csf/csf.tempban for 24 hours, (defined in seconds) | [root@vpsb ~]# csf -td 192.168.0.1 86400 Port Scan |
| csf -tr [IP] | Remove an IP from the temporary IP ban or allow list. | [root@vpsb ~]# csf -tr 192.168.0.1 |
| csf -tf | Flush all IPs from the temporary IP entries | [root@vpsb ~]# csf -tf |
| csf -d [IP] [Comment] | Deny an IP and add to /etc/csf/csf.deny | [root@vpsb ~]# csf -d 192.168.0.1 Block This IP |
| csf -dr [IP] | Unblock an IP and remove from /etc/csf/csf.deny | [root@vpsb ~]# csf -dr 192.168.0.1 |
| csf -df | Remove and unblock all entries in /etc/csf/csf.deny | [root@vpsb ~]# csf -df |
| csf -g [IP] | Search the iptables and ip6tables rules for a match (e.g. IP, CIDR, Port Number) | [root@vpsb ~]# csf -g 192.168.0.1 |
| csf -t | Displays the current list of temporary allow and deny IP entries with their TTL and comments | [root@vpsb ~]# csf -t |
CSF Cluster Commands
| CSF Cluster Commands | ||
|---|---|---|
| Command | Description | Example |
| csf -cp | PING all members in an lfd Cluster | [root@vpsb ~]# csf -cp |
| csf -cd [IP] [Comment] | Deny an IP in a Cluster and add to /etc/csf.deny | [root@vpsb ~]# csf -cd 192.168.0.1 Ban This IP |
| csf -ctd [IP] [Comment] | Add an IP in a Cluster to the temp IP ban list (default:in) | [root@vpsb ~]# csf -ctd 192.168.0.1 Temp Ban This IP |
| csf -ca [IP] [Comment] | Allow an IP in a Cluster and add to /etc/csf.allow | [root@vpsb ~]# csf -ca 192.168.0.1 Home IP |
| csf -cta [IP] | Add an IP in a Cluster to the temp IP allow list (default:in) | [root@vpsb ~]# csf -cta 192.168.0.1 |
| csf -cr [IP] | Unblock an IP in a Cluster and remove from /etc/csf.deny | [root@vpsb ~]# csf -cr 192.168.0.1 |
| csf -car [IP] | Remove allowed IP in a Cluster and remove from each remote /etc/csf/csf.allow and temporary list | [root@vpsb ~]# csf -car 192.168.0.1 |
| csf -cc [Name] [Value] | Change configuration option [name] to [value] in a Cluster | [root@vpsb ~]# csf -cc TESTING 0 |
| csf -cf [File] | Send allow file to Cluster (/etc/csf/csf.allow) | [root@vpsb ~]# csf -cf /etc/csf/csf.allow |
| csf -cf [File] | Send deny file to Cluster (/etc/csf/csf.deny) | [root@vpsb ~]# csf -cf /etc/csf/csf.deny |
| csf -crs | Cluster restart csf and lfd | [root@vpsb ~]# csf -crs |
| csf -cg [IP] [Comment] | Requests the –grep output for IP from each member in an lfd # Cluster | [root@vpsb ~]# csf -cg 192.168.0.1 Home IP |
That’s it. You have now successfully learnt the essential commands on how to control your individual and cluster ConfigServer Firewall (CSF) servers using the SSH command line.
