The csf command line options for the ConfigServer & Security Firewall. See /etc/csf/csf.conf and /etc/csf/readme.txt for more detailed information on how to use and configure this application.
csf --help
Option | Description |
---|---|
--help | Show help |
--status | List/Show the IPv4 iptables configuration |
--status6 | List/Show the IPv6 ip6tables configuration |
--start | Start the firewall rules |
--stop | Flush/Stop firewall rules (Note: lfd may restart csf) |
--restart | Restart firewall rules (csf) |
--startq | Quick restart (csf restarted by lfd) |
--startf | Force CLI restart regardless of LFDSTART setting |
--restartall | Restart firewall rules (csf) and then restart lfd daemon. Both csf and then lfd should be restarted after making any changes to the configuration files |
--lfd [stop\|start\|restart\|status] | Actions to take with the lfd daemon |
--add ip [comment] | Allow an IP and add to /etc/csf/csf.allow |
--addrm ip | Remove an IP from /etc/csf/csf.allow and delete rule |
--deny ip [comment] | Deny an IP and add to /etc/csf/csf.deny |
--denyrm ip | Unblock an IP and remove from /etc/csf/csf.deny |
--denyf | Remove and unblock all entries in /etc/csf/csf.deny |
--grep ip | Search the iptables and ip6tables rules for a match (e.g. IP, CIDR, Port Number) |
--iplookup ip | Lookup IP address geographical information using CC_LOOKUPS setting in /etc/csf/csf.conf |
--temp | Displays the current list of temporary allow and deny IP entries with their TTL and comment |
--temprm ip | Remove an IP from the temporary IP ban or allow list |
--temprmd ip | Remove an IP from the temporary IP ban list only |
--temprma ip | Remove an IP from the temporary IP allow list only |
--tempdeny ip ttl [-p port] [-d direction] [comment] | Add an IP to the temp IP ban list. ttl is how long to block for (default:seconds, can use one suffix of h/m/d). Optional port. Optional direction of block can be one of: in, out or inout (default:in) |
--tempallow ip ttl [-p port] [-d direction] [comment] | Add an IP to the temp IP allow list (default:inout) |
--tempf | Flush all IPs from the temporary IP entries |
--cgrep ip | Requests the --grep output for IP from each member in an lfd Cluster |
--cdeny ip [comment] | Deny an IP in a Cluster and add to each remote /etc/csf/csf.deny |
--ctempdeny ip ttl [-p port] [-d direction] [comment] | Add an IP in a Cluster to the temp IP ban list (default:in) |
--carm ip | Unblock an IP in a Cluster and remove from each remote /etc/csf/csf.deny and temporary list |
--callow ip [comment] | Allow an IP in a Cluster and add to each remote /etc/csf/csf.allow |
--ctempallow ip ttl [-p port] [-d direction] [comment] | Add an IP in a Cluster to the temp IP allow list (default:in) |
--carm ip | Remove allowed IP in a Cluster and remove from each remote /etc/csf/csf.allow and temporary list |
--cignore ip [comment] | Ignore an IP in a Cluster and add to each remote /etc/csf/csf.ignore. Note: This will result in lfd being restarted |
--cirm ip | Remove ignored IP in a Cluster and remove from each remote /etc/csf/csf.ignore. Note: This will result in lfd being restarted |
--cconfig [name] [value] | Change configuration option [name] to [value] in a Cluster |
--cfile [file] | Send [file] in a Cluster to /etc/csf/ |
--crestart | Cluster restart csf and lfd |
--trace [add\|remove] ip | Log SYN packets for an IP across iptables chains. Note, this can create a LOT of logging information in /var/log/messages so should only be used for a short period of time. This option requires the iptables TRACE module and access to the raw PREROUTING chain to function |
--mail [email] | Display Server Check in HTML or email to [email] if present |
--rbl [email] | Process and display RBL Check in HTML or email to [email] if present |
--logrun | Initiate Log Scanner report via lfd |
--ports | View ports on the server that have a running process behind them listening for external connections |
--graphs [graph type] [directory] | Generate System Statistics html pages and images for a given graph type into a given directory. See ST_SYSTEM for requirements |
--profile [command] [profile\|backup] [profile\|backup] | Configuration profile functions for /etc/csf/csf.conf. You can create your own profiles using the examples provided in /usr/local/csf/profiles/. The profile reset_to_defaults.conf is a special case and will always be the latest default csf.conf |
--mregen | MESSENGERV2 /etc/apache2/conf.d/csf_messenger.conf regeneration. This will also gracefully restart httpd |
--cloudflare [command] | Commands for interacting with the CloudFlare firewall. See /etc/csf/readme.txt and CF_ENABLE for more detailed information |
--check | Check for updates to csf but do not upgrade |
--update | Check for updates to csf and upgrade if available |
--disable | Disable csf and lfd completely |
--enable | Enable csf and lfd if previously disabled |
--version | Show csf version |
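
The --tempdeny syntax in the table (ttl in seconds or with one h/m/d suffix, optional port, direction in/out/inout) can be checked before a block is issued. The following is an added example, not part of csf or its documentation: the function names `ttl_to_seconds` and `tempdeny_cmd` are hypothetical, the address is a constructed documentation IP, and the command is only printed, never run.

```shell
#!/bin/sh
# Added example: validate arguments and print a `csf --tempdeny` command line
# for review. Function names are hypothetical, not part of csf.

# ttl_to_seconds TTL: print the ttl in seconds. Accepts a bare number
# (seconds) or one suffix of m, h or d, as the --tempdeny row describes.
ttl_to_seconds() {
    num=${1%[hmd]}            # strip one trailing suffix, if present
    unit=${1#"$num"}          # the stripped suffix ("" means seconds)
    # Reject empty, non-numeric and zero-prefixed values (avoids octal parsing).
    case "$num" in ''|*[!0-9]*|0*) return 1 ;; esac
    case "$unit" in
        '') mult=1 ;;
        m)  mult=60 ;;
        h)  mult=3600 ;;
        d)  mult=86400 ;;
        *)  return 1 ;;
    esac
    echo $((num * mult))
}

# tempdeny_cmd IP TTL [PORT] [DIRECTION]: print the command, or return 1.
tempdeny_cmd() {
    ip=${1:-}; ttl=${2:-}; port=${3:-}; dir=${4:-in}   # in is the csf default
    # Loose character check only; csf itself does the real address parsing.
    case "$ip" in ''|*[!0-9a-fA-F.:]*) return 1 ;; esac
    ttl_to_seconds "$ttl" >/dev/null || return 1
    case "$dir" in in|out|inout) ;; *) return 1 ;; esac
    cmd="csf --tempdeny $ip $ttl"
    if [ -n "$port" ]; then
        case "$port" in *[!0-9]*) return 1 ;; esac
        [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || return 1
        cmd="$cmd -p $port"
    fi
    echo "$cmd -d $dir"
}

# Constructed sample input (203.0.113.7 is a documentation address).
tempdeny_cmd 203.0.113.7 1h 22 in
tempdeny_cmd 203.0.113.7 1w 22 in || echo "rejected: ttl suffix must be h, m or d"
```
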