General Settings

Only apply iptables rules to NICs - ETH_DEVICE
Only apply iptables rules to a specific network interface. (comma separated e.g. eth1, or eth+).
Default: empty

Only apply ip6tables rules to NICs - ETH6_DEVICE
Only apply ip6tables rules to a specific network interface. (comma separated e.g. eth1, or eth+).
Default: empty

Skip iptables rules for NICs - ETH_DEVICE_SKIP
Do not apply iptables rules to these specific network interfaces (comma separated e.g. eth1,eth2).
Default: empty
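
The three interface settings above are easiest to reason about by working out which interfaces a rule ends up reaching. The following is an added example, not csf's own code: it models the selection that ETH_DEVICE and ETH_DEVICE_SKIP describe, using the iptables convention that a trailing "+" in an interface name is a prefix wildcard (so "eth+" covers eth0, eth1, ...). Treating skip entries with the same wildcard matching is an assumption of the example, as is the constructed interface list.

```python
# Added example (not csf's own code): which interfaces a firewall rule reaches
# for a given ETH_DEVICE / ETH_DEVICE_SKIP pair. iptables treats a trailing '+'
# in an interface name as a prefix wildcard, so "eth+" covers eth0, eth1, ...
# Assumption: skip entries are matched the same way as ETH_DEVICE entries.

def split_list(value: str) -> list[str]:
    """Split the comma separated setting value, tolerating spaces after commas."""
    return [item.strip() for item in value.split(",") if item.strip()]

def iface_matches(pattern: str, iface: str) -> bool:
    """iptables interface matching: exact name, or prefix when the pattern ends in '+'."""
    if pattern.endswith("+"):
        return iface.startswith(pattern[:-1])
    return iface == pattern

def interfaces_in_scope(eth_device: str, eth_device_skip: str, available: list[str]) -> list[str]:
    """Return the interfaces rules would be applied to.

    Empty ETH_DEVICE (the default) means every interface; ETH_DEVICE_SKIP then
    removes interfaces from whatever ETH_DEVICE selected.
    """
    include = split_list(eth_device)
    skip = split_list(eth_device_skip)
    selected = [i for i in available if not include or any(iface_matches(p, i) for p in include)]
    return [i for i in selected if not any(iface_matches(p, i) for p in skip)]

# Constructed interface list standing in for the output of `ip -o link` on a host.
SAMPLE_INTERFACES = ["lo", "eth0", "eth1", "eth2", "venet0", "docker0"]

if __name__ == "__main__":
    cases = [("", ""), ("eth+", ""), ("eth1, eth2", ""), ("eth+", "eth1,eth2"), ("", "docker0")]
    for dev, skip in cases:
        scope = interfaces_in_scope(dev, skip, SAMPLE_INTERFACES)
        print(f"ETH_DEVICE={dev!r:14} ETH_DEVICE_SKIP={skip!r:12} -> {scope}")
```

The "eth+" cases show the check worth doing before restricting ETH_DEVICE: an interface that matches none of the patterns (venet0 in the constructed list) receives no rules at all, so compare the result against the host's real interface list rather than assuming every NIC is covered.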

Use conntrack module - USE_CONNTRACK
Enable the use of the iptables "conntrack" module over deprecated "state" module.
Default: 0

Use FTP helper - USE_FTPHELPER
Enable ftp helper via the iptables CT target on supporting kernels (v2.6.34+) instead of the current method via /proc/sys/net/netfilter/nf_conntrack_helper. This will also remove the RELATED target from the global state iptables rule. This is not needed (and will be ignored) if LF_SPI/IPV6_SPI is disabled or the raw tables do not exist. The USE_CONNTRACK option should be enabled.
Default: 0

Syslog check interval - SYSLOG_CHECK
Check whether syslog is running. Set to 0 to disable.
Default: 0 Range: 0|60-3600

Ignore IPs listed in allow - IGNORE_ALLOW
Do not block IP addresses listed in csf.allow in addition to csf.ignore. This option is not recommended, as it could tell the login failure daemon to ignore attacks from infected PCs' IP addresses.
Default: 0 Range: 0-1

Strict rules to DNS traffic - DNS_STRICT
Apply strict iptables rules to DNS traffic. This option could cause DNS resolution issues but could help prevent abuse of the local DNS server.
Default: 0 Range: 0-1

Strict rules to DNS traffic between server and nameservers - DNS_STRICT_NS
Apply strict iptables rules to DNS traffic between the server and the nameservers listed in /etc/resolv.conf. This option could cause DNS resolution issues but could help prevent abuse of the local DNS server.
Default: 0 Range: 0-1

Deny permanently limit - DENY_IP_LIMIT
Limit the number of IPs that are permanently banned. A large number of IP addresses creates a large number of iptables rules, which can cause problems on some VPSs or where resources are limited. When the limit is reached, the entries are rotated so that the oldest entries are removed and the latest is added. Set to 0 to disable limiting.
Default: 2000 Range: 10-1000

Deny temporarily limit - DENY_TEMP_IP_LIMIT
Limit the number of IPs that are temporarily banned. A large number of IP addresses creates a large number of iptables rules, which can cause problems on some VPSs or where resources are limited. When the limit is reached, the entries are rotated so that the oldest entries are removed and the latest is added. Set to 0 to disable limiting.
Default: 1000 Range: 10-1000
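
The rotation that DENY_IP_LIMIT and DENY_TEMP_IP_LIMIT describe has a side effect worth seeing explicitly: every eviction is an address that becomes reachable again. The following added example (not csf's own code, and operating on an in-memory list rather than csf.deny) applies that rotation to a constructed stream of bans and returns the evicted entries alongside the surviving list, so the effect of a given limit can be measured.

```python
# Added example (not csf's own code): the rotation DENY_IP_LIMIT and
# DENY_TEMP_IP_LIMIT describe, applied to an in-memory list of banned IPs.
# Entries are kept oldest first; limit 0 disables rotation, as the page states.

def add_with_limit(entries: list[str], new_entry: str, limit: int) -> tuple[list[str], list[str]]:
    """Append new_entry and enforce the limit.

    Returns (updated list, evicted entries). When the list would exceed a
    non-zero limit, the oldest entries are dropped so the newest fits.
    """
    if limit < 0:
        raise ValueError("limit must be 0 (disabled) or positive")
    updated = list(entries)
    if new_entry not in updated:
        updated.append(new_entry)
    if limit == 0 or len(updated) <= limit:
        return updated, []
    overflow = len(updated) - limit
    return updated[overflow:], updated[:overflow]

def simulate(new_entries: list[str], limit: int) -> tuple[list[str], list[str]]:
    """Feed a stream of bans through the limit and collect everything that was evicted."""
    banned: list[str] = []
    evicted_total: list[str] = []
    for ip in new_entries:
        banned, evicted = add_with_limit(banned, ip, limit)
        evicted_total.extend(evicted)
    return banned, evicted_total

# Constructed stream of bans using documentation-range addresses.
BAN_STREAM = [f"192.0.2.{n}" for n in range(1, 6)]

if __name__ == "__main__":
    banned, evicted = simulate(BAN_STREAM, limit=3)
    print("still banned:            ", banned)
    print("evicted (reachable again):", evicted)
```

The evicted list is the thing to log or alert on: a host that keeps hitting the limit is silently unblocking older entries with every new ban, which is the signal to revisit the limit rather than accept the churn.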

Login failure daemon - LF_DAEMON
Enable the login failure detection daemon. Set to 0 to disable and the daemon will not start.
Default: 1 Range: 0-1

Auto restart of stopped firewall - LF_CSF
Check whether the firewall is stopped and restart it, unless testing is enabled. The check is done every 300 seconds.
Default: 1 Range: 0-1

Fast start - FASTSTART
On a clean server reboot the entire csf iptables configuration is saved and then restored where possible to provide a near instant firewall startup. Also, on a firewall restart or when the login failure daemon reloads tables, CC_* as well as SPAMHAUS, DSHIELD, BOGON and TOR are loaded using this method in a fraction of the time taken when this setting is disabled.
Default: 1 Range: 0-1

Ipset - LF_IPSET
Use ipset v6+ for the following options: CC_* and /etc/csf/csf.blocklist, /etc/csf/csf.allow, /etc/csf/csf.deny, GLOBAL_DENY, GLOBAL_ALLOW, DYNDNS, GLOBAL_DYNDNS, MESSENGER. ipset will only be used with the above options when listing IPv4 IPs and CIDRs. IPv6 IPs, Advanced Allow Filters and temporary blocks use traditional iptables. Using ipset moves IP matching against large lists away from iptables rules and to a purpose-built and optimised database matching utility. To use this option you must have a fully functioning installation of ipset 6+, installed either via rpm or from source from http://ipset.netfilter.org/. Note: ipset will NOT function on Virtuozzo/OpenVZ.
Default: 1

Waitlock - WAITLOCK
Versions of iptables greater than or equal to v1.4.20 should support the --wait option. This forces iptables commands that use the option to wait until a lock by any other process using iptables completes, rather than simply failing. Enabling this feature will add the --wait option to iptables commands. The disadvantage of using this option is that any iptables command that uses it will hang until the lock is released.
Default: 1

Waitlock timeout - WAITLOCK_TIMEOUT
To try to avoid hung processes waiting to issue iptables commands, csf uses a last ditch timeout, WAITLOCK_TIMEOUT in seconds, that will trigger a failure if reached.
Default: 300

Ipset hashsize - LF_IPSET_HASHSIZE
The hashsize for ipset sets, which must be a power of 2. Note: Increasing this value will consume more memory for all sets.
Default: 1024

Ipset maxelem - LF_IPSET_MAXELEM
The maxelem for ipset sets. Note: Increasing this value will consume more memory for all sets.
Default: 65536
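
Several entries on this page state allowed values in different shapes: plain 0-1 switches, SYSLOG_CHECK's "0|60-3600", the "0 disables" rule for the deny limits and WAITLOCK_TIMEOUT, and the power-of-two requirement for LF_IPSET_HASHSIZE. The following added example (not csf's own code) checks a settings fragment against those constraints before it is applied. It assumes the csf.conf style of NAME = "value" lines with # comment lines; the sample fragments are constructed.

```python
import re

# Added example (not csf's own code): a checker for the allowed values the
# Range: lines on this page give. Assumption: the settings file uses the
# csf.conf style  NAME = "value"  with # comment lines.

SETTING_RE = re.compile(r'^([A-Z0-9_]+)\s*=\s*"([^"]*)"$')

def parse_conf(text: str) -> dict[str, str]:
    """Collect NAME = "value" lines, ignoring blank and comment lines."""
    settings: dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        match = SETTING_RE.match(line)
        if match:
            settings[match.group(1)] = match.group(2)
    return settings

def is_power_of_two(n: int) -> bool:
    """LF_IPSET_HASHSIZE must be a power of 2 (page requirement)."""
    return n > 0 and n & (n - 1) == 0

def on_off(v: int) -> bool:
    """Range: 0-1 switches."""
    return v in (0, 1)

# One predicate per setting, taken from this page's Range: lines.
CHECKS = {
    "SYSLOG_CHECK": lambda v: v == 0 or 60 <= v <= 3600,   # Range: 0|60-3600
    "IGNORE_ALLOW": on_off,
    "DNS_STRICT": on_off,
    "DNS_STRICT_NS": on_off,
    "LF_DAEMON": on_off,
    "LF_CSF": on_off,
    "FASTSTART": on_off,
    # The page gives Range: 10-1000 for both limits but a Default of 2000 for
    # DENY_IP_LIMIT, so only "0 disables, otherwise at least 10" is enforced here.
    "DENY_IP_LIMIT": lambda v: v == 0 or v >= 10,
    "DENY_TEMP_IP_LIMIT": lambda v: v == 0 or v >= 10,
    "WAITLOCK_TIMEOUT": lambda v: v > 0,                    # seconds
    "LF_IPSET_HASHSIZE": is_power_of_two,
    "LF_IPSET_MAXELEM": lambda v: v > 0,
}

def validate(settings: dict[str, str]) -> list[str]:
    """Return one message per known setting whose value is not an integer in range."""
    problems = []
    for key, allowed in CHECKS.items():
        if key not in settings:
            continue
        raw = settings[key]
        if not raw.isdigit():
            problems.append(f"{key}: {raw!r} is not a non-negative integer")
        elif not allowed(int(raw)):
            problems.append(f"{key}: {raw} is outside the allowed values")
    return problems

# Constructed fragment using this page's defaults.
SAMPLE_OK = """
# General Settings (constructed sample)
SYSLOG_CHECK = "0"
DNS_STRICT = "0"
DENY_IP_LIMIT = "2000"
DENY_TEMP_IP_LIMIT = "1000"
WAITLOCK_TIMEOUT = "300"
LF_IPSET_HASHSIZE = "1024"
LF_IPSET_MAXELEM = "65536"
"""

# Constructed fragment with one violation of each kind.
SAMPLE_BAD = """
SYSLOG_CHECK = "30"
DNS_STRICT = "2"
LF_IPSET_HASHSIZE = "1000"
LF_IPSET_MAXELEM = "many"
"""

if __name__ == "__main__":
    for name, text in (("SAMPLE_OK", SAMPLE_OK), ("SAMPLE_BAD", SAMPLE_BAD)):
        print(name, validate(parse_conf(text)) or "ok")
```

Running the check before a firewall restart catches the values that would otherwise surface only as a failed reload, such as a hashsize of 1000 that looks reasonable but is not a power of two.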

Use LFD to restart the firewall - LFDSTART
Instead of the firewall rebuilding the iptables rules, the firewall will tell the login failure daemon to rebuild them instead. This option is recommended for servers with a large number of iptables rules, e.g. when using country code block or allow lists.
Default: 0 Range: 0-1

Verbose iptables output - VERBOSE
Enable verbose output of iptables commands. (Not recommended)
Default: 0 Range: 0-1

Packet filter for unwanted or illegal packets - PACKET_FILTER
Enable packet filtering for unwanted or illegal packets. This will drop packets that iptables has deemed INVALID. To disable this option set to 0.
Default: 1 Range: 0-1

Reverse DNS lookups of IP addresses - LF_LOOKUPS
Perform reverse DNS lookups on IP addresses.
Default: 1 Range: 0-1