ConfigServer Firewall (CSF) is an SPI iptables firewall that is straightforward, easy and flexible to configure and secure, with extra checks to ensure smooth operation.

The idea behind CSF is to block everything and then allow through only the connections you want. In iptables this is done by DROPPING all connections in and out of the server on all protocols, then allowing traffic in and out for existing connections, then opening individual ports, incoming and outgoing, for TCP and UDP separately. This way you control exactly what traffic is allowed in and out of the server, which helps protect it from malicious attack.
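To make the ordering concrete, here is that block-everything-then-allow model written out as plain iptables commands. This is an added example, not CSF's own code or output: the port lists are assumed values named in the style of csf.conf's TCP_IN/TCP_OUT/UDP_IN/UDP_OUT settings, and by default the script only prints the commands it would run (set APPLY=1 to execute them, which needs root).

```shell
#!/bin/sh
# Added example (not CSF's own code): the default-deny model as plain iptables commands.
# Port lists are assumed values, named after the style of csf.conf's TCP_IN/TCP_OUT/UDP_IN/UDP_OUT.
TCP_IN="22,80,443"
TCP_OUT="22,25,53,80,443"
UDP_IN="53"
UDP_OUT="53,123"

# Dry run by default: print each command. APPLY=1 executes it instead (requires root).
ipt() {
  if [ "${APPLY:-0}" = "1" ]; then
    iptables "$@"
  else
    echo "iptables $*"
  fi
}

# Open one comma-separated port list for a protocol in one direction.
# $1 = chain (INPUT|OUTPUT), $2 = protocol (tcp|udp), $3 = port list
open_ports() {
  chain=$1; proto=$2; list=$3
  for port in $(printf '%s' "$list" | tr ',' ' '); do
    ipt -A "$chain" -p "$proto" --dport "$port" -m conntrack --ctstate NEW -j ACCEPT
  done
}

build_rules() {
  # 1. Reload safely: open the policies before flushing so an existing SSH session
  #    is not cut off while the rule set is empty.
  ipt -P INPUT ACCEPT
  ipt -P OUTPUT ACCEPT
  ipt -P FORWARD ACCEPT
  ipt -F
  ipt -X
  # 2. Loopback and already-established traffic come first.
  ipt -A INPUT -i lo -j ACCEPT
  ipt -A OUTPUT -o lo -j ACCEPT
  ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  ipt -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  ipt -A INPUT -m conntrack --ctstate INVALID -j DROP
  # 3. Open individual ports per protocol and direction.
  open_ports INPUT tcp "$TCP_IN"
  open_ports OUTPUT tcp "$TCP_OUT"
  open_ports INPUT udp "$UDP_IN"
  open_ports OUTPUT udp "$UDP_OUT"
  # 4. Only now flip the policies to DROP: anything not matched above is discarded.
  ipt -P INPUT DROP
  ipt -P OUTPUT DROP
  ipt -P FORWARD DROP
}

# Number of commands a dry run emits; a quick sanity check before using APPLY=1.
rule_count() {
  build_rules | wc -l | tr -d ' '
}

build_rules
```

Run without arguments to see the plan; the point to notice is that the ESTABLISHED,RELATED rules are inserted before the policies are switched to DROP, which is the order that keeps a live administrative session alive across a reload.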

File | Description |
---|---|
/etc/csf/ | configuration files |
/var/lib/csf/ | temporary data files |
/usr/local/csf/bin/ | scripts |
/usr/local/csf/lib/ | Perl modules and static data |
/usr/local/csf/tpl/ | email alert templates |

File | Description |
---|---|
/etc/csf/csf.conf | The main configuration file. |
/etc/csf/csf.allow | A list of IPs and CIDR addresses that should always be allowed through the firewall. |
/etc/csf/csf.deny | A list of IPs and CIDR addresses that should never be allowed through the firewall. |
/etc/csf/csf.ignore | A list of IPs and CIDR addresses that the login failure daemon should ignore and not block if detected. |
/etc/csf/csf.*ignore | Various ignore files that list files, users and IPs that the login failure daemon should ignore. |
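Because csf.allow entries are always let through and csf.deny entries never, the same address appearing in both is a contradiction worth catching, as is a malformed entry that the firewall can never match. The following added example (not CSF's own code) checks two such lists; it assumes the list format is one IPv4 address or CIDR per line with an optional trailing `# comment`, and the two sample files it reads are constructed inline.

```shell
#!/bin/sh
# Added example, not CSF's own code: a read-only sanity check for csf.allow- and
# csf.deny-style lists. Assumed format: one IPv4 address or CIDR per line, optional
# trailing "# comment", blank lines and lines beginning with "#" ignored.
# The two sample files below are constructed for this example.
ALLOW_FILE=$(mktemp)
DENY_FILE=$(mktemp)
trap 'rm -f "$ALLOW_FILE" "$DENY_FILE"' EXIT

cat > "$ALLOW_FILE" <<'EOF'
# office range, never block
203.0.113.0/24 # office
198.51.100.7   # monitoring host
EOF

cat > "$DENY_FILE" <<'EOF'
192.0.2.44 # repeated SSH login failures
198.51.100.7 # manual block
300.1.1.1 # typo: not a valid IPv4 address
EOF

# Dotted-quad IPv4 with an optional /0-32 prefix.
IPV4_OCTET='([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])'
IPV4_ENTRY="^($IPV4_OCTET\\.){3}$IPV4_OCTET(/([0-9]|[12][0-9]|3[0-2]))?$"

# Print the address field of each live entry (comments and blank lines removed).
entries() {
  sed -e 's/#.*//' -e 's/[[:space:]]*$//' -e '/^[[:space:]]*$/d' "$1"
}

# Print entries that are not a valid IPv4 address or CIDR.
invalid_entries() {
  entries "$1" | grep -Ev "$IPV4_ENTRY" || true
}

# Print addresses listed in both files: allow says "always", deny says "never",
# so one of the two entries is wrong and should be removed.
conflicts() {
  allow_tmp=$(mktemp)
  entries "$1" | sort -u > "$allow_tmp"
  entries "$2" | sort -u | grep -Fxf "$allow_tmp" || true
  rm -f "$allow_tmp"
}

echo "== entries present in both allow and deny =="
conflicts "$ALLOW_FILE" "$DENY_FILE"
echo "== malformed entries in the deny list =="
invalid_entries "$DENY_FILE"
```

The check only reads the lists; point `ALLOW_FILE` and `DENY_FILE` at /etc/csf/csf.allow and /etc/csf/csf.deny to run it against a real installation. It compares exact entries only, so a single address covered by a CIDR in the other list is not reported.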
You can view the CSF command line options by issuing the following command:

```sh
csf -h
```

Option | Description |
---|---|
-h, --help | Show the help message |
-l, --status | List/Show the IPv4 iptables configuration |
-l6, --status6 | List/Show the IPv6 ip6tables configuration |
-s, --start | Start the firewall rules |
-f, --stop | Flush/Stop firewall rules (Note: lfd may restart csf) |
-r, --restart | Restart firewall rules (csf) |
-q, --startq | Quick restart (csf restarted by lfd) |
-sf, --startf | Force CLI restart regardless of LFDSTART setting |
-ra, --restartall | Restart firewall rules (csf) and then restart lfd daemon |
--lfd [stop,start,restart,status] | Actions to take with the lfd daemon |
-a, --add ip [comment] | Allow an IP and add to /etc/csf/csf.allow |
-ar, --addrm ip | Remove an IP from /etc/csf/csf.allow and delete rule |
-d, --deny ip [comment] | Deny an IP and add to /etc/csf/csf.deny |
-dr, --denyrm ip | Unblock an IP and remove from /etc/csf/csf.deny |
-df, --denyf | Remove and unblock all entries in /etc/csf/csf.deny |
-g, --grep ip | Search the iptables and ip6tables rules for a match (e.g. IP, CIDR, Port Number) |
-i, --iplookup ip | Lookup IP address geographical information using CC_LOOKUPS setting in /etc/csf/csf.conf |
-t, --temp | Displays the current list of temporary allow and deny IP entries with their TTL and comment |
-tr, --temprm ip | Remove an IP from the temporary IP ban or allow list |
-td, --tempdeny ip ttl [-p port] [-d direction] [comment] | Add an IP to the temp IP ban list. ttl is how long to block for (default: seconds; one suffix of h/m/d may be used) |
-ta, --tempallow ip ttl [-p port] [-d direction] [comment] | Add an IP to the temp IP allow list (default:inout) |
-tf, --tempf | Flush all IPs from the temporary IP entries |
-cp, --cping | PING all members in an lfd Cluster |
-cd, --cdeny ip | Deny an IP in a Cluster and add to /etc/csf/csf.deny |
-ca, --callow ip | Allow an IP in a Cluster and add to /etc/csf/csf.allow |
-car, --carm ip | Remove allowed IP in a Cluster and remove from /etc/csf/csf.allow |
-cr, --crm ip | Unblock an IP in a Cluster and remove from /etc/csf/csf.deny |
-cc, --cconfig [name] [value] | Change configuration option [name] to [value] in a Cluster |
-cf, --cfile [file] | Send [file] in a Cluster to /etc/csf/ |
-crs, --crestart | Cluster restart csf and lfd |
-w, --watch ip | Log SYN packets for an IP across iptables chains |
-m, --mail [email] | Display Server Check in HTML or email to [email] if present |
--rbl [email] | Process and display RBL Check in HTML or email to [email] if present |
-lr, --logrun | Initiate Log Scanner report via lfd |
-p, --ports | View ports on the server that have a running process behind them listening for external connections |
--graphs [graph type] [directory] | Generate System Statistics html pages and images for a given graph type into a given directory |
--profile [command] [profile,backup] [profile,backup] | Configuration profile functions for /etc/csf/csf.conf |
-c, --check | Check for updates to csf but do not upgrade |
-u, --update | Check for updates to csf and upgrade if available |
-uf | Force an update of csf whether an upgrade is required or not |
-x, --disable | Disable csf and lfd completely |
-e, --enable | Enable csf and lfd if previously disabled |
-v, --version | Show csf version |