Firewall

ConfigServer Firewall (CSF)

ConfigServer Firewall is a Stateful Packet Inspection (SPI) iptables firewall that is straightforward, easy and flexible to configure and secure, with extra checks to ensure smooth operation.

CSF principles

The idea behind CSF is to block everything and then allow through only those connections that you want. In iptables this is done by DROPPING all connections in and out of the server on all protocols by default, then allowing traffic in and out that belongs to existing (established) connections, and then opening incoming and outgoing ports individually for both TCP and UDP. This way we can control exactly what traffic is allowed in and out of the server, which helps protect it from malicious attack.
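As an added illustration of that default-deny ordering (this is not CSF's own code; CSF builds a much larger ruleset with its own chains), the following POSIX shell script emits a minimal equivalent iptables ruleset from csf.conf-style TCP_IN, TCP_OUT, UDP_IN and UDP_OUT port lists. The variable names mirror the csf.conf settings, but the values below are constructed samples, not CSF defaults. The script prints the iptables commands instead of running them, so the result can be reviewed and then piped into `sh` as root to apply.

```shell
#!/bin/sh
# Added example, not CSF's own code: emit a default-deny iptables ruleset in
# the order described in the text. Port lists use the csf.conf comma-separated
# form (single ports or low:high ranges); these values are constructed samples.
TCP_IN=${TCP_IN:-"22,80,443"}
TCP_OUT=${TCP_OUT:-"53,80,443"}
UDP_IN=${UDP_IN:-""}
UDP_OUT=${UDP_OUT:-"53,123"}

# Print one ACCEPT rule per port for the given chain and protocol.
# $1 = INPUT or OUTPUT, $2 = tcp or udp, $3 = comma-separated port list.
# Returns 1 (and prints nothing further) on a malformed port entry.
emit_port_rules() {
    chain=$1; proto=$2; list=$3
    if [ -z "$list" ]; then return 0; fi
    old_ifs=$IFS; IFS=,
    for port in $list; do
        case "$port" in
            ''|*[!0-9:]*)
                echo "invalid port '$port' in $chain/$proto list" >&2
                IFS=$old_ifs; return 1 ;;
        esac
        echo "iptables -A $chain -p $proto --dport $port -j ACCEPT"
    done
    IFS=$old_ifs
    return 0
}

# Emit the complete ruleset: default DROP, loopback, established traffic,
# then the individually opened ports per direction and protocol.
build_rules() {
    # 1. Flush and drop everything by default on every chain.
    echo "iptables -F"
    echo "iptables -P INPUT DROP"
    echo "iptables -P OUTPUT DROP"
    echo "iptables -P FORWARD DROP"
    # Loopback must stay open or local services break.
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A OUTPUT -o lo -j ACCEPT"
    # 2. Allow packets that belong to connections already in the state table.
    echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # 3. Open ports individually, per direction and per protocol.
    emit_port_rules INPUT  tcp "$TCP_IN"  || return 1
    emit_port_rules OUTPUT tcp "$TCP_OUT" || return 1
    emit_port_rules INPUT  udp "$UDP_IN"  || return 1
    emit_port_rules OUTPUT udp "$UDP_OUT" || return 1
}

# Usage: sh csf_like_rules.sh --print            (review the ruleset)
#        sh csf_like_rules.sh --print | sudo sh  (apply it)
case "${1:-}" in
    --print) build_rules ;;
esac
```

Because the policy lines come first, any port not listed in one of the four variables is dropped in that direction; note that outgoing DNS (UDP 53 in UDP_OUT) is included in the sample because a server with OUTPUT set to DROP and no UDP_OUT entry cannot resolve names.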

Directory structure

File                  Description
/etc/csf/             configuration files
/var/lib/csf/         temporary data files
/usr/local/csf/bin/   scripts
/usr/local/csf/lib/   perl modules and static data
/usr/local/csf/tpl/   email alert templates

Configuration Files

File                  Description
/etc/csf/csf.conf     The main configuration file.
/etc/csf/csf.allow    A list of IPs and CIDR addresses that should always be allowed through the firewall.
/etc/csf/csf.deny     A list of IPs and CIDR addresses that should never be allowed through the firewall.
/etc/csf/csf.ignore   A list of IPs and CIDR addresses that the login failure daemon should ignore and not block if detected.
/etc/csf/csf.*ignore  Various ignore files that list files, users and IPs that the login failure daemon should ignore.
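A check worth running before a restart is that csf.allow and csf.deny contain only well-formed entries and that no address sits in both lists. The following POSIX shell script is an added example, not CSF's own code or tooling: it assumes the simple one-entry-per-line format (an IPv4 address or CIDR, optionally followed by a `# comment`), validates each entry, and reports addresses that appear in both files so the operator can decide which entry was intended. IPv6 and any other entry syntax CSF may accept are not handled, and the two sample files it writes are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not CSF's own code: sanity-check csf.allow / csf.deny style
# lists. Assumed format: one IPv4 address or IPv4 CIDR per line, optional
# "# comment", blank lines and full-line comments allowed.

# Return 0 if $1 is a dotted-quad IPv4 address or an IPv4 CIDR (a.b.c.d/n).
valid_ipv4_cidr() {
    addr=${1%/*}
    case "$1" in
        */*) prefix=${1#*/}
             case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
             [ "$prefix" -le 32 ] || return 1 ;;
    esac
    # Reject empty octets (leading, trailing or doubled dots) up front.
    case "$addr" in ''|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $addr
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in *[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print the bare entry from one list line: comment stripped, whitespace
# trimmed; prints nothing for blank or comment-only lines.
list_entry() {
    line=${1%%#*}
    printf '%s' "$line" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//'
}

# Report malformed entries in one file ("BAD file: entry" per line);
# returns 0 only when every entry is well-formed.
check_list() {
    file=$1; bad=0
    while IFS= read -r raw || [ -n "$raw" ]; do
        entry=$(list_entry "$raw")
        [ -n "$entry" ] || continue
        if ! valid_ipv4_cidr "$entry"; then
            echo "BAD $file: $entry"
            bad=$((bad + 1))
        fi
    done < "$file"
    [ "$bad" -eq 0 ]
}

# Print the distinct entries of one file, one per line.
entries() {
    while IFS= read -r raw || [ -n "$raw" ]; do
        e=$(list_entry "$raw")
        [ -n "$e" ] && echo "$e"
    done < "$1" | sort -u
}

# Print entries present in both files (exact textual match only; a CIDR in
# one file overlapping a single address in the other is not detected).
list_conflicts() {
    { entries "$1"; entries "$2"; } | sort | uniq -d
}

# Write constructed sample lists into directory $1 (documentation ranges only).
write_samples() {
    printf '%s\n' '# constructed sample csf.allow' \
        '192.0.2.10 # office gateway' \
        '198.51.100.7 # monitoring host' \
        '10.0.0.0/8' > "$1/csf.allow"
    printf '%s\n' '# constructed sample csf.deny' \
        '203.0.113.45 # repeated login failures' \
        '198.51.100.7' \
        '203.0.113.300 # typo: octet out of range' > "$1/csf.deny"
}

# Usage: sh check_csf_lists.sh --demo
case "${1:-}" in
    --demo)
        dir=$(mktemp -d)
        write_samples "$dir"
        check_list "$dir/csf.allow" || echo "csf.allow has malformed entries"
        check_list "$dir/csf.deny"  || echo "csf.deny has malformed entries"
        echo "entries present in both files:"
        list_conflicts "$dir/csf.allow" "$dir/csf.deny"
        rm -r "$dir" ;;
esac
```

To check the live files, call `check_list /etc/csf/csf.allow`, `check_list /etc/csf/csf.deny` and `list_conflicts /etc/csf/csf.allow /etc/csf/csf.deny` from a shell that has sourced the script.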

CSF Command Line Options

You can view the CSF command line options by issuing the following command:

csf -h

-h, --help
    Show the help message
-l, --status
    List/Show the IPv4 iptables configuration
-l6, --status6
    List/Show the IPv6 ip6tables configuration
-s, --start
    Start the firewall rules
-f, --stop
    Flush/Stop firewall rules (Note: lfd may restart csf)
-r, --restart
    Restart firewall rules (csf)
-q, --startq
    Quick restart (csf restarted by lfd)
-sf, --startf
    Force CLI restart regardless of LFDSTART setting
-ra, --restartall
    Restart firewall rules (csf) and then restart lfd daemon
--lfd [stop,start,restart,status]
    Actions to take with the lfd daemon
-a, --add ip [comment]
    Allow an IP and add to /etc/csf/csf.allow
-ar, --addrm ip
    Remove an IP from /etc/csf/csf.allow and delete rule
-d, --deny ip [comment]
    Deny an IP and add to /etc/csf/csf.deny
-dr, --denyrm ip
    Unblock an IP and remove from /etc/csf/csf.deny
-df, --denyf
    Remove and unblock all entries in /etc/csf/csf.deny
-g, --grep ip
    Search the iptables and ip6tables rules for a match (e.g. IP, CIDR, Port Number)
-i, --iplookup ip
    Lookup IP address geographical information using CC_LOOKUPS setting in /etc/csf/csf.conf
-t, --temp
    Displays the current list of temporary allow and deny IP entries with their TTL and comment
-tr, --temprm ip
    Remove an IP from the temporary IP ban or allow list
-td, --tempdeny ip ttl [-p port] [-d direction] [comment]
    Add an IP to the temp IP ban list. ttl is how long to block for (default: seconds, can use one suffix of h/m/d)
-ta, --tempallow ip ttl [-p port] [-d direction] [comment]
    Add an IP to the temp IP allow list (default: inout)
-tf, --tempf
    Flush all IPs from the temporary IP entries
-cp, --cping
    PING all members in an lfd Cluster
-cd, --cdeny ip
    Deny an IP in a Cluster and add to /etc/csf/csf.deny
-ca, --callow ip
    Allow an IP in a Cluster and add to /etc/csf/csf.allow
-car, --carm ip
    Remove allowed IP in a Cluster and remove from /etc/csf/csf.allow
-cr, --crm ip
    Unblock an IP in a Cluster and remove from /etc/csf/csf.deny
-cc, --cconfig [name] [value]
    Change configuration option [name] to [value] in a Cluster
-cf, --cfile [file]
    Send [file] in a Cluster to /etc/csf/
-crs, --crestart
    Cluster restart csf and lfd
-w, --watch ip
    Log SYN packets for an IP across iptables chains
-m, --mail [email]
    Display Server Check in HTML or email to [email] if present
--rbl [email]
    Process and display RBL Check in HTML or email to [email] if present
-lr, --logrun
    Initiate Log Scanner report via lfd
-p, --ports
    View ports on the server that have a running process behind them listening for external connections
--graphs [graph type] [directory]
    Generate System Statistics html pages and images for a given graph type into a given directory
--profile [command] [profile,backup] [profile,backup]
    Configuration profile functions for /etc/csf/csf.conf
-c, --check
    Check for updates to csf but do not upgrade
-u, --update
    Check for updates to csf and upgrade if available
-uf
    Force an update of csf whether an upgrade is required or not
-x, --disable
    Disable csf and lfd completely
-e, --enable
    Enable csf and lfd if previously disabled
-v, --version
    Show csf version