Last updated: 20 June 2021
Although CSF has a graphical interface for WHM, you might prefer to manage the firewall using the command line. This article covers the most common command line options. I am assuming that you are familiar with how CSF works. Please see my article about managing CSF via WHM if you need a refresher.
The CSF command line options are unusual in that some short options have more than one character. For instance, the utility has an -a
and -r
option, as well as an -ar
and -ra
option. To avoid ambiguous commands it is best to use always the long options.
The -a
option I just mentioned is used to add an IP address to /etc/csf/csf.allow. The long option is --add
. As you would expect, the option takes an IP address as its argument. CIDR notation is allowed and you can optionally add a comment.
To illustrate, here I allow the IP address 11.22.33.44. The comment is just a note that explains why I allowed the IP address.
# csf --add 11.22.33.44 useful analytics tool
You can use the --addrm
option to remove an IP address from the csf.allow. This doesn’t block the IP. It purely means that the IP is no longer on the allow list.
The option to deny an IP is --deny
. As with adding an IP, you can add a comment. For instance, to deny the IP 11.22.33.44 and prevent the IP is removed from the csf.deny file you can use this command:
# csf --deny 11.22.33.55 do not delete
You can unblock IPs using --denyrm
. As with the --addrm
option, this doesn’t allow the IP. It is only removed from csf.deny. Also, it is worth noting that the entry is not removed if it has the special “do not delete” comment.
There is no command line option to add an IP address to /etc/csf/csf.ignore. As explained in the article about managing CSF via WHM, the file should only list IPs that are known and trusted. You can of course edit the file manually.
You can temporarily allow or deny an IP address using --tempallow
and --tempdeny
. Both options take two required and three optional arguments. You always have to enter the IP address and the time the rule should be active. So, to deny an IP address for one hour you can use this command:
# csf --tempdeny 11.22.33.66 1h
You can specify one or more ports by adding the -p
option and the “direction” with the -d
flag. The latter option can be one of in, out or inout. So, the direction specifies if the rule applies to incoming traffic, outgoing traffic or both. The default is in. The final optional argument is a comment.
To give an example, the following command allows the IP 11.22.33.77 access to port 3306 for a day:
# csf --tempallow 11.22.33.77 1d -p 3306 database access allowed for one day
You can view all temporary rules using csf --temp
:
# csf --temp A/D IP address Port Dir Time To Live Comment DENY 11.22.33.66 * in 59m 14s Manually added: 11.22.33.66 ALLOW 11.22.33.77 3306 inout 23h 59m 42s database access allowed for today
You can remove a temporary rule using --temprm
(as in csf --temprm 11.22.33.77
). And, --tempf
flushes all temporary rules.
There are a few other handy CSF options I use regularly. The first is --ports
, which lists open ports and the services that are using them:
# csf --ports Ports listening for external connections and the executables running behind them: Port/Proto Open Conn PID/User Command Line Executable 21/tcp 4/6 - (1279/root) pure-ftpd (SERVER) /usr/sbin/pure-ftpd 22/tcp 4/6 3 (867/root) /usr/sbin/sshd -D /usr/sbin/sshd 25/tcp 4/6 3 (1242/mailnull) /usr/sbin/exim ... /usr/sbin/exim 80/tcp 4/6 2 (1190/root) litespeed (lshttpd) /usr/local/lsws/bin/lshttpd ...
And the --iplookup
option can often tell you the geolocation of an IP address:
# csf --iplookup 223.27.255.204 223.27.255.204 (TH/Thailand/-)
If you want to learn about CSF, the man page (man 1 csf
) provides a brief overview of the available commands, while the somewhat dated /etc/csf/readme.txt file contains lots of information about how CSF works and how it can be configured. As always, we can also answer any questions you might have about the firewall.