Home · Configuration Guide

• Workflow-oriented CLI usage patterns for daily CSF operations.
• Covers service lifecycle, allow/deny, temporary controls, port management, and diagnostics.
• Emphasizes safe procedures, lockout prevention, and operational context.

csf -h          # full command help
man csf         # manual page

CSF has two independent components: the firewall rule engine (csf) and the log-scanning daemon (lfd). Most operations require restarting both.

⚠️ Lockout warning. csf -f flushes all firewall rules immediately. On a remote server with no console/IPMI access, this can lock you out. Always ensure you have out-of-band access before using flush on a live server.

When to use -r vs -ra: Use csf -ra after any change to csf.conf or LFD-related settings — it restarts both CSF and LFD so all changes take effect. Use csf -r only when you know the change affects firewall rules alone (e.g., editing csf.allow/csf.deny without config changes).

Advanced restart variants:

• csf -q — tells LFD to schedule a CSF restart shortly (useful from scripts to avoid overlapping restarts).
• csf -sf — forces a CLI restart regardless of the LFDSTART setting.

The core IP management cycle: allow trusted IPs, deny bad actors, search for entries.

Adding entries:

csf -a 203.0.113.10 Trusted admin endpoint
csf -d 198.51.100.25 Abuse source

Always include a descriptive comment — comments are timestamped automatically and help future operators understand why the entry exists.

Removing entries:

csf -ar 203.0.113.10    # remove from allow list
csf -dr 198.51.100.25   # remove from deny list
csf -df                  # clear ALL deny entries (use with caution)

Searching: Use csf -g to search across all rules, lists, and iptables chains:

csf -g 203.0.113.10     # find an IP in any list or chain
csf -g 22               # find rules affecting port 22

Pro-Tip: csf -g (grep) is your most powerful diagnostic tool. It searches csf.allow, csf.deny, csf.ignore, temporary lists, and the live iptables/ipset state simultaneously.

⚠️ Lockout warning. csf -f flushes all firewall rules immediately. csf -r / csf -ra reloads them. On a remote server with no console/IPMI access, any error in config or a missing allow-entry can lock you out during these operations. Always verify your own IP is in csf.allow before reloading.

Tip: For file-level editing (direct edits to csf.allow / csf.deny), comment syntax differs from CLI syntax. See csf Command Line Options → Comment and rotation behavior for details.

Temporary blocks are the safest approach during active incidents — they expire automatically, preventing accidental permanent blocks from forgotten entries.

Workflow:

1. Apply a temporary deny during investigation:

   csf -td 198.51.100.25 1h -d in Brute-force burst

2. Monitor behavior in /var/log/lfd.log.
3. If the threat persists, promote to permanent: csf -d 198.51.100.25 Confirmed abuse.
4. If resolved, the temp entry expires on its own — or remove early: csf -tr 198.51.100.25.

Temporary allow (for emergency maintenance windows):

csf -ta 203.0.113.10 30m -d inout Emergency maintenance

Management commands:

Best practice: Observe temporary blocks before promoting to permanent. Quick promotion without investigation can mask the real issue or block legitimate traffic.

When adding services that need new ports, use the CLI helpers to modify csf.conf port lists safely:

csf --addport TCP_IN:2215      # add port to TCP_IN
csf --removeport TCP_IN:2215   # remove port from TCP_IN
csf --listports                # show current port config
csf -p                         # list all listening ports

After port changes, always restart: csf -ra.

Before first use or after kernel/network changes:

perl /etc/csf/csftest.pl    # validate netfilter modules and capabilities

Inspecting active rules:

csf -l                       # list IPv4 iptables rules
csf -l6                      # list IPv6 ip6tables rules

Log monitoring:

tail -f /var/log/lfd.log     # live LFD activity stream
tail -n 100 /var/log/lfd.log # recent 100 entries

This is the standard procedure for any CSF configuration change:

1. Validate capabilities — run csftest.pl before major policy edits or after kernel changes.
2. Apply changes — edit config files or use CLI commands.
3. Reload — run csf -ra to restart both CSF and LFD.
4. Verify — check /var/log/lfd.log for errors or unexpected behavior.
5. Confirm access — verify your own admin access still works (especially after allow/deny changes).

• Cloudflare controls: CloudFlare
• Cluster operations: LFD Clustering
• Temporary block lifecycle/reporting: Block Reporting
• IPv6 rollout and validation: IPv6 Deployment & Hardening
• External hook scripts: External Pre- and Post- Scripts
• Full command syntax reference: Cheatsheet: Commands
• Config file and Include reference: csf Command Line Options

Last reviewed: 2026-02-27

← Configuration Guide · Performance & Scale Tuning →