CSF Command Line Options

October 20, 2015 — Leave a comment

Knowing the csf (ConfigServer Firewall) flags will help you to quickly get things done via command line – instead of loading up the GUI every single time.

(If you don’t use CSF yet, here’s a quick guide on installing it: Install CSF/LFD)

Here are some of the flags I use all the time.

csf -r (Restart CSF)
csf -d (quick deny an ip: csf -d xxx.xxx.xxx.xxx)
csf -a (quick allow / whitelist an ip: csf -a xxx.xxx.xxx.xxx)
csf -dr (unblock an ip and remove from the deny list: csf -dr xxx.xxx.xxx.xxx)

Here are all of them:
Usage: /usr/sbin/csf [option] [value]

Option Meaning
-h, –help Show this message
-l, –status List/Show iptables configuration
-l6, –status6 List/Show ip6tables configuration
-s, –start Start firewall rules
-f, –stop Flush/Stop firewall rules (Note: lfd may restart csf)
-r, –restart Restart firewall rules
-q, –startq Quick restart (csf restarted by lfd)
-sf, –startf Force CLI restart regardless of LFDSTART setting
-a, –add ip Allow an IP and add to /etc/csf.allow
-ar, –addrm ip Remove an IP from /etc/csf.allow and delete rule
-d, –deny ip Deny an IP and add to /etc/csf.deny
-dr, –denyrm ip Unblock an IP and remove from /etc/csf.deny
-df, –denyf Remove and unblock all entries in /etc/csf.deny
-g, –grep ip Search the iptables rules for an IP match (incl. CIDR)
-t, –temp Displays the current list of temp IP entries and their TTL
-tr, –temprm ip Remove an IPs from the temp IP ban and allow list
-td, –tempdeny ip ttl [-p port] [-d direction]
Add an IP to the temp IP ban list. ttl is how long to
blocks for (default:seconds, can use one suffix of h/m/d).
Optional port. Optional direction of block can be one of:
in, out or inout (default:in)
-ta, –tempallow ip ttl [-p port] [-d direction]
Add an IP to the temp IP allow list (default:inout)
-tf, –tempf Flush all IPs from the temp IP entries
-cp, –cping PING all members in an lfd Cluster
-cd, –cdeny ip Deny an IP in a Cluster and add to /etc/csf.deny
-ca, –callow ip Allow an IP in a Cluster and add to /etc/csf.allow
-cr, –crm ip Unblock an IP in a Cluster and remove from /etc/csf.deny
-cc, –cconfig [name] [value]
Change configuration option [name] to [value] in a Cluster
-cf, –cfile [file] Send [file] in a Cluster to /etc/csf/
-crs, –crestart Cluster restart csf and lfd
-w, –watch ip Log SYN packets for an IP across iptables chains
-m, –mail [addr] Display Server Check in HTML or email to [addr] if present
-lr, –logrun Initiate Log Scanner report via lfd
-c, –check Check for updates to csf but do not upgrade
-u, –update Check for updates to csf and upgrade if available
-uf Force an update of csf
-x, –disable Disable csf and lfd
-e, –enable Enable csf and lfd if previously disabled
-v, –version Show csf version




No Comments

Be the first to start the conversation.

Leave a Reply