This is a quick and dirty cheatsheet that covers some useful ConfigServer Firewall (CSF) SSH command line commands ConfigServer Firewall (CSF).

CSF Firewall logo - CSF


Basic CSF configuration files:

  • csf.conf  – main configuration file for CSF
  • csf.allow  – allowed IP’s and CIDR addresses list on the firewall
  • csf.deny  – denied IP’s and CIDR addresses list on the firewall.
  • csf.ignore  -ignored IP’s and CIDR addresses list on the firewall.
  • csf.*ignore  – ignore files of users, IP’s.

All configuration files:

List of port and/or IP address assignments to direct traffic to alternative ports/IP addresses.


List of Reseller accounts that you want to allow access to limited csf functionality.


List of directories and files that you want to be alerted when they change.


List of log files for the UI System Log Watch and Search features.


List of log files for the LOGSCANNER feature.


List of regular expressions for the LOGSCANNER feature.


File contains definitions to IP BLOCK lists.


List of executables (exe) command lines (cmd) and usernames (user) that lfd process tracking will ignore.


List of domains and partial domain that lfd process tracking will ignore based on reverse and forward DNS lookups.


List of files that lfd directory watching will ignore.


List of files that LF_SCRIPT_ALERT will ignore.


List of usernames that are ignored during the LF_EXPLOIT.


List of user ID’s (UID) that are ignored by the User ID Tracking feature.


List of usernames and local IP addresses that RT_LOCALRELAY_ALERT will ignore.


This file is to list any server configured IP addresses for which you don’t want to allow any incoming or outgoing traffic.


The following FQDN’s will be allowed through the firewall. This is controlled by lfd which checks the DNS resolution of the FQDN and adds the ip address into the ALLOWDYNIN and ALLOWDYNOUT iptables chains.


This file contains the usernames which should be allowed to log via syslog/rsyslog.


The following IP addresses will allow EXIM to advertise SMTP AUTH.


This file configures optional entries for the IP checking against RBLs within csf.


Show CSF version

csf -v 
csf --version 

Check for updates but do not upgrade

csf -c 
csf --check 

Check for updates and upgrade if available

csf -u 
csf --update 


csf -h 
csf --help 

Start / Stop

Enable CSF and LFD

csf -e 
csf --enable 

Disable CSF and LFD

csf -x 
csf --disable 

Restart firewall rules

csf -r 
csf --restart 

Start firewall rules

csf -s 
csf --start 

Stop (flush) firewall rules

csf -f 
csf --stop 

Permanent Allow / Deny

Check if IP is in any configuration file (deny, allow, temp block, etc.)

csf -g IP 
csf --grep IP 
grep IP /var/log/lfd.log 

Allow an IP (add it to /etc/csf/csf.allow)

csf -a IP 
csf --add IP [comment] 

Remove an IP from allow list (/etc/csf/csf.allow)

csf -ar IP 
csf --addrm IP 

Deny an IP (add it to /etc/csf/csf.deny)

csf -d IP 
csf --deny IP [comment] 

Unblock an IP (remove it from /etc/csf/csf.deny)

csf -dr 
csf --denyrm IP 

Temporary Allow / Deny

Add an IP to the temporary IP allow list

csf -ta IP ttl [-p port] [-d direction] [comment] 
csf --tempallow IP ttl [-p port] [-d direction] [comment] 

Add an IP to the temporary IP ban list

csf -td IP ttl [-p port] [-d direction] [comment] 
csf --tempdeny IP ttl [-p port] [-d direction] [comment] 

Remove an IP from the temporary IP ban list

csf -tr IP 
csf --temprm IP 

List all temporary allow and deny IP entries with their TTL and comment

csf -t 
csf --temp 

Flush all IPs from the temporary allow / ban lists

csf -tf 
csf --tempf 

List the IPtables configuration

List the IPv4 iptables configuration

csf -l 
csf --status 

List the IPv6 iptables configuration

csf -l6 
csf --status6 

Block countries

To allow/block access from countries add the country code in csf configuration file (/etc/csf/csf.conf)to allow access from a contry:

CC_ALLOW = "" 

to block access from a contry:

CC_DENY = "" 

Supported country codes:


Disable LFD Excesive resource usage alert

Open the CSF configuration file (/etc/csf/csf.conf) and set ‘PT_USERMEM’ to 0

[root@server #] nano /etc/csf/csf.conf
# This User Process Tracking option sends an alert if any linux user process
# exceeds the memory usage set (MB). To ignore specific processes or users use
# csf.pignore
# Set to 0 to disable this feature
PT_USERMEM = "200"

Set email address for LFD alerts

There is an option in CSF configuration file to set the email address for alerts

[root@server #] nano /etc/csf/csf.conf
LF_ALERT_TO = email@pcx3.com"

Enable remote access for MySQL

To enable remote access from and to MySQL servers, we need to enable port 3306Enable incoming remote MySQL access for an IP

[root@server #] nano /etc/csf/csf.allow

Enable outgoing remote MySQL access

[root@server #] nano /etc/csf/csf.allow

Prevent DOS attacks

One of the ways to use CSF to block a DOS attack is to use CT_LIMIT to define the number of connection from a single IP addressLimit number of connections from an IP to 50

[root@server #] nano /etc/csf/csf.conf
# To disable this feature, set this to 0
CT_LIMIT = "50"

Specify the port numbers on which to limit connections

[root@server #] nano /etc/csf/csf.conf
# Leave this option empty to count all ports against CT_LIMIT
CT_PORTS = "80,53,22"

We need your help!

Do you know a command that we haven’t included in this CSF CheatSheet?

Help us keep the VMware Config Server Firewall CheatSheet up-to-date and enrich it by sharing the CSF commands that you know with other system administrators.

Share your knowledge