This is a quick and dirty cheatsheet that covers some useful ConfigServer Firewall (CSF) SSH command-line commands.

CSF configuration files:

  • csf.conf – main configuration file for CSF
  • csf.allow – list of IPs and CIDR addresses allowed through the firewall
  • csf.deny – list of IPs and CIDR addresses denied by the firewall
  • csf.ignore – list of IPs and CIDR addresses ignored by the firewall
  • csf.*ignore – ignore files for users and IPs
Show CSF version
csf -v 
csf --version 
Check for updates but do not upgrade
csf -c 
csf --check 
Check for updates and upgrade if available
csf -u 
csf --update 
Show help
csf -h 
csf --help 
Enable CSF and LFD
csf -e 
csf --enable 
Disable CSF and LFD
csf -x 
csf --disable 
Restart firewall rules
csf -r 
csf --restart 
Start firewall rules
csf -s 
csf --start 
Stop (flush) firewall rules
csf -f 
csf --stop 
Check if IP is in any configuration file (deny, allow, temp block, etc.)
csf -g IP 
csf --grep IP 
grep IP /var/log/lfd.log 
Allow an IP (add it to /etc/csf/csf.allow)
csf -a IP 
csf --add IP [comment] 
Remove an IP from allow list (/etc/csf/csf.allow)
csf -ar IP 
csf --addrm IP 
Deny an IP (add it to /etc/csf/csf.deny)
csf -d IP 
csf --deny IP [comment] 
Unblock an IP (remove it from /etc/csf/csf.deny)
csf -dr IP 
csf --denyrm IP 
Add an IP to the temporary IP allow list
csf -ta IP ttl [-p port] [-d direction] [comment] 
csf --tempallow IP ttl [-p port] [-d direction] [comment] 
Add an IP to the temporary IP ban list
csf -td IP ttl [-p port] [-d direction] [comment] 
csf --tempdeny IP ttl [-p port] [-d direction] [comment] 
Remove an IP from the temporary IP ban list
csf -tr IP 
csf --temprm IP 
List all temporary allow and deny IP entries with their TTL and comment
csf -t 
csf --temp 
Flush all IPs from the temporary allow / ban lists
csf -tf 
csf --tempf 
List the IPv4 iptables configuration
csf -l 
csf --status 
List the IPv6 iptables configuration
csf -l6 
csf --status6 
To allow or block access from specific countries, add the country code to the CSF configuration file (/etc/csf/csf.conf)
To allow access from a country:
CC_ALLOW = "" 
To block access from a country:
CC_DENY = "" 
Supported country codes:
Open the CSF configuration file (/etc/csf/csf.conf) and set ‘PT_USERMEM’ to 0
nano /etc/csf/csf.conf
# This User Process Tracking option sends an alert if any linux user process
# exceeds the memory usage set (MB). To ignore specific processes or users use
# csf.pignore
# Set to 0 to disable this feature
PT_USERMEM = "200"
There is an option in the CSF configuration file to set the email address for alerts
nano /etc/csf/csf.conf
LF_ALERT_TO = "[email protected]"
To enable remote access from and to MySQL servers, we need to enable port 3306
Enable incoming remote MySQL access for an IP
nano /etc/csf/csf.allow
Enable outgoing remote MySQL access
nano /etc/csf/csf.allow
One way to use CSF to block a DoS attack is to set CT_LIMIT, which defines the number of connections allowed from a single IP address
Limit number of connections from an IP to 50
nano /etc/csf/csf.conf
# To disable this feature, set this to 0
CT_LIMIT = "50"
Specify the port numbers on which to limit connections
nano /etc/csf/csf.conf
# Leave this option empty to count all ports against CT_LIMIT
CT_PORTS = "80,53,22"
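A dry-run check for the CT_LIMIT and CT_PORTS values above, as an added example that is not part of the original cheatsheet or of CSF itself: it counts connections per remote IP from `ss -tn`-style output, restricted to the listed local ports, and prints the IPs that exceed the limit. The function names `ct_offenders` and `sample_connections` and the sample data are constructed for illustration, and LFD's own counting may differ in detail.

```shell
#!/bin/sh
# Usage on a live host: ss -Htn | ct_offenders LIMIT PORTS
# Reads `ss -tn`-style lines (State Recv-Q Send-Q Local:Port Peer:Port) on stdin
# and prints "COUNT IP" for each peer IP holding more than LIMIT connections to
# one of the comma-separated local PORTS. Empty PORTS counts every port, which
# mirrors the csf.conf comment on CT_PORTS.
ct_offenders() {
    awk -v limit="$1" -v ports="$2" '
        BEGIN {
            n = split(ports, p, ",")
            for (i = 1; i <= n; i++) want[p[i]] = 1
        }
        $1 == "State" { next }                  # header line when -H is not used
        NF >= 5 {
            lport = $4; sub(/.*:/, "", lport)   # keep text after the last ":"
            ip = $5;    sub(/:[^:]*$/, "", ip)  # drop the trailing ":port"
            sub(/^\[/, "", ip); sub(/\]$/, "", ip)   # unwrap [IPv6] literals
            if (n == 0 || (lport in want)) count[ip]++
        }
        END {
            for (ip in count)
                if (count[ip] > limit) print count[ip], ip
        }
    ' | sort -rn
}

# Constructed sample (not real traffic): 51 connections to :80 from 203.0.113.7,
# 3 to :22 from 198.51.100.9, and 60 to :3306 from 192.0.2.44, a port that is
# not listed in CT_PORTS and is therefore not counted.
sample_connections() {
    i=0
    while [ "$i" -lt 60 ]; do
        [ "$i" -lt 51 ] && echo "ESTAB 0 0 10.0.0.5:80 203.0.113.7:$((40000 + i))"
        [ "$i" -lt 3 ]  && echo "ESTAB 0 0 10.0.0.5:22 198.51.100.9:$((50000 + i))"
        echo "ESTAB 0 0 10.0.0.5:3306 192.0.2.44:$((30000 + i))"
        i=$((i + 1))
    done
}

# Demo on the constructed sample with the values from this page.
sample_connections | ct_offenders 50 "80,53,22"   # prints: 51 203.0.113.7
```

Running it against live `ss -Htn` output before enabling CT_LIMIT shows which legitimate clients (proxies, monitoring hosts) would be caught and may need a csf.ignore entry first.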