Last updated: 20 June 2021

Although CSF has a graphical interface for WHM, you might prefer to manage the firewall using the command line. This article covers the most common command line options. I am assuming that you are familiar with how CSF works. Please see my article about managing CSF via WHM if you need a refresher.

The CSF command line options are unusual in that some short options have more than one character. For instance, the utility has an -a and -r option, as well as an -ar and -ra option. To avoid ambiguous commands it is best to use always the long options.

Allowing, ignoring and denying IPs

The -a option I just mentioned is used to add an IP address to /etc/csf/csf.allow. The long option is --add. As you would expect, the option takes an IP address as its argument. CIDR notation is allowed and you can optionally add a comment.

To illustrate, here I allow the IP address The comment is just a note that explains why I allowed the IP address.

# csf --add useful analytics tool

You can use the --addrm option to remove an IP address from the csf.allow. This doesn’t block the IP. It purely means that the IP is no longer on the allow list.

The option to deny an IP is --deny. As with adding an IP, you can add a comment. For instance, to deny the IP and prevent the IP is removed from the csf.deny file you can use this command:

# csf --deny do not delete

You can unblock IPs using --denyrm. As with the --addrm option, this doesn’t allow the IP. It is only removed from csf.deny. Also, it is worth noting that the entry is not removed if it has the special “do not delete” comment.

There is no command line option to add an IP address to /etc/csf/csf.ignore. As explained in the article about managing CSF via WHM, the file should only list IPs that are known and trusted. You can of course edit the file manually.

Temporary rules

You can temporarily allow or deny an IP address using --tempallow and --tempdeny. Both options take two required and three optional arguments. You always have to enter the IP address and the time the rule should be active. So, to deny an IP address for one hour you can use this command:

# csf --tempdeny 1h

You can specify one or more ports by adding the -p option and the “direction” with the -d flag. The latter option can be one of in, out or inout. So, the direction specifies if the rule applies to incoming traffic, outgoing traffic or both. The default is in. The final optional argument is a comment.

To give an example, the following command allows the IP access to port 3306 for a day:

# csf --tempallow 1d -p 3306 database access allowed for one day

You can view all temporary rules using csf --temp:

# csf --temp
A/D    IP address     Port   Dir   Time To Live     Comment
DENY      *    in    59m 14s          Manually added:
ALLOW    3306   inout 23h 59m 42s      database access allowed for today

You can remove a temporary rule using --temprm (as in csf --temprm And, --tempf flushes all temporary rules.

Other options

There are a few other handy CSF options I use regularly. The first is --ports, which lists open ports and the services that are using them:

# csf --ports
Ports listening for external connections and the executables running behind them:
Port/Proto Open Conn  PID/User             Command Line            Executable
21/tcp     4/6  -     (1279/root)          pure-ftpd (SERVER)      /usr/sbin/pure-ftpd
22/tcp     4/6  3     (867/root)           /usr/sbin/sshd -D       /usr/sbin/sshd
25/tcp     4/6  3     (1242/mailnull)      /usr/sbin/exim ...      /usr/sbin/exim
80/tcp     4/6  2     (1190/root)          litespeed (lshttpd)     /usr/local/lsws/bin/lshttpd

And the --iplookup option can often tell you the geolocation of an IP address:

# csf --iplookup (TH/Thailand/-)

If you want to learn about CSF, the man page (man 1 csf) provides a brief overview of the available commands, while the somewhat dated /etc/csf/readme.txt file contains lots of information about how CSF works and how it can be configured. As always, we can also answer any questions you might have about the firewall.