CSF CLI (Command Line Interface) Cheat Sheet

Useful CSF SSH Command Line Commands in a “cheat sheet” format.

Command	Description	Example
csf -s	Start the firewall rules	root@server[~]#csf -s
csf -f	Flush/Stop firewall rules (note: lfd may restart csf)	root@server[~]#csf -f
csf -r	Restart the firewall rules	root@server[~]#csf -r
csf -a [IP.add.re.ss] [comment]	Allow an IP(allow access to all ports) and add to /etc/csf/csf.allow	root@server[~]#csf -a 187.33.3.3 Home IP Address
csf -tr [IP.add.re.ss]	Remove an IP from the temporary IP ban or allow list.	root@server[~]#csf -tr 66.192.23.1
csf -tf	Flush all IPs from the temporary IP entries	root@server[~]#csf -tf
csf -d [IP.add.re.ss] [comment]	Deny an IP and add to /etc/csf/csf.deny	root@server[~]#csf -d 66.192.23.1 Blocked This Guy
csf -dr [IP.add.re.ss]	Unblock an IP and remove from /etc/csf/csf.deny	root@server[~]#csf -dr 66.192.23.1
csf -df	Remove and unblock all entries in /etc/csf/csf.deny	root@server[~]#csf -df
csf -g [IP.add.re.ss]	Search the iptables and ip6tables rules for a match (e.g. IP, CIDR, Port Number)	root@server[~]#csf -g 66.192.23.1
csf -t	Displays the current list of temporary allow and deny IP entries with their TTL and comment	root@server[~]#csf -t

Enable CSF Firewall: # csf -e

Disable CSF Firewall: # csf -x

Restart CSF/LFD Firewall (iptables rules and LFD service): #csf -ra

Restart LFD only: # service lfd restart

Check blocked IP reason (replace IP with the IP address): # csf -g IP grep “IP” /var/log/lfd.log

Block IP (temporarily for 24 hours, define in seconds): #csf -td IP 86400

Whitelist IP (allow access to all ports): #csf -a IP

Whitelist IP range /24 (allow access to all ports): #csf -a 192.168.0.0/24

Whitelist (temporarily) IP range /24 for 24 hours (allow access to all ports, define in seconds): #csf -ta 192.168.0.0/24 86400

Remove all temporary IP blocks: #csf -tf

and many more…