csf/csf.help

csf(1)							     General Commands Manual							  csf(1)

NAME
       csf - ConfigServer & Security Firewall

SYNOPSIS
       csf [OPTIONS]

DESCRIPTION
       This   manual   documents   the	csf  command  line  options  for  the  ConfigServer  &	Security  Firewall.  See  /etc/csf/csf.conf  and
       /etc/csf/readme.txt for more detailed information on how to use and configure this application.

OPTIONS
       -h,  --help
	      Show this message

       -l,  --status
	      List/Show the IPv4 iptables configuration

       -l6, --status6
	      List/Show the IPv6 ip6tables configuration

       -s,  --start
	      Start the firewall rules

       -f,  --stop
	      Flush/Stop firewall rules (Note: lfd may restart csf)

       -r,  --restart
	      Restart firewall rules (csf)

       -q,  --startq
	      Quick restart (csf restarted by lfd)

       -sf, --startf
	      Force CLI restart regardless of LFDSTART setting

       -ra, --restartall
	      Restart firewall rules (csf) and then restart lfd daemon. Both csf and then lfd should be restarted after making	any  changes  to
	      the configuration files

       --lfd [stop|start|restart|status]
	      Actions to take with the lfd daemon

       -a,  --add ip [comment]
	      Allow an IP and add to /etc/csf/csf.allow

       -ar, --addrm ip
	      Remove an IP from /etc/csf/csf.allow and delete rule

       -d,  --deny ip [comment]
	      Deny an IP and add to /etc/csf/csf.deny

       -dr, --denyrm ip
	      Unblock an IP and remove from /etc/csf/csf.deny

       -df, --denyf
	      Remove and unblock all entries in /etc/csf/csf.deny

       -g,  --grep ip
	      Search the iptables and ip6tables rules for a match (e.g. IP, CIDR, Port Number)

       -i,  --iplookup ip
	      Lookup IP address geographical information using CC_LOOKUPS setting in /etc/csf/csf.conf

       -t,  --temp
	      Displays the current list of temporary allow and deny IP entries with their TTL and comment

       -tr, --temprm ip
	      Remove an IP from the temporary IP ban or allow list

       -trd, --temprmd ip
	      Remove an IP from the temporary IP ban list only

       -tra, --temprma ip
	      Remove an IP from the temporary IP allow list only

       -td, --tempdeny ip ttl [-p port] [-d direction] [comment]
	      Add  an  IP  to the temp IP ban list. ttl is how long to blocks for (default:seconds, can use one suffix of h/m/d). Optional port.
	      Optional direction of block can be one of: in, out or inout (default:in)

       -ta, --tempallow ip ttl [-p port] [-d direction] [comment]
	      Add an IP to the temp IP allow list (default:inout)

       -tf, --tempf
	      Flush all IPs from the temporary IP entries

       -cp, --cping
	      PING all members in an lfd Cluster

       -cg, --cgrep ip
	      Requests the --grep output for IP from each member in an lfd Cluster

       -cd, --cdeny ip [comment]
	      Deny an IP in a Cluster and add to each remote /etc/csf/csf.deny

       -ctd, --ctempdeny ip ttl [-p port] [-d direction] [comment]
	      Add an IP in a Cluster to the temp IP ban list (default:in)

       -cr, --crm ip
	      Unblock an IP in a Cluster and remove from each remote /etc/csf/csf.deny and temporary list

       -ca, --callow ip [comment]
	      Allow an IP in a Cluster and add to each remote /etc/csf/csf.allow

       -cta, --ctempallow ip ttl [-p port] [-d direction] [comment]
	      Add an IP in a Cluster to the temp IP allow list (default:in)

       -car, --carm ip
	      Remove allowed IP in a Cluster and remove from each remote /etc/csf/csf.allow and temporary list

       -ci, --cignore ip [comment]
	      Ignore an IP in a Cluster and add to each remote /etc/csf/csf.ignore. Note: This will result in lfd being restarted

       -cir, --cirm ip
	      Remove ignored IP in a Cluster and remove from each remote /etc/csf/csf.ignore. Note: This will result in lfd being restarted

       -cc, --cconfig [name] [value]
	      Change configuration option [name] to [value] in a Cluster

       -cf, --cfile [file]
	      Send [file] in a Cluster to /etc/csf/

       -crs, --crestart
	      Cluster restart csf and lfd

       --trace [add|remove] ip
	      Log SYN packets for an IP across iptables chains. Note, this can create a LOT  of	 logging  information  in  /var/log/messages  so
	      should  only  be	used for a short period of time. This option requires the iptables TRACE module and access to the raw PREROUTING
	      chain to function

       -m,  --mail [email]
	      Display Server Check in HTML or email to [email] if present

       --rbl [email]
	      Process and display RBL Check in HTML or email to [email] if present

       -lr, --logrun
	      Initiate Log Scanner report via lfd

       -p, --ports
	      View ports on the server that have a running process behind them listening for external connections

       --graphs [graph type] [directory]
	      Generate System Statistics html pages and images for a given graph type into a given directory. See ST_SYSTEM for requirements

       --profile [command] [profile|backup] [profile|backup]
	      Configuration profile functions for /etc/csf/csf.conf
	      You can create your own profiles using the examples provided in /usr/local/csf/profiles/
	      The profile reset_to_defaults.conf is a special case and will always be the latest default csf.conf

	      list
	      Lists available profiles and backups

	      apply [profile]
	      Modify csf.conf with Configuration Profile

	      backup "name"
	      Create Configuration Backup with optional "name" stored in /var/lib/csf/backup/

	      restore [backup]
	      Restore a Configuration Backup

	      keep [num]
	      Remove old Configuration Backups and keep the latest [num]

	      diff [profile|backup] [profile|backup]
	      Report differences between Configuration Profiles or Configuration Backups, only specify one [profile|backup] to	compare	 to  the
	      current Configuration

       --mregen
	      MESSENGERV2 /etc/apache2/conf.d/csf_messenger.conf regeneration. This will also gracefully restart httpd

       --cloudflare [command]
	      Commands for interacting with the CloudFlare firewall. See /etc/csf/readme.txt and CF_ENABLE for more detailed information

	      Note:  target  can  be  one of: An IP address; 2 letter Country Code; IP range CIDR. Only Enterprise customers can block a Country
	      Code, but all can allow and challenge. IP range CIDR is limited to /16 and /24

	      list [all|block|challenge|whitelist] [user1,user2,domain1...]
	      List specified type of CloudFlare Firewall rules for comma separated list of users/domains

	      add [block|challenge|whitelist] target [user1,user2,domain1...]
	      Add CloudFlare Firewall rule action for target for comma separated list of users/domains only

	      del target [user1,user2,domain1...]
	      Delete CloudFlare Firewall rule for target for comma separated list of users/domains only

	      tempadd [allow|deny] ip [user1,user2,domain1...]
	      Add a temporary block for CF_TEMP seconds to both csf and the CloudFlare	Firewall  rule	for  ip	 for  comma  separated	list  of
	      users/domains as well as any user set to "any"

       -c,  --check
	      Check for updates to csf but do not upgrade

       -u,  --update
	      Check for updates to csf and upgrade if available

       -uf    Force an update of csf whether and upgrade is required or not

       -x,  --disable
	      Disable csf and lfd completely

       -e,  --enable
	      Enable csf and lfd if previously disabled

       -v,  --version
	      Show csf version

FILES
       /etc/csf/csf.conf
	      The system wide configuration file
       /etc/csf/readme.txt
	      Detailed information about csf and lfd

BUGS
       Report bugs on the forums at http://forum.configserver.com

AUTHOR
       (c)2006-2023, Jonathan Michaelson (http://www.configserver.com)

																	  csf(1)
GPL v3 Release 2025-08-28 15:15:56 +01:00			`csf(1) General Commands Manual csf(1)`

			`NAME`
			`csf - ConfigServer & Security Firewall`

			`SYNOPSIS`
			`csf [OPTIONS]`

			`DESCRIPTION`
			`This manual documents the csf command line options for the ConfigServer & Security Firewall. See /etc/csf/csf.conf and`
			`/etc/csf/readme.txt for more detailed information on how to use and configure this application.`

			`OPTIONS`
			`-h, --help`
			`Show this message`

			`-l, --status`
			`List/Show the IPv4 iptables configuration`

			`-l6, --status6`
			`List/Show the IPv6 ip6tables configuration`

			`-s, --start`
			`Start the firewall rules`

			`-f, --stop`
			`Flush/Stop firewall rules (Note: lfd may restart csf)`

			`-r, --restart`
			`Restart firewall rules (csf)`

			`-q, --startq`
			`Quick restart (csf restarted by lfd)`

			`-sf, --startf`
			`Force CLI restart regardless of LFDSTART setting`

			`-ra, --restartall`
			`Restart firewall rules (csf) and then restart lfd daemon. Both csf and then lfd should be restarted after making any changes to`
			`the configuration files`

			`--lfd [stop\|start\|restart\|status]`
			`Actions to take with the lfd daemon`

			`-a, --add ip [comment]`
			`Allow an IP and add to /etc/csf/csf.allow`

			`-ar, --addrm ip`
			`Remove an IP from /etc/csf/csf.allow and delete rule`

			`-d, --deny ip [comment]`
			`Deny an IP and add to /etc/csf/csf.deny`

			`-dr, --denyrm ip`
			`Unblock an IP and remove from /etc/csf/csf.deny`

			`-df, --denyf`
			`Remove and unblock all entries in /etc/csf/csf.deny`

			`-g, --grep ip`
			`Search the iptables and ip6tables rules for a match (e.g. IP, CIDR, Port Number)`

			`-i, --iplookup ip`
			`Lookup IP address geographical information using CC_LOOKUPS setting in /etc/csf/csf.conf`

			`-t, --temp`
			`Displays the current list of temporary allow and deny IP entries with their TTL and comment`

			`-tr, --temprm ip`
			`Remove an IP from the temporary IP ban or allow list`

			`-trd, --temprmd ip`
			`Remove an IP from the temporary IP ban list only`

			`-tra, --temprma ip`
			`Remove an IP from the temporary IP allow list only`

			`-td, --tempdeny ip ttl [-p port] [-d direction] [comment]`
			`Add an IP to the temp IP ban list. ttl is how long to blocks for (default:seconds, can use one suffix of h/m/d). Optional port.`
			`Optional direction of block can be one of: in, out or inout (default:in)`

			`-ta, --tempallow ip ttl [-p port] [-d direction] [comment]`
			`Add an IP to the temp IP allow list (default:inout)`

			`-tf, --tempf`
			`Flush all IPs from the temporary IP entries`

			`-cp, --cping`
			`PING all members in an lfd Cluster`

			`-cg, --cgrep ip`
			`Requests the --grep output for IP from each member in an lfd Cluster`

			`-cd, --cdeny ip [comment]`
			`Deny an IP in a Cluster and add to each remote /etc/csf/csf.deny`

			`-ctd, --ctempdeny ip ttl [-p port] [-d direction] [comment]`
			`Add an IP in a Cluster to the temp IP ban list (default:in)`

			`-cr, --crm ip`
			`Unblock an IP in a Cluster and remove from each remote /etc/csf/csf.deny and temporary list`

			`-ca, --callow ip [comment]`
			`Allow an IP in a Cluster and add to each remote /etc/csf/csf.allow`

			`-cta, --ctempallow ip ttl [-p port] [-d direction] [comment]`
			`Add an IP in a Cluster to the temp IP allow list (default:in)`

			`-car, --carm ip`
			`Remove allowed IP in a Cluster and remove from each remote /etc/csf/csf.allow and temporary list`

			`-ci, --cignore ip [comment]`
			`Ignore an IP in a Cluster and add to each remote /etc/csf/csf.ignore. Note: This will result in lfd being restarted`

			`-cir, --cirm ip`
			`Remove ignored IP in a Cluster and remove from each remote /etc/csf/csf.ignore. Note: This will result in lfd being restarted`

			`-cc, --cconfig [name] [value]`
			`Change configuration option [name] to [value] in a Cluster`

			`-cf, --cfile [file]`
			`Send [file] in a Cluster to /etc/csf/`

			`-crs, --crestart`
			`Cluster restart csf and lfd`

			`--trace [add\|remove] ip`
			`Log SYN packets for an IP across iptables chains. Note, this can create a LOT of logging information in /var/log/messages so`
			`should only be used for a short period of time. This option requires the iptables TRACE module and access to the raw PREROUTING`
			`chain to function`

			`-m, --mail [email]`
			`Display Server Check in HTML or email to [email] if present`

			`--rbl [email]`
			`Process and display RBL Check in HTML or email to [email] if present`

			`-lr, --logrun`
			`Initiate Log Scanner report via lfd`

			`-p, --ports`
			`View ports on the server that have a running process behind them listening for external connections`

			`--graphs [graph type] [directory]`
			`Generate System Statistics html pages and images for a given graph type into a given directory. See ST_SYSTEM for requirements`

			`--profile [command] [profile\|backup] [profile\|backup]`
			`Configuration profile functions for /etc/csf/csf.conf`
			`You can create your own profiles using the examples provided in /usr/local/csf/profiles/`
			`The profile reset_to_defaults.conf is a special case and will always be the latest default csf.conf`

			`list`
			`Lists available profiles and backups`

			`apply [profile]`
			`Modify csf.conf with Configuration Profile`

			`backup "name"`
			`Create Configuration Backup with optional "name" stored in /var/lib/csf/backup/`

			`restore [backup]`
			`Restore a Configuration Backup`

			`keep [num]`
			`Remove old Configuration Backups and keep the latest [num]`

			`diff [profile\|backup] [profile\|backup]`
			`Report differences between Configuration Profiles or Configuration Backups, only specify one [profile\|backup] to compare to the`
			`current Configuration`

			`--mregen`
			`MESSENGERV2 /etc/apache2/conf.d/csf_messenger.conf regeneration. This will also gracefully restart httpd`

			`--cloudflare [command]`
			`Commands for interacting with the CloudFlare firewall. See /etc/csf/readme.txt and CF_ENABLE for more detailed information`

			`Note: target can be one of: An IP address; 2 letter Country Code; IP range CIDR. Only Enterprise customers can block a Country`
			`Code, but all can allow and challenge. IP range CIDR is limited to /16 and /24`

			`list [all\|block\|challenge\|whitelist] [user1,user2,domain1...]`
			`List specified type of CloudFlare Firewall rules for comma separated list of users/domains`

			`add [block\|challenge\|whitelist] target [user1,user2,domain1...]`
			`Add CloudFlare Firewall rule action for target for comma separated list of users/domains only`

			`del target [user1,user2,domain1...]`
			`Delete CloudFlare Firewall rule for target for comma separated list of users/domains only`

			`tempadd [allow\|deny] ip [user1,user2,domain1...]`
			`Add a temporary block for CF_TEMP seconds to both csf and the CloudFlare Firewall rule for ip for comma separated list of`
			`users/domains as well as any user set to "any"`

			`-c, --check`
			`Check for updates to csf but do not upgrade`

			`-u, --update`
			`Check for updates to csf and upgrade if available`

			`-uf Force an update of csf whether and upgrade is required or not`

			`-x, --disable`
			`Disable csf and lfd completely`

			`-e, --enable`
			`Enable csf and lfd if previously disabled`

			`-v, --version`
			`Show csf version`

			`FILES`
			`/etc/csf/csf.conf`
			`The system wide configuration file`
			`/etc/csf/readme.txt`
			`Detailed information about csf and lfd`

			`BUGS`
			`Report bugs on the forums at http://forum.configserver.com`

			`AUTHOR`
			`(c)2006-2023, Jonathan Michaelson (http://www.configserver.com)`

			`csf(1)`