Share your love
Install Config Server Firewall CSF on Debian 12
This guide intends to teach you to Install and Use Config Server Firewall (CSF) on Debian 12 Bookworm. CSF is a firewall software that you can use to manage your firewall settings and configuration from a web interface or command line. You can follow the rest of the article to get a complete guide for CSF installation and configuration on Debian 12 Bookworm.
Complete Guide To Install Config Server Firewall CSF on Debian 12
Before you start your CSF configuration, you must have access to your server as a root or non-root user with sudo privileges. For this purpose, you can visit this guide on Initial Server Setup with Debian 12 Bookworm.
Then, follow the steps below to complete this guide.
Important Note: To install the CSF firewall, you must remove UFW if you have it on your server. You can use the command below:
sudo apt remove ufw
Step 1 – Required Packages for CSF Firewall on Debian 12
First, you must install some required packages and dependencies for the CSF installation. You need to run the system update and use the command below to install them:
# sudo apt update
# sudo apt install iptables perl zip unzip libwww-perl libcrypt-ssleay-perl libnet-http-perl libio-socket-ssl-perl ca-certificates
Step 2 – Download ConfigServer Security and Firewall Package on Debian 12
The CSF packages are not available in the default Debian 12 repository. You can download the package from the official site. To do this, use the following wget command:
# cd /usr/src
# sudo wget https://download.configserver.com/csf.tgz
When your download is completed, extract it with the command below:
sudo tar -xvzf csf.tgz
Step 3 – Run CSF Installer Script on Debian 12
Now you must navigate to the CSF directory and run the installer script to install your CSF firewall on Debian 12. To do this, run the following commands:
# cd csf
# sudo sh install.sh
Output
Installation Completed
Then, you need to verify the required iptables modules for CSF are available with the command below:
sudo perl /usr/local/csf/bin/csftest.pl
In your output you will see:
Output
Testing ip_tables/iptable_filter...OK
Testing ipt_LOG...OK
Testing ipt_multiport/xt_multiport...OK
Testing ipt_REJECT...OK
Testing ipt_state/xt_state...OK
Testing ipt_limit/xt_limit...OK
Testing ipt_recent...OK
Testing xt_connlimit...OK
Testing ipt_owner/xt_owner...OK
Testing iptable_nat/ipt_REDIRECT...OK
Testing iptable_nat/ipt_DNAT...OK
RESULT: csf should function on this server
You can verify your CSF installation by checking its version:
csf -v
Output
csf: v14.20 (generic)
Step 4 – CSF Firewall Configuration on Debian 12
The CSF is running in a test mode. So you must disable it. To do this, open the CSF configuration file by using your desired text editor like vi editor or nano editor:
sudo vi /etc/csf/csf.conf
At the file, look for the Testing line and change its value to 0:
TESTING = "0"
When you are done, save and close the file.
To apply the changes, stop and reload the CSF firewall with the command below:
csf -ra
Step 5 – How To Use Config Server Firewall?
At this point, we want to show you how to manage and use the CSF firewall from the Debian 12 Command line. To do this, follow the steps below.
Start CSF Service from Terminal
You can start the CSF service on your server by:
csf -s
Enable CSF Service from Terminal
You can enable the CSF from the command line by using the command below:
csf -e
Stop CSF Service from Terminal
To stop the CSF service on Debian 12, use the command below:
csf -f
Restart CSF Service from Terminal
To restart the CSF, you can use the command below:
csf -ra
Note: Remember to restart the CSF firewall every time you make changes to the CSF configuration file.
Allow and Deny an IP address with CSF from Terminal
Also, you can allow or deny an IP address from the CLI with a CSF firewall on Debian 12.
Use the –d option to deny an IP address. For example:
csf -d 192.0.2.123
And use the -a option to allow an IP. For example:
csf -a 192.0.2.123
Remove an IP address with CSF from Terminal
To remove IP from the allow list, you can use the following command:
csf -ar 192.0.2.123
Also, to remove IP from the deny list, you can run the command below:
csf -dr 192.0.2.123
Allow Incoming and Outgoing Port with CSF from Terminal
To allow an incoming or outgoing port, you can edit the CSF configuration file on Debian 12.
sudo vi /etc/csf/csf.conf
Locate the lines below and add or remove your desired ports:
# Allow incoming TCP ports
TCP_IN = 20,21,22,25,26,53,80,110,143,443,465,587,993,995,2077”
# Allow outgoing TCP ports
TCP_OUT = 20,21,22,25,26,37,43,53,80,110,113,443,465,873,2087”
When you are done, save and close the file.
Restart CSF for the changes to take effect.
csf -ra
Step 6 – Most Useful CSF Firewall Commands
At this point, we provide a list for you that includes the most useful and common CSF commands you can use from the command-line interface.
CSF Commands | Usage |
csf -e | enable CSF service |
csf -x | disable CSF service |
csf -s | start CSF firewall rules |
csf -f | flush or stop CSF service |
csf -r | restart firewall rules |
csf -a [ip] [Optional comment] | Allow an IP and add to /etc/csf/csf.allow |
csf -td [ip] [Optional comment] | Place an IP on the temporary deny list in /var/lib/csf/csf.tempban |
csf -tr [ip] | Remove an IP from the temporary IP ban or allow list. |
csf -tf | Flush all IPs from the temporary IP entries |
csf -d [ip] [Optional comment] | Deny an IP and add to /etc/csf/csf.deny |
csf -dr [ip] | Unblock an IP and remove from /etc/csf/csf.deny |
csf -df | Remove and unblock all entries in /etc/csf/csf.deny |
csf -g [ip] | Search the iptables and ip6tables rules for a match |
csf -t | Displays the current list of temporary allow and deny IP entries with their TTL and comments |
Step 7 – Where is the CSF firewall located?
The CSF Firewall is installed in the /etc/csf directory. You can make the changes through the configuration file /etc/csf/csf.conf.
Step 8 – How do I check my CSF firewall?
You can check your CSF firewall status by using the command below:
sudo systemctl status csf
Output
● csf.service - ConfigServer Firewall & Security - csf
Loaded: loaded (/lib/systemd/system/csf.service; enabled; preset: enabled)
Active: active (exited) since Mon 2023-10-16 04:47:19 EDT; 33min ago
Main PID: 1876 (code=exited, status=0/SUCCESS)
CPU: 902ms
...
Conclusion
At this point, you have learned to Install the CSF firewall on Debian 12 Bookowrm and Configure it on your server. Also, you have learned to use it from the command line interface and get familiar with the most useful CSF commands.
Hope you enjoy using it. You may be interested in these articles:
Allow a Specific Port for a Particular IP in CSF
Enable and Configure CSF Firewall on CWP