How to Allow and Block ip using CSF on Rocky Linux 9.2
Introduction
CSF (ConfigServer Security & Firewall) is a Stateful Packet Inspection firewall front end for iptables on Linux servers. It comes with lfd (Login Failure Daemon), which watches the logs for failed logins and other suspicious activity, blocks the offending IP addresses and can alert you by email. This guide shows how to permanently allow or block an address, either by editing /etc/csf/csf.allow and /etc/csf/csf.deny or with the csf command.
Steps:
Step 1: Check the OS version with the command below
[root@Linuxhelp ~]# cat /etc/os-release
NAME="Rocky Linux"
VERSION="9.2 (Blue Onyx)"
ID="rocky"
ID_LIKE="rhel centos fedora"
VERSION_ID="9.2"
PLATFORM_ID="platform:el9"
PRETTY_NAME="Rocky Linux 9.2 (Blue Onyx)"
ANSI_COLOR="0;32"
LOGO="fedora-logo-icon"
CPE_NAME="cpe:/o:rocky:rocky:9::baseos"
HOME_URL="https://rockylinux.org/"
BUG_REPORT_URL="https://bugs.rockylinux.org/"
SUPPORT_END="2032-05-31"
ROCKY_SUPPORT_PRODUCT="Rocky-Linux-9"
ROCKY_SUPPORT_PRODUCT_VERSION="9.2"
REDHAT_SUPPORT_PRODUCT="Rocky Linux"
REDHAT_SUPPORT_PRODUCT_VERSION="9.2"
Step 2: Check the status of the csf and lfd services with the command below (csf is a one-shot unit that loads the rules; lfd is the daemon that keeps running)
[root@Linuxhelp ~]# systemctl status csf lfd
● csf.service - ConfigServer Firewall & Security - csf
Loaded: loaded (/usr/lib/systemd/system/csf.service; enabled; preset: disabled)
Active: active (exited) since Tue 2023-07-04 02:35:22 IST; 3h 2min ago
Process: 911 ExecStart=/usr/sbin/csf --initup (code=exited, status=0/SUCCESS)
Main PID: 911 (code=exited, status=0/SUCCESS)
CPU: 2.260s
Jul 04 02:35:21 Linuxhelp csf[911]: ACCEPT all opt in * out lo ::/0 -> ::/0
Jul 04 02:35:21 Linuxhelp csf[911]: LOGDROPOUT all opt in * out !lo ::/0 -> ::/0
Jul 04 02:35:21 Linuxhelp csf[911]: LOGDROPIN all opt in !lo out * ::/0 -> ::/0
Jul 04 02:35:21 Linuxhelp csf[911]: csf: FASTSTART loading DNS (IPv4)
Jul 04 02:35:21 Linuxhelp csf[911]: csf: FASTSTART loading DNS (IPv6)
Jul 04 02:35:21 Linuxhelp csf[911]: LOCALOUTPUT all opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0
Jul 04 02:35:21 Linuxhelp csf[911]: LOCALINPUT all opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0
Jul 04 02:35:21 Linuxhelp csf[911]: LOCALOUTPUT all opt in * out !lo ::/0 -> ::/0
Jul 04 02:35:22 Linuxhelp csf[911]: LOCALINPUT all opt in !lo out * ::/0 -> ::/0
Jul 04 02:35:22 Linuxhelp systemd[1]: Finished ConfigServer Firewall & Security - csf.
● lfd.service - ConfigServer Firewall & Security - lfd
Loaded: loaded (/usr/lib/systemd/system/lfd.service; enabled; preset: disabled)
Active: active (running) since Tue 2023-07-04 02:35:22 IST; 3h 2min ago
Process: 1870 ExecStart=/usr/sbin/lfd (code=exited, status=0/SUCCESS)
Main PID: 1907 (lfd - sleeping)
Tasks: 1 (limit: 22877)
Memory: 289.2M
CPU: 25.731s
CGroup: /system.slice/lfd.service
└─1907 "lfd - sleeping"
Jul 04 02:35:22 Linuxhelp systemd[1]: Starting ConfigServer Firewall & Security - lfd...
Step 3: Open /etc/csf/csf.allow and add the IP address you want to allow, one entry per line. A comment may follow the address after a #; CIDR ranges and the port-specific form described in /etc/csf/readme.txt (for example tcp|in|d=22|s=IP) are also accepted.
root@linuxhelp:~# vim /etc/csf/csf.allow
#See readme.txt for more information regarding advanced port filtering#
192.168.6.129
Then save and exit the file (:wq!)
Step 4: Reload CSF with the command below so the new entry is turned into iptables rules
[root@Linuxhelp ~]# csf -r
Flushing chain `INPUT'
Flushing chain `FORWARD'
Flushing chain `OUTPUT'
Flushing chain `POSTROUTING'
csf: FASTSTART loading DROP no logging (IPv4)
csf: FASTSTART loading DROP no logging (IPv6)
LOG tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 limit: avg 30/min burst 5 LOG flags 0 level 4 prefix "Firewall: *TCP_IN Blocked* "
LOG tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp flags:0x17/0x02 limit: avg 30/min burst 5 LOG flags 8 level 4 prefix "Firewall: *TCP_OUT Blocked* "
LOG udp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 limit: avg 30/min burst 5 LOG flags 0 level 4 prefix "Firewall: *UDP_IN Blocked* "
LOG udp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 limit: avg 30/min burst 5 LOG flags 8 level 4 prefix "Firewall: *UDP_OUT Blocked* "
LOG icmp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 limit: avg 30/min burst 5 LOG flags 0 level 4 prefix "Firewall: *ICMP_IN Blocked* "
LOG icmp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 limit: avg 30/min burst 5 LOG flags 8 level 4 prefix "Firewall: *ICMP_OUT Blocked* "
LOG tcp opt in * out * ::/0 -> ::/0 limit: avg 30/min burst 5 LOG flags 0 level 4 prefix "Firewall: *TCP6IN Blocked* "
LOG tcp opt in * out * ::/0 -> ::/0 tcp flags:0x17/0x02 limit: avg 30/min burst 5 LOG flags 8 level 4 prefix "Firewall: *TCP6OUT Blocked* "
LOG udp opt in * out * ::/0 -> ::/0 limit: avg 30/min burst 5 LOG flags 0 level 4 prefix "Firewall: *UDP6IN Blocked* "
LOG udp opt in * out * ::/0 -> ::/0 limit: avg 30/min burst 5 LOG flags 8 level 4 prefix "Firewall: *UDP6OUT Blocked* "
LOG ipv6-icmp opt in * out * ::/0 -> ::/0 limit: avg 30/min burst 5 LOG flags 0 level 4 prefix "Firewall: *ICMP6IN Blocked* "
LOG ipv6-icmp opt in * out * ::/0 -> ::/0 limit: avg 30/min burst 5 LOG flags 8 level 4 prefix "Firewall: *ICMP6OUT Blocked* "
DROP all opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0
REJECT all opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 reject-with icmp-port-unreachable
DROP all opt in * out * ::/0 -> ::/0
REJECT all opt in * out * ::/0 -> ::/0 reject-with icmp6-port-unreachable
DENYOUT all opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0
DENYIN all opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0
ALLOWOUT all opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0
ALLOWIN all opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0
csf: FASTSTART loading DNS (IPv6)
LOCALOUTPUT all opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0
LOCALINPUT all opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0
LOCALOUTPUT all opt in * out !lo ::/0 -> ::/0
LOCALINPUT all opt in !lo out * ::/0 -> ::/0
*WARNING* Binary location for [SENDMAIL] [/usr/sbin/sendmail] in /etc/csf/csf.conf is either incorrect, is not installed or is not executable
*WARNING* Missing or incorrect binary locations will break csf and lfd functionality
*WARNING* RESTRICT_SYSLOG is disabled. See SECURITY WARNING in /etc/csf/csf.conf.
Step 5: Restart csf and lfd with the command below. This restart is not strictly required: csf -r already rebuilt the rules, so it is enough for csf.allow and csf.deny changes, but restarting lfd is needed after editing /etc/csf/csf.conf. Also act on the warnings printed above: a missing sendmail binary means lfd cannot send alerts, and RESTRICT_SYSLOG should be set as described in the SECURITY WARNING in /etc/csf/csf.conf before the server goes into production.
[root@Linuxhelp ~]# systemctl restart csf lfd
Step 6: Alternatively, allow an address from the command line. csf -a appends it to csf.allow and inserts the ACCEPT rules immediately; an optional comment can be given after the address (for example csf -a 192.168.6.131 "jump host") and is stored in the file next to the entry.
[root@Linuxhelp ~]# csf -a 192.168.6.131
Adding 192.168.6.131 to csf.allow and iptables ACCEPT...
ACCEPT all opt -- in !lo out * 192.168.6.131 -> 0.0.0.0/0
ACCEPT all opt -- in * out !lo 0.0.0.0/0 -> 192.168.6.131
Step 7: Reload CSF with the command below (optional here: the rule added by csf -a is already active, and the output is the same as in Step 4)
root@linuxhelp:~# csf -r
Step 8: Restart csf and lfd with the command below (optional, for the same reason as in Step 5)
root@linuxhelp:~# systemctl restart csf lfd
Step 9: Check csf.allow, where the allowed IPs are stored, and confirm that 192.168.6.131 was written to it with a "Manually allowed" comment
root@linuxhelp:~# vim /etc/csf/csf.allow
Step 10: Remove the address from csf.allow and delete its ACCEPT rules with the command below
[root@Linuxhelp ~]# csf -ar 192.168.6.131
Removing rule...
ACCEPT all opt -- in !lo out * 192.168.6.131 -> 0.0.0.0/0
ACCEPT all opt -- in * out !lo 0.0.0.0/0 -> 192.168.6.131
Step 11: Open /etc/csf/csf.deny and add the IP address you want to block; the same entry syntax as csf.allow applies
[root@Linuxhelp ~]# vi /etc/csf/csf.deny
#See readme.txt for more information regarding advanced port filtering#
192.168.6.132
Then save and exit the file (:wq!)
Step 12: Reload CSF with the command below
root@linuxhelp:~# csf -r
Step 13: Restart csf and lfd with the command below (optional, as in Step 5)
root@linuxhelp:~# systemctl restart csf lfd
Step 14: Alternatively, block an address from the command line. csf -d appends it to csf.deny and inserts the DROP rule immediately, so no reload is needed. csf.deny is a permanent block list, and its size is capped by DENY_IP_LIMIT in /etc/csf/csf.conf (the oldest entries are removed once the limit is reached); for a time-limited block use csf -td IP TTL instead, and list temporary blocks with csf -t. An address that is also present in csf.allow stays allowed, because csf.allow takes precedence over csf.deny.
[root@Linuxhelp ~]# csf -d 192.168.6.135
Adding 192.168.6.135 to csf.deny and iptables DROP...
DROP all opt -- in !lo out * 192.168.6.135 -> 0.0.0.0/0
LOGDROPOUT all opt -- in * out !lo 0.0.0.0/0 -> 192.168.6.135
Step 15: Check csf.deny, where the blocked IPs are stored
root@linuxhelp:~# vim /etc/csf/csf.deny
Step 16: Remove the address from csf.deny and delete its DROP rules with the command below
[root@Linuxhelp ~]# csf -dr 192.168.6.135
Removing rule...
DROP all opt -- in !lo out * 192.168.6.135 -> 0.0.0.0/0
LOGDROPOUT all opt -- in * out !lo 0.0.0.0/0 -> 192.168.6.135
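The script below is an added example that is not part of the original article and is not ConfigServer's own code. It wraps the allow procedure (Steps 3 to 10) and the block procedure (Steps 11 to 16) in one tool: it validates the address before handing it to csf -a or csf -d, confirms with csf -g that the ACCEPT or DROP rule was actually loaded, can build the port-specific entry syntax from readme.txt, and reports addresses that appear in both csf.allow and csf.deny, where the deny entry has no effect. The function names, the CSF_ALLOW and CSF_DENY variables and the sample file contents used to exercise the conflict check are assumptions made for this example.

```shell
#!/usr/bin/env bash
# csf-acl.sh: added example wrapper around csf -a / csf -d (not part of the
# article and not ConfigServer's code). Function names and the file-location
# variables below are assumptions for this example.

CSF_ALLOW="${CSF_ALLOW:-/etc/csf/csf.allow}"
CSF_DENY="${CSF_DENY:-/etc/csf/csf.deny}"

# Accept a dotted-quad IPv4 address, optionally with a /0-32 prefix.
valid_ipv4() {
    local ip prefix o
    case "$1" in
        */*) prefix="${1#*/}"; ip="${1%%/*}"
             case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
             [ "$prefix" -le 32 ] || return 1 ;;
        *)   ip="$1" ;;
    esac
    case "$ip" in ''|*[!0-9.]*) return 1 ;; esac
    local IFS=.
    set -- $ip                       # split on dots (IFS is local to this function)
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Build a csf.allow/csf.deny "advanced" entry limited to one protocol,
# direction and port (syntax from /etc/csf/readme.txt):
#   csf_entry tcp in 22 192.168.6.131  ->  tcp|in|d=22|s=192.168.6.131
#   csf_entry udp out 53 10.0.0.2      ->  udp|out|d=53|d=10.0.0.2
csf_entry() {
    local proto="$1" dir="$2" port="$3" ip="$4"
    case "$proto" in tcp|udp) ;; *) return 1 ;; esac
    case "$port"  in ''|*[!0-9]*) return 1 ;; esac
    valid_ipv4 "$ip" || return 1
    case "$dir" in
        in)  printf '%s|in|d=%s|s=%s\n'  "$proto" "$port" "$ip" ;;  # inbound: s= is the remote source
        out) printf '%s|out|d=%s|d=%s\n' "$proto" "$port" "$ip" ;;  # outbound: d= is the remote destination
        *)   return 1 ;;
    esac
}

# Print plain addresses listed in both files. csf applies csf.allow before
# csf.deny, so such an address is still allowed: the deny entry is dead.
allow_deny_conflicts() {
    awk -v allow="$1" '
        { sub(/#.*/, ""); sub(/^[ \t]+/, ""); sub(/[ \t].*/, "") }  # keep only the address field
        $0 == "" || index($0, "|") { next }                           # skip blanks, comments, port-specific entries
        FILENAME == allow { in_allow[$0] = 1; next }
        ($0 in in_allow) && !reported[$0]++ { print }
    ' "$1" "$2"
}

# csf -a / csf -d write the file AND insert the iptables rule, so no csf -r
# or service restart is needed afterwards; csf -g shows the loaded rule.
allow_ip() {
    valid_ipv4 "$1" || { echo "invalid address: $1" >&2; return 2; }
    csf -a "$1" "${2:-allowed by $(id -un) on $(date +%F)}" >/dev/null
    csf -g "$1" | grep -q ACCEPT
}

deny_ip() {
    valid_ipv4 "$1" || { echo "invalid address: $1" >&2; return 2; }
    if sed 's/#.*//' "$CSF_ALLOW" | awk 'NF { print $1 }' | grep -qxF "$1"; then
        echo "$1 is in $CSF_ALLOW; a deny entry would be ignored" >&2; return 3
    fi
    csf -d "$1" "${2:-denied by $(id -un) on $(date +%F)}" >/dev/null
    csf -g "$1" | grep -q DROP
}

case "${1:-}" in
    allow) allow_ip "$2" "${3:-}" ;;
    deny)  deny_ip  "$2" "${3:-}" ;;
    check) allow_deny_conflicts "$CSF_ALLOW" "$CSF_DENY" ;;
    entry) csf_entry "$2" "$3" "$4" "$5" ;;
    "")    : ;;                       # no arguments: only define the functions (e.g. when sourced)
    *)     echo "usage: $0 allow|deny IP [comment] | check | entry tcp|udp in|out PORT IP" >&2; exit 1 ;;
esac
```

Run it as root, for example ./csf-acl.sh allow 192.168.6.131 "jump host" or ./csf-acl.sh deny 192.168.6.135; a non-zero exit means the address was rejected, was already in csf.allow, or csf -g did not show the expected rule. ./csf-acl.sh check is worth running after any manual edit of the two files, and ./csf-acl.sh entry tcp in 22 192.168.6.131 prints a line you can paste into csf.allow to permit only SSH from that host instead of all traffic.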
Conclusion:
We have reached the end of this article. In this guide, we have walked you through the steps required to allow and block IP addresses using CSF on Rocky Linux 9.2, either by editing csf.allow and csf.deny followed by csf -r, or directly with csf -a, csf -ar, csf -d and csf -dr. Keep in mind that csf.allow takes precedence over csf.deny, so an address listed in both remains allowed. Your feedback is much welcome.