How to Install CSF Firewall on Debian 11

Everything Linux, A.I, IT News, DataOps, Open Source and more delivered right to you.
"The best Linux newsletter on the web"

Hello, dear friends. In this post, you will learn how to install CSF Firewall on Debian 11. This firewall which is more advanced than UFW will help us to improve the security of our system.

Introducing to CSF

A Firewall helps us to block incoming and outgoing connections to an operating system. This is so that we can filter third-party access to our system. In addition to this, we can filter which applications can make use of the network.

Usually, an operating system incorporates a firewall but they need more sophisticated tools to increase the security of the system.

We have talked about CSF because we have explained how to install it on CentOS 8.

On the CSF web site, we find the following definition

A Stateful Packet Inspection (SPI) firewall, Login/Intrusion Detection, and Security application for Linux servers.

It has advanced features that allow us to further secure the system and that are easy to define thanks to its readable configuration file.

So, let’s go for it.

Install CSF Firewall on Debian 11

I will assume in this post that the system is a server. So, connect via SSH and make sure the system is up to date.

sudo apt update
sudo apt upgrade

After that, install with this command all the dependencies we need to install CSF.

Now run this command to install all CSF dependencies

sudo apt install libio-socket-inet6-perl libsocket6-perl sendmail dnsutils unzip libio-socket-ssl-perl libcrypt-ssleay-perl git perl iptables libnet-libidn-perl

Once you have these packages downloaded and installed then you can continue with the installation.

Now you have to make sure that there is no other firewall running on the system. So, disable UFW as follows

sudo ufw disable

Now you can install CFS. To do this, download it using the wget command.

1.- Download CSF firewall
1.- Download CSF firewall

Now unzip the file

sudo tar -xvzf csf.tgz

This will generate a folder called csf that we have to access. And inside it, run the file.

cd csf
sudo sh
2.- CSF installed
2.- CSF installed

After finishing the installation process, you will have to start the service that has been created.

sudo systemctl start csf

Also, it is a good idea to run perl to check that CSF has been successfully installed.

sudo perl /usr/local/csf/bin/

The following output shows that CSF has been successfully installed on the system.

3.- Testing CSF firewall
3.- Testing CSF firewall

Now, enable CSF to start with the system.

sudo systemctl enable csf

Now we can configure it to make it ready.

Configuring CSF Firewall on Debian before using it

With CSF installed on the system, we then have to configure it so that we can use it.

So, the main CSF configuration file is /etc/csf/csf.conf.

This file must be backed up before editing it.

sudo cp /etc/csf/csf.conf /etc/csf/csf.conf.bak

And now yes, open it using for example the nano editor

sudo nano /etc/csf/csf.conf

The most basic thing we can do with a firewall is to open and close access ports. This can be done in the TCP_IN and TCP_OUT sections where we can specify the ports that will have access to the outside and incoming connections. Also, it works for the UDP protocol-

4.- Configuring CSF
4.- Configuring CSF

If a port does not appear there, then it is not enabled.

In the case of using IPv6 then you have to define the ports in the TCP6_IN and TCP6_OUT sections.

5.- IPv6 ports
5.- IPv6 ports

If something defines CSF it is versatility and security since we can also define the number of connections to the ports quickly. To do this, go to the CONNLLIMIT value, and to use it, better to give an example

CONNLIMIT= "22;4;443;5"
6.-ConnLimit directive on CSF
6.-ConnLimit directive on CSF

In this case, we are defining that only 4 IP addresses can simultaneously use port 22 and only 5 IP addresses can use port 443.

But there are many more configurations that you can do and to know them, you can consult the official CSF documentation.

When you are ready, you can save the changes and close the editor.

More configuration files

In the /etc/csf/csf.deny file you can specify IP ranges and addresses that will be blocked by the Firewall.

sudo nano /etc/csf/csf.deny

For example, if you want to deny access to an IP you only have to add it

Or to an entire network

Save the changes and close the editor.

Also, there is the /etc/csf/csf.allow file that gives the opposite effect. These are addresses and IP ranges that are enabled for access.

Or the /etc/csf/csf.ignore file which will cause the specified IP addresses not to be filtered.

Once you have configured everything, you have to run the following command to apply the changes.

sudo csf -r
7.- Using CSF
7.- Using CSF

So, enjoy it.


In this tutorial, you learned how to install and configure CSF on Debian 11. This way you will be able to secure your server much better.

Everything Linux, A.I, IT News, DataOps, Open Source and more delivered right to you.
"The best Linux newsletter on the web"
I am Angelo. A systems engineer passionate about Linux and all open-source software. Although here I'm just another member of the family.


Please enter your comment!
Please enter your name here

Latest articles

Join us on Facebook