How to Enable Ports, Whitelist, and Blacklist IPs in CSF Firewall (ConfigServer Security & Firewall)
ConfigServer Security & Firewall (CSF) is a powerful firewall used on Linux servers, especially in cPanel/WHM environments. This guide explains how to open ports, whitelist trusted IPs, and block malicious IP addresses.
Part 1: How to Enable Ports in CSF Firewall
Step 1: Connect to Your Server via SSH
Log in to your server as root:
ssh root@your-server-ip
Step 2: Open the CSF Configuration File
Edit the CSF configuration file:
nano /etc/csf/csf.conf
Step 3: Allow Incoming Ports (TCP_IN)
Find the line:
TCP_IN =
Example default:
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995,2083,2087"
To allow a new port (example: 3000):
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995,2083,2087,3000"
Step 4: Allow Outgoing Ports (TCP_OUT)
Find:
TCP_OUT =
Example:
TCP_OUT = "20,21,22,25,53,80,110,113,443"
Add your port:
TCP_OUT = "20,21,22,25,53,80,110,113,443,3000"
Step 5: Allow UDP Ports (if required)
Edit:
UDP_IN =
UDP_OUT =
Example:
UDP_IN = "53"
UDP_OUT = "53"
Step 6: Restart CSF to Apply Changes
csf -r
Part 2: How to Whitelist an IP Address
Whitelisting allows a trusted IP to bypass firewall restrictions and prevents it from being blocked.
Method 1: Using Command Line (Recommended)
Whitelist an IP:
csf -a 192.168.1.10
Example output:
Adding 192.168.1.10 to csf.allow and iptables ACCEPT...
Method 2: Whitelist IP for Specific Port
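Example: allow an IP to reach only port 22 (SSH). Passing tcp:22 after the IP to csf -a stores it as a comment and whitelists the IP on every port, so add an advanced allow filter line to /etc/csf/csf.allow instead, then apply it with csf -r:
tcp|in|d=22|s=192.168.1.10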
Method 3: Manually Edit csf.allow File
Open whitelist file:
nano /etc/csf/csf.allow
Add IP:
192.168.1.10
Save and restart CSF:
csf -r
Part 3: How to Blacklist (Block) an IP Address
Blacklisting blocks an IP from accessing your server.
Method 1: Using Command Line (Recommended)
Block IP:
csf -d 192.168.1.10
This immediately blocks the IP.
Method 2: Manually Edit csf.deny File
Open blacklist file:
nano /etc/csf/csf.deny
Add IP:
192.168.1.10
Restart firewall:
csf -r
Part 4: Remove IP from Whitelist or Blacklist
Remove from whitelist:
csf -ar 192.168.1.10
Remove from blacklist:
csf -dr 192.168.1.10
Restart CSF:
csf -r
Part 5: Verify IP Status
Check whether an IP is allowed or blocked:
csf -g 192.168.1.10
This shows whether the IP is in the allow or deny list.
Part 6: Common CSF Files Reference
| File | Purpose |
|---|---|
| /etc/csf/csf.conf | Main firewall configuration |
| /etc/csf/csf.allow | Whitelisted IP addresses |
| /etc/csf/csf.deny | Blocked IP addresses |
| /etc/csf/csf.ignore | IP addresses ignored by the Login Failure Daemon (lfd) |
Part 7: Common Ports Reference
| Service | Port |
|---|---|
| SSH | 22 |
| HTTP | 80 |
| HTTPS | 443 |
| FTP | 21 |
| cPanel | 2083 |
| WHM | 2087 |
| MySQL | 3306 |
| Node.js | 3000 |
| Redis | 6379 |
Security Best Practices
- Only open ports required by your applications
- Always whitelist your own IP to prevent lockout
- Block suspicious or malicious IPs immediately
- Regularly monitor firewall logs
- Restart CSF after any configuration change
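As a check for the first practice above, this added example (not part of the original guide or of CSF itself) lists the ports a csf.conf opens that are missing from a list you approved. The function names, the approved list and the sample file are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: list ports that a csf.conf opens but that are not on an approved list.

# csf_ports FILE KEY: print each entry of KEY (e.g. TCP_IN), one per line.
csf_ports() {
    # Match only an uncommented 'KEY = "..."' line; if repeated, the last one is used here.
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" |
        tail -n 1 | tr -d ' ' | tr ',' '\n' | sed '/^$/d'
}

# csf_unapproved FILE KEY APPROVED: print entries of KEY missing from the
# comma-separated APPROVED list. Entries are compared as text, so "2" never matches "22".
csf_unapproved() {
    csf_ports "$1" "$2" | while read -r entry; do
        case ",$3," in
            *",$entry,"*) ;;                 # approved, nothing to report
            *) printf '%s\n' "$entry" ;;     # open in CSF but not approved
        esac
    done
}

# Constructed sample standing in for /etc/csf/csf.conf (6379 added to the guide's list).
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
# TCP_IN = "1,2,3"
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995,2083,2087,3000,6379"
TCP_OUT = "20,21,22,25,53,80,110,113,443,3000"
UDP_IN = "53"
UDP_OUT = "53"
EOF

# Assumed approved list for this server: SSH, mail, DNS, web, cPanel/WHM and the app on 3000.
approved="22,25,53,80,443,2083,2087,3000"

echo "TCP_IN entries not on the approved list:"
csf_unapproved "$sample" TCP_IN "$approved"
```

Point the functions at /etc/csf/csf.conf after each edit and review anything they print before running csf -r.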
Restart CSF Firewall
csf -r
By following this guide, you can safely manage ports, allow trusted users, and block malicious traffic using the CSF firewall.