In this tutorial, we will show you how to install CSF Firewall on Debian 11. For those of you who didn’t know, CSF is also known as “Config Server Firewall” is a free and advanced firewall for Linux systems. We should use ConfigServer Security & Firewall (CSF) since this CSF have more advanced and comprehensive features than other firewall application such as UFW, Firewalld, or Iptables. Compared to the other Linux firewall application, CSF is more user-friendly and effective which is mostly used by web hosting providers.
This article assumes you have at least basic knowledge of Linux, know how to use the shell, and most importantly, you host your site on your own VPS. The installation is quite simple and assumes you are running in the root account, if not you may need to add ‘sudo‘ to the commands to get root privileges. I will show you through the step-by-step installation of the ConfigServer Security & Firewall (CSF) on a Debian 11 (Bullseye).
Prerequisites
- A server running one of the following operating systems: Debian 11 (Bullseye).
- It’s recommended that you use a fresh OS install to prevent any potential issues.
- A
non-root sudo useror access to theroot user. We recommend acting as anon-root sudo user, however, as you can harm your system if you’re not careful when acting as the root.
Install CSF Firewall on Debian 11 Bullseye
Step 1. Before we install any software, it’s important to make sure your system is up to date by running the following apt commands in the terminal:
sudo apt update sudo apt upgrade sudo apt install sendmail dnsutils unzip libio-socket-ssl-perl libcrypt-ssleay-perl git perl iptables libnet-libidn-perl libio-socket-inet6-perl libsocket6-perl
Step 2. Installing CSF Firewall on Debian 11.
By default, the CSF packages are not available on the Debian 11 base repository. Now we download the latest version of CSF from the official page:
wget http://download.configserver.com/csf.tgz
Next, unpack the downloaded file with the following command:
tar -xvzf csf.tgz
Move to a directory and run the install.sh script to install CSF in your Debian system:
cd csf bash install.sh
Once CSF is installed, you will need to verify whether all of the required firewall modules are available or not. You can verify it with the following command:
perl /usr/local/csf/bin/csftest.pl
Output:
Testing ip_tables/iptable_filter...OK Testing ipt_LOG...OK Testing ipt_multiport/xt_multiport...OK Testing ipt_REJECT...OK Testing ipt_state/xt_state...OK Testing ipt_limit/xt_limit...OK Testing ipt_recent...OK Testing xt_connlimit...OK Testing ipt_owner/xt_owner...OK Testing iptable_nat/ipt_REDIRECT...OK Testing iptable_nat/ipt_DNAT...OK RESULT: csf should function on this server
Step 3. Configure CSF.
The default CSF configuration file is located in /etc/csf a directory. You can configure the required parameters for CSF with the following command below:
nano /etc/csf/csf.conf
Make the following changes as per your requirements:
#Enable CSF TESTING = "0" # Allow incoming TCP ports TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995" # Allow outgoing TCP ports TCP_OUT = "20,21,22,25,53,80,110,113,443,587,993,995" # Allow incoming UDP ports UDP_IN = "20,21,53" # Allow outgoing UDP ports # To allow outgoing traceroute add 33434:33523 to this list UDP_OUT = "20,21,53,113,123" # Allow incoming PING ICMP_IN = "1" # Set the per IP address incoming ICMP packet rate # To disable rate limiting set to "0" ICMP_IN_RATE = "1/s" # Allow outgoing PING ICMP_OUT = "1"
Save and close the file, then reload the CSF firewall with the following command:
csf -r
To start the CSF and enable it to start at system reboot, run the following command:
sudo systemctl start csf sudo systemctl enable csf
Congratulations! You have successfully installed CSF. Thanks for using this tutorial for installing the latest version of the ConfigServer Security & Firewall (CSF) on Debian 11 Bullseye. For additional help or useful information, we recommend you check the official CSF website.
