How To Install CSF Firewall on Debian 11

Install CSF Firewall on Debian 11

In this tutorial, we will show you how to install CSF Firewall on Debian 11. For those of you who didn’t know, CSF is also known as “Config Server Firewall” is a free and advanced firewall for Linux systems. We should use ConfigServer Security & Firewall (CSF) since this CSF have more advanced and comprehensive features than other firewall application such as UFW, Firewalld, or Iptables. Compared to the other Linux firewall application, CSF is more user-friendly and effective which is mostly used by web hosting providers.

This article assumes you have at least basic knowledge of Linux, know how to use the shell, and most importantly, you host your site on your own VPS. The installation is quite simple and assumes you are running in the root account, if not you may need to add ‘sudo‘ to the commands to get root privileges. I will show you through the step-by-step installation of the ConfigServer Security & Firewall (CSF) on a Debian 11 (Bullseye).

Install CSF Firewall on Debian 11 Bullseye

Step 1. Before we install any software, it’s important to make sure your system is up to date by running the following apt commands in the terminal:

sudo apt update
sudo apt upgrade
sudo apt install sendmail dnsutils unzip libio-socket-ssl-perl libcrypt-ssleay-perl git perl iptables libnet-libidn-perl libio-socket-inet6-perl libsocket6-perl

Step 2. Installing CSF Firewall on Debian 11.

By default, the CSF packages are not available on the Debian 11 base repository. Now we download the latest version of CSF from the official page:


Next, unpack the downloaded file with the following command:

tar -xvzf csf.tgz

Move to a directory and run the script to install CSF in your Debian system:

cd csf

Once CSF is installed, you will need to verify whether all of the required firewall modules are available or not. You can verify it with the following command:

perl /usr/local/csf/bin/


Testing ip_tables/iptable_filter...OK
Testing ipt_LOG...OK
Testing ipt_multiport/xt_multiport...OK
Testing ipt_REJECT...OK
Testing ipt_state/xt_state...OK
Testing ipt_limit/xt_limit...OK
Testing ipt_recent...OK
Testing xt_connlimit...OK
Testing ipt_owner/xt_owner...OK
Testing iptable_nat/ipt_REDIRECT...OK
Testing iptable_nat/ipt_DNAT...OK

RESULT: csf should function on this server

Step 3. Configure CSF.

The default CSF configuration file is located in /etc/csf a directory. You can configure the required parameters for CSF with the following command below:

nano /etc/csf/csf.conf

Make the following changes as per your requirements:

 #Enable CSF TESTING = "0"# Allow incoming TCP portsTCP_IN= "20,21,22,25,53,80,110,143,443,465,587,993,995"# Allow outgoing TCP portsTCP_OUT= "20,21,22,25,53,80,110,113,443,587,993,995"# Allow incoming UDP portsUDP_IN= "20,21,53"# Allow outgoing UDP ports# To allow outgoing traceroute add 33434:33523 to this listUDP_OUT= "20,21,53,113,123"# Allow incoming PINGICMP_IN= "1"# Set the per IP address incoming ICMP packet rate# To disable rate limiting set to "0"ICMP_IN_RATE= "1/s"# Allow outgoing PINGICMP_OUT= "1"

Save and close the file, then reload the CSF firewall with the following command:

csf -r

To start the CSF and enable it to start at system reboot, run the following command:

sudo systemctl start csf
sudo systemctl enable csf

Congratulations! You have successfully installed CSF. Thanks for using this tutorial for installing the latest version of the ConfigServer Security & Firewall (CSF) on Debian 11 Bullseye. For additional help or useful information, we recommend you check the official CSF website.

VPS Manage Service Offer
If you don’t have time to do all of this stuff, or if this is not your area of expertise, we offer a service to do “VPS Manage Service Offer”, starting from $10 (Paypal payment). Please contact us to get the best deal!