How to Install CSF Firewall on Debian 11

ConfigServer Firewall (CSF) is a Firewall for Linux servers and BSD systems to control the inbound and outbound traffic. Before we go into specific details about CSF, let's understand what a firewall is and how it works.

A firewall acts as a shield that protects the system from an outside attack. A few of them are stateful firewalls, circuit-level gateways, UDP/ICMP-filtering firewalls, or application-layer filters.

The firewall comes with a set of rules to filter the incoming and outgoing traffic. And depending on what kind of Firewall you are using, it decides whether an IP is allowed to access the network or not. The list of rules is defined for a particular system, and the firewall filters traffic as per the rules.

ConfigServer Firewall (CSF) is one of the most widely used open-source firewalls in Linux servers. CSF comes with a list of features that can be used to configure the rules. Hence it is very powerful and easy to use at the same time.


In order to install and configure CSF on Debian 11, you must have:

  • A server running Debian 11 and your system should be connected to the internet.
  • Root access to the server.

Updating your System

Before installing ConfigServer Firewall, you should update your system. Run the command below to update your system.

sudo apt update

Once the update is complete, run the following commands to install the required dependencies.

sudo apt install libio-socket-inet6-perl libsocket6-perl -y
sudo apt install sendmail dnsutils unzip libio-socket-ssl-perl -y
sudo apt install libcrypt-ssleay-perl git perl iptables libnet-libidn-perl -y

In case you have a previous version of CSF installed in your system, run the following command to uninstall it first. As Debian 11 uses a new version of Perl, the CSF installation can cause conflicts with the existing CSF installation.

cd /etc/csf &&  sh 

If you're using another firewall configuration script like UFW, you should turn them off before continuing.

sudo ufw disable

Installing CSF Firewall on Debian 11

Now that you have installed all the necessary prerequisites, let's download and install the CSF firewall.

The Debian 11 repository does not contain CSF packages. Hence, you need to download the latest version of ConfigServer firewall from their official site.

To do that, issue the following command.


Now ru the command below to extract the downloaded file.

sudo tar -xvzf csf.tgz

Once you have extracted the file, install CSF using the following command.

cd csf && sh

Once the installation is complete, the firewall should be now installed. To start CSF firewall, run the following command.

sudo systemctl start csf

Run the command below to make sure everything is fine.

perl /usr/local/csf/bin/

You will get an output as shown below. This output confirms that CSF is up and running.

Installing CSF Firewall on Debian 11

To enable CSF firewall to start on boot, run the following command.

sudo systemctl enable csf

You can check the status of CSF using the command below.

sudo systemctl status csf

This output confirms that CSF is up and running. Now let's configure this firewall.

Sample output: 

Installing CSF Firewall on Debian 11

Configuring CSF Firewall on Debian 11

Once you have installed the CSF firewall, the default rules are active which comes with a configuration file /etc/csf/csf.conf

You should review this configuration file to make sure that it is configured as per your needs. In this file, you can see all the default rules which are active from your system's perspective. Let's take a closer look at some of them.

sudo nano /etc/csf/csf.conf

The fewer the number of open ports, the more secure the system is. But you should always have some common ports open. You can see all the ports which are open by default, in csf.conf file as shown below.

Configuring CSF Firewall on Debian 11

As you can see in the configuration file, if you want to allow/block any port, you should add/remove the port number in the list respectively.

For example, if you want to block port 80, then it should be removed from the list, as shown below.

Configuring CSF Firewall on Debian 11

If you are using IPv6, you should also update it in the configuration file as most of the attacks nowadays are done over IPv6 protocol. You should configure TCP6_IN, TCP6_OUT similarly to what we have configured for IPv4 ports above.

Sample output: 

Configuring CSF Firewall on Debian 11

Now let's configure the CONNLIMIT settings. CONNLIMIT is a security feature in CSF that allows you to limit the number of concurrent a remote connection can have on a specific port. This helps in mitigating the risk of DoS/DDoS attacks.

For example, if you want to limit any IP with no more than 3 concurrent connections, then you should update it as shown below. This setting would allow only 3 concurrent connections on port 22 and 3 concurrent connections on port 443.

Configuring CSF Firewall on Debian 11

Next, let's configure the PORTFLOOD settings. This option allows us to configure the maximum number of connection requests allowed on a port within a certain time frame.

For example, if you want to block any IP if more than 3 connections are established on port 443 using TCP protocol within 60 seconds, you should update it as shown below. The block will automatically be removed once the 60-second time frame is over since the last connection.

Configuring CSF Firewall on Debian 11

The most basic feature of any firewall is to block and allow IP addresses. You can add the IP address you want to block by manually adding them in csf.deny file or you can add an entire range of IPs in the csf.deny file.

For example, you can block all the IP range.


You can block a single IP of by adding it in the csf.deny file as shown below.

Open the csf.deny file with the following command.

sudo nano /etc/csf/csf.deny

Add the following lines to the bottom of the file. One line at a time.

Sample output: 

Configuring CSF Firewall on Debian 11

Once you are done, save and close the file by hitting CTRL+X, Y, and Enter.

One's opposite to the csf.deny file, the csf.allow file is used to exclude an IP or range of IPs from all the filters. Note that even if you already added an IP to the csf.deny file, the blocked IP address is still allowed to access your server by adding it in the csf.allow file.

sudo nano /etc/csf/csf.allow

CSF offers a wide variety of options to set up your own firewall, which is beyond the scope of this tutorial. You can consult the ConfigServer documentation about the settings and how they work.

Once you finish updating all the required settings, save and close the csf.conf file by hitting CTRL+X, Y, and Enter.

CSF also offers a feature of ignoring an IP address from any filter. Unlike allowing an IP address in the csf.allow file, you can not ignore an IP address if it was listed in the csf.deny file.

sudo nano /etc/csf/csf.ignore

Now that you have configured all the settings in the csf.conf file, it is time to update the ruleset to apply the changes.

To do that, run the following command.

sudo csf -r

Once the execution of the above command is complete, you will be able to see a message as shown in the following screenshot. If no error messages are displayed, congratulations! Your server's firewall configuration is now updated and ready for use.

Configuring CSF Firewall on Debian 11 5


In this tutorial, you have learned how to install ConfigServer Security & Firewall (CSF) on a Debian 11 server. You have also learned how to create firewall rules, adding IPs to both allowed and blocked lists using CSF configuration files.

If you encounter any issue, you can always refer the ConfigServer Firewall documentation for more information.

Share this page:

Suggested articles

2 Comment(s)

Add comment


By: Mike C

why use an iptables based framework? Shouldn't we upgrade to nftables?

By: Marco

Hi, why install a a software based on iptables on Debian 11?