Block IP - Is a CSF Reload Needed?

[nigelpeck]

I am looking at how to block IP addresses with CSF, and find that the following command suits my needs:

Code: Select all

sudo csf -d 10.0.0.1 do not delete

The response that I get back from CSF seems to indicate that this has been added to iptables:

Code: Select all

Adding 10.0.0.1 to csf.deny and iptables DROP...
DROP  all opt -- in !lo out *  10.0.0.1  -> 0.0.0.0/0  
LOGDROPOUT  all opt -- in * out !lo  0.0.0.0/0  -> 10.0.0.1 

...which sounds like "csf -r" is not needed. Although this question on SO says otherwise. Is that correct? I don't need to reload csf after blocking an IP in this way?

Thanks.

[ForumAdmin]

No, you do not need to restart csf after using the CLI commands to deny/allow IPs.

[nigelpeck]

No, you do not need to restart csf after using the CLI commands to deny/allow IPs.

Thanks, that's good to know.

[DanoGeorge]

ForumAdmin wrote:
No, you do not need to restart csf after using the CLI commands to deny/allow IPs. essaytyper

Hello,

Will IP still be blocked by lfd, when I allow IP? How can I make lfd ignore IP addresses in the csf.allow file? Thanks.

[MaXi32]

I can confirm to you that using csf -dr, you also need to restart csf epecially if the blocking rule is in CIDR form. For example try to remove 1.1.1.0/24 from the list,

csf -dr 1.1.1.0/24

now if you don't restart you try to add the same network CIDR:

csf -d 1.1.1.0/24

and csf will complain that CIDR is already in deny list but it doesn't.

I cannot reproduce this yet but this happen randomly. So restarting should be safe.