Block IP - Is a CSF Reload Needed?
Posted: 16 May 2017, 22:56
by nigelpeck
I am looking at how to block IP addresses with CSF, and find that the following command suits my needs:
Code:
sudo csf -d 10.0.0.1 do not delete
The response that I get back from CSF seems to indicate that this has been added to iptables:
Code:
Adding 10.0.0.1 to csf.deny and iptables DROP...
DROP all opt -- in !lo out * 10.0.0.1 -> 0.0.0.0/0
LOGDROPOUT all opt -- in * out !lo 0.0.0.0/0 -> 10.0.0.1
...which sounds like "csf -r" is not needed, although this question on SO says otherwise. Is that correct? I don't need to reload csf after blocking an IP in this way?
Thanks.
Re: Block IP - Is a CSF Reload Needed?
Posted: 17 May 2017, 08:49
by ForumAdmin
No, you do not need to restart csf after using the CLI commands to deny/allow IPs.
Re: Block IP - Is a CSF Reload Needed?
Posted: 17 May 2017, 22:05
by nigelpeck
ForumAdmin wrote: ↑17 May 2017, 08:49
No, you do not need to restart csf after using the CLI commands to deny/allow IPs.
Thanks, that's good to know.
Re: Block IP - Is a CSF Reload Needed?
Posted: 02 Jul 2019, 07:35
by DanoGeorge
ForumAdmin wrote:
No, you do not need to restart csf after using the CLI commands to deny/allow IPs.
Hello,
Will an IP still be blocked by lfd when I allow the IP? How can I make lfd ignore IP addresses in the csf.allow file? Thanks.
Re: Block IP - Is a CSF Reload Needed?
Posted: 02 Dec 2020, 01:00
by MaXi32
I can confirm to you that when using csf -dr, you also need to restart csf, especially if the blocking rule is in CIDR form. For example, try to remove 1.1.1.0/24 from the list:
csf -dr 1.1.1.0/24
Now, if you don't restart and you try to add the same network CIDR:
csf -d 1.1.1.0/24
and csf will complain that the CIDR is already in the deny list, but it isn't.
I cannot reproduce this yet, but this happens randomly. So restarting should be safe.
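An added example, not part of any post in this thread and not csf's own code: one way to check the question raised above is to compare the plain IP/CIDR entries in csf.deny against the source-address DROP rules actually loaded in iptables, and report entries that exist on only one side. The sample file contents, the rule lines and the chain names in them are constructed for illustration; the function names are hypothetical.

```python
import ipaddress
import re

# Matches a rule in `iptables -S` style that drops traffic from a source address.
SRC_DROP = re.compile(r"(?<!!) -s (\S+).*-j DROP\b")

def parse_csf_deny(text):
    """Plain IP/CIDR entries of a csf.deny file as a set of networks."""
    nets = set()
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip()   # drop the trailing comment
        # Skip blanks, advanced filters (proto|dir|port|ip) and Include lines.
        if not entry or "|" in entry or entry.lower().startswith("include"):
            continue
        try:
            nets.add(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            continue                             # not an address, ignore
    return nets

def parse_iptables_drops(rules):
    """Source networks of the DROP rules found in `iptables -S` style output."""
    nets = set()
    for line in rules.splitlines():
        m = SRC_DROP.search(line)
        if m:
            nets.add(ipaddress.ip_network(m.group(1), strict=False))
    return nets

def deny_drift(deny_text, rules_text):
    """Return (listed but not loaded, loaded but not listed) as sorted strings."""
    listed = parse_csf_deny(deny_text)
    live = parse_iptables_drops(rules_text)
    return (sorted(map(str, listed - live)), sorted(map(str, live - listed)))

# Constructed sample data, not taken from a real server.
SAMPLE_DENY = """# constructed sample csf.deny
10.0.0.1 # do not delete - Tue May 16 22:56:00 2017
203.0.113.0/24 # constructed entry
tcp|in|d=22|s=198.51.100.7
"""
SAMPLE_RULES = """-A DENYIN -s 10.0.0.1/32 ! -i lo -j DROP
-A DENYOUT -d 10.0.0.1/32 ! -o lo -j LOGDROPOUT
-A DENYIN -s 1.1.1.0/24 ! -i lo -j DROP
"""

if __name__ == "__main__":
    missing, stale = deny_drift(SAMPLE_DENY, SAMPLE_RULES)
    print("in csf.deny but not in iptables:", missing)
    print("in iptables but not in csf.deny:", stale)
```

On a real host the two inputs would be the contents of the deny file (assumed here to be /etc/csf/csf.deny) and the output of `iptables -S`; an empty result on both sides means the file and the loaded rules agree.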