PanelAlpha Documentation
Back Home
Live Demo Get Started

Firewall (CSF)

Documentation

    # Firewall (CSF)

    • Overview
    • CSF Status
    • CSF Web UI
      • Accessing CSF Web UI
      • Common CSF Features
    • Firewall Rules
      • Allow Rules
      • Deny Rules
      • CSF Rule Prefix Reference
      • Example Rules
    • Managing Rules
      • Adding New Rules
      • Editing Rules
      • Deleting Rules
    • Configuration Warnings
    • Common Ports to Configure

    The Firewall (CSF) tab provides direct access to ConfigServer Security & Firewall (CSF), a powerful security tool for managing firewall rules on your PanelAlpha Engine server.

    # Overview

    CSF (ConfigServer Security & Firewall) is a stateful packet inspection (SPI) firewall that provides:

    • Inbound and outbound traffic filtering
    • Port management and access control
    • IP-based allow and deny lists
    • Intrusion detection
    • Automated security responses

    For upstream details, see the official ConfigServer Security & Firewall (opens new window) site.

    # CSF Status

    At the top of the Firewall page, you will see the current status:

    • Status — shows if CSF is Enabled or Disabled
    • Version — current CSF version (for example, csf v14.24 (generic))
    • Control Buttons:
      • Disable — temporarily disable the firewall
      • Restart — restart CSF to apply configuration changes

    Warning: Disabling the firewall exposes all services to public traffic. Re-enable as soon as possible.

    # CSF Web UI

    PanelAlpha integrates the native CSF Web UI directly into the interface:

    # Accessing CSF Web UI

    The embedded interface displays:

    • ConfigServer Security & Firewall header with version
    • Firewall Status — real-time status indicator (for example, "Enabled and Running")
    • Configuration Warnings — important notices about firewall configuration

    You can enlarge or shrink the iframe so the native UI fits your workspace. Controls automatically show a loading state when CSF is restarting.

    # Common CSF Features

    Through the CSF Web UI, you can:

    1. Manage Firewall Rules — configure port access and protocols
    2. Control IP Access — add IPs to allow or deny lists
    3. View Logs — monitor firewall activity and blocked attempts
    4. Configure Settings — adjust security parameters
    5. Test Configuration — validate firewall rules before applying

    # Firewall Rules

    # Allow Rules

    Allow rules permit specific traffic to reach your server:

    • Target — IP address or range to allow (for example, 91.192.166.30, 172.18.0.1/16)
    • Comment — description of the rule (for example, "csf SSH installation/upgrade IP address")
    • Protocol — traffic protocol (UDP, TCP, etc.)
    • Direction — inbound or outbound (arrows indicate: ← Incoming, → Outgoing)
    • Port — specific port or port range (for example, D = 3)
    • Actions — edit or delete the rule

    The table header includes a search box and sortable columns. Each row has its own checkbox so you can select multiple rules before deleting or editing. Target values that use advanced prefixes (for example, s=, d=, u=) are rendered as colored chips for quick scanning.

    # Deny Rules

    Deny rules block specific traffic from reaching your server:

    • Target — IP address or range to block
    • Comment — reason for blocking
    • Protocol — traffic protocol to block
    • Direction — inbound or outbound
    • Port — port number to block (for example, D = 22)
    • Actions — edit or delete the rule

    Filters remain applied when you switch between the allow and deny tables, so you can continue working on the same IP without retyping it.

    # CSF Rule Prefix Reference

    Rule lines in csf.allow/csf.deny use the standard ConfigServer CSF format:

    protocol|direction|<s=|d=>port|<s=|d=|u=>target

    The s= and d= prefixes are positional:

    • In the port field: s= = source port, d= = destination port
    • In the target field: s= = source address, d= = destination address

    The u= prefix (user/UID) is only valid in the target field.

    For the full CSF rule syntax, see the official ConfigServer CSF documentation (opens new window).

    # Example Rules

    Allow SSH from specific IP:

    • Target: 91.192.166.30
    • Comment: "csf SSH installation/upgrade IP address"
    • Direction: Any
    • Port: Default

    Allow UDP traffic:

    • Target: $ = 4324
    • Comment: "Sample UDP rule"
    • Protocol: UDP
    • Direction: → Outgoing
    • Port: D = 3

    Block incoming traffic:

    • Target: 192.168.1.10
    • Comment: "Blocked suspicious IP"
    • Direction: ← Incoming
    • Port: D = 22

    # Managing Rules

    # Adding New Rules

    1. Click "+ New Allow Rule" or "+ New Deny Rule" (green button).
    2. Enter the target IP or IP range.
    3. Add a descriptive comment.
    4. Select protocol and direction.
    5. Specify port (if applicable).
    6. Click Save or Apply.

    # Editing Rules

    1. Click the edit icon (pencil) in the Actions column.
    2. Update the rule parameters.
    3. Save changes.
    4. Restart CSF to apply changes.

    # Deleting Rules

    1. Click the delete icon (trash) in the Actions column.
    2. Confirm the deletion.
    3. Restart CSF if prompted.

    # Configuration Warnings

    Pay attention to warnings displayed in the CSF Web UI.

    Example Warning:

    WARNING: RESTRICT_SYSLOG is disabled. See SECURITY WARNING in Firewall Configuration

    These warnings indicate potential security concerns or misconfigurations that should be addressed.

    # Common Ports to Configure

    When setting up your firewall, consider these common ports:

    • 22 — SSH access
    • 80 — HTTP (web traffic)
    • 443 — HTTPS (secure web traffic)
    • 21 — FTP
    • 30000–30009 — FTP passive mode range (for PanelAlpha Engine)
    • 2222 — SFTP (for PanelAlpha Engine)
    • 2011 — PanelAlpha Engine communication port
    • 25, 465, 587 — SMTP (email)
    • 110, 995 — POP3 (email)
    • 143, 993 — IMAP (email)