How to Install CSF Firewall on Debian 11

Install CSF Firewall on Debian 11

In this article, we will have explained the necessary steps to install CSF Firewall on Debian 11. Before continuing with this tutorial, make sure you are logged in as a user with sudo privileges. All the commands in this tutorial should be run as a non-root user.

ConfigServer Security & Firewall (CSF) is a free and advanced firewall management tool based on iptables. In addition to the basic functionality of a firewall, filtering packets, CSF includes other security features, such as login/intrusion/flood detections. One of the very nice features of CSF is that it provides a built-in web UI for managing the firewall from a web browser. This UI integration is supported by cPanel, DirectAdmin, as well as working independently on your server.

Install CSF Firewall on Debian 11

Step 1. The first command will update the package lists to ensure you get the latest version and dependencies.

sudo apt update
sudo apt upgrade
sudo apt install libio-socket-inet6-perl libsocket6-perl
sudo apt install sendmail dnsutils unzip libio-socket-ssl-perl
sudo apt install libcrypt-ssleay-perl git perl iptables libnet-libidn-perl

Step 2. Install CSF Firewall on Debian 11 Bullseye system.

Download the latest version of Config Server Firewall (or CSF) from their official site:


Once downloaded file, extracted before it can be used:

sudo tar -xvzf csf.tgz

Next, install CSF Firewall using the following command:

cd csf

The installation of the firewall is complete, but it is best to check if the iptables modules are available which are required for proper functioning on CSF. You can do that with the command:

perl /usr/local/csf/bin/

After that, enable CSF firewall to start on boot, run the following command:

sudo systemctl start csf
sudo systemctl enable csf

Step 3. Configuration CSF.

CSF can be configured by editing its configuration filecsf.conf in /etc/csf:

sudo nano /etc/csf/csf.conf

Modify the following lines:

#For testing environment the value should be TESTING = "1" and for production environment, the value should be TESTING = "0".
#To enable log 
# Allow incoming TCP ports
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995"
# Allow outgoing TCP ports
TCP_OUT = "20,21,22,25,53,80,110,113,443,587,993,995"
# Allow incoming UDP ports
UDP_IN = "20,21,53"
# Allow outgoing UDP ports
# To allow outgoing traceroute add 33434:33523 to this list 
UDP_OUT = "20,21,53,113,123"

Now that you have configured all the settings in the csf.conf file, it is time to update the ruleset to apply the changes.

sudo csf -r


Install CSF Firewall on Debian 11

That’s all you need to do to install the CSF Firewall on Debian (Bullseye). I hope you find this quick tip helpful. For further reading CSF Firewall on Debian’s system, please refer to their official knowledge base. If you have questions or suggestions, feel free to leave a comment below.