CSF Profiles: storing and applying firewall configs

I just found this feature of CSF, and it occurred to me that not only was it useful for changing the firewall config of your computer from one state to another (Home vs Office vs Coffeeshop for eg), but it could also be used to copy the config to a similar server: you'd just load the default config, and then apply the profile to it, saving quite a bit of editing.

So here's how it works. You can see what profiles are configured with

csf --profile list
 Configuration Profiles

 Configuration Backups
 1576828573_pre_test_ports (Fri Dec 20 15:56:13 2019)
 1576828522_pre_test_allowallout (Fri Dec 20 15:55:22 2019)
 1576828448_pre_test_ports (Fri Dec 20 15:54:08 2019)
 1576493886_standard (Mon Dec 16 18:58:06 2019)
 1573039570_pre_v13_08_upgrade (Wed Nov  6 19:26:10 2019)
 1571124409_pre_v13_07_upgrade (Tue Oct 15 15:26:49 2019)
 1569225231_pre_v13_06_upgrade (Mon Sep 23 15:53:51 2019)

Here we see the available configuration profiles (the ones not beginning with test_are shipped with csf), which reside in /usr/local/csf/profiles. There are also backups of configs, which are made automatically every time you upgrade or apply a config. (Note, you can manage these with csf –profile keep x, to delete all but the last x backups.) Incidentally backups live in /var/lib/csf/backup/

Now, there's also a diff command, which will compare a configuration against the current running config, and this will tell us what we've changed since we installed csf, if we run it against the reset_to_defaults profile!

csf --profile diff reset_to_defaults 
[BIND_LOG]	[/var/log/messages]	[/var/log/syslog]
[CC_INTERVAL]	[14]	[7]
[IMAPD_LOG]	[/var/log/maillog]	[/var/log/dovecot.log]
[IP]	[/sbin/ip]	[/bin/ip]
[IPSET]	[/usr/sbin/ipset]	[/sbin/ipset]
[IPTABLES_LOG]	[/var/log/messages]	[/var/log/syslog]
[POP3D_LOG]	[/var/log/maillog]	[/var/log/dovecot.log]
... etc. 

The first field is the config item, the second is the default value, and the third is the current value. So we can actually use this to generate a profile. I ran it through some sketchy sed and awk commands, which may or may not work for you. Otherwise do a few search and replaces in a text editor, or even hack it manually if the diff is short enough. Well this was my hacking, to get it in the right format for a profile file:

sudo csf --profile diff reset_to_defaults | sed '/\[SETTING\]/d' | awk '{ print $1 " = " $3}' | sed 's/\[//' | sed 's/\]//' | sed 's/\[/\"/' | sed 's/\]/\"/' > newprofile.conf

It's not pretty, it will probably break for you, but it did the job for me.
Check the profile, add a comment if you want with a # in front of it, and then move it to /usr/local/csf/profile, on whichever machine you want to use it on. I was using this method to copy the config from one similar webserver to another. Once its in place, just run:

csf --profile apply newprofile.conf
Creating backup...
'/etc/csf/csf.conf' -> '/var/lib/csf/backup/1576830923_pre_newprofile'
Applying profile...
[newprofile] has been applied. You should now restart csf and then lfd

Note that it creates a backup, so you can roll back to that one if you need … always supposing you didn't lock yourself out of the machine.

Leave a Comment