CSF Profiles: storing and applying firewall configs

I just found this feature of CSF, and it occurred to me that not only was it useful for changing the firewall config of your machine from one state to another (Home vs Office vs Coffeeshop, for example), but it could also be used to copy the config to a similar server: you'd just load the default config, and then apply the profile to it, saving quite a bit of editing.

So here's how it works. You can see what profiles are configured with

csf --profile list
 Configuration Profiles
 block_all_perm
 block_all_temp
 disable_alerts
 test_allowallout
 test_ports
 protection_high
 protection_low
 protection_medium
 reset_to_defaults

 Configuration Backups
 1576828573_pre_test_ports (Fri Dec 20 15:56:13 2019)
 1576828522_pre_test_allowallout (Fri Dec 20 15:55:22 2019)
 1576828448_pre_test_ports (Fri Dec 20 15:54:08 2019)
 1576493886_standard (Mon Dec 16 18:58:06 2019)
 1573039570_pre_v13_08_upgrade (Wed Nov  6 19:26:10 2019)
 1571124409_pre_v13_07_upgrade (Tue Oct 15 15:26:49 2019)
 1569225231_pre_v13_06_upgrade (Mon Sep 23 15:53:51 2019)

Here we see the available configuration profiles (the ones not beginning with test_ are shipped with csf), which live in /usr/local/csf/profiles/. Below them are the configuration backups, which csf makes automatically every time you upgrade or apply a profile; these live in /var/lib/csf/backup/. You can prune them with csf --profile keep x, which deletes all but the last x backups.

Now, there's also a diff command, which compares a profile against the current csf.conf. Run it against the reset_to_defaults profile and it tells us everything we've changed since we installed csf:

csf --profile diff reset_to_defaults 
[BIND_LOG]	[/var/log/messages]	[/var/log/syslog]
[CC_INTERVAL]	[14]	[7]
[IMAPD_LOG]	[/var/log/maillog]	[/var/log/dovecot.log]
[IP]	[/sbin/ip]	[/bin/ip]
[IPSET]	[/usr/sbin/ipset]	[/sbin/ipset]
[IPTABLES_LOG]	[/var/log/messages]	[/var/log/syslog]
[LF_DISTATTACK]	[0]	[1]
[POP3D_LOG]	[/var/log/maillog]	[/var/log/dovecot.log]
... etc. 

The first field is the config item, the second is the value in the profile (here, the default) and the third is the current value. So the profile we want is just field one = field three, with the square brackets swapped for quotes and the header line (the one containing [SETTING]) dropped: we can use the diff to generate a profile. I ran it through some sketchy sed and awk commands, which may or may not work for you. Otherwise do a few search and replaces in a text editor, or even hack it manually if the diff is short enough. Well, this was my hacking, to get it in the right format for a profile file:

sudo csf --profile diff reset_to_defaults | sed '/\[SETTING\]/d' \
  | awk -F'\t' '{ n = $1; v = $3; gsub(/^\[|]$/, "", n); gsub(/^\[|]$/, "", v); print n " = \"" v "\"" }' > newprofile.conf

It's not pretty, it will probably break for you, but it did the job for me.
Check the profile, add a comment if you want (lines starting with # are ignored), and then copy it to /usr/local/csf/profiles/ on whichever machine you want to use it on. Only the settings listed in the profile are changed when it is applied; everything else in that machine's csf.conf stays as it was. I was using this method to copy the config from one similar webserver to another. Once it's in place, just run:

csf --profile apply newprofile.conf
Creating backup...
'/etc/csf/csf.conf' -> '/var/lib/csf/backup/1576830923_pre_newprofile'
Applying profile...
[newprofile] has been applied. You should now restart csf and then lfd

Note that it creates a backup first, so you can roll back with csf --profile restore 1576830923_pre_newprofile if you need to ... always supposing you didn't lock yourself out of the machine. Before applying a profile over SSH, check that any TCP_IN it carries still includes the port you are connected on, and remember that nothing takes effect until you restart csf and then lfd. If you are unsure, set TESTING = "1" in the profile: lfd will then refuse to start and csf's cron job flushes the rules every TESTING_INTERVAL minutes, so a mistake cannot lock you out for long.
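Putting the whole conversion together, as an added example that is not part of the original post or of csf itself: a POSIX shell script that turns the diff output into a profile file and refuses to write one that would drop your SSH port from TCP_IN. The sample diff output is constructed from the columns shown above; the [SETTING] header line, the tab separators and csf's start:end port-range syntax are assumptions about csf's output and config format, as is the hypothetical sample_diff function standing in for sudo csf --profile diff reset_to_defaults.

```shell
#!/bin/sh
# Added example, not from the original post or from csf: build a csf profile
# from `csf --profile diff` output and sanity-check it before applying.

# Constructed stand-in for `sudo csf --profile diff reset_to_defaults`.
# Assumed: a [SETTING] header line, tab-separated columns
# [NAME] [profile value] [current value], and csf's start:end port ranges.
sample_diff() {
  printf '%s\t%s\t%s\n' \
    '[SETTING]'       '[reset_to_defaults]'  '[csf.conf]' \
    '[BIND_LOG]'      '[/var/log/messages]'  '[/var/log/syslog]' \
    '[CC_INTERVAL]'   '[14]'                 '[7]' \
    '[LF_DISTATTACK]' '[0]'                  '[1]' \
    '[TCP_IN]' '[20,21,22,25,53,80,110,143,443,465,587,993,995]' '[22,80,443,30000:35000]' \
    '[LF_ALERT_TO]'   '[]'                   '[ops@example.com]'
}

# stdin: diff output; stdout: profile lines of the form NAME = "current value".
# Splitting on tabs keeps values that contain spaces intact.
diff_to_profile() {
  awk -F'\t' '
    /^\[SETTING]/ { next }                  # column header, not a setting
    NF >= 3 {
      name = $1; value = $3
      sub(/^\[/, "", name);  sub(/]$/, "", name)
      sub(/^\[/, "", value); sub(/]$/, "", value)
      printf "%s = \"%s\"\n", name, value
    }'
}

# Print the value the profile sets for KEY; prints nothing if the profile
# leaves KEY alone (apply only changes the settings a profile lists).
profile_value() {  # $1 = profile file, $2 = key
  awk -F' = ' -v k="$2" '$1 == k { v = $2; gsub(/^"|"$/, "", v); print v }' "$1"
}

# Succeed if PORT stays reachable after apply: either the profile does not
# touch TCP_IN, or its TCP_IN lists PORT (singly or inside a start:end range).
profile_keeps_port() {  # $1 = profile file, $2 = TCP port
  tcp_in=$(profile_value "$1" TCP_IN)
  if [ -z "$tcp_in" ]; then
    return 0
  fi
  printf '%s\n' "$tcp_in" | awk -F',' -v p="$2" '
    {
      for (i = 1; i <= NF; i++) {
        if (split($i, r, ":") == 2) {
          if (p + 0 >= r[1] + 0 && p + 0 <= r[2] + 0) ok = 1
        } else if ($i == p) {
          ok = 1
        }
      }
    }
    END { exit ok ? 0 : 1 }'
}

# Demo on the constructed sample: write the profile, but refuse to produce one
# that would drop the port this SSH session is using.
SSH_PORT=${SSH_PORT:-22}
OUT=${1:-newprofile.conf}
sample_diff | diff_to_profile > "$OUT"
if profile_keeps_port "$OUT" "$SSH_PORT"; then
  echo "wrote $OUT; copy it to /usr/local/csf/profiles/ and run: csf --profile apply ${OUT%.conf}"
else
  echo "refusing: $OUT would drop TCP port $SSH_PORT from TCP_IN" >&2
  exit 1
fi
```

On a real host, pipe the csf diff straight into diff_to_profile instead of calling sample_diff, and set SSH_PORT if sshd does not listen on 22. The port check only inspects TCP_IN; a profile that leaves TCP_IN out passes, since apply then keeps whatever the target machine already allows.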
