Firewall

A firewall is your server’s bouncer. It controls which IPs/ports are allowed in; the rest stay out. This server uses CSF (ConfigServer Security & Firewall) with LFD (Login Failure Daemon) — CSF enforces rules; LFD tails logs and auto-blocks abuse (e.g., brute-force logins).

1) What CSF + LFD give you
  • Default-deny posture: Only the ports you explicitly open (e.g., 80/443/your SSH port) are reachable.
  • Automatic protection: LFD detects suspicious activity and instructs CSF to block offenders.
  • Smart lists: Allow (always permit), Deny (always block), Temporary Deny (time-limited), Ignore (exempt from LFD auto-blocks).
  • Actionable alerts: Email notifications you can tune (sender, recipients, content).
2) Before you start (quick safety)
  1. Whitelist yourself: Add your office/VPN IP to Allowed IPs or Ignored IPs so you don’t lock yourself out.
  2. Confirm open ports: Enable only the services you use (Web 80/443, your SSH port, mail ports if needed).
  3. Set alert recipients: Point firewall emails to a monitored inbox.
3) Everyday tasks (step-by-step)
  1. Allow a trusted IP/CIDR
    • Go to Allowed IPs ▶ add IP/CIDR ▶ add a brief comment ▶ Save.
  2. Temporarily block a noisy host
    • Go to Temporary Deny ▶ enter IP ▶ set duration (e.g., 3600 seconds) ▶ comment ▶ Block IP.
  3. Permanently block a repeat offender
    • Go to Permanent Deny ▶ add IP/CIDR ▶ comment ▶ Block IP.
  4. Prevent auto-blocks for a trusted source
    • Go to Ignored IPs ▶ add IP/CIDR ▶ comment ▶ Ignore IP (CSF still enforces open-port policy; LFD won’t auto-block).
  5. Adjust core rules
    • Open Configuration ▶ review ports/limits ▶ Save & Apply to safely restart CSF/LFD.
4) The four lists at a glance
  • Allowed IPs (csf.allow) — always permitted (subject to open ports).
  • Permanent Deny (csf.deny) — always blocked.
  • Temporary Deny — timed blocks managed by CSF/LFD; they expire automatically.
  • Ignored IPs (csf.ignore) — LFD will not auto-block; CSF rules still apply.
5) Email alerts & templates
  • Set the From and To addresses you monitor.
  • Templates (e.g., alert.txt, sshalert.txt) can be edited to add context for your team.
6) Good habits (recommended)
  • Least privilege: Keep only required ports open; review regularly.
  • Temp before perm: Start with temporary blocks; make them permanent only if abuse continues.
  • Leave comments: Note why you added a rule for quick audits later.
  • Use Ignore sparingly: Reserve for trusted systems that may look “noisy” to LFD (monitoring, scanners, etc.).
  • Pair with app security: Firewalls help, but you still need strong passwords, 2FA, and timely updates.
7) Fast fixes for common situations
  • Accidental lock-out: Ask a whitelisted colleague to add your IP to Allowed, or use your out-of-band console.
  • Port scan bursts: Add temporary denies; if persistent, convert to permanent deny.
  • Legit user blocked: Move their IP to Ignored (or better, Allowed) and verify required ports are open.
8) Advanced (when you need it)
  • Raw files: Edit csf.conf, csf.allow, csf.deny, csf.ignore, and custom regex safely (the UI creates a backup and restarts CSF/LFD for you).
  • Rollback: If a change misfires, restore the .bak backup that was created, then Save & Apply.
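
An audit of the raw list files against the habits in section 6 (missing comments, broad Ignore ranges) plus a check for addresses that sit on both Allowed and Permanent Deny. This is an added example, not part of CSF or of this panel. Assumptions: each entry is one IP/CIDR per line with an optional "# comment", the /24 threshold is an arbitrary choice, and the names parse_list and audit are hypothetical.

```python
import ipaddress

# Constructed sample contents for the three raw list files (not from a real server).
ALLOW = """# trusted sources
192.0.2.10 # office VPN
198.51.100.7
tcp|in|d=22|s=203.0.113.5 # advanced filter line, skipped by this audit
"""
DENY = """198.51.100.0/24 # repeated port scans
203.0.113.99 # SSH brute force
"""
IGNORE = """203.0.113.20 # uptime monitor
10.0.0.0/8 # internal
"""

def parse_list(text):
    """Return (network, comment) for each plain IP/CIDR entry."""
    entries = []
    for raw in text.splitlines():
        entry, _, comment = raw.partition("#")
        entry = entry.strip()
        # Skip blanks, comment-only lines, Include lines and advanced filters.
        if not entry or entry.lower().startswith("include") or "|" in entry:
            continue
        try:
            entries.append((ipaddress.ip_network(entry, strict=False), comment.strip()))
        except ValueError:
            continue  # not an IP/CIDR; left for manual review
    return entries

def audit(allow, deny, ignore, min_prefix=24):
    """Return (file, entry, issue) tuples for the habits listed in section 6."""
    lists = {"csf.allow": parse_list(allow), "csf.deny": parse_list(deny),
             "csf.ignore": parse_list(ignore)}
    findings = []
    for name, entries in lists.items():
        findings += [(name, str(n), "no comment") for n, c in entries if not c]
    # Ignored IPs are exempt from LFD auto-blocks, so wide IPv4 ranges deserve a look.
    findings += [("csf.ignore", str(n), "broad range exempt from LFD")
                 for n, _ in lists["csf.ignore"]
                 if n.version == 4 and n.prefixlen < min_prefix]
    # The same address on both Allowed and Permanent Deny is a conflicting rule.
    for a, _ in lists["csf.allow"]:
        for d, _ in lists["csf.deny"]:
            if a.version == d.version and a.overlaps(d):
                findings.append(("csf.allow", str(a), f"overlaps csf.deny {d}"))
    return findings

if __name__ == "__main__":
    for finding in audit(ALLOW, DENY, IGNORE):
        print(*finding, sep=": ")
```

To run it against a real server, pass the text of csf.allow, csf.deny and csf.ignore to audit() in place of the sample strings.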
