Diagnostic Tests ¶
ConfigServer Firewall & Security includes a few diagnostic tests which you can run and will output the current status of your CSF installation, including whether or not it is operating normally.
csftest.pl¶
The csftest.pl script is a diagnostic tool included with CSF. Its primary purpose is to check whether your server environment is compatible with CSF and LFD (Login Failure Daemon) before and after installation. When you run csftest.pl, it performs a series of tests to verify:
- That required Perl modules are installed and available
- That essential system commands and binaries (such as iptables, ip6tables, and others) can be found and executed
- That your operating system and kernel support the necessary firewall features
- That no conflicting firewall rules or services prevent CSF from running correctly
If any issues are detected, the script will report them so you can fix missing dependencies or adjust your system configuration. Running this script is a recommended step before installing CSF to your server, as it ensures that your server is properly prepared for firewall deployment.
To run these tests; ensure you have the package perl installed on your system as explained in the previous step Dependencies. After you have perl installed, run the command:
When the tests run; you should see the following:
Testing ip_tables/iptable_filter...OK
Testing ipt_LOG...OK
Testing ipt_multiport/xt_multiport...OK
Testing ipt_REJECT...OK
Testing ipt_state/xt_state...OK
Testing ipt_limit/xt_limit...OK
Testing ipt_recent...OK
Testing xt_connlimit...OK
Testing ipt_owner/xt_owner...OK
Testing iptable_nat/ipt_REDIRECT...OK
Testing iptable_nat/ipt_DNAT...OK
RESULT: csf should function on this server
-
If the tests failed, proceed to the next step Troubleshooting to see if your error is listed and consult it for a possible fix.
-
If the tests succeed, proceed to the next part of the guide:
Select what documentation you would like to proceed with next ...
-
Choose this step if you wish to install CSF using the generic installer. This is good for users who are installing CSF on a bare metal machine with no existing control panels such as cPanel, DirectAdmin, etc.
-
Choose this step if you wish to install CSF on a server which already has cPanel and WHM installed. This will allow CSF to be integrated into WHM and will be listed under WHM's Plugins category.
Troubleshooting¶
If you received any errors during the process of running csftest.pl, review the list of possible errors and solutions below:
unknown option --dport: (CSF requires legacy iptables)¶
If you see this error during the CSF tests, your system is using the nftables backend for iptables. CSF requires the legacy iptables backend. Check the current setting with:
If you see link currently points to /usr/sbin/iptables-nft, you need to change this over to /usr/sbin/iptables-legacy. Two methods are listed below for doing this, pick one:
To switch over to /usr/sbin/iptables-legacy, run the command:
You will see the following:
There are 2 choices for the alternative iptables (providing /usr/sbin/iptables).
Selection Path Priority Status
------------------------------------------------------------
* 0 /usr/sbin/iptables-nft 20 auto mode
1 /usr/sbin/iptables-legacy 10 manual mode
2 /usr/sbin/iptables-nft 20 manual mode
There may be an asterisk next to selection 0, you need to press 1 and press Enter to switch over to /usr/sbin/iptables-legacy. Then repeat these steps for IPv6
Along with ipv4 and ipv6, there are two other tables you can switch, which are arptables and ebtables.
arptables & ebtables
arptables: Works on Layer 2 (link layer), specifically for the ARP protocol.- Lets you control ARP traffic (who can send ARP requests/replies, block spoofing, etc.).
- Example: prevent ARP spoofing in a local network.
ebtables: Works on Ethernet bridge frames (Layer 2).- Lets you filter traffic based on MAC addresses, Ethernet types, or VLAN tags before IP-level filtering happens.
- Used when the system is acting as a bridge or switch.
If you need to switch the other options over to legacy, those commands are:
To switch over to /usr/sbin/iptables-legacy, run the commands listed below:
Error: Not registered; Not setting
On newer systems (Debian 11+, Ubuntu 20.04+, RHEL 8+), ebtables and arptables are often completely replaced by nftables, so there isn’t always a legacy version available. This means that
you may not have any binaries installed for these two types and could receive the following error if you attempt to change ebtables and arptables:
update-alternatives: error: alternative /usr/sbin/ebtables-legacy for ebtables not registered; not setting
update-alternatives: error: alternative /usr/sbin/arptables-legacy for arptables not registered; not setting
If you receive the error(s) above; simply skip setting ebtables and arptables. Only focus on switching iptables and ip6tables over to iptables-legacy
You’ll be presented with a numbered list of installed binaries (usually nftables and legacy). You need to type the number corresponding to the legacy version so that iptables-legacy becomes the default.
There are 2 choices for the alternative iptables (providing /usr/sbin/iptables).
Selection Path Priority Status
------------------------------------------------------------
* 0 /usr/sbin/iptables-nft 20 auto mode
1 /usr/sbin/iptables-legacy 10 manual mode
2 /usr/sbin/iptables-nft 20 manual mode
Enter to keep the current selection[+], or type selection number: 1
You can confirm your changes by running the command:
Which should return:
You can also run:
Which should output:
You can always switch back to iptables-nft by running:
Next Steps ¶
Select what documentation you would like to proceed with next ...
-
Choose this step if you wish to install CSF using the generic installer. This is good for users who are installing CSF on a bare metal machine with no existing control panels such as cPanel, DirectAdmin, etc.
-
Choose this step if you wish to install CSF on a server which already has cPanel and WHM installed. This will allow CSF to be integrated into WHM and will be listed under WHM's Plugins category.