For many years, ConfigServer Firewall (CSF) was the go-to solution for Linux server security. It provided simple firewall management and IPS/IDS features that became staples in server hardening guides across the industry.
In the early days, cPGuard also relied on CSF as its firewall backend, later enhancing it with IPDB and Fail2ban integrations to provide brute-force protection. CSF’s flexibility made it a favourite among administrators.
But times have changed. CSF is now officially retired and unsupported on new servers. Manual firewall management is no longer practical in modern hosting environments, and administrators need something faster, smarter, and future-ready.
With the release of cPGuard v5.61, we’re proud to announce a fully rewritten, standalone firewall module — a drop-in replacement for CSF with far greater performance, efficiency, and usability.
Key Features
🔹 NFT at the Core
We moved away from the legacy iptables and ipset. The firewall is now built entirely on nftables, delivering better performance, a cleaner ruleset, and full compatibility with modern Linux distributions.
🔹 Easy Port Management
Effortlessly configure open TCP/UDP ports (incoming and outgoing) directly from the cPGuard dashboard or CLI.
🔹 Blocklist & Allowlist Controls
Quickly add or remove IP addresses — permanently or temporarily — with a single click.
🔹 Enhanced Protections
- SYN flood defense
- DoS mitigation
- Country-based allow/deny rules
- AI-powered bot blocking
- And more, all built-in
Migration from CSF
Worried about losing your CSF configuration? Don’t be.
We provide a migration tool that automatically imports your existing CSF settings into the new firewall, including:
- Port configurations (TCP_IN, TCP_OUT, UDP_IN, UDP_OUT)
- Whitelisted IPs (csf.allow, csf.ignore)
- Blacklisted IPs (csf.deny)
- Country rules (CC_ALLOW, CC_DENY)
Run the import in one step:
/opt/cpguard/app/scripts/csf_migration.php
Future Roadmap
We’re not stopping here. Upcoming releases will introduce:
- Port flood protection
- Extended IDS/IPS features
- More CSF-like enhancements — based on your feedback
If you relied on a specific CSF feature and would like to see it in cPGuard, let us know. Your input will help shape the evolution of the firewall.
Final Thoughts
The end of CSF may feel like the close of a chapter, but with the cPGuard Firewall, administrators gain a modern, NFT-driven, fully integrated security solution.
It doesn’t just replace CSF — it surpasses it, offering performance, simplicity, and scalability designed for today’s hosting environments.
We remain committed to continuously improving cPGuard’s firewall and security modules to keep your servers safe — now and into the future.
