How to Allow Traffic by Country in the CSF Firewall

One of the most-requested features on cPanel servers is the ability to manage and filter traffic at a country level. With the ConfigServer Firewall (CSF) plugin in WebHost Manager, you can do exactly that.

Pre-Flight Check

• This series assumes you have the ConfigServer Firewall (CSF) installed on your cPanel server, and you have access to WebHost Manager (WHM).
• If your managed cPanel server currently uses APF but you’d prefer CSF, contact Heroic Support® and request a switch. There is no charge, it typically takes only a few minutes, and the only service that needs to be restarted as a result is the firewall itself. Our support technicians also can port your existing APF rules to CSF. If requesting an upgrade, please be sure to indicate whether your server uses the Guardian backup service so that its rules also can be configured.

Blocking traffic by country code carries a significant overhead, due to the fact that the country-level CIDR ranges can be quite large and the IP address behind each incoming request must be checked against the block list.
One alternative is to instead specifically allow traffic by the country code. This approach can minimize the performance hit by country-level filtering whenever traffic from several countries needs to be blocked, or traffic from only one geographic area should be allowed.
If you have not already done so, back up the current firewall configuration (Part One: How to Back up and Restore the Firewall Configuration) before making any changes.

Step #1: Open Firewall Configuration in WHM

1. In WebHost Manager, locate and select ConfigServer Security & Firewall under the Plugins section in the left menu. You also can begin typing “fire” into the search field at the top left to narrow down the options.
2. Click on the Firewall Configuration button to open the configuration file.

Step #2: Allow Traffic by Country Code

1. On the Firewall Configuration page, scroll down to the Country Code Lists and Settings section.
2. CC_ALLOW_FILTER accepts two-letter country codes, such as “US” for the United States of America, “GB” for Great Britain, and “DE” for Germany.

• Multiple countries can be comma separated with no spaces in between, such as “US,GB,DE” to deny access to the US, Great Britain, and Germany.
• You can find a list of ISO 3166-1 alpha-2 codes at https://en.wikipedia.org/wiki/ISO_3166-1_alpha-2.

Note that CSF has two separate “Allow” sections:

• CC_ALLOW actually opens the firewall to all traffic on all ports from the listed countries, bypassing any port and protocol rules in place. It should not be used.
• CC_ALLOW_FILTER allows only traffic from the specified country or countries, but respects the port and packet rules elsewhere in the firewall configuration. This is the preferred method for allowing traffic by country code.

Step #3: Save Your Changes and Restart the Firewall

1. Scroll to the bottom of the Firewall Configuration page and click on the Change button.
2. On the next screen, click the Restart csf+lfd button to restart the firewall with the new settings.

Next Steps

See Part Four: How to Block or Allow Specific Ports by Country in the CSF Firewall