CSF - LF_IPSET not blocking IPs in csf.deny with nftables

lukgier (Verified User, joined Mar 16, 2025, 28 messages)
Hi,

I've found out that, starting from CSF 15.0, LF_IPSET = 1 doesn't block IPs added to csf.deny on Debian 12.

After I set IPSET = 0, it started to block IPs, but through iptables, not nftables.

Is there any way to make CSF work properly with nftables and block IPs in csf.deny?

Kind regards,
Luke
 
Hi Luke,

CSF’s IPSET feature currently only works with iptables, not nftables. To block IPs in csf.deny, you’ll need to keep LF_IPSET=0 and use iptables. There’s no built-in support for nftables yet, so full nftables integration would require a custom script to sync csf.deny entries.
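The reply above says that using nftables natively would need "a custom script to sync csf.deny entries". The script below is an added example of such a sync script; it is not CSF's own code and not part of this thread. It reads a csf.deny-style file, builds an nftables ruleset with one address set per family and a drop chain, and can apply it with nft. The table name csf_deny, the set names deny_v4 and deny_v6, the hook priority -10 and the default path /etc/csf/csf.deny are assumptions chosen for the example; the sample input is constructed, not a real csf.deny.

```shell
#!/bin/sh
# Added example, not CSF's own code: render a csf.deny-style file as an
# nftables ruleset (one address set per family, one drop chain) and apply it.
# Assumed: table "csf_deny", sets "deny_v4"/"deny_v6", hook priority -10
# (runs before iptables-nft's filter chains, which sit at priority 0), and the
# default path /etc/csf/csf.deny. Needs POSIX sh and awk; nft only for --apply.
set -eu

# Emit an "nft -f" ruleset from the csf.deny-style file named in $1.
# Recognised: "1.2.3.4", "10.0.0.0/8", "2001:db8::1", an optional "# comment",
# full-line comments and blank lines. Duplicates are dropped. CSF's advanced
# "tcp/in/d=22/s=1.2.3.4" entries carry port/direction constraints that a plain
# address set cannot express, so they are reported on stderr and skipped.
csf_deny_to_nft() {
    awk '
    function emit_set(name, type, n, arr,    i, line) {
        print "    set " name " {"
        print "        type " type
        print "        flags interval"      # required for CIDR elements
        print "        auto-merge"          # overlapping ranges merge instead of erroring
        if (n > 0) {
            line = "        elements = { " arr[1]
            for (i = 2; i <= n; i++) line = line ", " arr[i]
            print line " }"
        }
        print "    }"
    }
    {
        sub(/#.*/, "")                              # strip trailing comment
        sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "")      # trim whitespace
        if ($0 == "" || ($0 in seen)) next          # blank line or duplicate entry
        seen[$0] = 1
        if ($0 ~ /^(tcp|udp|icmp|all)\//) {
            print "skipped (port-specific entry): " $0 > "/dev/stderr"; next
        }
        if ($0 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+(\/[0-9]+)?$/) { v4[++n4] = $0; next }
        if ($0 ~ /^[0-9A-Fa-f:]*:[0-9A-Fa-f:]*(\/[0-9]+)?$/)    { v6[++n6] = $0; next }
        print "skipped (unrecognised entry): " $0 > "/dev/stderr"
    }
    END {
        print "table inet csf_deny"          # create if absent so the delete below cannot fail
        print "delete table inet csf_deny"   # rebuild from scratch: every run is idempotent
        print "table inet csf_deny {"
        emit_set("deny_v4", "ipv4_addr", n4, v4)
        emit_set("deny_v6", "ipv6_addr", n6, v6)
        print "    chain input {"
        print "        type filter hook input priority -10; policy accept;"
        print "        ip saddr @deny_v4 drop"
        print "        ip6 saddr @deny_v6 drop"
        print "    }"
        print "}"
    }' "$1"
}

# Constructed sample in csf.deny syntax (not a real csf.deny), written to stdout.
sample_csf_deny() {
    cat <<'EOF'
# header comment (constructed)
203.0.113.45 # lfd: (sshd) constructed comment in CSF's usual style
198.51.100.0/24 # manual block of a constructed range
203.0.113.45 # duplicate on purpose: must appear once in the set
2001:db8::1 # constructed IPv6 entry
tcp/in/d=22/s=192.0.2.9 # advanced syntax: reported on stderr and skipped
EOF
}

# Parse-check the generated ruleset with nft, then load it. Run as root.
apply_csf_deny() {
    tmp=$(mktemp)
    trap 'rm -f "$tmp"' EXIT
    csf_deny_to_nft "$1" > "$tmp"
    nft -c -f "$tmp"        # dry run: a syntax error aborts before anything is loaded
    nft -f "$tmp"
}

# Usage:  sh csf-deny-to-nft.sh --print [file]   show the ruleset only
#         sh csf-deny-to-nft.sh --apply [file]   load it (default /etc/csf/csf.deny)
case "${1:-}" in
    --print) csf_deny_to_nft "${2:-/etc/csf/csf.deny}" ;;
    --apply) apply_csf_deny "${2:-/etc/csf/csf.deny}" ;;
esac
```

After an --apply run, `nft list set inet csf_deny deny_v4` shows what is actually loaded, which is the check the original poster was missing. Because lfd keeps appending to csf.deny, the script has to be re-run whenever that file changes (a cron job or an inotify watcher, left to the reader), and it only covers plain address entries: anything in CSF's port-specific syntax still has to be expressed as ordinary iptables or nft rules.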
 
If your server supports nftables, just disable ipset. It's better than ipset in performance testing.
 
> Hi Luke,
>
> CSF’s IPSET feature currently only works with iptables, not nftables. To block IPs in csf.deny, you’ll need to keep LF_IPSET=0 and use iptables. There’s no built-in support for nftables yet, so full nftables integration would require a custom script to sync csf.deny entries.

Thanks for the reply. That's what I did, but it would still be nice to use nftables, as it's much more efficient.
Maybe it will be added in a new CSF fork release, who knows :)
 
> If your server supports nftables, just disable ipset. It's better than ipset in performance testing.

Thanks for the reply. I disabled ipset and stayed with CSF iptables, as it's quite useful and has a nice GUI, but you are right, it would be better to use nftables.
 
@lukgier

You just need to install the package "iptables-nft"; it can still be used with the CSF firewall.

RHEL 9 and 10 have this package.

But I'm not sure why ipset is not working in Debian 12. I don't have a box to test this.

Good luck.
 