In this article, I will take you through Step by Step Guide to enable CSF Firewall GUI on Ubuntu 20.04 LTS. ConfigServer Security and Firewall(CSF) is a free and a Stateful packet Inspection firewall suitable for use in most of the Linux distributions. It comes with lot of in-built features and provides you an excellent protection from the external vulnerabilities. One of the many features that it has is an easy to use GUI Interface which you can use to setup firewall configuration. But this requires you to enable the CSF GUI first immediately after firewall installation. We will see the steps to enable CSF Firewall in great detail. More about CSF.

How to Enable CSF Firewall GUI on Ubuntu 20.04 LTS

Also Read: [Solved] Failed to Start ConfigServer Firewall & Security - lfd Error

Step 1: Prerequisites

a) You should have a running Ubuntu 20.04 LTS Server.

b) You should have sudo or root access to run privileged commands.

c) You should have apt or apt-get utility available in your System.

d) You should have CSF Firewall installed in your Server.

Step 2: Update Your Server

Before installing any new dependencies, it is always preferred to check for update once. You can run apt update or apt-get update command and verify all the installed packages are updated.

root@localhost:~# apt update
Hit:1 http://in.archive.ubuntu.com/ubuntu focal InRelease
Get:2 http://in.archive.ubuntu.com/ubuntu focal-updates InRelease [114 kB]
Ign:3 https://repo.mongodb.org/apt/ubuntu bionic/mongodb-org/4.0 InRelease
Get:4 http://in.archive.ubuntu.com/ubuntu focal-backports InRelease [108 kB]
Get:5 https://artifacts.elastic.co/packages/oss-7.x/apt stable InRelease [10.4 kB]
Hit:6 https://repo.mongodb.org/apt/ubuntu bionic/mongodb-org/4.0 Release
Hit:7 https://dl.google.com/linux/chrome/deb stable InRelease
Get:8 http://security.ubuntu.com/ubuntu focal-security InRelease [114 kB]
Get:9 http://in.archive.ubuntu.com/ubuntu focal-updates/main amd64 Packages [1,388 kB]
Get:10 http://in.archive.ubuntu.com/ubuntu focal-updates/main i386 Packages [571 kB]

Step 3: Install Dependencies

Before enabling CSF GUI, it is important to install all the dependencies required by the smooth functioning of GUI Interface. This can be easily done by using below apt-get install command.

root@localhost:~# apt-get install libio-socket-ssl-perl libcrypt-ssleay-perl libnet-libidn-perl libio-socket-inet6-perl libsocket6-perl libwww-perl -y

Step 4: Enable CSF GUI

For enabling CSF GUI you need to setup Integrated User Interface section in csf.conf configuration file. Here you need to set UI=1 to enable User Interface in restricted mode. Then set UI_PORT to any port which is not already being used and with value greater than 1023. Since here I am using Port 8080 so I am setting UI_PORT=8080.

Next we need to set UI_IP value. If you want you can leave this blank to bind all the IP Addresses to this Server but here I am binding my local IP address 192.168.29.110 by setting UI_IP=192.168.29.110. Then you need to specify the User and Password using UI_USER and UI_PASS. For the demo purpose, I am setting User as admin and Password as Test@123$.

root@localhost:~# nano /etc/csf/csf.conf
###############################################################################
# SECTION:Integrated User Interface
###############################################################################
# Integrated User Interface. This feature provides a HTML UI to csf and lfd,
# without requiring a control panel or web server. The UI runs as a sub process
# to the lfd daemon
#
# As it runs under the root account and successful login provides root access
# to the server, great care should be taken when configuring and using this
# feature. There are additional restrictions to enhance secure access to the UI
#
# See readme.txt for more information about using this feature BEFORE enabling
# it for security and access reasons
#
# 1 to enable, 0 to disable
UI = "1"

# Set this to the port that want to bind this service to. You should configure
# this port to be >1023 and different from any other port already being used
#
# Do NOT enable access to this port in TCP_IN, instead only allow trusted IP's
# to the port using Advanced Allow Filters (see readme.txt)
UI_PORT = "8080"

# Optionally set the IP address to bind to. Normally this should be left blank
# to bind to all IP addresses on the server.
#
# If the server is configured for IPv6 but the IP to bind to is IPv4, then the
# IP address MUST use the IPv6 representation. For example 1.2.3.4 must use
# ::ffff:1.2.3.4
#
# Leave blank to bind to all IP addresses on the server
UI_IP = "192.168.29.110"

# This should be a secure, hard to guess username
#
# This must be changed from the default
UI_USER = "admin"

# This should be a secure, hard to guess password. That is, at least 8
# characters long with a mixture of upper and lowercase characters plus
# numbers and non-alphanumeric characters
#
# This must be changed from the default
UI_PASS = "Test@123$"

Step 5: Allow IP

Next you need to allow the IP from where you are going to access CSF GUI. You can either allow the entire subnet or you can also choose to allow some specific IP Address like below.

root@localhost:~# nano /etc/csf/ui/ui.allow
192.168.29.241

Step 6: Apply Configuration

Then apply the configuration by using csf -r command. This will update all the changes done in CSF Firewall.

root@localhost:~# csf -r
Flushing chain `INPUT'
Flushing chain `FORWARD'
Flushing chain `OUTPUT'
Flushing chain `ALLOWIN'
Flushing chain `ALLOWOUT'
Flushing chain `DENYIN'
Flushing chain `DENYOUT'
Flushing chain `INVALID'
Flushing chain `INVDROP'
......................................

Step 7: Restart Service

Then swiftly restart csf and lfd service by using systemctl restart csf command and systemctl restart lfd command as shown below.

root@localhost:~# systemctl restart csf
root@localhost:~# systemctl restart lfd

Step 8: Open CSF GUI

Open your favorite browser and use URL https://192.168.29.110:8080 to access CSF GUI. Since I was having some problem accessing GUI interface on Google Chrome and Firefox browser so I have opened it in my one of the Windows machine Edge browser available in the same network. Once opened, you will see a page like below where it will ask you to enter Username and Password. You need to enter the same Username and Password which you set earlier in csf.conf file. Once done then Press Enter.

Once logged in, you will be redirected to below page where you will be able to see the Firewall Status and other configuration that you can now setup through GUI Interface.

Step 9: Troubleshooting 

a) If you face any issue during CSF Firewall GUI enabling then it is always recommended to first check /var/log/lfd.log file for any error.

root@localhost:~# nano /var/log/lfd.log 
Dec 7 12:23:57 localhost lfd[1147]: *Error* lfd will not run with TESTING enabled in /etc/csf/csf.conf, at line 83
Dec 7 12:23:57 localhost lfd[1147]: daemon stopped
Dec 7 12:46:35 localhost lfd[4455]: *Error* lfd will not run with TESTING enabled in /etc/csf/csf.conf, at line 83
Dec 7 12:46:35 localhost lfd[4455]: daemon stopped
Dec 7 12:58:23 localhost lfd[6433]: *Error* lfd will not run with TESTING enabled in /etc/csf/csf.conf, at line 83
Dec 7 12:58:23 localhost lfd[6433]: daemon stopped
Dec 7 13:10:05 localhost lfd[6607]: *Error* lfd will not run with TESTING enabled in /etc/csf/csf.conf, at line 83
Dec 7 13:10:05 localhost lfd[6607]: daemon stopped

b) If you are trying to access CSF GUI Interface from Google Chrome or Mozilla Firefox browser and if you are encountering connection refused error then you may want to try once with Microsoft Edge or Safari or with any other browser you have. Sometimes Google Chrome and Firefox does not allow to access some specific port due to Security Issue.

c) Sometimes you might need to check below files and see if your IP is allowed to access CSF GUI Interface.

root@localhost:~# nano /etc/csf/ui/ui.ban
root@localhost:~# nano /etc/csf/csf.deny