CFM: A Modern Firewall and Intrusion Detection Manager Built for the Post-CSF Era

by

When CSF (ConfigServer Firewall) announced it was closing, it left a big hole in the Linux hosting world.
CSF had been the de-facto standard for years — a reliable mix of iptables, Perl scripts, and clever wrappers that kept countless servers secure.

But for those of us who’ve been running modern systems, one question was already forming:

“What if we built the firewall we always wanted CSF to be?”

and yeap, it’s live! @https://github.com/chrismfz/cfm/

🔥 From FlowEnricher to CFM

When that announcement dropped, I already had experience with flowenricher, a Go-based network telemetry and enrichment engine I had written earlier.
It handled BGP, ASN, GeoIP, DNS, Kafka, ClickHouse — the full stack of modern network visibility.

So the idea came naturally:
If we can enrich and analyze flows in real-time, why not manage the firewall the same way — clean, binary, self-contained, and intelligent?

That became CFM — the Configurable Firewall Manager.

💡 What Makes CFM Different

CFM isn’t a Perl or Python script glued to iptables.
It’s a compiled Go binary with a native nftables backend, NFLOG integration, and real detection logic — not log chasing.

There are no wrappers, no cronjobs patching rules, and no dependency soup.
CFM talks directly to the kernel and acts instantly.

You can think of it as a firewall, IDS, and policy engine, all in one.

🧱 Firewall Core

At its heart, CFM manages a dedicated nftables table (inet cfm) with complete control over priorities and hooks — meaning it can run before or after tools like Imunify360.

It supports:

  • Manual and dynamic allow/block lists (IPv4 & IPv6).

  • Port policy enforcement like CSF’s TCP_IN, UDP_IN.

  • External blocklist feeds via cfm.blocklists.

  • SMTP_BLOCK mode to stop rogue PHP scripts from sending mail directly.

The result: a native nft firewall that behaves exactly how you want, every time you reload.

⚡ Built-In Protections

CFM ships with kernel-level protections that most admins used to configure by hand:

  • ConnLimit and PortFlood per port/IP.

  • Packet-per-second (PPS) and SYN rate limits.

  • Bad TCP flag detection (NULL, XMAS, SYN+FIN).

  • ICMP and new connection throttles.

  • AckGuard — a custom module that drops fake ACK, RST, and SYN/ACK floods.

These aren’t log patterns — they’re enforced live through nftables counters and maps.

🔍 Smart Detection Engine

Instead of chasing grepped logs, CFM’s detectors parse structured input and metrics directly from services like:

  • Exim, SSH, Dovecot, FTP, MySQL, cPanel, ModSecurity

  • Even system metrics — CPU, memory, conntrack, throughput, disk health

Each detector can autoblock offenders with configurable TTLs or permanent bans.

You can tune every detector individually — throttle it, dry-run it, or fully automate it.

🚨 Autoblock Logic — “The Police on Top of Speed Bumps”

Traditional defenses (rate limits, connlimits, etc.) are speed bumps:
they slow down abuse but don’t eject the offender.

Autoblock is the police:
if an IP keeps hitting those speed bumps too many times, it gets pulled over — and banned.

It counts strikes, aggregates reasons (SSH_BRUTE, PORTSCAN, CONNLIMIT…), and escalates from throttling to full blocking.
TTL-based bans expire automatically; permanent ones stick until you say otherwise.

🛡 System Hardening

CFM can automatically apply and persist sysctl hardening:

  • Anti-spoofing and redirect protection

  • Tuned TCP timeouts and retries

  • Scaled conntrack limits

  • Optional persistent /etc/sysctl.d/cfm.conf

This isn’t just a firewall — it’s a system security baseline.

🌍 Enrichment and Visibility

Every detection or autoblock is enriched with GeoIP, ASN, ASN name, and PTR hostname using MaxMind databases.

That means your notifications, logs, and API outputs don’t just say “blocked 47.237.101.145” — they say:

[CFM] titan.myip.gr — autoblock 47.237.101.145 (AS45102 Alibaba US Technology Co., Ltd., Singapore) reason=PORTSCAN ttl=1h

No more guesswork about who or what was behind an attack.

🧠 Notifications and API Integration

CFM can alert via:

  • Email (local or remote SMTP),

  • Slack webhook,

  • or JSONL logs for integration with your own tools.

It can also sync with a central controller API for global blocks/unblocks — something CSF users had been begging for for years.

🧩 Developer-Friendly and Self-Contained

The CLI is clean and instant:

cfm block 1.2.3.4 -r SSH_BRUTE –ttl 1h
cfm list
cfm which 8.8.8.8
cfm daemon

Changes apply live — no restart needed.
Configs (cfm.conf, detectors.conf, notify.conf, cfm.blocklists) are simple and reload automatically.

Everything is in /etc/cfm and /var/log/cfm.

🔭 Road Ahead

The roadmap includes:

  • Telegram/webhook notifiers,

  • Machine learning-based anomaly detection,

  • ASN/Country-based grace periods,

  • And extended system-level monitoring (uid/gid/nflog/syslookup).

💬 Final Thoughts

CFM was born out of necessity — but built with a vision:
to finally merge firewall policy, detection, and automation into a single, fast, Go-based daemon.

It doesn’t parse logs in Perl, doesn’t depend on iptables, and doesn’t require cron restarts.
It simply runs, protects, and learns.


CFM is not just a replacement, but an evolution.

API Testing:

CLI testing:

web interface

status page + cpu usage:

email notificationswebinterface:
smtp block feature

 

httpd/litespeed/nginx top: