Full Version: CSF vs. APF firewall
The Planet Forums > Security > Firewalls
Jeff
Anyone have some experience to share on how ConfigServer Security & Firewall (csf) compares to the APF firewall
James Jhurani
well... apf ultimately uses iptables. Why not kill the middle man, and just use iptables?
thedude
I switched from APF to CSF.

CSF is nice, as it adds a module into the WHM module in Cpanel where you can configure the firewall from Cpanel.

Not really sure of the difference between the 2 though other than that.
Jeff
QUOTE
Why not kill the middle man, and just use iptables?

Honestly, I don't know that I myself could do a better iptables setup than it does with the easily and quickly configurable options, and I believe it would take me much longer to enter the iptables rules manually than using apf to do so.
QUOTE
I switched from APF to CSF.

CSF is nice, as it adds a module into the WHM module in Cpanel where you can configure the firewall from Cpanel.

Not really sure of the difference between the 2 though other than that.

One feature that I thought was quite interesting is that CSF has the additional option to watch mod_security logs (I believe in real time vs. every x minutes?) and automatically ban IPs after so many mod_security infractions, which seems like a powerful option. But I'm hesitant to switch from APF after using it for so many years now.
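The log-watching behaviour described in the post above (count mod_security denials per client, act once a threshold is reached), written out as an added example. This is not CSF or LFD code: the log lines are constructed in Apache error_log style, and the threshold of 3 denials and the generated block command are assumptions rather than LFD's actual defaults.

```shell
#!/bin/sh
# Threshold banning driven by mod_security denials, the behaviour the post
# attributes to CSF/LFD. Added illustration, not CSF or LFD code. The log
# lines are constructed in Apache error_log style; the threshold and the
# block command are assumptions, not LFD's defaults.

# Constructed sample: one address denied three times, another once, plus a
# warning line that is not a denial and must be ignored by the counter.
MODSEC_LOG_SAMPLE='[Wed Dec 12 09:53:01 2007] [error] [client 203.0.113.7] ModSecurity: Access denied with code 403 (phase 2). Pattern match "etc/passwd" at ARGS:file. [id "950005"] [uri "/index.php"]
[Wed Dec 12 09:53:02 2007] [error] [client 198.51.100.5] ModSecurity: Access denied with code 403 (phase 2). Pattern match "<script" at ARGS:q. [id "958052"] [uri "/search"]
[Wed Dec 12 09:53:04 2007] [warn] [client 203.0.113.7] ModSecurity: Warning. Pattern match "union" at ARGS:id. [id "950001"] [uri "/item.php"]
[Wed Dec 12 09:53:05 2007] [error] [client 203.0.113.7] ModSecurity: Access denied with code 403 (phase 2). Pattern match "union select" at ARGS:id. [id "950001"] [uri "/item.php"]
[Wed Dec 12 09:53:09 2007] [error] [client 203.0.113.7] ModSecurity: Access denied with code 403 (phase 2). Pattern match "sleep(" at ARGS:id. [id "950007"] [uri "/item.php"]'

# Read the log on stdin; print "<denials> <ip>" for every client whose denial
# count reached the threshold given in $1, highest count first.
modsec_offenders() {
    awk -v min="$1" '
        /ModSecurity: Access denied/ {
            if (match($0, /\[client [0-9.]+\]/)) {
                ip = substr($0, RSTART + 8, RLENGTH - 9)   # strip "[client " and "]"
                hits[ip]++
            }
        }
        END { for (ip in hits) if (hits[ip] >= min) print hits[ip], ip }
    ' | sort -rn
}

# Turn the offender list into block commands. They are printed rather than
# executed so they can be reviewed first; pipe the output into sh to apply.
block_offenders() {
    modsec_offenders "$1" | while read -r hits ip; do
        printf 'iptables -I INPUT -s %s -j DROP   # %s mod_security denials\n' "$ip" "$hits"
    done
}

# Demonstration on the constructed sample with a threshold of 3 denials.
printf '%s\n' "$MODSEC_LOG_SAMPLE" | block_offenders 3
```

Only lines containing "Access denied" count, so rules running in detection-only mode (the "Warning." line) do not push an address over the threshold; a real watcher would also need to expire old denials and later remove the block, which the inline `-I INPUT ... -j DROP` does not do on its own.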
thedude
I was hesitant as well switching to CSF / LFD after using APF / BFD for such a long time, but they both operate in mostly the same way.

I'm happy with it.
DougK94
QUOTE (thedude @ Dec 12 2007, 09:53 AM)
I was hesitant as well switching to CSF / LFD after using APF / BFD for such a long time, but they both operate in mostly the same way.

I'm happy with it.



I am in the same boat, and have not looked back :)
James Jhurani
iptables tutorials:
advanced: http://iptables-tutorial.frozentux.net/ipt...s-tutorial.html
basic: http://www.justlinux.com/nhf/Security/IPtables_Basics.html

There are actually quite a few benefits of learning iptables in and out. There are some extensions, I believe the package itself is called patch-o-matic... It enables you to do tons of new things that are years ahead of APF, and CSF.

Here is a list of some of the new extensions: http://www.collaborium.org/onsite/benin/do...ns-HOWTO-3.html
ZeusChicago
I just switched to CSF myself, mainly for the WHM mod.
Easy install, easy setup, well documented with a GUI. Couldn't pass it up.

Z
Marc Hanlon
If anyone else is considering the same and is concerned about the level of knowledge needed to write iptables rules, there's a great FREE program called Firewall Builder (http://www.fwbuilder.org/). It really takes the strain out of iptables.
rfxn
QUOTE (jjhurani @ Dec 12 2007, 07:02 PM)
iptables tutorials:
advanced: http://iptables-tutorial.frozentux.net/ipt...s-tutorial.html
basic: http://www.justlinux.com/nhf/Security/IPtables_Basics.html

There are actually quite a few benefits of learning iptables in and out. There are some extensions, I believe the package itself is called patch-o-matic... It enables you to do tons of new things that are years ahead of APF, and CSF.

Here is a list of some of the new extensions: http://www.collaborium.org/onsite/benin/do...ns-HOWTO-3.html


Encouraging the use of and learning iptables for any administrator is something I will never detract from; having an intimate knowledge of iptables and tcp/ip is an invaluable tool to say the least.

Having said that, however, APF already makes use of features from POM (patch-o-matic) and has for many years, which is one of the reasons why it is such a mature project and has stood strong with the test of time. For example, the most recent additions to APF in the middle of last year include the RAB (reactive address blocking) subsystem, which makes use of the ipt_recent module.

# The use of RAB is such that it allows the firewall to track an address as it
# traverses the firewall rules and subsequently associate that address across
# any number of violations. This allows the firewall to react to critical
# policy violations by blocking addresses temporarily on the assumed precaution
# that we are protecting the host from what the address may do on the pretext
# of what the address has already done. The interface that allows RAB to work
# resides inside the kernel and makes use of the iptables 'ipt_recent' module,
# so there is no external programs causing any additional load.

The RAB subsystem also integrates a built-in port scan detection system in addition to policy-based violation blocks that have proved extremely reliable with a near-zero false-positive rate.

The pro/con breakdown for CSF/APF stacks up pretty high on both sides; at the end of the day it comes down to personal preference of a mature specialized firewall vs. a more generalized suite-oriented project.
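The mechanism rfxn describes (the kernel tracking an address across rule hits via the recent module and temporarily blocking it, with port scan detection folded in), and jjhurani's suggestion of writing iptables directly, as one added example. This is not APF's RAB implementation and not its rule set; the chain name, the list names, the open ports and the thresholds (10 probes to closed ports within 60 seconds earns a 600-second block) are assumptions chosen for the illustration.

```shell
#!/bin/sh
# Reactive address blocking with the iptables 'recent' match: an added
# illustration of the mechanism described above, not APF's own RAB code.
# Assumed policy: a source that sends SCAN_HITS new connections to closed
# ports within SCAN_WINDOW seconds is dropped for BLOCK_SECS seconds. All
# state lives in the kernel; no userspace daemon is involved.
# Run as "sh rab.sh apply" (root, iptables present) to install the rules;
# with no argument it only prints the rules it would install.

IPT=${IPT:-iptables}
BLOCK_SECS=${BLOCK_SECS:-600}  # length of a temporary block, seconds
SCAN_HITS=${SCAN_HITS:-10}     # probes to closed ports that trigger a block
SCAN_WINDOW=${SCAN_WINDOW:-60} # window (seconds) in which those probes count
OPEN_TCP=${OPEN_TCP:-"22 80 443"}  # assumed listening services

rab_rules() {
    # Chain that records the offender on the block list, logs it, and drops.
    $IPT -N RAB
    $IPT -A RAB -m recent --name rab_block --set
    $IPT -A RAB -m limit --limit 5/min -j LOG --log-prefix "RAB block: "
    $IPT -A RAB -j DROP

    # 1. Anything already on the block list and recorded within BLOCK_SECS is
    #    dropped. --rcheck does not refresh the entry's timestamp, so the block
    #    expires BLOCK_SECS after the triggering packet, however often the
    #    source retries. (--update instead would extend it on every retry.)
    $IPT -A INPUT -m recent --name rab_block --rcheck --seconds "$BLOCK_SECS" -j DROP

    # 2. Ordinary accept policy for loopback, existing flows and open ports.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    for port in $OPEN_TCP; do
        $IPT -A INPUT -p tcp --dport "$port" -m conntrack --ctstate NEW -j ACCEPT
    done

    # 3. Any other new connection is a probe of a closed port. Record it, then
    #    escalate to RAB once the same source has SCAN_HITS entries inside
    #    SCAN_WINDOW. --hitcount cannot exceed the module's ip_pkt_list_tot
    #    parameter (20 by default), so keep SCAN_HITS at or below that.
    $IPT -A INPUT -m conntrack --ctstate NEW -m recent --name rab_scan --set
    $IPT -A INPUT -m conntrack --ctstate NEW -m recent --name rab_scan \
        --rcheck --seconds "$SCAN_WINDOW" --hitcount "$SCAN_HITS" -j RAB
    $IPT -A INPUT -j DROP
}

case "${1:-preview}" in
    apply)   rab_rules ;;
    preview) IPT=echo; rab_rules ;;
esac
```

The two lists can be inspected while the rules are live under /proc/net/xt_recent/rab_scan and /proc/net/xt_recent/rab_block (older kernels expose them under /proc/net/ipt_recent), and an address can be released early by writing "-address" to the block list's file. Because rule 1 sits before the accept rules, a blocked source loses access to the open ports as well, which is the "react on the pretext of what the address has already done" behaviour the quoted comment describes.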