Having csf/lfd in a cluster greatly simplifies its administration, and possibly the load of the server, since any hackers, spammers and DOS-ers out there are automatically blocked on all participating servers.

I am assuming the following simple configuration – two servers with, say, these IPs and, respectively and both have csf/lfd installed.

Follow these steps to configure csf/lfd in a cluster:

  1. log in to the first server, which will be the “master”, and edit the configuration file for csf/lfd, which is /etc/csf/csf.conf – Plugins/ConfigServer Security&Firewall, the “csf – ConfigServer Firewall” caret, the “Firewall Configuration” button.
  2. search for the “CLUSTER_SENDTO” setting, which is the first setting in the “lfd Clustering” section, and insert the IP of the second server there:

  4. If you have more than two servers, just insert the respective IPs, separated by a comma:

  6. Then set the “CLUSTER_RECVFROM” variable to the IP of the second server again:

  8. Set the CLUSTER_MASTER variable to the IP of the master server:

  10. The default port is set to 7777, but you can change it if you want:
  11. CLUSTER_PORT = “7777”

  12. And you must set the cluster key to a random, 20 or more character string, to encrypt the cluster communication:
  13. CLUSTER_KEY = “012345678901234567890123456789012345678901234567890123456”

  14. Now enable the cluster:
  15. CLUSTER_BLOCK = “1”

  16. Since this server is the master one, it needs not receive any configuration changes from itself, so disable it:
  17. CLUSTER_CONFIG = “0”

  18. Now log in to the other server and replicate the configuration there, with some changes:
    • CLUSTER_SENDTO and CLUSTER_RECVFROM must point to the first, master server
    • the second server must receive configuration changes from the master, so set CLUSTER_CONFIG to 1:


    Remember that lfd uses 10 seconds timeouts in its cluster communication, so if the communication fails, that member’s configuration changes will be lost.

    csf – ConfigServer Firewall