Understanding the Difference Between CC_ALLOW, CC_DENY, and CC_IGNORE in CSF
Introduction
ConfigServer Security & Firewall (CSF) is a popular firewall configuration script used to secure Linux servers. One of its key features is country-based IP filtering using CIDR lists of allocated IP blocks per country. This is particularly useful for blocking or allowing traffic based on geographic location using the Country Code (CC) system defined by ISO 3166-1 alpha-2 country codes (e.g., US for United States, CN for China).
The directives CC_ALLOW, CC_DENY, and CC_IGNORE in CSF allow administrators to manage traffic from specific countries. Despite appearing similar, these directives serve very different purposes and operate under different scopes and behaviors.
This article explains the precise differences between CC_ALLOW, CC_DENY, and CC_IGNORE, their priorities, when each should be used, and their interactions with other firewall rules. Understanding these directives helps administrators implement effective geoblocking strategies, reduce malicious traffic, and optimize server-level access control.
These rules are part of country code filtering, which depends on the MaxMind GeoLite2 database. It is essential to ensure that CSF is properly configured and up to date to use these features effectively.
Prerequisites
- CSF version 12.00 or higher installed
- Country code filtering enabled (CC_LOOKUPS = "1")
- Access to the MaxMind GeoLite2 database
- Root or sudo access
- A working Linux server (e.g., CentOS, Debian, Ubuntu)
Comparing CC_ALLOW, CC_DENY, and CC_IGNORE
Understanding CC_ALLOW
The CC_ALLOW directive permits incoming connections from IP ranges that belong to the specified country codes. It only works if CC_ALLOW_FILTER is set to "1".
CC_ALLOW = "US,CA"
- This will allow traffic from the United States and Canada.
- When CC_ALLOW_FILTER = "1", only the countries listed in CC_ALLOW are permitted; all others are denied.
Understanding CC_DENY
The CC_DENY directive blocks all traffic from IPs that belong to the specified countries.
CC_DENY = "CN,RU"
- This will deny all traffic originating from China and Russia.
- Other traffic is allowed unless denied elsewhere.
Understanding CC_IGNORE
The CC_IGNORE directive tells CSF to ignore country filtering for the listed countries. This applies primarily to LF_COUNTRY_CODE blocking triggered by login failure patterns (e.g., SSH, IMAP).
CC_IGNORE = "US,MY"
- These country codes will be ignored in login failure-based blocking, such as from lfd.
- Useful when certain countries generate many false positives.
Precedence and Behavior Summary
Directive | Action | Applies To | Overrides Other Rules |
---|---|---|---|
CC_ALLOW | Allow only listed countries | All inbound traffic (if filter enabled) | Yes, with CC_ALLOW_FILTER |
CC_DENY | Block listed countries | All inbound traffic | No (respects csf.allow) |
CC_IGNORE | Exclude from geo-triggering | Login failure detection (lfd) | Yes, for lfd blocks |
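A small audit of the three directives in a csf.conf-style file, added here as an illustration and not part of CSF or the original article: it flags malformed codes, a country present in both CC_ALLOW and CC_DENY, and CC_IGNORE set without CC_LOOKUPS. The sample configuration and the function names `parse_conf` and `audit` are constructed for this example.

```python
import re

# Constructed sample in csf.conf syntax (NAME = "value"); not from a real server.
SAMPLE_CONF = '''
CC_LOOKUPS = "0"
CC_ALLOW = "US,CA"
CC_DENY = "CN,RU,ca,RUS"
CC_IGNORE = "US,MY"
'''

SETTING = re.compile(r'^\s*([A-Z0-9_]+)\s*=\s*"([^"]*)"')
CC_LISTS = ("CC_ALLOW", "CC_DENY", "CC_IGNORE")

def parse_conf(text):
    """Return {name: value} for every NAME = "value" line; comments are skipped."""
    settings = {}
    for line in text.splitlines():
        match = SETTING.match(line)
        if match:
            settings[match.group(1)] = match.group(2)
    return settings

def audit(text):
    """Return a list of findings about the country-code directives."""
    conf = parse_conf(text)
    findings, lists = [], {}
    for name in CC_LISTS:
        codes = [c.strip() for c in conf.get(name, "").split(",") if c.strip()]
        for code in codes:
            # Assumption: codes are written as two uppercase letters, as in the article.
            if not re.fullmatch(r"[A-Z]{2}", code):
                findings.append(f"{name}: '{code}' is not a two-letter uppercase code")
        lists[name] = {c.upper() for c in codes}
    # The same country in both lists expresses contradictory intent.
    for code in sorted(lists["CC_ALLOW"] & lists["CC_DENY"]):
        findings.append(f"{code} is listed in both CC_ALLOW and CC_DENY")
    # The article lists enabled country lookups as a prerequisite.
    if lists["CC_IGNORE"] and conf.get("CC_LOOKUPS", "0") == "0":
        findings.append("CC_IGNORE is set but CC_LOOKUPS is not enabled")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF):
        print("WARN:", finding)
```

Running it against a copy of the live configuration before restarting the firewall catches typos in the lists that would otherwise go unnoticed.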
Conclusion
The CC_ALLOW, CC_DENY, and CC_IGNORE directives in CSF offer a flexible mechanism for managing access based on country codes. CC_ALLOW (when used with CC_ALLOW_FILTER) creates a whitelist, CC_DENY adds countries to a blocklist, and CC_IGNORE prevents login failure bans for specific countries. Using these settings effectively requires understanding their scope and interaction with other CSF and LFD rules.