Blocking Traffic by Country in the CSF Firewall


Filtering and managing traffic by country is one of the most requested features on cPanel servers. With ConfigServer Security & Firewall (CSF), you can do exactly that in WHM. While blocking traffic from specific countries can help reduce bandwidth, minimize exposure to security risks and ensure that your site content is viewable only in geographic locations where it is permitted, there are factors to consider before choosing to filter traffic at the country level.

You will want to consider the following before filtering:

  • Using country-level filtering will negatively impact performance and slow response times on your websites. This is because the CIDR range lists are large and your firewall must check each incoming IP address against the chosen lists.
  • A small percentage of unwanted traffic may still get through.
  • A small percentage of desired traffic may get blocked because:
    • The CIDR range lists used for country-level blocks are not 100 percent accurate.
    • Some Internet service providers and web services use non-geographic IP addresses for clients.
    • Proxy services and virtual private networks are used to mask a visitor's true geographic location.
  • Country-level filtering applies only to incoming connections; outbound traffic is not affected.

Once you've taken into consideration the potential issues filtering and blocking by country may have on your site performance, you can open WHM and begin the process.


You will need to take a backup of your CSF Firewall Configuration prior to making changes. If you are unsure how to take a backup, see our article Backing Up Your CSF Firewall Configuration.
  1. In WHM, open the ConfigServer Security & Firewall (CSF) plugin.
  2. From the home page of CSF, navigate to Firewall Configuration.
  3. Use the drop-down menu at the top of the page to select Country Code Lists and Settings.
  4. This will direct you to the Country Code Lists and Settings section of the firewall configuration. 


    Note: For a list of country codes, you can download it from Select the Download link from the GeoLite Country section under CSV/zip. This will download a human-readable document to your workstation.
  5. Enter the country code in the CC_DENY section under Country Code Lists and Settings.
  6. Scroll down to the bottom of the page and click Change.
  7. You will be directed to a page confirming the block and a request to restart CSF and LFD. Click Restart csf+lfd to restart your firewall and allow the change to be completed. 
  8. Once the restart process is completed, scroll to the bottom of the page and click Return to be directed back to the CSF home page.
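
The same change can be scripted from a shell with the backup step built in. This is an added example, not part of the original article or of CSF itself; it assumes the configuration file is /etc/csf/csf.conf and contains a CC_DENY = "..." line, and the function names set_cc_deny and get_cc_deny and the codes XX,YY are illustrative placeholders.

```shell
#!/bin/sh
# Added example, not the vendor's code. Assumes csf.conf has a line of the form
#   CC_DENY = "..."
# and that country codes are two upper-case letters, comma-separated, no spaces.

# set_cc_deny CONF CODES
#   Validates CODES, backs CONF up beside itself, rewrites only the CC_DENY
#   line, and prints the backup path.
#   Returns 1 on bad input, 2 if CONF has no CC_DENY line, 3 if a write fails.
set_cc_deny() {
    local conf="$1" codes="$2" backup

    # Accept "XX" or "XX,YY"; an empty list clears the block. Strict validation
    # also keeps the value safe to place inside the sed expression below.
    case "$codes" in
        *[!A-Z,]*) echo "invalid country code list: $codes" >&2; return 1 ;;
    esac
    if [ -n "$codes" ] &&
       ! printf '%s\n' "$codes" | LC_ALL=C grep -Eq '^[A-Z]{2}(,[A-Z]{2})*$'; then
        echo "invalid country code list: $codes" >&2
        return 1
    fi

    # Refuse to edit a file that lacks the setting instead of appending one.
    if ! grep -Eq '^CC_DENY[[:space:]]*=' "$conf"; then
        echo "no CC_DENY line in $conf" >&2
        return 2
    fi

    # Back up first, as the article requires before any change.
    backup="$conf.bak.$(date +%Y%m%d%H%M%S)"
    cp -p "$conf" "$backup" || return 3

    # Rewrite via a temp file so the original keeps its owner and mode.
    sed -E "s/^CC_DENY[[:space:]]*=.*/CC_DENY = \"$codes\"/" "$conf" \
        > "$conf.new" && cat "$conf.new" > "$conf" && rm -f "$conf.new" || return 3
    echo "$backup"
}

# get_cc_deny CONF: print the value currently between the quotes.
get_cc_deny() {
    sed -n -E 's/^CC_DENY[[:space:]]*=[[:space:]]*"([^"]*)".*/\1/p' "$1"
}

# On a live server (XX,YY are placeholder codes):
#   set_cc_deny /etc/csf/csf.conf "XX,YY" && csf -ra   # restart csf and lfd
```

If the new rules cause problems, copy the printed backup file back over csf.conf and restart csf and lfd again.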
