Disclaimer:
Please bear in mind that the ConfigServer Security & Firewall (AKA CSF) plugin is third-party software and is not part of cPanel's suite of software, so its provision, configuration, and management are beyond the scope of our support. Please note that cPanel, LLC only supports the cPanel-provided software and does not provide general system/network administration services or support for third-party software.
The purpose of this guide is purely informational, and as such cPanel, LLC will not assume responsibility for any potential adverse outcomes that might arise from its adoption. You may, therefore, wish to seek assistance from a qualified system administrator regarding any potential issues, as one would have the tools and knowledge to assist you.
Furthermore, CSF has its own support channel, forum, and ticketing system, so refer to this link if you require further assistance with any issues concerning CSF:
https://www.configserver.com/cp/csf.html
Symptom:
When checking the LFD service with the systemctl command you will see this:
systemctl status lfd.service
● lfd.service - ConfigServer Firewall & Security - lfd
Loaded: loaded (/usr/lib/systemd/system/lfd.service; enabled; vendor preset: disabled)
Active: failed (Result: exit-code) since Tue 2020-12-01 20:54:11 IST; 10min ago
Process: 11119 ExecStart=/usr/sbin/lfd (code=exited, status=1/FAILURE)
Dec 01 20:54:10 host.domain.tld systemd[1]: Starting ConfigServer Firewall & Security - lfd...
Dec 01 20:54:11 host.domain.tld lfd[11119]:Error: You have an unresolved error when starting csf. You need to restart csf successfully before starting lfd (s...csf.error)
Dec 01 20:54:11 host.domain.tld systemd[1]: lfd.service: control process exited, code=exited status=1
Dec 01 20:54:11 host.domain.tld systemd[1]: Failed to start ConfigServer Firewall & Security - lfd.
Dec 01 20:54:11 host.domain.tld systemd[1]: Unit lfd.service entered failed state.
Dec 01 20:54:11 host.domain.tld systemd[1]: lfd.service failed.
The error indicates that you need to restart the CSF service before being able to start the LFD service. However, when you check the CSF service you notice that the service has failed with the following error:
systemctl status csf.service -l
● csf.service - ConfigServer Firewall & Security - csf
Loaded: loaded (/usr/lib/systemd/system/csf.service; enabled; vendor preset: disabled)
Active: failed (Result: exit-code) since Mon 2020-11-30 20:13:09 IST; 24h ago
Main PID: 943 (code=exited, status=1/FAILURE)
Nov 30 20:12:56 host.domain.tld systemd[1]: Starting ConfigServer Firewall & Security - csf...
Nov 30 20:13:09 host.domain.tld csf[943]: You have an unresolved error when starting csf:
Nov 30 20:13:09 host.domain.tld csf[943]:Error: FASTSTART: (Packet Filter IPv4) [] [iptables-restore: line 14 failed]. Try restarting csf with FASTSTART disabled, at line 5584 in /usr/sbin/csf
Nov 30 20:13:09 host.domain.tld csf[943]:You need to restart csf successfully to remove this warning, or delete /etc/csf/csf.error
Nov 30 20:13:09 host.domain.tld systemd[1]: csf.service: main process exited, code=exited, status=1/FAILURE
Nov 30 20:13:09 host.domain.tld systemd[1]: Failed to start ConfigServer Firewall & Security - csf.
Nov 30 20:13:09 host.domain.tld systemd[1]: Unit csf.service entered failed state.
Nov 30 20:13:09 host.domain.tld systemd[1]: csf.service failed.
Explanation:
The issue has to do with the FASTSTART option being enabled in /etc/csf/csf.conf, which you can confirm by running the following command:
grep -ir 'FASTSTART = "1"' /etc/csf/*
/etc/csf/csf.conf:FASTSTART = "1"
This option is not supported on all operating systems. Below you will find a short description of what this option does:
# This option uses IPTABLES_SAVE, IPTABLES_RESTORE and IP6TABLES_SAVE,
# IP6TABLES_RESTORE in two ways:
#
# 1. On a clean server reboot the entire csf iptables configuration is saved
# and then restored where possible to provide a near instant firewall
# startup[*]
#
# 2. On csf restart or lfd reloading tables, CC_* as well as SPAMHAUS, DSHIELD,
# BOGON, TOR are loaded using this method in a fraction of the time than if
# this setting is disabled
#
# [*]Not supported on all OS platforms
Workaround:
Edit CSF's main config file located at /etc/csf/csf.conf and disable FASTSTART by changing FASTSTART = "1" to FASTSTART = "0". Once the change is made, restart CSF's rules by running the following command:
csf -r
After this, check both services. If either of them has not started automatically, you can start it manually with the systemctl command like this:
systemctl start csf.service
systemctl start lfd.service
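The workaround above as a small shell helper, added here as an example (it is not from cPanel or ConfigServer): it edits csf.conf only when the recorded error file blames FASTSTART, and keeps a backup first. The function names and the .bak-faststart suffix are assumptions; the paths and the FASTSTART = "1" line format are the ones shown in this guide.

```shell
#!/bin/sh
# Added example, not part of CSF. Function names and the backup suffix are
# assumptions. Paths are arguments so it can be tried on a copy of csf.conf.

# Print the active FASTSTART value (0 or 1); commented-out lines are ignored.
faststart_value() {
    sed -n 's/^[[:space:]]*FASTSTART[[:space:]]*=[[:space:]]*"\([01]\)".*/\1/p' "$1" | tail -n 1
}

# Succeed only if the csf error file exists and mentions FASTSTART.
faststart_error_present() {
    [ -f "$1" ] && grep -q 'FASTSTART' "$1"
}

# Set FASTSTART = "0", keeping a backup copy. No-op if it is already disabled.
disable_faststart() {
    conf=$1
    [ -f "$conf" ] || { echo "missing: $conf" >&2; return 2; }
    [ "$(faststart_value "$conf")" = "1" ] || return 0
    cp -p "$conf" "$conf.bak-faststart" || return 1
    # Rewrite from the backup into the original file so its owner and mode are kept.
    sed 's/^\([[:space:]]*FASTSTART[[:space:]]*=[[:space:]]*\)"1"/\1"0"/' \
        "$conf.bak-faststart" > "$conf"
}

# Disable FASTSTART only when the recorded csf error actually points at it,
# so an unrelated startup failure does not lead to a config change.
fix_faststart_failure() {
    faststart_error_present "$2" || { echo "no FASTSTART error in $2" >&2; return 3; }
    disable_faststart "$1"
}

# As root, on the real files, then reload the rules as the guide describes:
#   fix_faststart_failure /etc/csf/csf.conf /etc/csf/csf.error && csf -r
```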