Firewall & IP Management
Govern incoming and outgoing network traffic, manage blocking feeds, custom port rules, and country locks using cPGuard CLI tools.
Firewall Controls
Manage Firewall Service State
Get firewall daemon information:
cpgcli fw
Or check status explicitly:
cpgcli fw --status
Enable system firewall integration:
cpgcli fw --enable
Disable system firewall:
cpgcli fw --disable
Restart firewall engine to flush and reload tables:
cpgcli fw --restart
Switch active backend provider (e.g. nftables or iptables rules):
cpgcli fw --provider nftables
Toggle Security Integrations & Debug Modes
Enable the CAPTCHA verification layer:
cpgcli fw --captcha enable
Disable CAPTCHA:
cpgcli fw --captcha disable
Enable IP reputation threat database (IPDB) matching:
cpgcli fw --ipdb enable
Disable IPDB integration:
cpgcli fw --ipdb disable
Toggle detailed debug logging to trace packet actions in the log files under /var/log:
cpgcli fw --debug
Manage Fail2Ban Configurations
Enable Fail2Ban integration (use disable to turn it off completely):
cpgcli fw --fail2ban enable
Check the status of active jails:
cpgcli fw --fail2ban status
Force-apply configuration files to custom jails (comma-separated list):
cpgcli fw --fail2ban --enable-jail ssh-jail,postfix-jail
Lock / Whitelist Countries
Filter network requests by country, using ISO country codes (e.g., US, CN, IN):
Whitelist a specific country completely:
cpgcli fw --allow-country US
Remove country from allowed whitelist:
cpgcli fw --allow-country --remove US
List all whitelisted country configurations:
cpgcli fw --allow-country --list
Blacklist a country entirely:
cpgcli fw --deny-country CN
Remove a country from the blacklisted registry:
cpgcli fw --deny-country --remove CN
List blacklisted countries:
cpgcli fw --deny-country --list
Port Filtering Controls
Enabling Port Filtering discards all TCP and UDP packets on every interface except those for port numbers explicitly whitelisted below.
Check the status of port-filter protection:
cpgcli fw --port-filter status
Enable global Port Filter rules:
cpgcli fw --port-filter enable
Disable global Port Filter rules:
cpgcli fw --port-filter disable
Whitelist an inbound TCP port:
cpgcli fw --port tcp-in --add 22
Check all whitelisted inbound TCP rules:
cpgcli fw --port tcp-in --list
Remove an inbound port rule:
cpgcli fw --port tcp-in --remove 22
Add a port range, or use another protocol and direction (e.g., outbound UDP):
cpgcli fw --port udp-out --add 80-90
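Because enabling the port filter drops everything that is not whitelisted, check that the ports you administer the server through are already in the tcp-in list before turning it on. The script below is an added example, not part of cPGuard or its documentation; it assumes the --list output contains ports and ranges as whitespace- or comma-separated tokens, and the function names and sample list are hypothetical.

```shell
#!/bin/sh
# Pre-flight check before `cpgcli fw --port-filter enable` (added example).
# ASSUMPTION: `cpgcli fw --port tcp-in --list` prints ports and ranges such as
# "22" or "80-90" separated by whitespace or commas; other tokens are ignored.

# Constructed sample of list output, used for offline checks only.
SAMPLE_LIST='22 443 8000-8100'

# port_covered PORT "LIST TEXT": succeeds if PORT equals an entry or is in a range.
port_covered() {
    want=$1
    for tok in $(printf '%s\n' "$2" | tr ',' ' '); do
        case $tok in
            *[!0-9-]*|''|-*|*-|*-*-*) continue ;;   # not a port or a lo-hi range
            *-*) lo=${tok%-*}; hi=${tok#*-}
                 if [ "$want" -ge "$lo" ] && [ "$want" -le "$hi" ]; then return 0; fi ;;
            *)   if [ "$want" -eq "$tok" ]; then return 0; fi ;;
        esac
    done
    return 1
}

# missing_ports "LIST TEXT" PORT...: prints the required ports absent from the list.
missing_ports() {
    list=$1; shift
    out=
    for p in "$@"; do
        port_covered "$p" "$list" || out="${out:+$out }$p"
    done
    printf '%s' "$out"
}

# Runs only when required ports are given as arguments and cpgcli is installed,
# e.g.: sh preflight.sh 22 443
if [ "$#" -gt 0 ] && command -v cpgcli >/dev/null 2>&1; then
    current=$(cpgcli fw --port tcp-in --list)
    gap=$(missing_ports "$current" "$@")
    if [ -n "$gap" ]; then
        echo "refusing to enable port filter; tcp-in not whitelisted: $gap" >&2
        exit 1
    fi
    cpgcli fw --port-filter enable
fi
```

The check covers inbound TCP only; repeat it against the other port lists if your services depend on them.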
IP Management
Check whether an address is registered in the database, or assign individual addresses, CIDR blocks, or external web feeds to whitelists and blacklists.
Probe IP Registration Space
Check if a given host or client IP is registered in any active filter state (e.g. whitelist, temp-ban):
cpgcli ip --check 10.0.0.1
Access Lists: Whitelist
Whitelist a static server or employee CIDR range:
cpgcli ip --allow 10.0.0.1 --reason 'Office Gateway'
Remove from the whitelist:
cpgcli ip --allow --remove 10.0.0.1
List current whitelisted IPs:
cpgcli ip --allow --list
Access Lists: Blacklist
Block a custom attacker address range permanently:
cpgcli ip --deny 203.0.113.0/24 --reason 'Abuse Node'
Remove from blacklisted registry:
cpgcli ip --deny --remove 203.0.113.0/24
List blocked IP resources:
cpgcli ip --deny --list
Temporary Rules (Auto-Expires)
Whitelist employees or API proxies temporarily:
cpgcli ip --temp-allow 10.0.0.1 --expiry 2h --reason 'Maintenance session'
Remove temporary allowances:
cpgcli ip --temp-allow --remove 10.0.0.1
Ban hostile attackers temporarily (--expiry supports m (minutes), h (hours), d (days)):
cpgcli ip --temp-ban 10.0.0.2 --expiry 30m --reason 'Brute Force attempt'
List current temporarily banned hosts:
cpgcli ip --temp-ban --list
Synchronize Remote Feeds & DDNS
Feed a dynamic TXT file or URL feed straight into the whitelist:
cpgcli ip --allow-source https://trusted-cdn.net/approved_ips.txt
Remove remote feed integration:
cpgcli ip --allow-source --remove https://trusted-cdn.net/approved_ips.txt
Register a Dynamic DNS hostname mapping:
cpgcli ip --ddns my-office.example.net
List current Dynamic DNS mappings:
cpgcli ip --ddns --list