Warning: Pyxsoft Firewall is currently in its beta phase. Some features may be incomplete or subject to change.

PXF — Firewall CLI for RHEL 7/8/9

PXF is a minimal, reliable CLI that manages a Linux firewall (iptables/ip6tables or nftables) via a journaled, declarative workflow. All mutating commands only append to a JSONL journal; nothing touches the kernel until you run pxf apply. IP blocks are persisted to survive reboots (with TTL support for temporary blocks).

  • RHEL 7/8/9: auto-detects legacy iptables, iptables-nft, or native nftables.
  • Declarative & idempotent: desired state is rebuilt from the journal and applied in one shot.
  • IP block persistence: blocked IPs (permanent and temporary) survive reboots with automatic expiration handling.
  • Allowlist priority: allowed IPs (bastions) always bypass blocks and closed ports.
  • Kill switch: pxf disable forces ALLOW ALL at runtime until pxf enable.
  • IPv4/IPv6 everywhere, fast IP allow/deny using sets (ipset or nft sets).
  • Port forwarding: classic redirect and transparent redirect that hides backend ports.
  • Selective per-port denies: block specific source CIDRs to a port even if that port is globally open.
  • Script/GUI friendly: consistent --json / --yaml envelopes for CGI/React integration.
  • firewalld integration: pxf firewalld status|disable|enable.

Requirements

  • OS: RHEL 7/8/9 (or compatible).

  • Backends & binaries

    • nftables: nft + kernel module nf_tables (no ipset required).
    • iptables (legacy or nft wrapper): iptables, ip6tables, ipset + kernel modules ip_tables, ip6_tables.

Conflicting Firewalls (must be disabled)

Before installing PXF Firewall, you must disable any other firewall or security layer that manages iptables/nftables. Running multiple systems in parallel will cause conflicts.

The following services should be disabled:

  • firewalld (default firewall in RHEL/CentOS/Alma/Rocky)
  • CSF (ConfigServer Security & Firewall) and its daemon LFD (Login Failure Daemon)
  • Imunify360 Firewall (and ideally the full Imunify360 suite)

PXF fully replaces these layers and, if installed, integrates directly with Pyxsoft Security Suite (including Real WAF and Anti-Malware) for advanced protection.


🔹 Disable firewalld

systemctl stop firewalld
systemctl disable firewalld

Verify:

systemctl status firewalld

🔹 Disable CSF and LFD

csf -x
systemctl stop csf lfd
systemctl disable csf lfd

Optionally uninstall:

yum remove csf -y   # CentOS/RHEL
apt remove csf -y # Debian/Ubuntu

🔹 Disable Imunify360

To disable only the firewall:

imunify360-agent features disable firewall

👉 Recommended: Completely disable Imunify360 since PXF + Pyxsoft Security Suite provides full protection:

systemctl stop imunify360
systemctl disable imunify360

✅ Quick Checklist

# firewalld
systemctl stop firewalld
systemctl disable firewalld

# CSF + LFD
cd /etc/csf
sh uninstall.sh

# Imunify360
imunify360-agent features disable firewall
systemctl stop imunify360
systemctl disable imunify360
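
The checklist above turned into a pre-flight check, added here as an example and not part of PXF or the original page: it reports every conflicting unit that is still running or still enabled at boot. It assumes systemd and the unit names used in the commands on this page (firewalld, csf, lfd, imunify360); the function name pxf_preflight is hypothetical.

```shell
#!/bin/sh
# Added example (not PXF code): confirm that the conflicting firewall
# services named on this page are neither running nor enabled at boot.
# Assumption: systemd manages them under the unit names used above.

CONFLICT_UNITS="firewalld csf lfd imunify360"

# Prints one "CONFLICT <unit> (<state>)" line per offending unit.
# Returns 0 when nothing conflicts, 1 otherwise.
# A unit that is not installed fails both probes and counts as clean.
pxf_preflight() {
    rc=0
    for unit in $CONFLICT_UNITS; do
        state=""
        # Running right now: it may still own iptables/nftables rules.
        if systemctl is-active --quiet "$unit" 2>/dev/null; then
            state="active"
        fi
        # Enabled: it would come back after the next reboot.
        if systemctl is-enabled --quiet "$unit" 2>/dev/null; then
            state="${state:+$state,}enabled"
        fi
        if [ -n "$state" ]; then
            echo "CONFLICT $unit ($state)"
            rc=1
        fi
    done
    return $rc
}

# Report only; the caller decides whether to abort the installation.
pxf_preflight || echo "Disable the units listed above before installing PXF." >&2
```

A unit reported as enabled but not active was only stopped, not disabled, and will start again at the next boot.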


Installation

  1. Install the Pyxsoft Repository:
     curl -s https://repo.pyxsoft.com/public-tools/setup-repo.sh | REPO_NAME="pyxsoft" OS="any" bash
  2. Install the PXF CLI:
     yum install pyxsoft-pxf

Check the installation

pxf validate --yaml   # or --json

Data locations (defaults)

  • State: /var/lib/pxf/state.json (includes Disabled: bool)
  • Journal: /var/lib/pxf/journal.jsonl (one JSON object per line)
  • Lock: /var/lock/pxf.lock
  • Ini file: /etc/pxf/pxf.ini