"The idea with csf, as with most iptables firewall configurations, is to block
everything and then allow through only those connections that you want. This is
done in iptables by DROPPING all connections in and out of the server on all
protocols. Then allow traffic in and out from existing connections. Then open
ports up in and outgoing for both TCP and UDP individually.
This way we can control exactly what traffic is allowed in and out of the
server and helps protect the server from malicious attack."
'via Blog this'