Improve CSF iptables performance with ipset

Servers running iptables with CSF firewall can become slow and bogged down while processing the sometimes hundreds of IP addresses in CSF's iptables chains. Thankfully, it is possible to quickly and easily alleviate this slowdown by installing and configuring a tool called ipset.

IP sets are a framework inside the Linux kernel that can store IP addresses, networks, TCP/UDP port numbers, MAC addresses, or combinations of these. The sets are stored in a fast and efficient manner that allows quick access and searching, and they can be updated seamlessly without having to reload iptables.

To get started, we want to install ipset. CentOS, Red Hat and Fedora (yum) users do this by running:

sudo yum install ipset -y


Or, for an apt-based Linux distro like Ubuntu or Debian, run:

sudo apt-get install ipset -y


Once ipset and its necessary supporting packages are installed, we need to tell CSF that ipset is available and ready to be used. We want to edit CSF's main config file:

nano /etc/csf/csf.conf

Then, we want to search for the lf_ipset line to make our changes:

CTRL+W to search in nano
Type lf_ipset and hit return

Alter the lf_ipset line to look like this:

LF_IPSET = "1"

Now we want to save our changes and exit nano:

CTRL+X then type Y and hit return


And finally, we need to reload CSF and LFD to apply our changes:

csf -r
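
To check the result after the reload, compare how the deny rules look with and without ipset. The script below is an added example, not part of the original article or of CSF: it summarizes iptables-save output, counting rules that match a single address against rules that consult an ipset. The two sample listings and the set name chain_DENY are constructed for illustration.

```shell
#!/bin/sh
# Reads iptables-save text on stdin and prints one summary line: rules that
# match a single address (-s/-d) versus rules that consult an ipset.
summarize_rules() {
    awk '
        $1 != "-A" { next }                  # skip table, chain and COMMIT lines
        {
            is_set = 0
            for (i = 3; i < NF; i++) {
                if ($i != "--match-set") continue
                is_set = 1
                name = $(i + 1)
                if (!(name in seen)) {
                    seen[name] = 1
                    names = names (names == "" ? "" : ",") name
                }
            }
            if (is_set) { set_rules++; next }
            for (i = 3; i < NF; i++)
                if ($i == "-s" || $i == "-d") { ip_rules++; break }
        }
        END {
            printf "per_ip_rules=%d set_rules=%d sets=%s\n",
                ip_rules, set_rules, (names == "" ? "none" : names)
        }
    '
}

# Constructed sample: one DROP rule per blocked address (ipset not in use).
sample_before() {
    cat <<'EOF'
:DENYIN - [0:0]
-A DENYIN -s 203.0.113.5/32 ! -i lo -j DROP
-A DENYIN -s 198.51.100.23/32 ! -i lo -j DROP
-A DENYIN -s 192.0.2.77/32 ! -i lo -j DROP
EOF
}

# Constructed sample: one rule delegating to a set (set name is assumed).
sample_after() {
    cat <<'EOF'
:DENYIN - [0:0]
-A DENYIN ! -i lo -m set --match-set chain_DENY src -j DROP
EOF
}

sample_before | summarize_rules
sample_after  | summarize_rules
# On a live server: iptables-save | summarize_rules
```

If the live summary still shows a large per_ip_rules count and no sets after the reload, the LF_IPSET change has not taken effect.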
