Install IPSET to CSF Firewall

Servers running iptables with CSF firewall can become slow and bogged down while processing the sometimes hundreds of IP addresses in CSF’s iptables chains. Thankfully, it is possible to quickly and easily alleviate this slowdown by installing and configuring a took called ipset.

IP sets are a framework inside the Linux kernel that can store IP addresses, networks, (TCP/UDP) port numbers, MAC addresses, interface names or combinations of them in a way, which ensures lightning speed when matching an entry against a set.

Installing

To get started, we want to install ipset. CentOS, Red Hat and Fedora (yum) users do this by:

yum install ipset

Ubuntu or Debian, run

apt-get install ipset

Configuring

Once ipset packages are installed, we need to configure CSF that ipset is available. We need edit CSF’s main config file:

nano /etc/csf/csf.conf

Change LF_IPSET from 0 to 1.

LF_IPSET = "1"

And finally, we need to reload CSF to apply our changes:

csf -r