Hello,
On 08/04/2014 12:44 AM, Marcel Dopita wrote:
Hello there,
I'm a hobbyist running CentOS 6.5 on a 1 GB RAM VPS where I have my
mailserver, jabber, groupware and some other web services. I already
know about systemd from Arch Linux so I'm working on scripts so I can
deploy my setup on CentOS 7. I'm testing it in VMware Workstation on my
desktop, also with 1 GB RAM and 2 processor cores in total (based on i7 3770k).
I want to use the current tools and avoid obsolete methods (and mostly
learn new stuff) so I migrated my iptables configuration to Firewalld.
With iptables I use something like
-A INPUT -m state --state NEW -m tcp -p tcp -m multiport --dports
22,80,143,443,587,993,4190,5222 -s 85.70.0.0/15 -j ACCEPT
to limit some services only to my country (Czech Republic) as there's no
need for me to waste bandwidth thanks to various bots. Other services
(SMTP, XMPP S2S) are open from everywhere.
In the end iptables is set to allow access from 1100 various IPv4 and
IPv6 ranges in total.
1) I tried generating Firewalld config using the following line in a script
firewall-cmd --permanent --add-rich-rule="rule family=ipv4 source
address=85.70.0.0/15 service name=ssh accept"
Please use ipsets. This will not only speed up the handling in
firewalld, but will also increase the throughput of your firewall itself.
For ipset usage in firewalld, please have a look at this:
http://marc.info/?l=firewalld-users&m=140553744432201&w=2
ipset integration into firewalld is on the todo list and will be worked
on shortly. Then it will also be usable within zones.
running in a loop, but after waiting a few minutes it became painfully
slow (a single firewall-cmd took around one second to finish).
So I had to write a script creating the actual XML
(/etc/firewalld/zones/public.xml), which finished within a few seconds
(public.xml is now 1.5 MB, compared to the 150 kB iptables config).
1b) I also received the following error when I stopped my running batch and
entered a new command manually (not sure if something like that is expected):
# firewall-cmd --permanent --zone=public --add-service=ssh
ERROR:dbus.proxies:Introspect error on
:1.6126:/org/fedoraproject/FirewallD1/config:
dbus.exceptions.DBusException: org.freedesktop.DBus.Error.NoReply: Did
not receive a reply. Possible causes include: the remote application did
not send a reply, the message bus security policy blocked the reply, the
reply timeout expired, or the network connection was broken.
success
2) When I started the firewalld service it took several minutes (5 or 10)
until I could finally establish a new connection. The whole time top
showed 49% sy (so I suppose full usage of a single core).
3) When cpu settled, the memory usage reported by top still showed more
than 10% (of 1 GB RAM).
PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
61972 root 20 0 411692 105252 6248 S 0.0 10.4 0:25.70 firewalld
My thought/question:
- Ok, I can still use iptables, but I would expect Firewalld to be
equally good or better (in terms of performance). It uses too much CPU
power and memory.
- Am I even using it right? Or is there another tool I should use instead?
Best regards,
Marcel Dopita
Regards,
Thomas
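As an added example (not from this thread, and going beyond what firewalld offered at the time: it assumes a firewalld release with native ipset support as documented in firewalld.ipset(5)), a small shell generator that turns a plain list of CIDR ranges into one firewalld ipset definition per address family, so that a single rich rule per family replaces one rich rule per range. The set names, the output directory and every sample range other than 85.70.0.0/15 are constructed.

```shell
#!/bin/sh
# Added example: build firewalld ipset definitions (firewalld.ipset(5)) from a
# plain list of CIDR ranges, one per line, so that one rich rule per address
# family covers all ranges. Set names and output directory are assumptions.

# gen_ipset NAME FAMILY RANGES_FILE OUT_FILE
# Writes a hash:net ipset for FAMILY (inet or inet6) holding every range in
# RANGES_FILE of that family (duplicates dropped) and prints the entry count.
gen_ipset() {
    name=$1; family=$2; ranges=$3; out=$4
    case "$family" in
        inet)  pat='^[0-9][0-9.]*/[0-9]+$' ;;                 # IPv4 CIDR
        inet6) pat='^[0-9A-Fa-f:]*:[0-9A-Fa-f:]*/[0-9]+$' ;;  # IPv6 CIDR
        *) echo "gen_ipset: unknown family $family" >&2; return 1 ;;
    esac
    {
        printf '<?xml version="1.0" encoding="utf-8"?>\n'
        printf '<ipset type="hash:net">\n'
        printf '  <short>%s</short>\n' "$name"
        printf '  <option name="family" value="%s"/>\n' "$family"
        grep -E "$pat" "$ranges" | sort -u | while read -r cidr; do
            printf '  <entry>%s</entry>\n' "$cidr"
        done
        printf '</ipset>\n'
    } > "$out"
    grep -c '<entry>' "$out" || true
}
# Constructed sample input: the range quoted in the thread plus the
# documentation prefixes 198.51.100.0/24 and 2001:db8::/32 (one duplicate).
RANGES=$(mktemp)
cat > "$RANGES" <<'EOF'
85.70.0.0/15
2001:db8::/32
85.70.0.0/15
198.51.100.0/24
EOF

# Real target directory is /etc/firewalld/ipsets; a temp dir keeps this a dry run.
OUTDIR=$(mktemp -d)
gen_ipset cz4 inet  "$RANGES" "$OUTDIR/cz4.xml"   # prints 2
gen_ipset cz6 inet6 "$RANGES" "$OUTDIR/cz6.xml"   # prints 1

# After copying the files into /etc/firewalld/ipsets, one rule per family
# replaces the per-range rich rules (firewalld.richlanguage(5) source ipset=):
cat <<'EOF'
firewall-cmd --permanent --zone=public --add-rich-rule='rule family=ipv4 source ipset=cz4 service name=ssh accept'
firewall-cmd --permanent --zone=public --add-rich-rule='rule family=ipv6 source ipset=cz6 service name=ssh accept'
firewall-cmd --reload
EOF
```

The same sets can be created without hand-written XML via `firewall-cmd --permanent --new-ipset=cz4 --type=hash:net` followed by `--ipset=cz4 --add-entries-from-file=FILE`; a rich rule's `source ipset=` must reference a set whose family matches the rule's `family=`.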
_______________________________________________
firewalld-users mailing list
firewalld-users(a)lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/firewalld-users