Add ipset in Firewall to increase performance
Please extend the Firewall / Concept to make use of ipset, because it is generally the fastest solution I have found so far. Chains like "f2b-recidive" can also be implemented as an ipset list. This will speed up the whole process of adding or removing IPs. I don't know if there is CIDR support in ipset...
For example, remove the following chain:
f2b-plesk-postfix tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 25,465,587
And extend the firewall with a native DROP on the ports as described below:
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 25,465,587 match-set f2b-plesk-postfix src
And then (or before?) just create the ipset (which must be installed via the package manager):
ipset create f2b-plesk-postfix hash:ip
ipset add f2b-plesk-postfix 192.168.0.1
ipset add f2b-plesk-postfix 192.168.0.2
ipset add f2b-plesk-postfix 192.168.0.3
The firewall backend must only be updated to make use of these commands if ipset is supported. Only to note: there must also be a backup mechanism for that, and we could do that with "ipset save" and "ipset restore" in a quick way.
With ipset setups we blocked almost over 900k IPs without any performance issues...
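The steps in the post, as an added example that is not part of the original post and not Plesk's code: a generator for an `ipset restore` script that validates each entry, fills a temporary set and swaps it in, so the `match-set` rule never sees a half-loaded list. Assumptions: the set type is `hash:net` (it stores single addresses and CIDR ranges), the `-tmp` suffix is hypothetical, and `maxelem 1048576` is chosen to exceed the 65536 default for a list of the size mentioned above.

```shell
# Accept a.b.c.d or a.b.c.d/1..32 (hash:net cannot store a /0 network).
valid_v4() {
    case $1 in */*) addr=${1%/*} pfx=${1#*/} ;; *) addr=$1 pfx=32 ;; esac
    case $addr in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    case $pfx in ''|*[!0-9]*|???*) return 1 ;; esac
    [ "$pfx" -ge 1 ] && [ "$pfx" -le 32 ] || return 1
    old_ifs=$IFS; IFS=.; set -- $addr; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in ????*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
}

# gen_restore SET [MAXELEM]: read one address per line on stdin, print an
# `ipset restore` script that fills SET-tmp and swaps it in atomically.
gen_restore() {
    set_name=$1 maxelem=${2:-65536} tmp="$1-tmp"
    for s in "$set_name" "$tmp"; do
        printf 'create %s -exist hash:net family inet maxelem %s\n' "$s" "$maxelem"
    done
    printf 'flush %s\n' "$tmp"
    while IFS= read -r line || [ -n "$line" ]; do
        entry=$(printf '%s' "${line%%#*}" | tr -d ' \t\r')   # drop comments, blanks
        [ -n "$entry" ] || continue
        if valid_v4 "$entry"; then
            printf 'add %s %s -exist\n' "$tmp" "$entry"
        else
            printf 'skipped invalid entry: %s\n' "$entry" >&2
        fi
    done
    printf 'swap %s %s\ndestroy %s\n' "$tmp" "$set_name" "$tmp"
}

# Constructed sample ban list; the first three addresses are those in the post.
sample_input() {
    cat <<'EOF'
192.168.0.1
192.168.0.2
192.168.0.3
10.20.0.0/16   # constructed CIDR entry
300.1.1.1
10.0.0.0/0
EOF
}

# Applying the script needs root and the ipset package:
#   sample_input | gen_restore f2b-plesk-postfix 1048576 | ipset restore
sample_input | gen_restore f2b-plesk-postfix 1048576
```

The set has to exist before the `match-set` rule is loaded, because iptables rejects a rule that references a missing set. For the backup, `ipset save f2b-plesk-postfix` writes the same line format that `ipset restore` reads.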
Thank you for your input! We will consider this functionality in upcoming releases if it becomes popular.
Everyone, please continue voting for this feature if you consider it important.
—
ET
-
EhudZ commented
The Plesk FireWall using IPTABLES has issues with memory, which, as I understand, IPSET does not suffer from. The option to use IPSET in Plesk FireWall is welcome!
-
Carl commented
Yes please.
I think it's wrong for us to pay for an extension to have this basic functionality. In my opinion there could be a thing called "advanced firewall editor" where you can manually write iptables rules.