Add ipset in Firewall to increase performance
Please extend the Firewall / Concept to make use of ipset, because it is generally the fastest solution I found so far. Chains like "f2b-recidive" can also be implemented as ipset lists. This will speed up the whole process while adding or removing IPs. I don't know if there is CIDR support in ipset...
For example, remove the following chain:
f2b-plesk-postfix tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 25,465,587
And extend the firewall with a native DROP on the ports as described below:
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 25,465,587 match-set f2b-plesk-postfix src
And then (or before?) just create the ipset (the ipset package must be installed via the package manager):
ipset create f2b-plesk-postfix hash:ip
ipset add f2b-plesk-postfix 192.168.0.1
ipset add f2b-plesk-postfix 192.168.0.2
ipset add f2b-plesk-postfix 192.168.0.3
The firewall backend must only be updated to make use of these commands if ipset is supported. One note: there must also be a backup mechanism for that, and we could do that quickly with "ipset save" and "ipset restore".
With ipset setups we blocked almost 900k IPs without any performance issues...
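As an added example (not part of the original request or of Plesk's code), the workflow above as a script: it generates an `ipset restore` file, loads it into a temporary set and swaps that set into place atomically, so the single DROP rule keeps matching while the list is replaced. It uses the set name and ports from the post, assumes a hash:net set (which does accept CIDR entries) and a backup path of my choosing.

```shell
# Added example, not from the original post: build an `ipset restore` file
# for the ban list, load it atomically by swapping a freshly filled temporary
# set into place, and keep a backup with `ipset save`.
SET_NAME="f2b-plesk-postfix"
PORTS="25,465,587"
BACKUP_FILE="/var/lib/ipset-${SET_NAME}.save"   # assumed path

# Constructed sample ban list: single addresses plus one CIDR block.
# A hash:net set accepts both; hash:ip would reject the /24.
BANNED="192.168.0.1
192.168.0.2
192.168.0.3
198.51.100.0/24"

# Write an `ipset restore` script that creates and fills the given set.
# $1 = set name, $2 = output file; entries come from $BANNED.
write_restore_file() {
    {
        printf 'create %s hash:net family inet hashsize 1024 maxelem 65536\n' "$1"
        printf '%s\n' "$BANNED" | while IFS= read -r entry; do
            [ -n "$entry" ] || continue
            printf 'add %s %s\n' "$1" "$entry"
        done
    } > "$2"
}

# One set lookup replaces the per-IP chain; installed once, survives reloads.
iptables_rule() {
    printf 'iptables -I INPUT -p tcp -m multiport --dports %s -m set --match-set %s src -j DROP' "$PORTS" "$1"
}

# Atomic reload: fill a temp set, swap it in, destroy the old one, back up.
# Requires root and the ipset package; never reached by the dry run below.
apply_banlist() {
    tmp="${SET_NAME}-tmp"
    f="$(mktemp)"
    write_restore_file "$tmp" "$f"
    ipset create "$SET_NAME" hash:net family inet 2>/dev/null || true
    ipset destroy "$tmp" 2>/dev/null || true
    ipset restore < "$f"
    ipset swap "$tmp" "$SET_NAME"
    ipset destroy "$tmp"
    rm -f "$f"
    ipset save "$SET_NAME" > "$BACKUP_FILE"
}

# Only touch the kernel when explicitly asked: `sh script.sh apply`.
if [ "${1:-}" = "apply" ]; then apply_banlist; fi
```

The rule printed by `iptables_rule` is added once by hand; because `ipset swap` exchanges set contents under the same name, later reloads never leave the port open.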
Thank you for your input! We will consider this functionality in upcoming releases if it proves popular.
Everyone, please continue voting for this feature if you consider it important.
—
ET
-
EhudZ commented
The Plesk Firewall using iptables has memory issues which, as I understand, ipset does not suffer from. The option to use ipset in the Plesk Firewall is welcome!
-
Carl commented
Yes please.
I think it's wrong for us to pay for an extension to have this basic functionality. In my opinion there could be a thing called "advanced firewall editor" where you can manually write iptables rules.