Hello there,
I'm a hobbyist running CentOS 6.5 on a 1 GB RAM VPS where I have my mailserver, jabber, groupware and some other web services. I already know about systemd from Arch Linux so I'm working on scripts so I can deploy my setup on CentOS 7. I'm testing it in VMware Workstation on my desktop, also with 1 GB RAM and 2 processor cores in total (based on i7 3770k).
I want to use the current tools and avoid obsolete methods (and mostly learn new stuff) so I migrated my iptables configuration to Firewalld. With iptables I use something like
-A INPUT -m state --state NEW -m tcp -p tcp -m multiport --dports 22,80,143,443,587,993,4190,5222 -s 85.70.0.0/15 -j ACCEPT
to limit some services only to my country (Czech Republic) as there's no need for me to waste bandwidth on various bots. Other services (SMTP, XMPP S2S) are open from everywhere. In the end iptables is set to allow access from 1100 various IPv4 and IPv6 ranges in total.
1) I tried generating the Firewalld config using the following line in a script
firewall-cmd --permanent --add-rich-rule="rule family=ipv4 source address=85.70.0.0/15 service name=ssh accept"
running in a loop, but after waiting a few minutes it became painfully slow (a single firewall-cmd took around one second to finish).
So I had to write a script creating the actual xml (/etc/firewalld/zones/public.xml), which finished within a few seconds (public.xml is now 1.5 MB large, compared to the 150 kB iptables config).
1b) I also received the following error when I stopped my running batch and entered a new command manually (not sure if something like that is expected):
# firewall-cmd --permanent --zone=public --add-service=ssh
ERROR:dbus.proxies:Introspect error on :1.6126:/org/fedoraproject/FirewallD1/config: dbus.exceptions.DBusException: org.freedesktop.DBus.Error.NoReply: Did not receive a reply. Possible causes include: the remote application did not send a reply, the message bus security policy blocked the reply, the reply timeout expired, or the network connection was broken.
success
2) When I started the firewalld service it took several minutes (5 or 10) until I could finally establish a new connection. The whole time top showed 49% sy (so I suppose full usage of a single core).
3) When the cpu settled, the memory usage reported by top still showed more than 10% (of 1 GB RAM).
  PID USER      PR  NI    VIRT    RES    SHR S  %CPU %MEM     TIME+ COMMAND
61972 root      20   0  411692 105252   6248 S   0.0 10.4   0:25.70 firewalld
My thought/question:
- Ok, I can still use iptables but I would expect Firewalld to be equally good or better (in terms of performance). It uses too much cpu power and memory.
- Am I even using it right? Or is there another tool I should use instead?
Best regards, Marcel Dopita
Hello,
On 08/04/2014 12:44 AM, Marcel Dopita wrote:
Hello there,
I'm a hobbyist running CentOS 6.5 on a 1 GB RAM VPS where I have my mailserver, jabber, groupware and some other web services. I already know about systemd from Arch Linux so I'm working on scripts so I can deploy my setup on CentOS 7. I'm testing it in VMware Workstation on my desktop, also with 1 GB RAM and 2 processor cores in total (based on i7 3770k).
I want to use the current tools and avoid obsolete methods (and mostly learn new stuff) so I migrated my iptables configuration to Firewalld. With iptables I use something like
-A INPUT -m state --state NEW -m tcp -p tcp -m multiport --dports 22,80,143,443,587,993,4190,5222 -s 85.70.0.0/15 -j ACCEPT
to limit some services only to my country (Czech Republic) as there's no need for me to waste bandwidth on various bots. Other services (SMTP, XMPP S2S) are open from everywhere. In the end iptables is set to allow access from 1100 various IPv4 and IPv6 ranges in total.
- I tried generating the Firewalld config using the following line in a script
firewall-cmd --permanent --add-rich-rule="rule family=ipv4 source address=85.70.0.0/15 service name=ssh accept"
Please use ipsets. This will not only speed up the handling in firewalld, but will also increase the throughput of your firewall itself.
For ipset usage in firewalld, please have a look at this: http://marc.info/?l=firewalld-users&m=140553744432201&w=2
ipset integration into firewalld is on the todo list and will be worked on shortly. Then it will also be usable within zones.
running in a loop, but after waiting a few minutes it became painfully slow (a single firewall-cmd took around one second to finish).
So I had to write a script creating the actual xml (/etc/firewalld/zones/public.xml), which finished within a few seconds (public.xml is now 1.5 MB large, compared to the 150 kB iptables config).
1b) I also received the following error when I stopped my running batch and entered a new command manually (not sure if something like that is expected):
# firewall-cmd --permanent --zone=public --add-service=ssh
ERROR:dbus.proxies:Introspect error on :1.6126:/org/fedoraproject/FirewallD1/config: dbus.exceptions.DBusException: org.freedesktop.DBus.Error.NoReply: Did not receive a reply. Possible causes include: the remote application did not send a reply, the message bus security policy blocked the reply, the reply timeout expired, or the network connection was broken.
success
- When I started the firewalld service it took several minutes (5 or 10) until I could finally establish a new connection. The whole time top showed 49% sy (so I suppose full usage of a single core).
- When the cpu settled, the memory usage reported by top still showed more than 10% (of 1 GB RAM).
  PID USER      PR  NI    VIRT    RES    SHR S  %CPU %MEM     TIME+ COMMAND
61972 root      20   0  411692 105252   6248 S   0.0 10.4   0:25.70 firewalld
My thought/question:
- Ok, I can still use iptables but I would expect Firewalld to be equally good or better (in terms of performance). It uses too much cpu power and memory.
- Am I even using it right? Or is there another tool I should use instead?
Best regards, Marcel Dopita
Regards, Thomas
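Thomas's ipset suggestion worked through, as an added example that is neither the thread's nor firewalld's own code: a POSIX sh generator that turns a CIDR list into two ipsets (an ipset is bound to one address family, so Marcel's mixed IPv4/IPv6 list needs one hash:net set each) and a single firewalld direct rule per family, using the direct interface because, as Thomas notes, zone-level ipset support was not yet available. The set names cz4/cz6 and the sample ranges are constructed for this example; the ports are those from Marcel's iptables rule.

```shell
#!/bin/sh
# Added example: replace ~1100 per-range rich rules with two ipsets matched by
# one firewalld direct rule each. Set names, file layout and sample ranges are
# constructed; the port list is the one from the original iptables rule.

PORTS=22,80,143,443,587,993,4190,5222

# Constructed sample of country ranges, one CIDR per line, IPv4 and IPv6 mixed.
RANGES='85.70.0.0/15
# blank lines and comments are ignored

2a02:8300::/29
93.99.0.0/16'

# Emit an `ipset restore` batch for one address family.
# $1 = set name, $2 = inet | inet6, stdin = CIDR list
build_ipset_restore() {
    printf 'create %s hash:net family %s\n' "$1" "$2"
    while IFS= read -r cidr; do
        case "$cidr" in ''|\#*) continue ;; esac   # skip blanks and comments
        case "$2:$cidr" in
            inet:*:*)  continue ;;                  # IPv6 entry, not for the inet set
            inet6:*:*) ;;                           # IPv6 entry, keep
            inet6:*)   continue ;;                  # IPv4 entry, not for the inet6 set
        esac
        printf 'add %s %s\n' "$1" "$cidr"
    done
}

# Emit the one direct rule that replaces all per-range rules for a family.
# $1 = ipv4 | ipv6, $2 = set name
direct_rule() {
    printf 'firewall-cmd --permanent --direct --add-rule %s filter INPUT 0 -m set --match-set %s src -m state --state NEW -p tcp -m multiport --dports %s -j ACCEPT\n' "$1" "$2" "$PORTS"
}

main() {
    # The output is itself a script for the firewall host: load both sets
    # (-exist makes re-runs idempotent), add the two rules, then reload.
    for fam in inet inet6; do
        case $fam in inet) set_name=cz4 ;; *) set_name=cz6 ;; esac
        echo "ipset restore -exist <<'EOF'"
        printf '%s\n' "$RANGES" | build_ipset_restore "$set_name" "$fam"
        echo EOF
    done
    direct_rule ipv4 cz4
    direct_rule ipv6 cz6
    echo 'firewall-cmd --reload'
}
main
```

The sets must exist before firewalld applies the direct rules, so on the host restore them at boot ahead of firewalld; that ordering gap is what the zone-level ipset integration Thomas mentions removes.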
firewalld-users mailing list firewalld-users@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/firewalld-users