#1 2016-09-27 11:54:42

LowEnder
Trusted Member
Registered: 2015-08-21
Posts: 38

ipset

I know ipset is not essential, as in you can work around not having it by adding individual rules for all the IPs/ranges in your set, but even for smaller sets this gets ugly fast. For example, I have no intention to ever exchange packets with a certain network that hosts scanners and seems to supply them with what looks like random IPs from a large number of ranges they own (yeah, could be zombies, but it's always the same kind of scan originating just from this network, so I have my doubts, and I have grown to be very annoyed with them cluttering my logs with their useless, often hourly attempts). Without ipset those guys alone make up at least 9 firewall rules (assuming I just want to drop incoming traffic). With ipset I can dump them and all their annoying friends in one tidy set and just use this as a drop condition in iptables. Same goes for forwarding rules dropping internal ranges. Basically ipset saves my ruleset from becoming a multipage monstrosity. Also it might save some resources on the node, since it is said to be more efficient than individual rules. So if it's possible and not too much work, I think it would be nice to be able to use this.

Offline

#2 2016-09-27 13:02:48

Backtogeek
Low End Boss
From: ~/
Registered: 2013-02-13
Posts: 3,500

Re: ipset

Hi LowEnder,

Yep, I would love to help with that; however, there is no ipset module in the OpenVZ kernel and OpenVZ does not support it at all, so you would need to go full virt to use it.

Ant.


http://LittleHappyCloud.net KVM VPS with 1TB Bandwidth for €3.00

Offline

#3 2016-09-27 14:05:30

LowEnder
Trusted Member
Registered: 2015-08-21
Posts: 38

Re: ipset

Cool, thanks for looking into this.

No biggie if it's not possible. I've already patched my firewall script to check if it can use ipset and "emulate" it if it can't. Also good to know it's an OpenVZ limitation. I've been playing with the idea of a "huge" forward drop list for some time now, as there are quite a few ranges I dislike on a more personal basis. Don't think that would end well without ipset.

Offline
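The check-and-emulate approach described in the post above, written out as an added example (not LowEnder's actual script): it uses a single `hash:net` set and one `--match-set` rule where ipset works, and expands the same list into one `-s ... -j DROP` rule per range where it does not. The set name, the `emit_drop_rules`/`rule_count` helpers and the ranges (RFC 5737 documentation prefixes) are this example's own; the script prints the commands instead of running them so it can be reviewed first.

```shell
#!/bin/sh
# Added example: use ipset when the kernel supports it, otherwise fall back
# to individual iptables rules. Names and ranges here are constructed.

SET_NAME="scanners"
# Constructed sample ranges (documentation prefixes, not real scanner sources).
BLOCKED_RANGES="192.0.2.0/24 198.51.100.0/24 203.0.113.0/24"

# ipset is usable only if the binary exists AND the kernel accepts set
# operations; inside an OpenVZ container the module is missing, so the
# second command fails and we fall back.
have_ipset() {
    command -v ipset >/dev/null 2>&1 || return 1
    ipset list -n >/dev/null 2>&1
}

# Print the commands for one chain. $1 = chain (INPUT/FORWARD),
# $2 = "yes" to use ipset, anything else to emulate it rule by rule.
emit_drop_rules() {
    chain=$1
    use_ipset=$2
    if [ "$use_ipset" = "yes" ]; then
        echo "ipset create $SET_NAME hash:net -exist"
        for r in $BLOCKED_RANGES; do
            echo "ipset add $SET_NAME $r -exist"
        done
        # One match rule regardless of how many ranges are in the set.
        echo "iptables -A $chain -m set --match-set $SET_NAME src -j DROP"
    else
        # Emulation: the ruleset grows by one line per range.
        for r in $BLOCKED_RANGES; do
            echo "iptables -A $chain -s $r -j DROP"
        done
    fi
}

# Number of iptables rules a chain needs in the given mode.
rule_count() {
    emit_drop_rules "$1" "$2" | grep -c '^iptables'
}

main() {
    if have_ipset; then mode=yes; else mode=no; fi
    for chain in INPUT FORWARD; do
        emit_drop_rules "$chain" "$mode"
    done
}

main
```

Pipe the output into `sh` once the printed rules look right; with three ranges the emulated FORWARD and INPUT chains already need six rules where ipset needs two.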

#4 2016-09-27 14:16:58

Backtogeek
Low End Boss
From: ~/
Registered: 2013-02-13
Posts: 3,500

Re: ipset

With OpenVZ, the easy way to think about it is: do I 'need' iptables? If yes, then use Xen or KVM.


Offline
