I want to use the current tools and avoid obsolete methods (and mostly learn new stuff), so I migrated my iptables configuration to Firewalld. With iptables I use something like

```
-A INPUT -m state --state NEW -m tcp -p tcp -m multiport --dports 22,80,143,443,587,993,4190,5222 -s 85.70.0.0/15 -j ACCEPT
```
In the end iptables is set to allow access from 1100 various ipv4 and ip6 ranges in total.
1) I tried generating the Firewalld config using the following line in a script

```
firewall-cmd --permanent --add-rich-rule="rule family=ipv4 source address=85.70.0.0/15 service name=ssh accept"
```
So I had to write a script creating the actual xml (/etc/firewalld/zones/public.xml), which finished within a few seconds (public.xml is now 1.5 MB large, compared to the 150 kB iptables config).
2) When I started the firewalld service it took several minutes (5 or 10) until I could finally establish a new connection. The whole time top showed 49% sy (so I suppose full usage of a single core).
3) When the cpu settled, the memory usage reported by top still showed more than 10% (of 1 GB RAM).
```
PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
61972 root 20 0 411692 105252 6248 S 0.0 10.4 0:25.70 firewalld
```
- Ok, I can still use iptables but I would expect Firewalld to be equally good or better (in terms of performance). It uses too much cpu power and memory.
- Am I even using it right? Or is there another tool I should use instead?
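One way to express the same allow-list without generating 1100 separate rich rules, as an added example that is not part of the post above and not firewalld's own tooling: collect the source ranges into firewalld ipsets of type hash:net (one per address family, since an ipset has a single family) and attach them to a dedicated zone with `<source ipset="..."/>`, so the kernel matches sources with a hash lookup instead of walking one rule per range. The script below parses iptables-save style lines like the one in the post and emits the XML files firewalld expects under /etc/firewalld/ipsets and /etc/firewalld/zones. The zone name `allowlist`, the ipset names, the extra sample ranges (192.0.2.0/24 and 2001:db8::/32 are documentation prefixes) and the `build_config`/`write_config` function names are all constructed for this example.

```python
"""Convert iptables allow-list rules into firewalld ipset + zone XML.

Added example (not from the forum post). Assumptions:
  * input lines use iptables-save syntax with -s <cidr>, -p tcp|udp and
    --dports a,b,c, ending in -j ACCEPT
  * firewalld's ipset XML (<ipset type="hash:net"> with a family option
    and <entry> children) and the zone <source ipset=""/> element, as
    documented in firewalld.ipset(5) and firewalld.zone(5)
"""
import ipaddress
import re
from pathlib import Path
from xml.sax.saxutils import escape

# Constructed sample input shaped like the rule quoted in the post.
SAMPLE_RULES = """\
-A INPUT -m state --state NEW -m tcp -p tcp -m multiport --dports 22,80,143,443,587,993,4190,5222 -s 85.70.0.0/15 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp -m multiport --dports 22,443 -s 192.0.2.0/24 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp -m multiport --dports 22,443 -s 2001:db8::/32 -j ACCEPT
"""

_SRC = re.compile(r"(?:^|\s)-s\s+(\S+)")      # "-s <cidr>" (not "--state")
_PORTS = re.compile(r"--dports?\s+(\S+)")     # "--dport 22" or "--dports a,b"
_PROTO = re.compile(r"-p\s+(tcp|udp)")


def parse_rules(text):
    """Return (sorted IPv4 CIDRs, sorted IPv6 CIDRs, sorted (port, proto)).

    Only ACCEPT rules carrying a -s source are used; the CIDR is validated
    and normalised by the ipaddress module, so a typo fails loudly here
    rather than at firewalld reload time.
    """
    v4, v6, ports = set(), set(), set()
    for line in text.splitlines():
        if "-j ACCEPT" not in line:
            continue
        src = _SRC.search(line)
        if not src:
            continue
        net = ipaddress.ip_network(src.group(1), strict=False)
        (v6 if net.version == 6 else v4).add(str(net))
        proto_match = _PROTO.search(line)
        proto = proto_match.group(1) if proto_match else "tcp"
        port_match = _PORTS.search(line)
        if port_match:
            for p in port_match.group(1).split(","):
                ports.add((int(p), proto))
    return sorted(v4), sorted(v6), sorted(ports)


def ipset_xml(entries, family):
    """Render one hash:net ipset; family is 'inet' or 'inet6'."""
    lines = ['<?xml version="1.0" encoding="utf-8"?>',
             '<ipset type="hash:net">',
             f'  <option name="family" value="{family}"/>']
    lines += [f"  <entry>{escape(e)}</entry>" for e in entries]
    lines.append("</ipset>")
    return "\n".join(lines) + "\n"


def zone_xml(ipset_names, ports, short="Allow-list sources"):
    """Render a zone whose sources are the given ipsets and which opens ports."""
    lines = ['<?xml version="1.0" encoding="utf-8"?>', "<zone>",
             f"  <short>{escape(short)}</short>"]
    lines += [f'  <source ipset="{escape(n)}"/>' for n in ipset_names]
    lines += [f'  <port port="{p}" protocol="{proto}"/>' for p, proto in ports]
    lines.append("</zone>")
    return "\n".join(lines) + "\n"


def build_config(rules_text, zone="allowlist"):
    """Map relative file path -> XML content for the ipsets and the zone."""
    v4, v6, ports = parse_rules(rules_text)
    files, names = {}, []
    for family, entries in (("inet", v4), ("inet6", v6)):
        if entries:
            name = f"{zone}-{family}"
            names.append(name)
            files[f"ipsets/{name}.xml"] = ipset_xml(entries, family)
    files[f"zones/{zone}.xml"] = zone_xml(names, ports)
    return files


def write_config(rules_text, root="/etc/firewalld", zone="allowlist"):
    """Write the generated files under root; returns the paths written."""
    written = []
    for rel, content in build_config(rules_text, zone).items():
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(content)
        written.append(path)
    return written


if __name__ == "__main__":
    # Dry run: show what would be written instead of touching /etc/firewalld.
    for rel, content in build_config(SAMPLE_RULES).items():
        print(f"--- {rel}\n{content}")
```

After writing the files, `firewall-cmd --reload` loads them; `firewall-cmd --get-ipsets` and `firewall-cmd --info-ipset=allowlist-inet` confirm the sets exist, and `firewall-cmd --get-active-zones` shows the ipset-backed sources bound to the new zone. Because firewalld matches sources before interfaces, traffic from a listed range lands in this zone regardless of which interface it arrives on, so the zone should open only the ports the allow-listed ranges actually need; everything else keeps the default zone's policy.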