Firewalld and modsecurity owasp crs question.

Support for security such as Firewalls and securing linux
Post Reply
RRMedia
Posts: 16
Joined: 2014/10/12 00:12:46

Firewalld and modsecurity owasp crs question.

Post by RRMedia » 2014/10/16 14:54:46

Hello, first of all please excuse me for being new to unix-like systems.

I'm trying not to dive too deep into iptables and there's not much info on using firewalld without iptables so I have a question regarding my setup. I currently only have one vps but I have my interfaces split into two zones: eth is in a dmz and loopback and net are in a public zone...since I only have one server and Im not using loopback at the moment could I not just have them all on the dmz to save memory? The reason I'm asking is because firewalld now using 3% of 2gigs more memory then when I was testing with just one zone.

Also after installing modsecurity and the owasp crs my memory usage jumped 7% with 237mb of it cached, is that a lot of usage or is that normal?

aks
Posts: 2936
Joined: 2014/09/20 11:22:14

Re: Firewalld and modsecurity owasp crs question.

Post by aks » 2014/10/16 17:41:32

The first rule of memory is ..... the majority of it should be used 100% of the time - after all you paid for it, so why not use it? If you have eveidence of the core of program occupying more RAM than is reasonable for it's function (aka bloat-ware) then I'd suggest putting a comment on the website of that specific program.
Just to note, IPTables & FirewallD are seperate programs that perform the same functionality. Upstream probably left IPTables in there because many customers probably already have several IPTables scripts in use on prodution systems (I don't KNOW that, but it is a reasonable guess). One of the attractions of FirewallD is that it hooks into the bus and is much more dynamic thatn IPTables.

Regards

RRMedia
Posts: 16
Joined: 2014/10/12 00:12:46

Re: Firewalld and modsecurity owasp crs question.

Post by RRMedia » 2014/10/16 20:08:44

aks wrote:The first rule of memory is ..... the majority of it should be used 100% of the time - after all you paid for it, so why not use it? If you have eveidence of the core of program occupying more RAM than is reasonable for it's function (aka bloat-ware) then I'd suggest putting a comment on the website of that specific program.
Just to note, IPTables & FirewallD are seperate programs that perform the same functionality. Upstream probably left IPTables in there because many customers probably already have several IPTables scripts in use on prodution systems (I don't KNOW that, but it is a reasonable guess). One of the attractions of FirewallD is that it hooks into the bus and is much more dynamic thatn IPTables.

Regards
Thanks for getting back to me. I understand that iptables is a different firewall, I only mention it to state that I was trying to stay away from learning iptables and deactivating it like a lot of websites say to do. What I was wondering if that spike was usual when running two zones and if I could just get away with one zone since I'm not using the loopback or network features.

Also if it was usual for mod security with crs to consume a lot of ram, like more then my os, firewalld, and fail2ban combined.

My math is off so here is how the usage climbed:
one zone and fail2ban: 4.46%
Two zones and fail2ban: 7.68%
Two zones, fail2ban and mod security: 12.25%
Httpd is disabled for all settings.

aks
Posts: 2936
Joined: 2014/09/20 11:22:14

Re: Firewalld and modsecurity owasp crs question.

Post by aks » 2014/10/17 16:29:21

So how are you measuring the usage of each process and it's subprocesses? If you're just taking an output of something like free, ythen you do not know if that memory consumption is down to that particular process/process set. Do you include VSS in this or is this just RES?

On a 2GB system, your numbers indicate (unless I can't do aritmatic):
4.46%: 91.34080 MB
7.68%: 157.28640 MB - or an increase of 65.945 MB
12.25%: 250.88 MB - or an increase of 93.59360 MB

The binary file size will tell you how much memory each process comsumes (so if a process has multiple copies of itself multiply by that number).

"Httpd is disabled for all settings." - I don't know what this means.

RRMedia
Posts: 16
Joined: 2014/10/12 00:12:46

Re: Firewalld and modsecurity owasp crs question.

Post by RRMedia » 2014/10/17 21:10:56

aks wrote:So how are you measuring the usage of each process and it's subprocesses? If you're just taking an output of something like free, ythen you do not know if that memory consumption is down to that particular process/process set. Do you include VSS in this or is this just RES?

On a 2GB system, your numbers indicate (unless I can't do aritmatic):
4.46%: 91.34080 MB
7.68%: 157.28640 MB - or an increase of 65.945 MB
12.25%: 250.88 MB - or an increase of 93.59360 MB

The binary file size will tell you how much memory each process comsumes (so if a process has multiple copies of itself multiply by that number).
I use a combination of tools to view my processes and usage live, firewalld is my biggest user and nothing is really using a lot of memory by itself but my total has been consistently climbing with every tool that I install...it appears that most of my memory is just cached.
aks wrote: "Httpd is disabled for all settings." - I don't know what this means.
I just meant that there was no web server app running for any of the settings.

aks
Posts: 2936
Joined: 2014/09/20 11:22:14

Re: Firewalld and modsecurity owasp crs question.

Post by aks » 2014/10/18 17:30:32

Okay so you're concerned that the system is using main memory to cache data? Don't be. Most of my systems have some megs free (I think like a 100 or so, but that's from memory).

RRMedia
Posts: 16
Joined: 2014/10/12 00:12:46

Re: Firewalld and modsecurity owasp crs question.

Post by RRMedia » 2014/10/18 17:46:57

aks wrote:Okay so you're concerned that the system is using main memory to cache data? Don't be. Most of my systems have some megs free (I think like a 100 or so, but that's from memory).
Yes I was growing a bit worried about the usage, it appears that after a reboot my usage dropped to 130mb with 70mg cached. Thanks for the help.

Post Reply

Return to “CentOS 7 - Security Support”