Improve CSF with ipset

Servers running iptables with CSF firewall can become slow while processing the sometimes hundreds of IP addresses in CSF's iptables chains. You can avoid this by installing and configuring ipset.

IP sets are a framework inside the Linux kernel that can store IP addresses, networks, TCP/UDP port numbers, MAC addresses - or combinations of some/all of the prior. These IP sets are stored in a fast and efficient manor that allows for quick access and searching, plus seamless updates to the IP sets without having to reload iptables.

To get started, we want to install ipset. CentOS, Red Hat and Fedora (yum) users do this by:

sudo yum install ipset -y

Or for an apt based Linux distro like Ubuntu or Debian, run:

sudo apt-get install ipset -y

Once ipset and its necessary supporting packages are installed, we need to tell CSF that ipset is available and ready to be used. We want to edit CSF's main config file:

nano /etc/csf/csf.conf

Then, we want to search for the lf_ipset line to make our changes:

CTRL+W to search in nano
Type lf_ipset and hit return

Alter the lf_ipset line to look like this:

LF_IPSET = "1"

Now we want to save our changes and exit nano:

CTRL+X then type Y and hit return

And finally, we need to reload CSF and LFD to apply our changes:

csf -r

  • 0 Users Found This Useful
Was this answer helpful?

Related Articles

Anti-DDoS Filter settings

If you recive this error:502 - BAD GATEWAYAnti-DDoS Filter cannot connect to protected host.Most...

GRE tunnel

Prerequisites iptables installed on your VPS (included already in most cases)...


Be advised that you cant use Cloudflare and our ddos filter together so not to use Cloudflare.In...

Anti DDoS server settings

You can also tune your server to avoid slowdown during an attack.We recommend to set this only if...

Invalid SSL cert

During an ddos attack you might notice an invalid SSL cert. This happens as the L7 filter changes...