Improve CSF with ipset

Servers running iptables with CSF firewall can become slow while processing the sometimes hundreds of IP addresses in CSF's iptables chains. You can avoid this by installing and configuring ipset.

IP sets are a framework inside the Linux kernel that can store IP addresses, networks, TCP/UDP port numbers, MAC addresses - or combinations of some/all of the prior. These IP sets are stored in a fast and efficient manor that allows for quick access and searching, plus seamless updates to the IP sets without having to reload iptables.

To get started, we want to install ipset. CentOS, Red Hat and Fedora (yum) users do this by:

sudo yum install ipset -y


Or for an apt based Linux distro like Ubuntu or Debian, run:

sudo apt-get install ipset -y


Once ipset and its necessary supporting packages are installed, we need to tell CSF that ipset is available and ready to be used. We want to edit CSF's main config file:

nano /etc/csf/csf.conf

Then, we want to search for the lf_ipset line to make our changes:

CTRL+W to search in nano
Type lf_ipset and hit return

Alter the lf_ipset line to look like this:

LF_IPSET = "1"

Now we want to save our changes and exit nano:

CTRL+X then type Y and hit return


And finally, we need to reload CSF and LFD to apply our changes:

csf -r

  • 0 Users Found This Useful
Was this answer helpful?

Related Articles

GRE tunnel

Prerequisites iptables installed on your VPS (included already in most cases)...

Anti DDoS server settings

You can tune your server to avoid slowdown during an attack.We recommend to set this only if you...

Invalid SSL cert

During an ddos attack you might notice an invalid SSL cert. This happens as the L7 filter changes...

Anti-DDoS Filter settings

If you see this error:502 - BAD GATEWAYAnti-DDoS Filter cannot connect to protected host.Most...

DDoS Protection Description and Control (Romania only)

DDoS Protection What are DDoS attacks? Having a dedicated IP that comes with purchasing a VPS...