Thread: UFW performance with a large number of rules?

  1. #1
    Join Date
    Jul 2006
    Location
    Rotterdam, Netherlands
    Beans
    163
    Distro
    Ubuntu 10.04 Lucid Lynx

    UFW performance with a large number of rules?

    Because of spam, hack attempts, SSH brute force attacks, etc., I am trying to block all access from China.
    I have a list of all IP ranges belonging to China in CIDR notation, and adding these to UFW will result in over 2500 new rules.

    Will this large number of UFW rules have a big impact on my server's performance?

  2. #2
    Join Date
    Oct 2007
    Beans
    338

    Re: UFW performance with a large number of rules?

    As your firewall grows it is possible for bandwidth to slow a bit depending on your setup, the number of services you're filtering and the number of nodes on your network. Is this a stand-alone firewall or, more likely, shared with a web server? I have a firewall set up, iptables with a large ruleset, and have blocked more than 32000 CIDR addresses for China, Asia, Pakistan, Korea, etc., and I have not personally noticed any performance issues or network/bandwidth issues. Here is a link for reference with some guidelines on CPU throughput, intended for a stand-alone firewall.
    http://www.pfsense.org/index.php?opt...d=52&Itemid=49

    Chad
    Last edited by chadk5utc; December 1st, 2012 at 10:09 PM.

  3. #3
    Join Date
    Sep 2011
    Beans
    1,531

    Re: UFW performance with a large number of rules?

    I take it you're not behind a router?

    It helps to cut down on the brute force attacks if you run your ssh server on a random high port instead of 22. It isn't really a security measure, but more bots seem to scan & brute force the passwords on port 22 in my experience.

  4. #4
    Join Date
    Jul 2006
    Location
    Rotterdam, Netherlands
    Beans
    163
    Distro
    Ubuntu 10.04 Lucid Lynx

    Re: UFW performance with a large number of rules?

    Quote Originally Posted by Ms. Daisy View Post
    I take it you're not behind a router?

    It helps to cut down on the brute force attacks if you run your ssh server on a random high port instead of 22. It isn't really a security measure, but more bots seem to scan & brute force the passwords on port 22 in my experience.
    It's not just SSH, I am more concerned about hacks against Wordpress, Drupal, a forum, the mail service and so on. And of course the blog and forum spam.

    Quote Originally Posted by chadk5utc View Post
    As your firewall grows it is possible for bandwidth to slow a bit depending on your setup, the number of services you're filtering and the number of nodes on your network. Is this a stand-alone firewall or, more likely, shared with a web server? I have a firewall set up, iptables with a large ruleset, and have blocked more than 32000 CIDR addresses for China, Asia, Pakistan, Korea, etc., and I have not personally noticed any performance issues or network/bandwidth issues. Here is a link for reference with some guidelines on CPU throughput, intended for a stand-alone firewall.
    http://www.pfsense.org/index.php?opt...d=52&Itemid=49

    Chad
    Thanks!
    It's a web server, so it runs Apache, a few databases, a few web sites and a mail server. I will try it first with a small set of rules and see what happens. If there's no noticeable impact, I will add more blocks.

  5. #5
    Join Date
    Nov 2008
    Location
    Metro Boston
    Beans
    8,588
    Distro
    Kubuntu 14.04 Trusty Tahr

    Re: UFW performance with a large number of rules?

    I block spam at the mail server itself rather than with iptables. I do have some scripts that scan logs to see which IP addresses are sending lots of spam and then add iptables rules to block those specific addresses. I use sendmail rather than postfix, so I cannot tell you how to configure it to block Chinese senders. In sendmail you can add rules to /etc/mail/access that block SMTP senders by domain. "Wrapping" the SMTP server in xinetd and using /etc/hosts.[allow|deny] rules is another option.

    You can also establish access rules in Apache. You can block all hosts in the .cn domain like this:

    Code:
    <Directory "/var/www">
        [stuff]
        deny from .cn
    </Directory>
    Most server applications give you control over access. If you have an especially balky one, there is always xinetd.

  6. #6
    Join Date
    Aug 2009
    Beans
    Hidden!

    Re: UFW performance with a large number of rules?

    Quote Originally Posted by Johan! View Post
    I have a list of all IP ranges belonging to China in CIDR notation, and adding these to UFW will result in over 2500 new rules. Will this large number of UFW rules have a big impact on my server's performance?
    If you're concerned about the impact of large rule sets there's no reason why you shouldn't be able to test it yourself (virtualization, Jperf). Do think about rule placement (raw table, "-j NOTRACK"), regularly refresh ranges (assignments are not static, they change over time) and have a look at ipset: with ipset, filtering your .cn TLD efficiently and in a maintenance-friendly way requires only one iptables rule.

    More than that though...


    Quote Originally Posted by Johan! View Post
    Because of spam, hack attempts, SSH brute force attacks, etc., I am trying to block all access from China.
    Do question the validity of what you're doing in terms of (mis)perception and (in)efficiency. If you combine info on attacks you've seen in the past with insights from, say, Project Honeypot, Stop Forum Spam, Dancho Danchev and Arbor Networks you'll find China, the US and Russia remain the top three TLDs, but you may also see for instance a TLD like India moving up with regard to spam only. And if you tally attack activity more specifically you may find that within a TLD some ASNs cause ninety-nine per cent of the trouble, and the same goes for ranges within a single ASN. By all means, block ranges if it makes you feel good, but do focus on things that matter. Ensure you have Linux admin knowledge: a web-based management panel is not a substitute. Invest in proper host and service hardening (which should include passing up on "security by obscurity" in favour of tools like fail2ban, checking SANS and OWASP checklists, and knowing when to block hostile activity at the application level with, say, mod_security instead of using access rules and when to block attacks at the network level). Realize security, like maintenance, is a continuous process: don't run or allow access to what is not needed, update when updates are released, make regular backups, read reports and regularly audit the machine locally and from remote (as in OpenVAS or equivalent, not nmap). Should you have time to spare, try to learn from real-life compromises.
    Anticipate, remain vigilant and most of all have fun.
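The ipset approach from post #6 in working form, as an added example that is not code from any of the posters: instead of 2500 UFW rules evaluated one after another in a chain, the whole CIDR list goes into one hash:net set that iptables consults with a single rule, placed in the raw table so matching packets are dropped before connection tracking and before the filter chains UFW manages. The set name "blocklist_cn", the list file name, the five-line sample list, and the hashsize/maxelem values are assumptions for illustration; the real China list would be fed in instead of sample_cidrs.

```shell
#!/bin/sh
# Added example (not from the thread): load a large CIDR blocklist into one
# ipset and hook it with a single iptables rule, rather than thousands of
# UFW rules. Assumed names: set "blocklist_cn", list file "cn.zone".
# Applying the set and rule needs root, ipset and iptables on the box.

# Constructed stand-in for the real ~2500-entry list: one CIDR per line,
# with a comment, a blank line and a bad entry to exercise the validation.
sample_cidrs() {
  cat <<'EOF'
# comment lines and blanks are ignored
1.0.1.0/24
1.0.2.0/23

1.0.8.0/21
not-a-cidr
EOF
}

# Return 0 if $1 looks like a.b.c.d/n with octets 0-255 and prefix 0-32.
is_cidr() {
  case "$1" in
    */*) ;;
    *) return 1 ;;
  esac
  ip=${1%/*}; plen=${1#*/}
  case "$plen" in ''|*[!0-9]*) return 1 ;; esac
  [ "$plen" -le 32 ] || return 1
  oldifs=$IFS; IFS=.
  set -- $ip            # split the address into its octets
  IFS=$oldifs
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    case "$o" in ''|*[!0-9]*) return 1 ;; esac
    [ "$o" -le 255 ] || return 1
  done
  return 0
}

# Read a CIDR list on stdin and emit an `ipset restore` stream on stdout:
# one create line, then one add line per valid entry. hash:net matches a
# source address against all stored prefixes in O(1) per prefix length,
# independent of how many networks the set holds (hashsize only sets the
# initial bucket count; ipset grows it as needed).
gen_restore() {
  set_name=$1
  printf 'create %s hash:net family inet hashsize 4096 maxelem 65536\n' "$set_name"
  while read -r line; do
    line=${line%%#*}          # strip trailing comments
    set -- $line              # first whitespace-separated field, if any
    [ $# -gt 0 ] || continue
    if is_cidr "$1"; then
      printf 'add %s %s\n' "$set_name" "$1"
    else
      printf 'skipping invalid entry: %s\n' "$1" >&2
    fi
  done
}

# Load (or refresh) the set and install the one rule that references it.
# DROP in raw/PREROUTING runs before conntrack, so blocked traffic never
# costs a state-table entry and never reaches the UFW filter chains.
# -exist makes the restore idempotent; -C skips the insert if the rule
# is already present (iptables -C needs iptables 1.4.11 or newer).
apply_blocklist() {
  set_name=$1; list_file=$2
  command -v ipset >/dev/null 2>&1 && command -v iptables >/dev/null 2>&1 ||
    { echo "ipset and iptables are required" >&2; return 1; }
  gen_restore "$set_name" < "$list_file" | ipset restore -exist || return 1
  iptables -t raw -C PREROUTING -m set --match-set "$set_name" src -j DROP 2>/dev/null ||
    iptables -t raw -I PREROUTING -m set --match-set "$set_name" src -j DROP
}

# With APPLY=1 and a real list file, load it; otherwise just show the
# restore stream that the sample list would produce.
if [ "${APPLY:-0}" = 1 ]; then
  apply_blocklist blocklist_cn "${1:-cn.zone}"
else
  sample_cidrs | gen_restore blocklist_cn
fi
```

Two practical caveats: UFW itself knows nothing about ipset, so the rule has to live outside the `ufw allow`/`ufw deny` syntax (for instance in a `*raw` section of /etc/ufw/before.rules, which is plain iptables-restore format), and the set must already exist when those rules are loaded at boot, so save it with `ipset save` and restore it before UFW starts. Refreshing the list is then just re-running `gen_restore ... | ipset restore -exist`, or building a second set and swapping it in with `ipset swap`, with no change to the iptables rule at all.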
