Skip to main content

CWP : Improve CSF iptables performance with IPSET

CSF (ConfigServer Firewall) on a Linux system and you block a lot of IP addresses. Servers running iptables with CSF firewall can become slow and bogged down while processing the sometimes hundreds of IP addresses in CSF's iptables chains. Thankfully, it is possible to quickly and easily alleviate this slowdown by installing and configuring a took called ipset.

This option allows you to use ipset v6+ for the following csf options:
CC_* and /etc/csf/csf.blocklist, /etc/csf/csf.allow, /etc/csf/csf.deny,

ipset will only be used with the above options when listing IPs and CIDRs. Advanced Allow Filters and temporary blocks use traditional iptables. To use this option you must have a fully functioning installation of ipset installed either via rpm or source from

It’s a straight forward process. CentOS, Red Hat and Fedora (yum based) users :
# yum install ipset -y
Ubuntu or Debian:
# sudo apt-get install ipset -y
Once ipset and its necessary supporting packages are installed, we need to tell CSF that ipset is available and ready to be used. We want to edit CSF's main config file:
# vi /etc/csf/csf.conf
LF_IPSET = "1"

:x ( save & close )
Reload CSF and LFD to apply our changes:
# csf -r
This article based: