I'm running a low-RAM VPS with CentOS 8. I've noticed that the firewalld service uses way too much RAM (up to 20%). So I guess it may be better to switch to using only the built-in nftables.

I'm quite familiar with the old iptables as well as the firewalld syntax. However, I'm not familiar with nftables syntax and configuration (and currently I cannot afford learning it and doing a manual rewrite due to time restrictions).

Is it possible to export the existing firewalld rules so that nftables would use them "directly", making it possible to completely disable the firewalld service?

P.S. Will it be possible for fail2ban to work with nftables directly in such a configuration?


EDIT: It's not a question of budget/RAM increase. This VM is running on existing on-premise infrastructure with no spare resources left, so its RAM is limited to 256MB (OpenVZ) and, unfortunately, cannot be easily enlarged without updating the infrastructure, which is outside my sphere of responsibility (and rebuilding the infrastructure would require far more time than simply exporting the configuration from firewalld to nftables).

Currently it's running OK, but it uses almost all of the RAM, so I'm looking for ways to optimize it. AFAIK, firewalld is just a front-end to nftables, so my idea is to use it only for configuration and leave the main job to nftables, if that's possible.

simon
  • For CentOS 8 you need at least 1GB of RAM+swap just to update the system's packages while running whatever your workload is, and not running out of memory. Having anything less than that, you're going to run into trouble with something sooner or later. And your low end VPS should have at least that much RAM or you're probably paying too much. If you're on an extreme budget, see https://lowendbox.com/ – Michael Hampton Nov 08 '20 at 06:27
  • @MichaelHampton, thank you for your suggestions. I've edited the question to be more specific. – simon Nov 08 '20 at 07:43
  • Ouch. 256MB is just not enough to even maintain the system. And the cost of your labor to try to "optimize" this is probably orders of magnitude more than the cost of simply upgrading the server's memory. And that's not even getting into what a bad idea OpenVZ is. – Michael Hampton Nov 08 '20 at 09:02

1 Answer

I'm not familiar with nftables syntax and configuration (and currently I cannot afford learning it and manual rewrite due to time restrictions).

Keep firewalld if you are not going to learn nftables. Risking a misconfigured firewall is not worth what might be merely tens of MB of RAM savings. Hopefully, your time is valuable enough that you can justify renting a VM with slightly more resources, and be done with it. (If that's even necessary; I'm not convinced you have a performance problem.)

Firewall rules are not a one-time thing; eventually they will need updating. How are you going to ensure that 6 months from now, this "write in firewalld and convert" process will be followed?

The EPEL 8 fail2ban-firewalld package is naturally firewalld based. It is easy enough to switch to an nftables-based jail, but that is still a configuration you will want to test.

John Mahowald
  • Thanks! My original idea was to use `firewalld` only for configuration (initial and further updates), and to leave the main job to `nftables` - if that's possible. I've edited the question to be more specific. – simon Nov 08 '20 at 07:47
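As an added example (not from the question or the answer, and not endorsed by it): a POSIX shell script for the switch the asker describes, which dumps the ruleset firewalld generated, checks it before it replaces the live firewall, and points fail2ban at nftables actions. The paths and the `nftables-multiport`/`nftables-allports` action names are assumptions about CentOS 8 and EPEL defaults; the answer's caveat still applies, since after this change `firewall-cmd` no longer manages the live rules.

```shell
#!/bin/sh
# Added example, not from the question or answer. Snapshot the nftables ruleset
# that firewalld generated, sanity-check it, and hand it to nftables.service so
# firewalld can be stopped. Assumptions: nftables.service on CentOS 8 loads
# /etc/sysconfig/nftables.conf, and the EPEL fail2ban package ships the
# nftables-multiport and nftables-allports actions.
set -eu

SNAPSHOT=${SNAPSHOT:-/etc/sysconfig/nftables.conf}
JAIL_LOCAL=${JAIL_LOCAL:-/etc/fail2ban/jail.local}

# Dump the live ruleset while firewalld is still running: firewalld removes its
# own tables on shutdown, so a dump taken afterwards would be empty.
dump_ruleset() {
    nft list ruleset > "$1"
}

# Grep-only checks that work on any saved dump (no nft needed). Returns 0 only
# if the dump contains firewalld's table and a rule admitting SSH; a dump that
# fails this must not replace the live firewall, or remote access is lost.
check_ruleset() {
    file=$1
    grep -q 'table inet firewalld' "$file" \
        || { echo "check: no firewalld table in $file" >&2; return 1; }
    grep -Eq 'tcp dport (22|ssh) .*accept' "$file" \
        || { echo "check: no SSH accept rule in $file" >&2; return 1; }
    return 0
}

# Parse-check with nft itself (-c = check only, nothing is loaded).
validate_ruleset() {
    nft -c -f "$1"
}

# jail.local is read after jail.d/00-firewalld.conf, so these settings override
# the firewallcmd actions that the fail2ban-firewalld package configures.
write_fail2ban_jail() {
    printf '[DEFAULT]\nbanaction = nftables-multiport\nbanaction_allports = nftables-allports\n\n[sshd]\nenabled = true\n' > "$1"
}

# The switch only runs when asked explicitly:  sh migrate.sh switch
# Run it from a console session: there is a brief window with no firewall
# between stopping firewalld and starting nftables.
if [ "${1:-}" = switch ]; then
    dump_ruleset "$SNAPSHOT"
    check_ruleset "$SNAPSHOT"
    validate_ruleset "$SNAPSHOT"
    write_fail2ban_jail "$JAIL_LOCAL"
    systemctl disable --now firewalld      # removes firewalld's tables
    systemctl enable --now nftables        # reloads them from the snapshot
    systemctl restart fail2ban
    live=$(mktemp) && dump_ruleset "$live" && check_ruleset "$live"; rm -f "$live"
fi
```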