I've bought a 512MB VPS @ DigitalOcean. Currently, I use Firewalld to allow/deny access to certain ports (probably 22, 80, 443 are open). It uses around 25-30MB of memory.

EDIT: Not to forget that I've only 489MB of usable memory, of which 50MB is already used. So if I switch to some other light-weight alternative, I would probably save 15-20MB.

So, is it really necessary to use Firewalld? Or can I use something like iptables (I've never used it before BTW). Is there any major difference between the two? How do I configure iptables to close all ports except port 22, 80, 443?

I'm asking because I even have to consider server security, because one cannot compromise server security just to save a few MBs.

I've read this thread; it says:

if possible, you should use the new firewalld system

2 Answers


Yes, you can use the old system. It's not less secure than firewalld (provided you write your firewall rules correctly). It also doesn't run a daemon, so it's not using a (relatively) large amount of your limited RAM.

Michael Hampton

  • OK. Thanks Michael Hampton. I'll go with iptables then. Can you please help me with iptables rules on Fedora 21 x64 or point me to any good guide? I probably want to open only port 22, 80, 443 and block every other. I've IPv6 on my server too. Thanks. –  Mar 22 '15 at 19:22
  • if you go [here](https://www.google.ca/webhp?ion=1&espv=2&es_th=1&ie=UTF-8#q=iptables+firewall) it should help you find what you're looking for. – GregL Mar 23 '15 at 11:50
  • Thanks GregL. I also read that nftables is going to replace iptables in future. Is nftables ready for production use? I'm using Linux Kernel 3.19.1 right now from Official Fedora and it has nftables support. –  Mar 23 '15 at 12:51
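A ruleset that does what the question asks (only TCP 22, 80 and 443 reachable, for IPv4 and for the IPv6 the comment mentions), as an added example and not code from this thread. It assumes Fedora with the iptables-services package, and the two shell functions are names made up for the example; the script only prints the commands unless run as root with --apply.

```sh
#!/bin/sh
# Added example, not from the thread. Prints (or with --apply runs) an
# iptables/ip6tables ruleset leaving only TCP 22, 80, 443 reachable.
# Assumes Fedora with iptables-services; persisting the result with
# iptables-save into /etc/sysconfig/iptables and ip6tables is left to the admin.
# gen_rules FAMILY  -- FAMILY is "iptables" (IPv4) or "ip6tables" (IPv6).
# Order matters: the DROP policy is set last, so an SSH session that runs
# this script is never cut off between flushing and adding the ACCEPT rules.
gen_rules() {
    fw="$1"
    echo "$fw -P INPUT ACCEPT"
    echo "$fw -F"
    echo "$fw -X"
    # Loopback is needed by local services (resolver, database sockets).
    echo "$fw -A INPUT -i lo -j ACCEPT"
    # Replies to connections the host opened itself (dnf, DNS, NTP).
    echo "$fw -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "$fw -A INPUT -m conntrack --ctstate INVALID -j DROP"
    # IPv6 breaks without neighbour discovery and PMTU messages, so ICMPv6
    # is allowed as a whole; for IPv4 only echo-request is let through.
    if [ "$fw" = "ip6tables" ]; then
        echo "$fw -A INPUT -p ipv6-icmp -j ACCEPT"
    else
        echo "$fw -A INPUT -p icmp --icmp-type echo-request -j ACCEPT"
    fi
    # The three published services, new connections only.
    for port in 22 80 443; do
        echo "$fw -A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Rate-limited log of what the policy drops, so a lockout is diagnosable.
    echo "$fw -A INPUT -m limit --limit 5/min -j LOG --log-prefix \"INPUT-DROP: \""
    # Default deny for inbound and forwarded traffic; outbound stays open.
    echo "$fw -P FORWARD DROP"
    echo "$fw -P OUTPUT ACCEPT"
    echo "$fw -P INPUT DROP"
}
# count_open_ports FAMILY -- number of ports accepting new TCP connections.
count_open_ports() {
    gen_rules "$1" | grep -c 'ctstate NEW -j ACCEPT'
}
if [ "${1:-}" = "--apply" ]; then
    for fw in iptables ip6tables; do
        gen_rules "$fw" | sh -e        # needs root
    done
else
    gen_rules iptables
    gen_rules ip6tables
fi
```

Review the printed commands first (e.g. `sh fw.sh | less`), then run `sh fw.sh --apply` from a console or a session you can afford to lose.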
Just googled through the internet to look for replacement candidates for my 15-year-old solution called shorewall. Stumbled over firewalld and this thread... finding dbus, a daemon and XML. Seems like Red Hat catches us all: NetworkManager and systemd, just to name a few.

So looking for a professional solution on memory-constrained systems, shorewall is the right one: no daemon, plain text config. Works even on openwrt (your router/access point, etc.). Of course it's overkill for a host firewall with just 3 rules, but hey, it will work.

Andrew Schulman
AlfZi