What are IPsets?
IPset is an extension to iptables which allows the creation of firewall rules that reference a set of addresses all at once, rather than requiring the creation of many individual rules. Unlike normal iptables rules which are stored and traversed linearly, IPsets are stored as indexed data structures, making lookups very efficient, even when dealing with a large number of addresses.[1]
The VNS3 firewall acts as a wrapper around the conventional IPTables syntax. The syntax used is a slight variation for optimization and organization purposes. To highlight the distinction, we use the term FWsets when referring to VNS3’s implementation of IPsets.
Advantages of Using FWsets
FWsets tremendously decrease the CPU load of iptables. FWsets can be referenced in any firewall chain or table, making them a versatile tool which can be used in many types of rules and environments. You can easily add or remove addresses from an FWset with two simple API calls.
Creating lengthy Firewall rules in VNS3 can get messy when referencing many address or networks. Â
By utilizing FWsets, your firewall can be much easier to organize and manage.
FVNFWThe graph above illustrates the improvement in latency when using FWsets compared to conventionally specified lists of IPs in your firewall. FWset response time (shown in red above) is consistently quick even with 400k+ IPs defined in your FWset. In testing a larger FWset with 1 million IP’s we found no noticeable increase in latency, measuring a consistent response time of under two milliseconds across the board.
Get Started with FWsets in VNS3
Via the VNS3 API you can create, retrieve, reload, add to, and delete FWsets. Once an FWset is created, you can refer to it in VNS3 firewall rules using the “-m set” module.
Here is a short guide on how to implement FW sets with the VNS3 API.
Here is the documentation for the VNS3 FW Sets API.
If you have any questions, please reach out to Cohesive Support at support.cohesive.net or via email: support@www.cohesive.net.