On Mon, Oct 31, 2022 at 11:06:45AM -0000, Ferry de Jong wrote:
> Hello, I have had a 'hybrid' firewall setup largely based on firewalld (backend=iptables) where I add some iptables rules after the firewalld rules have loaded (which is an ugly and fragile setup). During my attempts to integrate everything into the firewalld framework to get rid of the ugly manual iptables rule adding, I ran into a problem with an ipset that is used.
>
> I would like to add an ipset of the type bitmap:port to the firewalld configuration so it can be used as part of some rich rules I will be creating. The ipset will contain a bunch of (tcp) ports that will cause a rule to create logging every time any of those destination ports see network traffic. The idea is to have a tripwire/'honeypot' facility to become aware of attempts to connect to ports like 23 (telnet) and 443 (https) etc., but for a very long, and regularly changing, list of ports.
>
> As is clear per "firewall-cmd --get-ipset-types" this ipset type is not supported. Is there any way to 'integrate' my intended rich rules which depend on a bitmap:port type ipset?
Could you use ipset type "hash:net,port"? Then use "0.0.0.0/8" in place of the "net"? Not sure if this will work as expected.

I think adding support for "bitmap:port" to firewalld makes sense. Please file a feature request on github [1].

[1]: https://github.com/firewalld/firewalld/issues
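As an added illustration of the workaround suggested in the reply (this is example code, not part of the thread or of firewalld itself): a dry-run script that emits the firewall-cmd invocations for a hash:net,port ipset filled with "0.0.0.0/8,tcp:PORT" entries and a log-only rich rule matching on that set. It assumes the ipset name, zone, log prefix and port list (all constructed here), that the entry format follows the ipset(8) net,port syntax, and that your firewalld version accepts `destination ipset=` in rich rules.

```shell
#!/bin/sh
# Tripwire port logging via a hash:net,port ipset (example, not from the thread).
# Default is a dry run: the commands are printed so they can be reviewed first.

SET_NAME="tripwire-ports"          # hypothetical ipset name
ZONE="public"                      # hypothetical zone the rule is attached to
LOG_PREFIX="TRIPWIRE: "            # hypothetical kernel log prefix
TRIPWIRE_PORTS="23 443 2323 3389"  # constructed sample port list

# Rich rule that only logs (rate limited); it takes no verdict, so ordinary
# zone handling still decides what happens to the packet afterwards.
rich_rule() {
    printf 'rule family="ipv4" destination ipset="%s" log prefix="%s" level="info" limit value="10/m"' \
        "$SET_NAME" "$LOG_PREFIX"
}

# Print the firewall-cmd invocations. The "net" half of every entry is 0.0.0.0/8,
# as suggested in the reply; only the tcp port part differs per entry.
tripwire_commands() {
    printf 'firewall-cmd --permanent --new-ipset=%s --type=hash:net,port\n' "$SET_NAME"
    for p in $TRIPWIRE_PORTS; do
        printf 'firewall-cmd --permanent --ipset=%s --add-entry=0.0.0.0/8,tcp:%s\n' \
            "$SET_NAME" "$p"
    done
    printf "firewall-cmd --permanent --zone=%s --add-rich-rule='%s'\n" "$ZONE" "$(rich_rule)"
    printf 'firewall-cmd --reload\n'
}

# Number of --add-entry commands generated; lets a caller verify the port list
# was expanded as expected before applying anything.
entry_count() {
    tripwire_commands | grep -c -- '--add-entry='
}

# Apply only when explicitly asked and firewall-cmd is actually available.
if [ "${1:-}" = "apply" ] && command -v firewall-cmd >/dev/null 2>&1; then
    tripwire_commands | sh
else
    tripwire_commands
fi
```

Run it without arguments to review the generated commands; `./tripwire.sh apply` executes them.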