On 08/22/2017 08:24 AM, John Griffiths wrote:
Thank you for the reply although I am not completely clear on what you are saying since part seems to be a question.
Using direct was the only way to use ipsets when I started using them with firewalld.
Are you saying that ipsets cannot be used with direct now in firewalld?
Also, ipsets that were members of a "super" ipset would have the ips in those sets found by referencing the "super" ipset as I explained in my original post to the list. That seems to be no longer the case. Is that by intent? Is that a change in ipset or in firewalld?
I already use the FedoraServer zone. I can't have two zones active. So, creating a zone that drops always would defeat the current zone I am using.
I want to use firewalld as intended, but at rev 0.4.4.5, the software is, as would be expected, in flux and the documentation is sparse and lags development. The section on ipsets is particularly sparse.
I have over 500 ips that I want black listed. At one time, when my system was under heavy attack, I had over 4000. I have programs that dynamically add and delete ips from ipsets based on how persistent the abuse from the ip.
The direct method of firewalld was working quite well. Now it is not blocking any of the ips that I want to black list.
I guess I could go back to iptables, but that is not my first choice, but I must get the blocking of ips working soon.
I hope I can get some help with this.
Regards,
John
firewalld-users mailing list -- firewalld-users@lists.fedorahosted.org To unsubscribe send an email to firewalld-users-leave@lists.fedorahosted.org
Have you tried Fail2Ban? It works with firewalld.
Cheers,
JonRam