On 8/22/2017 7:24 AM, John Griffiths wrote:
Thank you for the reply although I am not completely clear on what you are saying since part seems to be a question.
I'm not a firewalld or ipset expert myself. I'm also learning and passing on my understanding of how it works. I'm using them with CentOS 7, a sister OS to Fedora.
Using direct was the only way to use ipsets when I started using them with firewalld.
Are you saying that ipsets cannot be used with direct now in firewalld?
They can. But you can now declare a zone that has a source of an ipset.
Also, ipsets that were members of a "super" ipset would have the ips in those sets found by referencing the "super" ipset as I explained in my original post to the list. That seems to be no longer the case. Is that by intent? Is that a change in ipset or in firewalld?
I'm not familiar with hiearchical ipsets.
I already use the FedoraServer zone. I can't have two zones active. So, creating a zone that drops always would defeat the current zone I am using.
You can have as many zones as you have memory to hold. A zone is a policy, destinations, and a group of sources, which could be interfaces or source addresses. For this case, add an additional zone that just contains an ipset source. Call it blacklist.
# create a new zone named blacklist firewall-cmd --permanent --new-zone=blacklist firewall-cmd --permanent --zone=blacklist --set-target=DROP # create a new ipset named blacklist firewall-cmd --permanent --new-ipset=blacklist --type=hash:net # set the blacklist ipset as the source of the blacklist zone firewall-cmd --permanent --zone=blacklist --add-source=ipset:blacklist # the above changes the config files, now reload them to make them take effect firewall-cmd --reload
Here's a blog article that helped me get my head around this: