Thank you for the reply although I am not completely clear on what you are saying since part seems to be a question.
Using direct was the only way to use ipsets when I started using them with firewalld.
Are you saying that ipsets cannot be used with direct now in firewalld?
Also, ipsets that were members of a "super" ipset would have the ips in those sets found by referencing the "super" ipset as I explained in my original post to the list. That seems to be no longer the case. Is that by intent? Is that a change in ipset or in firewalld?
I already use the FedoraServer zone. I can't have two zones active. So, creating a zone that drops always would defeat the current zone I am using.
I want to use firewalld as intended, but at rev 0.4.4.5, the software is, as would be expected, in flux and the documentation is sparse and lags development. The section on ipsets is particularly sparse.
I have over 500 ips that I want black listed. At one time, when my system was under heavy attack, I had over 4000. I have programs that dynamically add and delete ips from ipsets based on how persistent the abuse from the ip.
The direct method of firewalld was working quite well. Now it is not blocking any of the ips that I want to black list.
I guess I could go back to iptables, but that is not my first choice, but I must get the blocking of ips working soon.
I hope I can get some help with this.
Regards,
John
On 8/22/2017 7:24 AM, John Griffiths wrote:
Thank you for the reply although I am not completely clear on what you are saying since part seems to be a question.
I'm not a firewalld or ipset expert myself. I'm also learning and passing on my understanding of how it works. I'm using them with CentOS 7, a sister OS to Fedora.
Using direct was the only way to use ipsets when I started using them with firewalld.
Are you saying that ipsets cannot be used with direct now in firewalld?
They can. But you can now declare a zone that has a source of an ipset.
Also, ipsets that were members of a "super" ipset would have the ips in those sets found by referencing the "super" ipset as I explained in my original post to the list. That seems to be no longer the case. Is that by intent? Is that a change in ipset or in firewalld?
I'm not familiar with hiearchical ipsets.
I already use the FedoraServer zone. I can't have two zones active. So, creating a zone that drops always would defeat the current zone I am using.
You can have as many zones as you have memory to hold. A zone is a policy, destinations, and a group of sources, which could be interfaces or source addresses. For this case, add an additional zone that just contains an ipset source. Call it blacklist.
# create a new zone named blacklist firewall-cmd --permanent --new-zone=blacklist firewall-cmd --permanent --zone=blacklist --set-target=DROP # create a new ipset named blacklist firewall-cmd --permanent --new-ipset=blacklist --type=hash:net # set the blacklist ipset as the source of the blacklist zone firewall-cmd --permanent --zone=blacklist --add-source=ipset:blacklist # the above changes the config files, now reload them to make them take effect firewall-cmd --reload
Here's a blog article that helped me get my head around this:
On 08/22/2017 08:24 AM, John Griffiths wrote:
Thank you for the reply although I am not completely clear on what you are saying since part seems to be a question.
Using direct was the only way to use ipsets when I started using them with firewalld.
Are you saying that ipsets cannot be used with direct now in firewalld?
Also, ipsets that were members of a "super" ipset would have the ips in those sets found by referencing the "super" ipset as I explained in my original post to the list. That seems to be no longer the case. Is that by intent? Is that a change in ipset or in firewalld?
I already use the FedoraServer zone. I can't have two zones active. So, creating a zone that drops always would defeat the current zone I am using.
I want to use firewalld as intended, but at rev 0.4.4.5, the software is, as would be expected, in flux and the documentation is sparse and lags development. The section on ipsets is particularly sparse.
I have over 500 ips that I want black listed. At one time, when my system was under heavy attack, I had over 4000. I have programs that dynamically add and delete ips from ipsets based on how persistent the abuse from the ip.
The direct method of firewalld was working quite well. Now it is not blocking any of the ips that I want to black list.
I guess I could go back to iptables, but that is not my first choice, but I must get the blocking of ips working soon.
I hope I can get some help with this.
Regards,
John
firewalld-users mailing list -- firewalld-users@lists.fedorahosted.org To unsubscribe send an email to firewalld-users-leave@lists.fedorahosted.org
Have you tried Fail2Ban? It works with firewalld.
Cheers,
JonRam
firewalld-users@lists.fedorahosted.org