Hello, I have had a 'hybrid' firewall setup largely based on firewalld (backend=iptables) where I add some iptables rules after the firewalld rules have loaded (which is an ugly and fragile setup). During my attempts to integrate everything into the firewalld framework to get rid of the ugly manual iptables rule adding, I ran into a problem with an ipset that is used.
I would like to add an ipset of the type bitmap:port to the firewalld configuration so it can be used as part of some rich rules I will be creating. The ipset will contain a bunch of (tcp) ports that will cause a rule to create logging every time any of those destination ports sees network traffic. The idea is to have a tripwire/'honeypot' facility to become aware of attempts to connect to ports like 23 (telnet) and 443 (https) etc., but for a very long, and regularly changing, list of ports.
As is clear per "firewall-cmd --get-ipset-types", this ipset type is not supported. Is there any way to 'integrate' my intended rich rules which depend on a bitmap:port type ipset?
On Mon, Oct 31, 2022 at 11:06:45AM -0000, Ferry de Jong wrote:
> Hello, I have had a 'hybrid' firewall setup largely based on firewalld (backend=iptables) where I add some iptables rules after the firewalld rules have loaded (which is an ugly and fragile setup). During my attempts to integrate everything into the firewalld framework to get rid of the ugly manual iptables rule adding, I ran into a problem with an ipset that is used.
> I would like to add an ipset of the type bitmap:port to the firewalld configuration so it can be used as part of some rich rules I will be creating. The ipset will contain a bunch of (tcp) ports that will cause a rule to create logging every time any of those destination ports sees network traffic. The idea is to have a tripwire/'honeypot' facility to become aware of attempts to connect to ports like 23 (telnet) and 443 (https) etc., but for a very long, and regularly changing, list of ports.
> As is clear per "firewall-cmd --get-ipset-types", this ipset type is not supported. Is there any way to 'integrate' my intended rich rules which depend on a bitmap:port type ipset?
Could you use ipset type "hash:net,port", then use "0.0.0.0/8" in place of the "net"? Not sure if this will work as expected.
I think adding support for "bitmap:port" to firewalld makes sense. Please file a feature request on github [1].
> Could you use ipset type "hash:net,port", then use "0.0.0.0/8" in place of the "net"? Not sure if this will work as expected.
Did you mean to suggest using 0.0.0.0/0 (you wrote 0.0.0.0/8)? If you did, that will not work as a workaround, as ipset type hash:net,port does not allow zero-prefix-size entries for "net".
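Since firewalld offers no port-only ipset type, the tripwire logging described in the original post can still be expressed with one rich rule per port, generated from a port list so the list can be regenerated whenever it changes. This is an added example, not code from the thread or from the firewalld project; the zone name, log prefix and sample port file are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): emit firewalld rich rules that log TCP
# connection attempts to a list of "tripwire" ports, one rule per port, as an
# alternative to the unsupported bitmap:port ipset.
TRIPWIRE_ZONE="${TRIPWIRE_ZONE:-public}"   # zone the rules attach to (assumption)
LOG_PREFIX="${LOG_PREFIX:-tripwire}"       # kernel log prefix to grep for (assumption)

# Print one log-only rich rule for a port; reject anything outside 1..65535.
# The rate limit keeps a port scan from flooding the log.
tripwire_rule() {
    port="$1"
    case "$port" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || return 1
    printf 'rule family="ipv4" port port="%s" protocol="tcp" log prefix="%s:" level="info" limit value="10/m"\n' \
        "$port" "$LOG_PREFIX"
}

# Read a port file (one port per line, '#' comments allowed) and print the
# firewall-cmd invocations; pass apply=1 to run them instead of printing.
# After applying, 'firewall-cmd --reload' is needed to activate permanent rules.
tripwire_commands() {
    portfile="$1"; apply="${2:-0}"
    while IFS= read -r line || [ -n "$line" ]; do
        port="${line%%#*}"
        port="$(printf '%s' "$port" | tr -d '[:space:]')"
        [ -z "$port" ] && continue
        rule="$(tripwire_rule "$port")" || { echo "skipping invalid port: $port" >&2; continue; }
        if [ "$apply" = 1 ]; then
            firewall-cmd --permanent --zone="$TRIPWIRE_ZONE" --add-rich-rule="$rule"
        else
            printf "firewall-cmd --permanent --zone=%s --add-rich-rule='%s'\n" "$TRIPWIRE_ZONE" "$rule"
        fi
    done < "$portfile"
}

# Constructed sample port list (not from the thread); a real list lives in a file.
SAMPLE_PORTS="$(mktemp)"
printf '23   # telnet\n443  # https\n8080\n' > "$SAMPLE_PORTS"
tripwire_commands "$SAMPLE_PORTS"
rm -f "$SAMPLE_PORTS"
```

Hits show up in the kernel log with the chosen prefix (e.g. `journalctl -k | grep tripwire:`), and a port that is also opened by a normal firewalld service is still logged because log-only rich rules do not terminate evaluation.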
firewalld-users@lists.fedorahosted.org