Is it possible to have firewalld create an bitmap:port type ipset so it can be used as part of rich-rules?
6:06 a.m.
Hello, I have had a 'hybrid' firewall setup largely based on firewalld
(backend=iptables) where I add some iptables rules after the firewalld rules have loaded
(which is an ugly and fragile setup).
During my attempts to integrate everything into the firewalld framework to get rid of the
ugly manual iptables rules adding, I run into a problem with an ipset that is used.
I would like to add an ipset of the type bitmap:port to the firewalld configuration so it
can be used as part of some rich rules I will be creating. The ipset will contain a bunch
of (tcp) ports that will cause a rule to create logging every time any of those
destination ports see network traffic. The idea is to have a tripwire/'honeypot'
facility to become aware of attempts to connect to ports like 23(telnet) and 443 (https)
etc., but for a very long, and regularly changing list of ports.
As is clear per "firewall-cmd --get-ipset-types" this ipset type is not
supported. IS there any way to 'integrate' my intended rich rules which depend on
an bitmap:port type ipset?
7:52 a.m.
New subject: Is it possible to have firewalld create an bitmap:port type
ipset so it can be used as part of rich-rules?
On Mon, Oct 31, 2022 at 11:06:45AM -0000, Ferry de Jong wrote:
Hello, I have had a 'hybrid' firewall setup largely based on
firewalld
(backend=iptables) where I add some iptables rules after the firewalld
rules have loaded (which is an ugly and fragile setup). During my
attempts to integrate everything into the firewalld framework to get
rid of the ugly manual iptables rules adding, I run into a problem
with an ipset that is used.
I would like to add an ipset of the type bitmap:port to the firewalld
configuration so it can be used as part of some rich rules I will be
creating. The ipset will contain a bunch of (tcp) ports that will
cause a rule to create logging every time any of those destination
ports see network traffic. The idea is to have a tripwire/'honeypot'
facility to become aware of attempts to connect to ports like
23(telnet) and 443 (https) etc., but for a very long, and regularly
changing list of ports.
As is clear per "firewall-cmd --get-ipset-types" this ipset type is
not supported. IS there any way to 'integrate' my intended rich rules
which depend on an bitmap:port type ipset?
Could you use ipset type "hash:net,port". Then use "0.0.0.0/8" in
place
of the "net" ? Not sure if this will work as expected.
I think adding support for "bitmap:port" to firewalld makes sense.
Please file a feature request on github [1].
[1]: https://github.com/firewalld/firewalld/issues
8:35 a.m.
New subject: Is it possible to have firewalld create an bitmap:port type ipset
so it can be used as part of rich-rules?
Could you use ipset type "hash:net,port". Then use
"0.0.0.0/8" in place
of the "net" ? Not sure if this will work as expected.
Did you mean to suggest using 0.0.0.0/0 (you wrote 0.0.0.0/8)? If you did, that will not
work as a work around as ipset type hash:net,port does not allow zero prefix size entries
for "net".
545
days inactive
545
days old
firewalld-users@lists.fedorahosted.org
2 comments
2 participants
participants (2)
-
Eric Garver -
Ferry de Jong