I want to add a "blacklist" or "blocklist" that would allow me to add
country codes (cn.zone for example) and also be able to add individual IP addresses.
I tried:
firewall-cmd --permanent --new-ipset=blacklist --type=hash:ip,port,net --option=family=inet --option=hashsize=4096 --option=maxelem=200000
firewall-cmd --reload
This did not give me an error until I tried to add cn.zone:
firewall-cmd --permanent --ipset=blacklist --add-entries-from-file=/root/install/country-codes/ipv4/cn.zone
I got:
Error: INVALID_IPSET: ipset type '' not usable
If I can't add ip, port and net at once, could someone tell me how I could add country
codes as well as single IP addresses to a blacklist or blocklist?
TIA!
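As an added example that is not part of the original post: an ipset of type hash:ip,port,net stores ip,port,net triples, so a file of bare CIDR blocks does not fit it, whereas a hash:net set accepts both CIDR blocks and single addresses (written as /32), so one set can hold country zone files and individual hosts together. The script below assumes a firewalld host, the one-entry-per-line cn.zone format from the post, and a set named blocklist bound to the public zone; it validates a zone file into hash:net form and prints the firewall-cmd calls to run as root.

```shell
#!/bin/sh
# Added example, not from the original post. A hash:net ipset holds both CIDR
# blocks (country zone files) and single addresses (as /32), so one set and one
# drop rich rule cover both cases. Assumes firewalld with ipset support and
# zone files with one IPv4 address or CIDR per line.

IPV4='((25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\.){3}(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])'

# normalize_entry LINE -> prints the hash:net form (a.b.c.d/n), or nothing if invalid
normalize_entry() {
    e=$(printf '%s' "$1" | tr -d ' \t\r')
    if printf '%s\n' "$e" | grep -Eq "^${IPV4}\$"; then
        echo "$e/32"                       # a bare address becomes a /32 net
    elif printf '%s\n' "$e" | grep -Eq "^${IPV4}/([0-9]|[12][0-9]|3[0-2])\$"; then
        echo "$e"
    fi
}

# build_entries_file SRC DST -> writes valid entries to DST, prints the number of rejected lines
build_entries_file() {
    rejected=0
    : > "$2"
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                   # drop comments and blank lines
        [ -z "$(printf '%s' "$line" | tr -d ' \t\r')" ] && continue
        n=$(normalize_entry "$line")
        if [ -n "$n" ]; then echo "$n" >> "$2"; else rejected=$((rejected + 1)); fi
    done < "$1"
    echo "$rejected"
}

# blocklist_commands ENTRIES_FILE ZONE -> prints the firewall-cmd calls (run them as root)
blocklist_commands() {
    cat <<EOF
firewall-cmd --permanent --new-ipset=blocklist --type=hash:net --option=family=inet --option=hashsize=4096 --option=maxelem=200000
firewall-cmd --permanent --ipset=blocklist --add-entries-from-file=$1
firewall-cmd --permanent --zone=$2 --add-rich-rule='rule source ipset="blocklist" drop'
firewall-cmd --reload
EOF
}
```

Rejected lines are counted rather than silently dropped, so a malformed zone file is noticed before it reaches the permanent configuration.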