On 01/24/2014 08:50 PM, John Griffiths wrote:
Is there a HOWTO for using direct chain to add to the drop zone dynamically? Or am I on the wrong track?
We do not have support for direct chains/rules within zones right now. You can use the direct interface to add rules also to zones. It is not forbidden, but you have to take care that you are not damaging other rules by doing so.
I want to dynamically add IPs to the firewall to drop. I run a script that parses log files to find IPs that are abusing the system and drop them. Currently I am stuck on Fedora 16 on the active server because of familiarity with iptables. I really want to move to Fedora 20, but I need to adapt my script to use firewalld before I do.
I'll be glad to read the documentation, but a hand up and a point in the right direction would be appreciated.
Regards, John
On 01/24/2014 09:24 AM, Thomas Woerner wrote:
On 01/24/2014 03:10 PM, John Griffiths wrote:
In August of last year, I was told on the list to use ipsets to add IPs to the drop list.
Seeing all the traffic on direct chain, should I be going this direction now?
It is good to go in this direction for separation, but it is not a requirement.
I will be having a look at network address sets (ipset) support in firewalld again. I am also thinking about the possibility of supporting externally generated ipsets.
Regards, John
_______________________________________________
firewalld-users mailing list
firewalld-users@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/firewalld-users
Regards, Thomas
Regards, Thomas
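
A sketch of the log-driven blocking discussed in this thread, using the direct interface Thomas mentions. This is an added example, not code from either poster or from the firewalld project. The sshd-style log format, the threshold, the allow-list and the function names are assumptions, and the sample log lines are constructed.

```python
import ipaddress
import re
from collections import Counter

# Constructed sshd-style sample lines (documentation address ranges).
SAMPLE_LOG = """\
Jan 24 08:01:02 host sshd[101]: Failed password for root from 203.0.113.7 port 4242 ssh2
Jan 24 08:01:05 host sshd[101]: Failed password for invalid user admin from 203.0.113.7 port 4243 ssh2
Jan 24 08:01:09 host sshd[101]: Failed password for root from 203.0.113.7 port 4244 ssh2
Jan 24 08:02:00 host sshd[102]: Failed password for bob from 198.51.100.9 port 5000 ssh2
Jan 24 08:03:00 host sshd[103]: Failed password for root from 2001:db8::5 port 6000 ssh2
Jan 24 08:03:01 host sshd[103]: Failed password for root from 2001:db8::5 port 6001 ssh2
Jan 24 08:03:02 host sshd[103]: Failed password for root from 2001:db8::5 port 6002 ssh2
Jan 24 08:04:00 host sshd[104]: Failed password for root from 127.0.0.1 port 7000 ssh2
Jan 24 08:04:01 host sshd[104]: Failed password for root from 127.0.0.1 port 7001 ssh2
Jan 24 08:04:02 host sshd[104]: Failed password for root from 127.0.0.1 port 7002 ssh2
Jan 24 08:05:00 host sshd[105]: Failed password for root from 203.0.113.8;reboot port 1 ssh2
"""

# Assumed log pattern; adapt it to whatever the real script parses.
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?\S+ from (\S+) port")
# Assumed allow-list: sources that must never be dropped (loopback here).
NEVER_BLOCK = [ipaddress.ip_network("127.0.0.0/8"), ipaddress.ip_network("::1/128")]

def offenders(log_text, threshold=3):
    """Return validated source addresses with at least `threshold` failures."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if not m:
            continue
        try:
            addr = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue  # log fields are remotely influenced; skip non-addresses
        if not any(addr in net for net in NEVER_BLOCK):
            counts[addr] += 1
    hits = [a for a, n in counts.items() if n >= threshold]
    return sorted(hits, key=lambda a: (a.version, int(a)))

def drop_commands(addrs, chain="INPUT"):
    """Build one firewall-cmd direct-interface argv list per address."""
    return [["firewall-cmd", "--direct", "--add-rule", f"ipv{a.version}", "filter",
             chain, "0", "-s", str(a), "-j", "DROP"] for a in addrs]

if __name__ == "__main__":
    for argv in drop_commands(offenders(SAMPLE_LOG)):
        print(" ".join(argv))
```

Each list is meant to be passed to `subprocess.run` as an argument vector rather than through a shell, so text taken from the log is never interpreted as a command.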