--On Friday, August 18, 2017 12:38 PM -0400 John Griffiths <fedora.jrg01@grifent.com> wrote:
This was working until I upgraded to Fedora 26 from Fedora 24. Now, even though an IP is in one of the member iplists, blacklist_ipv4_semipermanent or one of the others, firewalld does not block the IP.
I do not know if this is an issue with ipsets or firewalld, nor do I know whether this is a "feature" or a bug.
Since these ipsets are modified dynamically and need to be accessed from bash scripts, using the internal ipset functionality of firewalld is not my desired choice.
Is it acceptable to let firewalld create the ipset, but maintain its contents outside it? Just make sure your management processes are set to start after firewalld starts and creates the ipset.
Instead of a direct rule, create a zone that drops always and specify that zone's source as the ipset.
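One concrete form of that suggestion, as an added shell example (not code from the thread or from firewalld): firewalld owns the permanent ipset named in the thread and a zone whose target is DROP with that ipset as its source, while the bash scripts that maintain membership talk to ipset directly. The zone name blackhole, the hash:net set type and the DRY_RUN switch are assumptions.

```shell
#!/usr/bin/env bash
# Added example: firewalld creates the set and the drop zone, external
# scripts only add/remove entries. Assumes firewall-cmd and ipset on PATH.
set -eu

IPSET_NAME="${IPSET_NAME:-blacklist_ipv4_semipermanent}"   # name from the thread
ZONE_NAME="${ZONE_NAME:-blackhole}"                          # assumed zone name
DRY_RUN="${DRY_RUN:-0}"   # 1 = print the commands instead of executing them

# run: execute a command, or print it when DRY_RUN=1 so the sequence can be
# reviewed on a machine that is not running firewalld.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# One-time setup. Everything is --permanent so it survives a daemon reload:
# firewalld creates the ipset, the zone drops all traffic it does not
# explicitly allow (no services are added, so it allows nothing), and the
# ipset is bound to the zone as a source.
setup_blackhole() {
    run firewall-cmd --permanent --new-ipset="$IPSET_NAME" --type=hash:net
    run firewall-cmd --permanent --new-zone="$ZONE_NAME"
    run firewall-cmd --permanent --zone="$ZONE_NAME" --set-target=DROP
    run firewall-cmd --permanent --zone="$ZONE_NAME" --add-source="ipset:$IPSET_NAME"
    run firewall-cmd --reload
}

# Runtime membership changes, callable from any bash script once firewalld
# has started and created the set. -exist makes add/del idempotent.
# Entries added this way are runtime-only: after a firewalld reload, verify
# the set contents and re-add what your scripts expect to be there.
block_ip()   { run ipset -exist add "$IPSET_NAME" "$1"; }
unblock_ip() { run ipset -exist del "$IPSET_NAME" "$1"; }

# show_set: list what the kernel currently holds, for checking that a block
# took effect (ipset list prints members; firewall-cmd confirms the binding).
show_set() {
    run ipset list "$IPSET_NAME"
    run firewall-cmd --zone="$ZONE_NAME" --list-sources
}
```

Source the file and call `setup_blackhole` once as root, then `block_ip 192.0.2.10` (a constructed TEST-NET address) from your management scripts; `DRY_RUN=1` prints the exact command sequence without touching the host.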