On 08/23/2013 01:01 AM, John Griffiths wrote:
Thomas,
Thank you.
IPSETS are new to me to as well.
iptables was fairly straight forward.
I know that Fedora is a somewhat bleeding edge distribution, but it
seems sometimes things are changed just for the sake of change. I am a
great believer in "if it isn't broken, don't fix it." Oh well, it is
what it is. And I am greatful to all who do the hard work in the Fedora
community. I contribute as I can.
Just to clarify, I could add IPs to the drop zone with my network
interface in the home or work or some other zone and the drop zone would
be checked first and any sources found in the drop zone would be
disconnected before hitting the other zones. That is, if ssh is enabled
in home and a host in the drop zone tried to connect using ssh, the host
would not be able to connect. Is that correct?
If a source address is bound to a zone, this will be checked first.
Other zones are checked later on if the packed has not been dropped or
rejected in the zone.
If you have source address ranges and also sub areas and single
addresses from these ranges, then this is currently not solved
completely. This is something we have to work on to get this properly
ordered also: Deny then allow. At the moment this is first added first
served.
Also another bit of clarification, you state that the ipset can be
modified while in use by firewalld. Do I understand correctly that if I
create an ipset and add a rule to firewalld to drop the IPs in the ipset
and I add an IP or delete and IP from the ipset while firewalld is using
it, firewalld will start or stop dropping the IP without having to
reload firewalld?
Yes, the ipset is used in netfilter (kernel) directly. If you modify the
set the change is effective immediately. Without the need of any change
to or by firewalld.
Sorry if I am being a bit in need of hand holding, but we are
talking
about the security of a server. Right now I am working on the inactive
server, but I want to have a better understanding before I use firewalld
on a live server.
No probelm, you are welcome.
A suggestion would to make note of all the noob questions like mine
and
add or change the documentation to make the points more clear.
Yes, that is a very good idea.
Thanks,
John
Regards,
Thomas