Thanks Anthony.

On 01/25/2014 08:27 AM, Anthony Messina wrote:


John, I'm not sure if this may be of help to you, but I was also trying to get 
firewalld to work nicely with ipset for the use of blacklisting.  Here are 
some examples that I use.  (Lines are likely wrapped):

# /etc/firewalld/direct.xml:
<direct>
  <!-- IPset Blacklisting -->
  <chain ipv="ipv4" table="raw" chain="PREROUTING_blacklist"/>
  <passthrough ipv="ipv4">-t raw -A PREROUTING_blacklist -m limit --limit 3/min -j LOG --log-prefix BLACKLIST_DROP: --log-level 6</passthrough>
  <passthrough ipv="ipv4">-t raw -A PREROUTING_blacklist -j DROP</passthrough>
  <passthrough ipv="ipv4">-t raw -A PREROUTING -m set --match-set blacklist src -j PREROUTING_blacklist</passthrough>
  <chain ipv="ipv6" table="raw" chain="PREROUTING_blacklist"/>
  <passthrough ipv="ipv6">-t raw -A PREROUTING_blacklist -m limit --limit 3/min -j LOG --log-prefix BLACKLIST_DROP: --log-level 6</passthrough>
  <passthrough ipv="ipv6">-t raw -A PREROUTING_blacklist -j DROP</passthrough>
  <passthrough ipv="ipv6">-t raw -A PREROUTING -m set --match-set blacklist src -j PREROUTING_blacklist</passthrough>
</direct>


The thing to remember with the above configuration is that you must add the 
dependent chains first--PREROUTING cannot refer to PREROUTING_blacklist if 
PREROUTING_blacklist doesn't yet exist.


I have also created a systemd ipset.service file that will reload previously 
saved ipset rules on boot and save them on shutdown:

#/etc/systemd/system/ipset.service
[Unit]
Description=ipset - IP set restore & save
Documentation=man:ipset(8)
Before=network.target firewalld.service iptables.service ip6tables.service
ConditionFileNotEmpty=/etc/sysconfig/ipset.save

[Service]
Type=oneshot
ExecStart=/usr/sbin/ipset -exist -file /etc/sysconfig/ipset.save restore
ExecStop=/usr/sbin/ipset -file /etc/sysconfig/ipset.save save
RemainAfterExit=yes
StandardOutput=journal+console
UMask=0177

[Install]
WantedBy=basic.target


The way I did this was to create a minimal ipset configuration and execute
'/usr/sbin/ipset -file /etc/sysconfig/ipset.save save' -- so the rules are 
stored in /etc/sysconfig/ipset.save prior to enabling ipset.service

My initial ipset.save without any ip addresses added looks like:

create blacklist_ipv6 hash:net family inet6 hashsize 1024 maxelem 65536 
create blacklist_ipv4 hash:net family inet hashsize 1024 maxelem 65536 
create blacklist list:set size 8 
add blacklist blacklist_ipv4
add blacklist blacklist_ipv6

Then do 'systemctl enable ipset && systemctl start ipset'

Together, the additions to the direct.xml configuration and the ipset.service 
have allowed me to add or remove ip addresses from the blacklist without the 
worry of what happens upon restart, etc.

-A
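The configuration above depends on two orderings that are easy to get wrong: in direct.xml a passthrough may only append to or jump to a custom chain after a <chain> element has declared it, and every set named in a "-m set --match-set" clause must already exist when firewalld loads, which is why ipset.service is ordered Before=firewalld.service and restores from ipset.save. The following checker, added here as an example and not part of the thread, of firewalld or of ipset, verifies both against the files before they are enabled. The sample inputs are the direct.xml and initial ipset.save quoted above, embedded as constructed strings with the wrapped lines joined; the sets of builtin chain and target names are my assumptions and can be extended.

```python
"""Consistency checker for a firewalld direct.xml and the ipset.save it relies on.

Added example, not part of firewalld or ipset. It reports:
  1. passthrough rules that append to (-A/-I) or jump to (-j) a custom chain
     before a <chain> element for the same ipv and table declares it;
  2. "--match-set" names that no "create" line in ipset.save provides.
"""
import re
import shlex
import xml.etree.ElementTree as ET

# Assumed lists of iptables builtin chains and targets that need no <chain>.
BUILTIN_CHAINS = {"PREROUTING", "INPUT", "FORWARD", "OUTPUT", "POSTROUTING"}
BUILTIN_TARGETS = {"ACCEPT", "DROP", "REJECT", "RETURN", "LOG", "MARK",
                   "MASQUERADE", "SNAT", "DNAT", "REDIRECT", "NOTRACK", "CT"}

# Constructed sample input: the direct.xml from the thread, wrapped lines joined.
SAMPLE_DIRECT_XML = """<direct>
  <!-- IPset Blacklisting -->
  <chain ipv="ipv4" table="raw" chain="PREROUTING_blacklist"/>
  <passthrough ipv="ipv4">-t raw -A PREROUTING_blacklist -m limit --limit 3/min -j LOG --log-prefix BLACKLIST_DROP: --log-level 6</passthrough>
  <passthrough ipv="ipv4">-t raw -A PREROUTING_blacklist -j DROP</passthrough>
  <passthrough ipv="ipv4">-t raw -A PREROUTING -m set --match-set blacklist src -j PREROUTING_blacklist</passthrough>
  <chain ipv="ipv6" table="raw" chain="PREROUTING_blacklist"/>
  <passthrough ipv="ipv6">-t raw -A PREROUTING_blacklist -m limit --limit 3/min -j LOG --log-prefix BLACKLIST_DROP: --log-level 6</passthrough>
  <passthrough ipv="ipv6">-t raw -A PREROUTING_blacklist -j DROP</passthrough>
  <passthrough ipv="ipv6">-t raw -A PREROUTING -m set --match-set blacklist src -j PREROUTING_blacklist</passthrough>
</direct>
"""

# Constructed sample input: the initial ipset.save from the thread.
SAMPLE_IPSET_SAVE = """create blacklist_ipv6 hash:net family inet6 hashsize 1024 maxelem 65536
create blacklist_ipv4 hash:net family inet hashsize 1024 maxelem 65536
create blacklist list:set size 8
add blacklist blacklist_ipv4
add blacklist blacklist_ipv6
"""


def parse_passthrough(rule):
    """Extract (table, chain appended to, -j target, [--match-set names])
    from an iptables argument string; table defaults to "filter"."""
    toks = shlex.split(rule)
    table, chain, target, sets = "filter", None, None, []
    for i, tok in enumerate(toks[:-1]):
        nxt = toks[i + 1]
        if tok == "-t":
            table = nxt
        elif tok in ("-A", "-I"):
            chain = nxt
        elif tok == "-j":
            target = nxt
        elif tok == "--match-set":
            sets.append(nxt)
    return table, chain, target, sets


def created_sets(ipset_save):
    """Names of the sets that 'create <name> <type> ...' lines provide."""
    return set(re.findall(r"^create\s+(\S+)", ipset_save, re.MULTILINE))


def check_config(direct_xml, ipset_save):
    """Return a list of problem strings; an empty list means both files agree."""
    problems = []
    declared = set()  # (ipv, table, chain) seen so far, in document order
    available = created_sets(ipset_save)
    for el in ET.fromstring(direct_xml):
        if el.tag == "chain":
            declared.add((el.get("ipv"), el.get("table"), el.get("chain")))
            continue
        if el.tag != "passthrough":
            continue
        ipv = el.get("ipv")
        table, chain, target, sets = parse_passthrough(el.text or "")
        for name, how in ((chain, "appends to"), (target, "jumps to")):
            if (name and name not in BUILTIN_CHAINS
                    and name not in BUILTIN_TARGETS
                    and (ipv, table, name) not in declared):
                problems.append(f"{ipv}/{table}: rule {how} chain {name!r} "
                                "before a <chain> element declares it")
        for name in sets:
            if name not in available:
                problems.append(f"{ipv}/{table}: --match-set {name!r} is not "
                                "created in ipset.save")
    return problems


if __name__ == "__main__":
    issues = check_config(SAMPLE_DIRECT_XML, SAMPLE_IPSET_SAVE)
    print("OK" if not issues else "\n".join(issues))
```

Run it against the real files with `check_config(open("/etc/firewalld/direct.xml").read(), open("/etc/sysconfig/ipset.save").read())` before `firewall-cmd --reload`; an empty list confirms the chain declarations come first and that the sets the rules match on will be present once ipset.service has restored them.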



_______________________________________________
firewalld-users mailing list
firewalld-users@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/firewalld-users