On 01/24/2014 07:04 PM, Jorge Fábregas wrote:
On 01/24/2014 03:50 PM, John Griffiths wrote:
Is there a HOWTO for using direct chain to add to the drop zone dynamically? Or am I on the wrong track?
Hi John,
I'm also learning firewalld so bear with me :)
As far as I understand, when you use the direct interface you don't think about zones. You may explicitly request for a rule to be inserted in one of the zones' subchains, but I guess that's not the idea. For example, if I use the direct interface and specify that I want my rule to be placed in the INPUT chain, firewalld will place it under INPUT_direct (as expected). Then, no matter what zones are active (bound by interface or source), it will always traverse the INPUT_direct subchain and process my rule. That's why I think of them, the direct rules, as being outside the scope of the regular zones.
I want to dynamically add IPs to the firewall to drop.
This is easy. Once you have the ip just execute:
firewall-cmd --zone=drop --add-source=YOUR_IP
You may run it as many times as you want and it will keep adding that source IP (or network) to the drop zone. This is independent of the default zone for your interface. You can then confirm the "active zones" with:
Hi Jorge,
I started with the command: firewall-cmd --zone=drop --add-source=YOUR_IP but there is a performance penalty paid in adding IPs that way. This is an excerpt from the original response to my question.
You can bind IP addresses to the drop zone. But with lots of IP addresses this will result in a performance hit.
Therefore I would propose to use an ipset for this.
Create an ipset and add all ip addresses in it. Then add a permanent direct rule to the firewall to DROP these. The performance hit should be much lower (I have not tested it with that many entries, though).
I have over 8000 IPs that are currently dropped in iptables. Adding 8000+ IPs using that command takes a long time. That is why I was pointed to ipsets.
I gave up at the time since firewalld seemed to be evolving rapidly and stuck with iptables. This is me coming back for another try.
So thanks for your reply, but I've been there and done that.
John
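The ipset route the quoted advice recommends, worked through as an added example that is not part of this thread: one `ipset restore` loads the whole list in a single call, and one permanent direct rule matches the set. The set name `blocklist`, the input file format (one IPv4 address or CIDR per line, `#` comments) and the hash:net sizing are assumptions.

```shell
# Added example (not from the thread): bulk-load a blocklist into an ipset
# and match it from one firewalld direct rule instead of 8000+ --add-source
# calls. Assumed: set "blocklist", one IPv4/CIDR per line, '#' comments.

# Emit an `ipset restore` script for FILE into set SET_NAME. Entries that are
# not a valid IPv4 address/prefix are reported on stderr and skipped, so one
# bad line cannot abort the whole load. -exist makes the script re-runnable.
build_restore_script() {
  set_name="$1"; file="$2"
  printf 'create %s hash:net family inet hashsize 16384 maxelem 65536 -exist\n' "$set_name"
  awk -v set="$set_name" '
    function valid(a,  p, o, i, n) {
      n = split(a, p, "/")
      if (n > 2 || (n == 2 && (p[2] !~ /^[0-9]+$/ || p[2]+0 > 32))) return 0
      if (split(p[1], o, ".") != 4) return 0
      for (i = 1; i <= 4; i++) if (o[i] !~ /^[0-9]+$/ || o[i]+0 > 255) return 0
      return 1
    }
    { sub(/#.*/, ""); gsub(/[ \t\r]/, "") }   # strip comments and whitespace
    $0 == "" { next }
    valid($0) { print "add " set " " $0 " -exist"; next }
    { print "skipping invalid entry: " $0 > "/dev/stderr" }
  ' "$file"
}

# Number of entries the restore script would add; check this before applying.
count_entries() { build_restore_script "$1" "$2" 2>/dev/null | grep -c '^add '; }

# Needs root and a running firewalld. The set must exist before the rule is
# loaded, so the restore has to be repeated at boot before firewalld starts.
apply_blocklist() {
  build_restore_script blocklist "$1" | ipset restore
  firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 \
    -m set --match-set blocklist src -j DROP
  firewall-cmd --reload
}

# Constructed sample input (documentation ranges, not real indicators):
# three good entries incl. one CIDR, one bad octet, one hostname.
SAMPLE_FILE=$(mktemp)
cat > "$SAMPLE_FILE" <<'EOF'
192.0.2.10
198.51.100.7   # trailing comment
203.0.113.0/24
256.1.1.1
bad.example.invalid
EOF
echo "entries to load: $(count_entries blocklist "$SAMPLE_FILE")"
```

Only `apply_blocklist` touches the system; the rest runs unprivileged so the list can be validated before it is loaded.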