On 01/24/2014 07:04 PM, Jorge Fábregas wrote:
> On 01/24/2014 03:50 PM, John Griffiths wrote:
> > Is there a HOWTO for using direct chain to add to the drop zone
> > dynamically? Or am I on the wrong track?
> Hi John,
> I'm also learning firewalld so bear with me :)
> As far as I understand, when you use the direct interface you don't
> think about zones. You may explicitly request for a rule to be inserted
> in one of the zones' subchains but I guess that's not the idea. For
> example, if I use the direct interface and specify that I want my rule
> to be placed in the INPUT chain... firewalld will place it under
> INPUT_direct (as expected). Then, no matter what zones are active
> (bound by interface or source) it will always traverse the INPUT_direct
> subchain and process my rule. That's why I think of them, the direct
> rules, as being outside the scope of the regular zones.
> > I want to dynamically add IPs to the firewall to drop.
> This is easy. Once you have the IP just execute:
> firewall-cmd --zone=drop --add-source=YOUR_IP
> You may run it as many times as you want and it will keep adding that
> source IP (or network) to the drop zone. This is independent of the
> default zone for your interface. You can then confirm the "active
> zones" with:
Hi Jorge,
I started with the command:
firewall-cmd --zone=drop --add-source=YOUR_IP
but there is a performance penalty paid in adding IPs that way. This is an
excerpt from the original response to my question:
You can bind IP addresses to the drop zone. But with lots of IP
addresses this will result in performance hit.
Therefore I would propose to use an ipset for this.
Create an ipset and add all ip addresses in it. Then add a permanent
direct rule to the firewall to DROP these. The performance hit should
be much lower (I have not tested it with that many entries, though).
I have over 8000 IPs that are currently dropped in iptables. Adding
8000+ IPs using that command takes a long time. That is why I was
pointed to ipsets.
I gave up at the time since firewalld seemed to be evolving rapidly and
stuck with iptables. This is me coming back for another try.
So thanks for your reply, but I've been there and done that.
John
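The approach John was pointed to (one ipset holding every address, one permanent direct rule that drops on a set match, instead of one `--add-source` binding per IP) as an added example script; it is not from anyone in this thread. It assumes a firewalld with its own ipset support (`--new-ipset`, `--add-entries-from-file`, roughly 0.4.0 or later), the ipset name `blocklist`, and a `FWCMD` variable of the example's own so the commands can be previewed with `FWCMD=echo` before touching a live firewall. Malformed lines in the input file are skipped rather than handed to firewalld, which would otherwise abort the whole bulk load on the first bad entry.

```shell
#!/bin/sh
# Added example (not from the thread): load a large IPv4 blocklist into one
# firewalld ipset and drop it with a single permanent direct rule.
# Usage: ./blocklist.sh ips.txt        (one address or CIDR per line, '#' comments)
# Preview: FWCMD=echo ./blocklist.sh ips.txt
FWCMD="${FWCMD:-firewall-cmd}"          # assumption: overridable for dry runs
IPSET_NAME="${IPSET_NAME:-blocklist}"   # assumption: example's own set name

# Return 0 if $1 is a dotted-quad IPv4 address with an optional /0-32 prefix.
is_ipv4() {
    case "$1" in */) return 1 ;; esac   # reject a dangling slash
    addr="${1%/*}"                      # strip optional /prefix
    prefix="${1#"$addr"}"; prefix="${prefix#/}"
    case "$addr" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;   # only digits and dots, no empty octet
    esac
    old_ifs=$IFS; IFS=.; set -- $addr; IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1          # exactly four octets
    for o in "$@"; do
        [ "${#o}" -le 3 ] && [ "$o" -le 255 ] || return 1
    done
    if [ -n "$prefix" ]; then
        case "$prefix" in *[!0-9]*) return 1 ;; esac
        [ "$prefix" -le 32 ] || return 1
    fi
    return 0
}

# Print the valid entries of file $1, one per line; blanks, '#' comments and
# malformed lines are dropped (malformed ones are reported on stderr).
valid_entries() {
    while IFS= read -r line || [ -n "$line" ]; do
        line="${line%%#*}"
        line="$(printf '%s' "$line" | tr -d '[:space:]')"
        [ -n "$line" ] || continue
        if is_ipv4 "$line"; then
            printf '%s\n' "$line"
        else
            printf 'skipping malformed entry: %s\n' "$line" >&2
        fi
    done < "$1"
}

# Install the blocklist from file $1: one ipset, one bulk load, one DROP rule.
install_blocklist() {
    tmp="$(mktemp)" || return 1
    valid_entries "$1" > "$tmp"
    # hash:net accepts both single addresses and CIDR ranges; create it only once.
    "$FWCMD" --permanent --get-ipsets | tr ' ' '\n' | grep -qx "$IPSET_NAME" ||
        "$FWCMD" --permanent --new-ipset="$IPSET_NAME" --type=hash:net
    "$FWCMD" --permanent --ipset="$IPSET_NAME" --add-entries-from-file="$tmp"
    # A single rule in INPUT_direct matches every entry of the set, so adding
    # 8000 addresses costs one rule, not 8000 zone source bindings.
    "$FWCMD" --permanent --direct --add-rule ipv4 filter INPUT 0 \
        -m set --match-set "$IPSET_NAME" src -j DROP
    "$FWCMD" --reload
    rm -f "$tmp"
}

if [ "$#" -eq 1 ]; then
    install_blocklist "$1"
fi
```

After `--reload`, `firewall-cmd --ipset=blocklist --get-entries` lists what was loaded and `firewall-cmd --direct --get-all-rules` shows the single DROP rule; later additions are `firewall-cmd --permanent --ipset=blocklist --add-entry=ADDR` followed by `--reload`, with no change to the rule itself.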