I am not sure what is going on with my configuration of firewalld using ipsets. I think something must be wrong.
I have a cronjob that checks the log files and adds IPs to the ipset for those that are trying to log in to ssh that should not or abusing other services. I notices that there are still a lot of bad logins to root. So I checked the IP that was shown in the login against the ipset, when it was added to the ipset (I have my own log for that.) and when the IP last tried to connect using ssh. The IP, 61.174.51.194, is in the ipset.
# ipset test blacklist_ipv4_current 61.174.51.194 61.174.51.194 is in set blacklist_ipv4_current.
The IP was added to blacklist_ipv4_current Wed Jul 16 09:00:02 EDT 2014.
But when I check /var/log/security, the IP attempted 152 logins after being added to the blacklist set.
Jul 16 09:00:03 joe sshd[9778]: Failed password for root from 61.174.51.194 port 16973 ssh2 Jul 16 09:00:03 joe sshd[9778]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.174.51.194 user=root Jul 16 09:00:03 joe sshd[9800]: Failed password for root from 61.174.51.194 port 23297 ssh2 Jul 16 09:00:06 joe sshd[9800]: Failed password for root from 61.174.51.194 port 23297 ssh2 Jul 16 09:00:09 joe sshd[9800]: Failed password for root from 61.174.51.194 port 23297 ssh2 Jul 16 09:00:10 joe sshd[10148]: reverse mapping checking getaddrinfo for 194.51.174.61.dial.wz.zj.dynamic.163data.com.cn [61.174.51.194] failed - POSSIBLE BREAK-IN ATTEMPT! Jul 16 09:00:10 joe sshd[10148]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.174.51.194 user=root Jul 16 09:00:12 joe sshd[9800]: Failed password for root from 61.174.51.194 port 23297 ssh2 Jul 16 09:00:12 joe sshd[10148]: Failed password for root from 61.174.51.194 port 25999 ssh2 Jul 16 09:00:15 joe sshd[10148]: Failed password for root from 61.174.51.194 port 25999 ssh2 Jul 16 09:00:16 joe sshd[9800]: Failed password for root from 61.174.51.194 port 23297 ssh2 Jul 16 09:00:16 joe sshd[9800]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.174.51.194 user=root Jul 16 09:00:17 joe sshd[10148]: Failed password for root from 61.174.51.194 port 25999 ssh2 Jul 16 09:00:19 joe sshd[10148]: Failed password for root from 61.174.51.194 port 25999 ssh2 Jul 16 09:00:23 joe sshd[10157]: reverse mapping checking getaddrinfo for 194.51.174.61.dial.wz.zj.dynamic.163data.com.cn [61.174.51.194] failed - POSSIBLE BREAK-IN ATTEMPT! Jul 16 09:00:23 joe sshd[10148]: Failed password for root from 61.174.51.194 port 25999 ssh2 Jul 16 09:00:23 joe sshd[10157]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.174.51.194 user=root Jul 16 09:00:25 joe sshd[10157]: Failed password for root from 61.174.51.194 port 28861 ssh2 Jul 16 09:00:25 joe sshd[10148]: Failed password for root from 61.174.51.194 port 25999 ssh2 Jul 16 09:00:25 joe sshd[10148]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.174.51.194 user=root Jul 16 09:00:28 joe sshd[10157]: Failed password for root from 61.174.51.194 port 28861 ssh2 Jul 16 09:00:33 joe sshd[10165]: reverse mapping checking getaddrinfo for 194.51.174.61.dial.wz.zj.dynamic.163data.com.cn [61.174.51.194] failed - POSSIBLE BREAK-IN ATTEMPT! Jul 16 09:00:33 joe sshd[10165]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.174.51.194 user=root Jul 16 09:00:34 joe sshd[10157]: Failed password for root from 61.174.51.194 port 28861 ssh2 Jul 16 09:00:35 joe sshd[10165]: Failed password for root from 61.174.51.194 port 31156 ssh2 Jul 16 09:00:36 joe sshd[10157]: Failed password for root from 61.174.51.194 port 28861 ssh2 Jul 16 09:00:37 joe sshd[10165]: Failed password for root from 61.174.51.194 port 31156 ssh2 Jul 16 09:00:38 joe sshd[10157]: Failed password for root from 61.174.51.194 port 28861 ssh2 Jul 16 09:00:39 joe sshd[10165]: Failed password for root from 61.174.51.194 port 31156 ssh2 Jul 16 09:00:40 joe sshd[10157]: Failed password for root from 61.174.51.194 port 28861 ssh2 Jul 16 09:00:40 joe sshd[10157]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.174.51.194 user=root Jul 16 09:00:43 joe sshd[10165]: Failed password for root from 61.174.51.194 port 31156 ssh2 Jul 16 09:00:45 joe sshd[10165]: Failed password for root from 61.174.51.194 port 31156 ssh2 Jul 16 09:00:48 joe sshd[10165]: Failed password for root from 61.174.51.194 port 31156 ssh2 Jul 16 09:00:48 joe sshd[10165]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.174.51.194 user=root Jul 16 09:00:50 joe sshd[10179]: reverse mapping checking getaddrinfo for 194.51.174.61.dial.wz.zj.dynamic.163data.com.cn [61.174.51.194] failed - POSSIBLE BREAK-IN ATTEMPT! Jul 16 09:00:51 joe sshd[10179]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.174.51.194 user=root Jul 16 09:00:52 joe sshd[10179]: Failed password for root from 61.174.51.194 port 35507 ssh2 Jul 16 09:00:53 joe sshd[10183]: reverse mapping checking getaddrinfo for 194.51.174.61.dial.wz.zj.dynamic.163data.com.cn [61.174.51.194] failed - POSSIBLE BREAK-IN ATTEMPT! Jul 16 09:00:54 joe sshd[10183]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.174.51.194 user=root Jul 16 09:00:55 joe sshd[10179]: Failed password for root from 61.174.51.194 port 35507 ssh2 Jul 16 09:00:55 joe sshd[10183]: Failed password for root from 61.174.51.194 port 36219 ssh2 Jul 16 09:00:57 joe sshd[10179]: Failed password for root from 61.174.51.194 port 35507 ssh2 Jul 16 09:00:58 joe sshd[10183]: Failed password for root from 61.174.51.194 port 36219 ssh2 Jul 16 09:01:00 joe sshd[10183]: Failed password for root from 61.174.51.194 port 36219 ssh2 Jul 16 09:01:02 joe sshd[10179]: Failed password for root from 61.174.51.194 port 35507 ssh2 Jul 16 09:01:03 joe sshd[10183]: Failed password for root from 61.174.51.194 port 36219 ssh2 Jul 16 09:01:06 joe sshd[10183]: Failed password for root from 61.174.51.194 port 36219 ssh2 Jul 16 09:01:08 joe sshd[10183]: Failed password for root from 61.174.51.194 port 36219 ssh2 Jul 16 09:01:08 joe sshd[10183]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.174.51.194 user=root Jul 16 09:01:12 joe sshd[10227]: reverse mapping checking getaddrinfo for 194.51.174.61.dial.wz.zj.dynamic.163data.com.cn [61.174.51.194] failed - POSSIBLE BREAK-IN ATTEMPT! Jul 16 09:01:12 joe sshd[10179]: Failed password for root from 61.174.51.194 port 35507 ssh2 Jul 16 09:01:12 joe sshd[10227]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.174.51.194 user=root Jul 16 09:01:14 joe sshd[10227]: Failed password for root from 61.174.51.194 port 40562 ssh2 Jul 16 09:01:14 joe sshd[10179]: Failed password for root from 61.174.51.194 port 35507 ssh2 Jul 16 09:01:14 joe sshd[10179]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.174.51.194 user=root Jul 16 09:01:17 joe sshd[10227]: Failed password for root from 61.174.51.194 port 40562 ssh2 Jul 16 09:01:19 joe sshd[10234]: reverse mapping checking getaddrinfo for 194.51.174.61.dial.wz.zj.dynamic.163data.com.cn [61.174.51.194] failed - POSSIBLE BREAK-IN ATTEMPT! Jul 16 09:01:19 joe sshd[10234]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.174.51.194 user=root Jul 16 09:01:19 joe sshd[10227]: Failed password for root from 61.174.51.194 port 40562 ssh2 Jul 16 09:01:22 joe sshd[10234]: Failed password for root from 61.174.51.194 port 41984 ssh2 Jul 16 09:01:22 joe sshd[10227]: Failed password for root from 61.174.51.194 port 40562 ssh2 Jul 16 09:01:24 joe sshd[10234]: Failed password for root from 61.174.51.194 port 41984 ssh2 Jul 16 09:01:24 joe sshd[10227]: Failed password for root from 61.174.51.194 port 40562 ssh2 Jul 16 09:01:27 joe sshd[10234]: Failed password for root from 61.174.51.194 port 41984 ssh2 Jul 16 09:01:27 joe sshd[10227]: Failed password for root from 61.174.51.194 port 40562 ssh2 Jul 16 09:01:27 joe sshd[10227]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.174.51.194 user=root Jul 16 09:01:29 joe sshd[10234]: Failed password for root from 61.174.51.194 port 41984 ssh2 Jul 16 09:01:32 joe sshd[10234]: Failed password for root from 61.174.51.194 port 41984 ssh2 Jul 16 09:01:34 joe sshd[10246]: reverse mapping checking getaddrinfo for 194.51.174.61.dial.wz.zj.dynamic.163data.com.cn [61.174.51.194] failed - POSSIBLE BREAK-IN ATTEMPT! Jul 16 09:01:34 joe sshd[10246]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.174.51.194 user=root Jul 16 09:01:35 joe sshd[10234]: Failed password for root from 61.174.51.194 port 41984 ssh2 Jul 16 09:01:35 joe sshd[10234]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.174.51.194 user=root Jul 16 09:01:36 joe sshd[10246]: Failed password for root from 61.174.51.194 port 45039 ssh2 Jul 16 09:01:39 joe sshd[10252]: reverse mapping checking getaddrinfo for 194.51.174.61.dial.wz.zj.dynamic.163data.com.cn [61.174.51.194] failed - POSSIBLE BREAK-IN ATTEMPT! Jul 16 09:01:39 joe sshd[10246]: Failed password for root from 61.174.51.194 port 45039 ssh2 Jul 16 09:01:41 joe sshd[10246]: Failed password for root from 61.174.51.194 port 45039 ssh2 Jul 16 09:01:43 joe sshd[10252]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.174.51.194 user=root Jul 16 09:01:44 joe sshd[10246]: Failed password for root from 61.174.51.194 port 45039 ssh2 Jul 16 09:01:45 joe sshd[10252]: Failed password for root from 61.174.51.194 port 46605 ssh2 Jul 16 09:01:48 joe sshd[10246]: Failed password for root from 61.174.51.194 port 45039 ssh2 Jul 16 09:01:48 joe sshd[10252]: Failed password for root from 61.174.51.194 port 46605 ssh2 Jul 16 09:01:50 joe sshd[10246]: Failed password for root from 61.174.51.194 port 45039 ssh2 Jul 16 09:01:50 joe sshd[10246]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.174.51.194 user=root Jul 16 09:01:52 joe sshd[10252]: Failed password for root from 61.174.51.194 port 46605 ssh2 Jul 16 09:01:54 joe sshd[10252]: Failed password for root from 61.174.51.194 port 46605 ssh2 Jul 16 09:01:54 joe sshd[10266]: reverse mapping checking getaddrinfo for 194.51.174.61.dial.wz.zj.dynamic.163data.com.cn [61.174.51.194] failed - POSSIBLE BREAK-IN ATTEMPT! Jul 16 09:01:55 joe sshd[10266]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.174.51.194 user=root Jul 16 09:01:57 joe sshd[10252]: Failed password for root from 61.174.51.194 port 46605 ssh2 Jul 16 09:01:57 joe sshd[10266]: Failed password for root from 61.174.51.194 port 49978 ssh2 Jul 16 09:01:59 joe sshd[10252]: Failed password for root from 61.174.51.194 port 46605 ssh2 Jul 16 09:01:59 joe sshd[10252]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.174.51.194 user=root Jul 16 09:02:00 joe sshd[10266]: Failed password for root from 61.174.51.194 port 49978 ssh2 Jul 16 09:02:03 joe sshd[10266]: Failed password for root from 61.174.51.194 port 49978 ssh2 Jul 16 09:02:03 joe sshd[10275]: reverse mapping checking getaddrinfo for 194.51.174.61.dial.wz.zj.dynamic.163data.com.cn [61.174.51.194] failed - POSSIBLE BREAK-IN ATTEMPT! Jul 16 09:02:04 joe sshd[10275]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.174.51.194 user=root Jul 16 09:02:05 joe sshd[10266]: Failed password for root from 61.174.51.194 port 49978 ssh2 Jul 16 09:02:06 joe sshd[10275]: Failed password for root from 61.174.51.194 port 51942 ssh2 Jul 16 09:02:08 joe sshd[10275]: Failed password for root from 61.174.51.194 port 51942 ssh2 Jul 16 09:02:11 joe sshd[10275]: Failed password for root from 61.174.51.194 port 51942 ssh2 Jul 16 09:02:13 joe sshd[10266]: Failed password for root from 61.174.51.194 port 49978 ssh2 Jul 16 09:02:15 joe sshd[10275]: Failed password for root from 61.174.51.194 port 51942 ssh2 Jul 16 09:02:16 joe sshd[10266]: Failed password for root from 61.174.51.194 port 49978 ssh2 Jul 16 09:02:16 joe sshd[10266]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.174.51.194 user=root Jul 16 09:02:18 joe sshd[10275]: Failed password for root from 61.174.51.194 port 51942 ssh2 Jul 16 09:02:21 joe sshd[10275]: Failed password for root from 61.174.51.194 port 51942 ssh2 Jul 16 09:02:21 joe sshd[10275]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.174.51.194 user=root Jul 16 09:02:23 joe sshd[10504]: reverse mapping checking getaddrinfo for 194.51.174.61.dial.wz.zj.dynamic.163data.com.cn [61.174.51.194] failed - POSSIBLE BREAK-IN ATTEMPT! Jul 16 09:02:23 joe sshd[10504]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.174.51.194 user=root Jul 16 09:02:25 joe sshd[10504]: Failed password for root from 61.174.51.194 port 55562 ssh2 Jul 16 09:02:27 joe sshd[10504]: Failed password for root from 61.174.51.194 port 55562 ssh2 Jul 16 09:02:28 joe sshd[10509]: reverse mapping checking getaddrinfo for 194.51.174.61.dial.wz.zj.dynamic.163data.com.cn [61.174.51.194] failed - POSSIBLE BREAK-IN ATTEMPT! Jul 16 09:02:28 joe sshd[10509]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.174.51.194 user=root Jul 16 09:02:30 joe sshd[10504]: Failed password for root from 61.174.51.194 port 55562 ssh2 Jul 16 09:02:31 joe sshd[10509]: Failed password for root from 61.174.51.194 port 56553 ssh2 Jul 16 09:02:33 joe sshd[10504]: Failed password for root from 61.174.51.194 port 55562 ssh2 Jul 16 09:02:33 joe sshd[10509]: Failed password for root from 61.174.51.194 port 56553 ssh2 Jul 16 09:02:35 joe sshd[10504]: Failed password for root from 61.174.51.194 port 55562 ssh2 Jul 16 09:02:36 joe sshd[10509]: Failed password for root from 61.174.51.194 port 56553 ssh2 Jul 16 09:02:39 joe sshd[10509]: Failed password for root from 61.174.51.194 port 56553 ssh2 Jul 16 09:02:39 joe sshd[10504]: Failed password for root from 61.174.51.194 port 55562 ssh2 Jul 16 09:02:39 joe sshd[10504]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.174.51.194 user=root Jul 16 09:02:41 joe sshd[10509]: Failed password for root from 61.174.51.194 port 56553 ssh2 Jul 16 09:02:43 joe sshd[10509]: Failed password for root from 61.174.51.194 port 56553 ssh2 Jul 16 09:02:43 joe sshd[10509]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.174.51.194 user=root Jul 16 09:02:43 joe sshd[10525]: reverse mapping checking getaddrinfo for 194.51.174.61.dial.wz.zj.dynamic.163data.com.cn [61.174.51.194] failed - POSSIBLE BREAK-IN ATTEMPT! Jul 16 09:02:44 joe sshd[10525]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.174.51.194 user=root Jul 16 09:02:46 joe sshd[10525]: Failed password for root from 61.174.51.194 port 2338 ssh2 Jul 16 09:02:47 joe sshd[10529]: reverse mapping checking getaddrinfo for 194.51.174.61.dial.wz.zj.dynamic.163data.com.cn [61.174.51.194] failed - POSSIBLE BREAK-IN ATTEMPT! Jul 16 09:02:48 joe sshd[10529]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.174.51.194 user=root Jul 16 09:02:49 joe sshd[10525]: Failed password for root from 61.174.51.194 port 2338 ssh2 Jul 16 09:02:50 joe sshd[10529]: Failed password for root from 61.174.51.194 port 3233 ssh2 Jul 16 09:02:51 joe sshd[10525]: Failed password for root from 61.174.51.194 port 2338 ssh2 Jul 16 09:02:53 joe sshd[10529]: Failed password for root from 61.174.51.194 port 3233 ssh2 Jul 16 09:02:54 joe sshd[10525]: Failed password for root from 61.174.51.194 port 2338 ssh2 Jul 16 09:02:55 joe sshd[10529]: Failed password for root from 61.174.51.194 port 3233 ssh2 Jul 16 09:02:57 joe sshd[10525]: Failed password for root from 61.174.51.194 port 2338 ssh2 Jul 16 09:02:58 joe sshd[10529]: Failed password for root from 61.174.51.194 port 3233 ssh2 Jul 16 09:02:59 joe sshd[10525]: Failed password for root from 61.174.51.194 port 2338 ssh2 Jul 16 09:02:59 joe sshd[10525]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.174.51.194 user=root Jul 16 09:03:00 joe sshd[10529]: Failed password for root from 61.174.51.194 port 3233 ssh2 Jul 16 09:03:03 joe sshd[10529]: Failed password for root from 61.174.51.194 port 3233 ssh2 Jul 16 09:03:03 joe sshd[10529]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.174.51.194 user=root Jul 16 09:03:05 joe sshd[10545]: reverse mapping checking getaddrinfo for 194.51.174.61.dial.wz.zj.dynamic.163data.com.cn [61.174.51.194] failed - POSSIBLE BREAK-IN ATTEMPT! Jul 16 09:03:06 joe sshd[10545]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.174.51.194 user=root Jul 16 09:03:08 joe sshd[10550]: reverse mapping checking getaddrinfo for 194.51.174.61.dial.wz.zj.dynamic.163data.com.cn [61.174.51.194] failed - POSSIBLE BREAK-IN ATTEMPT! Jul 16 09:03:09 joe sshd[10545]: Failed password for root from 61.174.51.194 port 6642 ssh2 Jul 16 09:03:09 joe sshd[10550]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.174.51.194 user=root Jul 16 09:03:11 joe sshd[10550]: Failed password for root from 61.174.51.194 port 7538 ssh2 Jul 16 09:03:11 joe sshd[10545]: Failed password for root from 61.174.51.194 port 6642 ssh2 Jul 16 09:03:11 joe sshd[10545]: PAM 1 more authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.174.51.194 user=root
My ipset ellipsized is:
Name: blacklist_ipv4_permanent Type: hash:ip Revision: 2 Header: family inet hashsize 4096 maxelem 65536 Size in memory: 126760 References: 1 Members: 200.74.162.237 96.237.146.189 190.21.141.207 201.116.227.194 ... 77.234.3.95 218.63.121.5 203.184.192.216 70.115.3.109 74.55.63.194 221.5.86.42 122.25.33.18 190.95.242.142 85.250.14.160
Name: blacklist_ipv4_semipermanent Type: hash:ip Revision: 2 Header: family inet hashsize 4096 maxelem 65536 Size in memory: 67304 References: 1 Members: 123.30.182.178 50.195.85.69 116.10.191.213 61.174.51.200 79.191.202.21 61.174.51.211 46.130.133.139 ... 116.10.191.174 23.81.27.114 61.174.51.230 61.174.51.233 188.165.212.171 103.9.91.6
Name: blacklist_ipv4_current Type: hash:ip Revision: 2 Header: family inet hashsize 4096 maxelem 65536 Size in memory: 66152 References: 1 Members: 61.174.51.213 85.25.242.234 85.25.150.52 61.233.233.124 211.234.100.203 221.179.191.36 85.25.139.52 221.179.89.90 61.233.76.135 116.10.191.208 61.174.51.194 61.174.51.197 94.156.77.46 85.25.129.28 37.157.187.125 116.10.191.203 85.25.176.135 54.237.87.185 85.25.176.103 61.234.146.22 198.211.30.115 200.30.85.115 59.63.167.174 61.19.247.71 85.25.139.28 183.129.228.45 116.10.191.195 85.25.99.108 216.146.33.22 85.25.144.37 216.146.33.50
Name: blacklist_ipv6_permanent Type: hash:ip Revision: 2 Header: family inet hashsize 4096 maxelem 65536 Size in memory: 65656 References: 1 Members:
Name: blacklist_ipv6_semipermanent Type: hash:ip Revision: 2 Header: family inet hashsize 4096 maxelem 65536 Size in memory: 65656 References: 1 Members:
Name: blacklist_ipv6_current Type: hash:ip Revision: 2 Header: family inet hashsize 4096 maxelem 65536 Size in memory: 65656 References: 1 Members:
Name: blacklist Type: list:set Revision: 2 Header: size 8 Size in memory: 112 References: 0 Members: blacklist_ipv4_permanent blacklist_ipv4_semipermanent blacklist_ipv4_current blacklist_ipv6_permanent blacklist_ipv6_semipermanent blacklist_ipv6_current
There are a total of 8616 IPs in blacklist_ipv4_permanent, blacklist_ipv4_semipermanent, and blacklist_ipv4_current. No addresses in any ipv6 set yet.
My /etc/firewalld/direct.xml file is a symbolic link to ../../root/ipFilter/lib/direct.xml and the selinux context is:
# l -Z direct.xml ../../root/ipFilter/lib/direct.xml lrwxrwxrwx. root root unconfined_u:object_r:firewalld_etc_rw_t:s0 direct.xml -> ../../root/ipFilter/lib/direct.xml -rw-r-----. root root unconfined_u:object_r:firewalld_etc_rw_t:s0 ../../root/ipFilter/lib/direct.xml
The /etc/firewalld/direct.xml is:
# /etc/firewalld/direct.xml: <direct> <!-- IPset Blacklisting --> <chain ipv="ipv4" table="raw" chain="PREROUTING_blacklist"/> <passthrough ipv="ipv4">-t raw -A PREROUTING_blacklist -m limit --limit 3/min -j LOG --log-prefix BLACKLIST_DROP: --log-level 6</passthrough> <passthrough ipv="ipv4">-t raw -A PREROUTING_blacklist -j DROP</passthrough> <passthrough ipv="ipv4">-t raw -A PREROUTING -m set --match-set blacklist src -j PREROUTING_blacklist</passthrough> <chain ipv="ipv6" table="raw" chain="PREROUTING_blacklist"/> <passthrough ipv="ipv6">-t raw -A PREROUTING_blacklist -m limit --limit 3/min -j LOG --log-prefix BLACKLIST_DROP: --log-level 6</passthrough> <passthrough ipv="ipv6">-t raw -A PREROUTING_blacklist -j DROP</passthrough> <passthrough ipv="ipv6">-t raw -A PREROUTING -m set --match-set blacklist src -j PREROUTING_blacklist</passthrough> </direct>
When I open firewall-config, there is nothing under the Direct tab.
I am using firewalld-0.3.10-1.fc20.noarch.
I sure would appreciate some guidance to what may be wrong.
John
On 01/25/2014 08:27 AM, Anthony Messina wrote:
On Saturday, January 25, 2014 07:42:48 AM John Griffiths wrote:
I may be entirely wrong in my observation, so please correct me where I am wrong.
I observe that firewalld is very flexible and powerful and will add and delete IPs without having to restart. Zones may be switched on the fly. The code is changing at a rapid pace. And, what seems to be a big one to me, there are more than one way to do something.
Having more than one way to configure essentially the same operation seems to me would add to the code complexity. Complexity often leads to code maintenance issues. Not saying there are any. Complexity leads to user confusion such as I am having now. Rapidly developing code causes documentation lag; one reason this list is so valuable.
I am a developer professionally. If I am having issues understanding, then how about someone who is strictly a user? Maybe no one else has the issue of over 8000 IPs being dropped at the firewall, but I certainly do and I am finding it hard to address with my understanding of firewalld.
Thanks to the developers for the hard work. Hope someone with first hand knowledge of the development can set me straight.
John, I'm not sure if this may be of help to you, but I was also trying to get firewalld to work nicely with ipset for the use of blacklisting. Here are some examples that I use. (Lines are likely wrapped):
# /etc/firewalld/direct.xml:
<direct> <!-- IPset Blacklisting --> <chain ipv="ipv4" table="raw" chain="PREROUTING_blacklist"/> <passthrough ipv="ipv4">-t raw -A PREROUTING_blacklist -m limit --limit 3/min -j LOG --log-prefix BLACKLIST_DROP: --log-level 6</passthrough> <passthrough ipv="ipv4">-t raw -A PREROUTING_blacklist -j DROP</passthrough> <passthrough ipv="ipv4">-t raw -A PREROUTING -m set --match-set blacklist src -j PREROUTING_blacklist</passthrough> <chain ipv="ipv6" table="raw" chain="PREROUTING_blacklist"/> <passthrough ipv="ipv6">-t raw -A PREROUTING_blacklist -m limit --limit 3/min -j LOG --log-prefix BLACKLIST_DROP: --log-level 6</passthrough> <passthrough ipv="ipv6">-t raw -A PREROUTING_blacklist -j DROP</passthrough> <passthrough ipv="ipv6">-t raw -A PREROUTING -m set --match-set blacklist src -j PREROUTING_blacklist</passthrough> </direct>
The thing to remember with the above configuration is that you must add the dependent chains first--PREROUTING cannot refer to PREROUTING_blacklist if PREROUTING_blacklist doesn't yet exist.
I have also created a systemd ipset.service file that will reload previously saved ipset rules on boot and save them on shutdown:
#/etc/systemd/system/ipset.service [Unit] Description=ipset - IP set restore & save Documentation=man:ipset(8) Before=network.target firewalld.service iptables.service ip6tables.service ConditionFileNotEmpty=/etc/sysconfig/ipset.save
[Service] Type=oneshot ExecStart=/usr/sbin/ipset -exist -file /etc/sysconfig/ipset.save restore ExecStop=/usr/sbin/ipset -file /etc/sysconfig/ipset.save save RemainAfterExit=yes StandardOutput=journal+console UMask=0177
[Install] WantedBy=basic.target
The way I did this was to create a minimal ipset configuration and execute '/usr/sbin/ipset -file /etc/sysconfig/ipset.save save' -- so the rules are stored in /etc/sysconfig/ipset.save prior to enabling ipset.service
My initial ipset.save without any ip addresses added looks like:
create blacklist_ipv6 hash:net family inet6 hashsize 1024 maxelem 65536 create blacklist_ipv4 hash:net family inet hashsize 1024 maxelem 65536 create blacklist list:set size 8 add blacklist blacklist_ipv4 add blacklist blacklist_ipv6
Then do 'systemctl enable ipset && systemctl start ipset'
Together, the additions to the direct.xml configuration and the ipset.service have allowed me to add or remove ip addresses from the blacklist without the worry of what happens upon restart, etc.
-A
firewalld-users mailing list firewalld-users@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/firewalld-users