Re: firewalld general observations

Wednesday, 16 July 2014

I am not sure what is going on with my configuration of firewalld using 
ipsets. I think something must be wrong.

I have a cronjob that checks the log files and adds IPs to the ipset for 
those that are trying to log in to ssh that should not or abusing other 
services. I notices that there are still a lot of bad logins to root. So 
I checked the IP that was shown in the login against the ipset, when it 
was added to the ipset (I have my own log for that.) and when the IP 
last tried to connect using ssh. The IP, 61.174.51.194, is in the ipset.

    # ipset test blacklist_ipv4_current 61.174.51.194
    61.174.51.194 is in set blacklist_ipv4_current.

The IP was added to blacklist_ipv4_current Wed Jul 16 09:00:02 EDT 2014.

But when I check /var/log/security, the IP attempted 152 logins after 
being added to the blacklist set.

    Jul 16 09:00:03 joe sshd[9778]: Failed password for root from
    61.174.51.194 port 16973 ssh2
    Jul 16 09:00:03 joe sshd[9778]: PAM 5 more authentication failures;
    logname= uid=0 euid=0 tty=ssh ruser= rhost=61.174.51.194  user=root
    Jul 16 09:00:03 joe sshd[9800]: Failed password for root from
    61.174.51.194 port 23297 ssh2
    Jul 16 09:00:06 joe sshd[9800]: Failed password for root from
    61.174.51.194 port 23297 ssh2
    Jul 16 09:00:09 joe sshd[9800]: Failed password for root from
    61.174.51.194 port 23297 ssh2
    Jul 16 09:00:10 joe sshd[10148]: reverse mapping checking
    getaddrinfo for 194.51.174.61.dial.wz.zj.dynamic.163data.com.cn
    [61.174.51.194] failed - POSSIBLE BREAK-IN ATTEMPT!
    Jul 16 09:00:10 joe sshd[10148]: pam_unix(sshd:auth): authentication
    failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.174.51.194 
    user=root
    Jul 16 09:00:12 joe sshd[9800]: Failed password for root from
    61.174.51.194 port 23297 ssh2
    Jul 16 09:00:12 joe sshd[10148]: Failed password for root from
    61.174.51.194 port 25999 ssh2
    Jul 16 09:00:15 joe sshd[10148]: Failed password for root from
    61.174.51.194 port 25999 ssh2
    Jul 16 09:00:16 joe sshd[9800]: Failed password for root from
    61.174.51.194 port 23297 ssh2
    Jul 16 09:00:16 joe sshd[9800]: PAM 5 more authentication failures;
    logname= uid=0 euid=0 tty=ssh ruser= rhost=61.174.51.194  user=root
    Jul 16 09:00:17 joe sshd[10148]: Failed password for root from
    61.174.51.194 port 25999 ssh2
    Jul 16 09:00:19 joe sshd[10148]: Failed password for root from
    61.174.51.194 port 25999 ssh2
    Jul 16 09:00:23 joe sshd[10157]: reverse mapping checking
    getaddrinfo for 194.51.174.61.dial.wz.zj.dynamic.163data.com.cn
    [61.174.51.194] failed - POSSIBLE BREAK-IN ATTEMPT!
    Jul 16 09:00:23 joe sshd[10148]: Failed password for root from
    61.174.51.194 port 25999 ssh2
    Jul 16 09:00:23 joe sshd[10157]: pam_unix(sshd:auth): authentication
    failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.174.51.194 
    user=root
    Jul 16 09:00:25 joe sshd[10157]: Failed password for root from
    61.174.51.194 port 28861 ssh2
    Jul 16 09:00:25 joe sshd[10148]: Failed password for root from
    61.174.51.194 port 25999 ssh2
    Jul 16 09:00:25 joe sshd[10148]: PAM 5 more authentication failures;
    logname= uid=0 euid=0 tty=ssh ruser= rhost=61.174.51.194  user=root
    Jul 16 09:00:28 joe sshd[10157]: Failed password for root from
    61.174.51.194 port 28861 ssh2
    Jul 16 09:00:33 joe sshd[10165]: reverse mapping checking
    getaddrinfo for 194.51.174.61.dial.wz.zj.dynamic.163data.com.cn
    [61.174.51.194] failed - POSSIBLE BREAK-IN ATTEMPT!
    Jul 16 09:00:33 joe sshd[10165]: pam_unix(sshd:auth): authentication
    failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.174.51.194 
    user=root
    Jul 16 09:00:34 joe sshd[10157]: Failed password for root from
    61.174.51.194 port 28861 ssh2
    Jul 16 09:00:35 joe sshd[10165]: Failed password for root from
    61.174.51.194 port 31156 ssh2
    Jul 16 09:00:36 joe sshd[10157]: Failed password for root from
    61.174.51.194 port 28861 ssh2
    Jul 16 09:00:37 joe sshd[10165]: Failed password for root from
    61.174.51.194 port 31156 ssh2
    Jul 16 09:00:38 joe sshd[10157]: Failed password for root from
    61.174.51.194 port 28861 ssh2
    Jul 16 09:00:39 joe sshd[10165]: Failed password for root from
    61.174.51.194 port 31156 ssh2
    Jul 16 09:00:40 joe sshd[10157]: Failed password for root from
    61.174.51.194 port 28861 ssh2
    Jul 16 09:00:40 joe sshd[10157]: PAM 5 more authentication failures;
    logname= uid=0 euid=0 tty=ssh ruser= rhost=61.174.51.194  user=root
    Jul 16 09:00:43 joe sshd[10165]: Failed password for root from
    61.174.51.194 port 31156 ssh2
    Jul 16 09:00:45 joe sshd[10165]: Failed password for root from
    61.174.51.194 port 31156 ssh2
    Jul 16 09:00:48 joe sshd[10165]: Failed password for root from
    61.174.51.194 port 31156 ssh2
    Jul 16 09:00:48 joe sshd[10165]: PAM 5 more authentication failures;
    logname= uid=0 euid=0 tty=ssh ruser= rhost=61.174.51.194  user=root
    Jul 16 09:00:50 joe sshd[10179]: reverse mapping checking
    getaddrinfo for 194.51.174.61.dial.wz.zj.dynamic.163data.com.cn
    [61.174.51.194] failed - POSSIBLE BREAK-IN ATTEMPT!
    Jul 16 09:00:51 joe sshd[10179]: pam_unix(sshd:auth): authentication
    failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.174.51.194 
    user=root
    Jul 16 09:00:52 joe sshd[10179]: Failed password for root from
    61.174.51.194 port 35507 ssh2
    Jul 16 09:00:53 joe sshd[10183]: reverse mapping checking
    getaddrinfo for 194.51.174.61.dial.wz.zj.dynamic.163data.com.cn
    [61.174.51.194] failed - POSSIBLE BREAK-IN ATTEMPT!
    Jul 16 09:00:54 joe sshd[10183]: pam_unix(sshd:auth): authentication
    failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.174.51.194 
    user=root
    Jul 16 09:00:55 joe sshd[10179]: Failed password for root from
    61.174.51.194 port 35507 ssh2
    Jul 16 09:00:55 joe sshd[10183]: Failed password for root from
    61.174.51.194 port 36219 ssh2
    Jul 16 09:00:57 joe sshd[10179]: Failed password for root from
    61.174.51.194 port 35507 ssh2
    Jul 16 09:00:58 joe sshd[10183]: Failed password for root from
    61.174.51.194 port 36219 ssh2
    Jul 16 09:01:00 joe sshd[10183]: Failed password for root from
    61.174.51.194 port 36219 ssh2
    Jul 16 09:01:02 joe sshd[10179]: Failed password for root from
    61.174.51.194 port 35507 ssh2
    Jul 16 09:01:03 joe sshd[10183]: Failed password for root from
    61.174.51.194 port 36219 ssh2
    Jul 16 09:01:06 joe sshd[10183]: Failed password for root from
    61.174.51.194 port 36219 ssh2
    Jul 16 09:01:08 joe sshd[10183]: Failed password for root from
    61.174.51.194 port 36219 ssh2
    Jul 16 09:01:08 joe sshd[10183]: PAM 5 more authentication failures;
    logname= uid=0 euid=0 tty=ssh ruser= rhost=61.174.51.194  user=root
    Jul 16 09:01:12 joe sshd[10227]: reverse mapping checking
    getaddrinfo for 194.51.174.61.dial.wz.zj.dynamic.163data.com.cn
    [61.174.51.194] failed - POSSIBLE BREAK-IN ATTEMPT!
    Jul 16 09:01:12 joe sshd[10179]: Failed password for root from
    61.174.51.194 port 35507 ssh2
    Jul 16 09:01:12 joe sshd[10227]: pam_unix(sshd:auth): authentication
    failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.174.51.194 
    user=root
    Jul 16 09:01:14 joe sshd[10227]: Failed password for root from
    61.174.51.194 port 40562 ssh2
    Jul 16 09:01:14 joe sshd[10179]: Failed password for root from
    61.174.51.194 port 35507 ssh2
    Jul 16 09:01:14 joe sshd[10179]: PAM 5 more authentication failures;
    logname= uid=0 euid=0 tty=ssh ruser= rhost=61.174.51.194  user=root
    Jul 16 09:01:17 joe sshd[10227]: Failed password for root from
    61.174.51.194 port 40562 ssh2
    Jul 16 09:01:19 joe sshd[10234]: reverse mapping checking
    getaddrinfo for 194.51.174.61.dial.wz.zj.dynamic.163data.com.cn
    [61.174.51.194] failed - POSSIBLE BREAK-IN ATTEMPT!
    Jul 16 09:01:19 joe sshd[10234]: pam_unix(sshd:auth): authentication
    failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.174.51.194 
    user=root
    Jul 16 09:01:19 joe sshd[10227]: Failed password for root from
    61.174.51.194 port 40562 ssh2
    Jul 16 09:01:22 joe sshd[10234]: Failed password for root from
    61.174.51.194 port 41984 ssh2
    Jul 16 09:01:22 joe sshd[10227]: Failed password for root from
    61.174.51.194 port 40562 ssh2
    Jul 16 09:01:24 joe sshd[10234]: Failed password for root from
    61.174.51.194 port 41984 ssh2
    Jul 16 09:01:24 joe sshd[10227]: Failed password for root from
    61.174.51.194 port 40562 ssh2
    Jul 16 09:01:27 joe sshd[10234]: Failed password for root from
    61.174.51.194 port 41984 ssh2
    Jul 16 09:01:27 joe sshd[10227]: Failed password for root from
    61.174.51.194 port 40562 ssh2
    Jul 16 09:01:27 joe sshd[10227]: PAM 5 more authentication failures;
    logname= uid=0 euid=0 tty=ssh ruser= rhost=61.174.51.194  user=root
    Jul 16 09:01:29 joe sshd[10234]: Failed password for root from
    61.174.51.194 port 41984 ssh2
    Jul 16 09:01:32 joe sshd[10234]: Failed password for root from
    61.174.51.194 port 41984 ssh2
    Jul 16 09:01:34 joe sshd[10246]: reverse mapping checking
    getaddrinfo for 194.51.174.61.dial.wz.zj.dynamic.163data.com.cn
    [61.174.51.194] failed - POSSIBLE BREAK-IN ATTEMPT!
    Jul 16 09:01:34 joe sshd[10246]: pam_unix(sshd:auth): authentication
    failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.174.51.194 
    user=root
    Jul 16 09:01:35 joe sshd[10234]: Failed password for root from
    61.174.51.194 port 41984 ssh2
    Jul 16 09:01:35 joe sshd[10234]: PAM 5 more authentication failures;
    logname= uid=0 euid=0 tty=ssh ruser= rhost=61.174.51.194  user=root
    Jul 16 09:01:36 joe sshd[10246]: Failed password for root from
    61.174.51.194 port 45039 ssh2
    Jul 16 09:01:39 joe sshd[10252]: reverse mapping checking
    getaddrinfo for 194.51.174.61.dial.wz.zj.dynamic.163data.com.cn
    [61.174.51.194] failed - POSSIBLE BREAK-IN ATTEMPT!
    Jul 16 09:01:39 joe sshd[10246]: Failed password for root from
    61.174.51.194 port 45039 ssh2
    Jul 16 09:01:41 joe sshd[10246]: Failed password for root from
    61.174.51.194 port 45039 ssh2
    Jul 16 09:01:43 joe sshd[10252]: pam_unix(sshd:auth): authentication
    failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.174.51.194 
    user=root
    Jul 16 09:01:44 joe sshd[10246]: Failed password for root from
    61.174.51.194 port 45039 ssh2
    Jul 16 09:01:45 joe sshd[10252]: Failed password for root from
    61.174.51.194 port 46605 ssh2
    Jul 16 09:01:48 joe sshd[10246]: Failed password for root from
    61.174.51.194 port 45039 ssh2
    Jul 16 09:01:48 joe sshd[10252]: Failed password for root from
    61.174.51.194 port 46605 ssh2
    Jul 16 09:01:50 joe sshd[10246]: Failed password for root from
    61.174.51.194 port 45039 ssh2
    Jul 16 09:01:50 joe sshd[10246]: PAM 5 more authentication failures;
    logname= uid=0 euid=0 tty=ssh ruser= rhost=61.174.51.194  user=root
    Jul 16 09:01:52 joe sshd[10252]: Failed password for root from
    61.174.51.194 port 46605 ssh2
    Jul 16 09:01:54 joe sshd[10252]: Failed password for root from
    61.174.51.194 port 46605 ssh2
    Jul 16 09:01:54 joe sshd[10266]: reverse mapping checking
    getaddrinfo for 194.51.174.61.dial.wz.zj.dynamic.163data.com.cn
    [61.174.51.194] failed - POSSIBLE BREAK-IN ATTEMPT!
    Jul 16 09:01:55 joe sshd[10266]: pam_unix(sshd:auth): authentication
    failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.174.51.194 
    user=root
    Jul 16 09:01:57 joe sshd[10252]: Failed password for root from
    61.174.51.194 port 46605 ssh2
    Jul 16 09:01:57 joe sshd[10266]: Failed password for root from
    61.174.51.194 port 49978 ssh2
    Jul 16 09:01:59 joe sshd[10252]: Failed password for root from
    61.174.51.194 port 46605 ssh2
    Jul 16 09:01:59 joe sshd[10252]: PAM 5 more authentication failures;
    logname= uid=0 euid=0 tty=ssh ruser= rhost=61.174.51.194  user=root
    Jul 16 09:02:00 joe sshd[10266]: Failed password for root from
    61.174.51.194 port 49978 ssh2
    Jul 16 09:02:03 joe sshd[10266]: Failed password for root from
    61.174.51.194 port 49978 ssh2
    Jul 16 09:02:03 joe sshd[10275]: reverse mapping checking
    getaddrinfo for 194.51.174.61.dial.wz.zj.dynamic.163data.com.cn
    [61.174.51.194] failed - POSSIBLE BREAK-IN ATTEMPT!
    Jul 16 09:02:04 joe sshd[10275]: pam_unix(sshd:auth): authentication
    failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.174.51.194 
    user=root
    Jul 16 09:02:05 joe sshd[10266]: Failed password for root from
    61.174.51.194 port 49978 ssh2
    Jul 16 09:02:06 joe sshd[10275]: Failed password for root from
    61.174.51.194 port 51942 ssh2
    Jul 16 09:02:08 joe sshd[10275]: Failed password for root from
    61.174.51.194 port 51942 ssh2
    Jul 16 09:02:11 joe sshd[10275]: Failed password for root from
    61.174.51.194 port 51942 ssh2
    Jul 16 09:02:13 joe sshd[10266]: Failed password for root from
    61.174.51.194 port 49978 ssh2
    Jul 16 09:02:15 joe sshd[10275]: Failed password for root from
    61.174.51.194 port 51942 ssh2
    Jul 16 09:02:16 joe sshd[10266]: Failed password for root from
    61.174.51.194 port 49978 ssh2
    Jul 16 09:02:16 joe sshd[10266]: PAM 5 more authentication failures;
    logname= uid=0 euid=0 tty=ssh ruser= rhost=61.174.51.194  user=root
    Jul 16 09:02:18 joe sshd[10275]: Failed password for root from
    61.174.51.194 port 51942 ssh2
    Jul 16 09:02:21 joe sshd[10275]: Failed password for root from
    61.174.51.194 port 51942 ssh2
    Jul 16 09:02:21 joe sshd[10275]: PAM 5 more authentication failures;
    logname= uid=0 euid=0 tty=ssh ruser= rhost=61.174.51.194  user=root
    Jul 16 09:02:23 joe sshd[10504]: reverse mapping checking
    getaddrinfo for 194.51.174.61.dial.wz.zj.dynamic.163data.com.cn
    [61.174.51.194] failed - POSSIBLE BREAK-IN ATTEMPT!
    Jul 16 09:02:23 joe sshd[10504]: pam_unix(sshd:auth): authentication
    failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.174.51.194 
    user=root
    Jul 16 09:02:25 joe sshd[10504]: Failed password for root from
    61.174.51.194 port 55562 ssh2
    Jul 16 09:02:27 joe sshd[10504]: Failed password for root from
    61.174.51.194 port 55562 ssh2
    Jul 16 09:02:28 joe sshd[10509]: reverse mapping checking
    getaddrinfo for 194.51.174.61.dial.wz.zj.dynamic.163data.com.cn
    [61.174.51.194] failed - POSSIBLE BREAK-IN ATTEMPT!
    Jul 16 09:02:28 joe sshd[10509]: pam_unix(sshd:auth): authentication
    failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.174.51.194 
    user=root
    Jul 16 09:02:30 joe sshd[10504]: Failed password for root from
    61.174.51.194 port 55562 ssh2
    Jul 16 09:02:31 joe sshd[10509]: Failed password for root from
    61.174.51.194 port 56553 ssh2
    Jul 16 09:02:33 joe sshd[10504]: Failed password for root from
    61.174.51.194 port 55562 ssh2
    Jul 16 09:02:33 joe sshd[10509]: Failed password for root from
    61.174.51.194 port 56553 ssh2
    Jul 16 09:02:35 joe sshd[10504]: Failed password for root from
    61.174.51.194 port 55562 ssh2
    Jul 16 09:02:36 joe sshd[10509]: Failed password for root from
    61.174.51.194 port 56553 ssh2
    Jul 16 09:02:39 joe sshd[10509]: Failed password for root from
    61.174.51.194 port 56553 ssh2
    Jul 16 09:02:39 joe sshd[10504]: Failed password for root from
    61.174.51.194 port 55562 ssh2
    Jul 16 09:02:39 joe sshd[10504]: PAM 5 more authentication failures;
    logname= uid=0 euid=0 tty=ssh ruser= rhost=61.174.51.194  user=root
    Jul 16 09:02:41 joe sshd[10509]: Failed password for root from
    61.174.51.194 port 56553 ssh2
    Jul 16 09:02:43 joe sshd[10509]: Failed password for root from
    61.174.51.194 port 56553 ssh2
    Jul 16 09:02:43 joe sshd[10509]: PAM 5 more authentication failures;
    logname= uid=0 euid=0 tty=ssh ruser= rhost=61.174.51.194  user=root
    Jul 16 09:02:43 joe sshd[10525]: reverse mapping checking
    getaddrinfo for 194.51.174.61.dial.wz.zj.dynamic.163data.com.cn
    [61.174.51.194] failed - POSSIBLE BREAK-IN ATTEMPT!
    Jul 16 09:02:44 joe sshd[10525]: pam_unix(sshd:auth): authentication
    failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.174.51.194 
    user=root
    Jul 16 09:02:46 joe sshd[10525]: Failed password for root from
    61.174.51.194 port 2338 ssh2
    Jul 16 09:02:47 joe sshd[10529]: reverse mapping checking
    getaddrinfo for 194.51.174.61.dial.wz.zj.dynamic.163data.com.cn
    [61.174.51.194] failed - POSSIBLE BREAK-IN ATTEMPT!
    Jul 16 09:02:48 joe sshd[10529]: pam_unix(sshd:auth): authentication
    failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.174.51.194 
    user=root
    Jul 16 09:02:49 joe sshd[10525]: Failed password for root from
    61.174.51.194 port 2338 ssh2
    Jul 16 09:02:50 joe sshd[10529]: Failed password for root from
    61.174.51.194 port 3233 ssh2
    Jul 16 09:02:51 joe sshd[10525]: Failed password for root from
    61.174.51.194 port 2338 ssh2
    Jul 16 09:02:53 joe sshd[10529]: Failed password for root from
    61.174.51.194 port 3233 ssh2
    Jul 16 09:02:54 joe sshd[10525]: Failed password for root from
    61.174.51.194 port 2338 ssh2
    Jul 16 09:02:55 joe sshd[10529]: Failed password for root from
    61.174.51.194 port 3233 ssh2
    Jul 16 09:02:57 joe sshd[10525]: Failed password for root from
    61.174.51.194 port 2338 ssh2
    Jul 16 09:02:58 joe sshd[10529]: Failed password for root from
    61.174.51.194 port 3233 ssh2
    Jul 16 09:02:59 joe sshd[10525]: Failed password for root from
    61.174.51.194 port 2338 ssh2
    Jul 16 09:02:59 joe sshd[10525]: PAM 5 more authentication failures;
    logname= uid=0 euid=0 tty=ssh ruser= rhost=61.174.51.194  user=root
    Jul 16 09:03:00 joe sshd[10529]: Failed password for root from
    61.174.51.194 port 3233 ssh2
    Jul 16 09:03:03 joe sshd[10529]: Failed password for root from
    61.174.51.194 port 3233 ssh2
    Jul 16 09:03:03 joe sshd[10529]: PAM 5 more authentication failures;
    logname= uid=0 euid=0 tty=ssh ruser= rhost=61.174.51.194  user=root
    Jul 16 09:03:05 joe sshd[10545]: reverse mapping checking
    getaddrinfo for 194.51.174.61.dial.wz.zj.dynamic.163data.com.cn
    [61.174.51.194] failed - POSSIBLE BREAK-IN ATTEMPT!
    Jul 16 09:03:06 joe sshd[10545]: pam_unix(sshd:auth): authentication
    failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.174.51.194 
    user=root
    Jul 16 09:03:08 joe sshd[10550]: reverse mapping checking
    getaddrinfo for 194.51.174.61.dial.wz.zj.dynamic.163data.com.cn
    [61.174.51.194] failed - POSSIBLE BREAK-IN ATTEMPT!
    Jul 16 09:03:09 joe sshd[10545]: Failed password for root from
    61.174.51.194 port 6642 ssh2
    Jul 16 09:03:09 joe sshd[10550]: pam_unix(sshd:auth): authentication
    failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.174.51.194 
    user=root
    Jul 16 09:03:11 joe sshd[10550]: Failed password for root from
    61.174.51.194 port 7538 ssh2
    Jul 16 09:03:11 joe sshd[10545]: Failed password for root from
    61.174.51.194 port 6642 ssh2
    Jul 16 09:03:11 joe sshd[10545]: PAM 1 more authentication failure;
    logname= uid=0 euid=0 tty=ssh ruser= rhost=61.174.51.194 user=root

My ipset ellipsized is:

    Name: blacklist_ipv4_permanent
    Type: hash:ip
    Revision: 2
    Header: family inet hashsize 4096 maxelem 65536
    Size in memory: 126760
    References: 1
    Members:
    200.74.162.237
    96.237.146.189
    190.21.141.207
    201.116.227.194
    ...
    77.234.3.95
    218.63.121.5
    203.184.192.216
    70.115.3.109
    74.55.63.194
    221.5.86.42
    122.25.33.18
    190.95.242.142
    85.250.14.160

    Name: blacklist_ipv4_semipermanent
    Type: hash:ip
    Revision: 2
    Header: family inet hashsize 4096 maxelem 65536
    Size in memory: 67304
    References: 1
    Members:
    123.30.182.178
    50.195.85.69
    116.10.191.213
    61.174.51.200
    79.191.202.21
    61.174.51.211
    46.130.133.139
    ...
    116.10.191.174
    23.81.27.114
    61.174.51.230
    61.174.51.233
    188.165.212.171
    103.9.91.6

    Name: blacklist_ipv4_current
    Type: hash:ip
    Revision: 2
    Header: family inet hashsize 4096 maxelem 65536
    Size in memory: 66152
    References: 1
    Members:
    61.174.51.213
    85.25.242.234
    85.25.150.52
    61.233.233.124
    211.234.100.203
    221.179.191.36
    85.25.139.52
    221.179.89.90
    61.233.76.135
    116.10.191.208
    61.174.51.194
    61.174.51.197
    94.156.77.46
    85.25.129.28
    37.157.187.125
    116.10.191.203
    85.25.176.135
    54.237.87.185
    85.25.176.103
    61.234.146.22
    198.211.30.115
    200.30.85.115
    59.63.167.174
    61.19.247.71
    85.25.139.28
    183.129.228.45
    116.10.191.195
    85.25.99.108
    216.146.33.22
    85.25.144.37
    216.146.33.50

    Name: blacklist_ipv6_permanent
    Type: hash:ip
    Revision: 2
    Header: family inet hashsize 4096 maxelem 65536
    Size in memory: 65656
    References: 1
    Members:

    Name: blacklist_ipv6_semipermanent
    Type: hash:ip
    Revision: 2
    Header: family inet hashsize 4096 maxelem 65536
    Size in memory: 65656
    References: 1
    Members:

    Name: blacklist_ipv6_current
    Type: hash:ip
    Revision: 2
    Header: family inet hashsize 4096 maxelem 65536
    Size in memory: 65656
    References: 1
    Members:

    Name: blacklist
    Type: list:set
    Revision: 2
    Header: size 8
    Size in memory: 112
    References: 0
    Members:
    blacklist_ipv4_permanent
    blacklist_ipv4_semipermanent
    blacklist_ipv4_current
    blacklist_ipv6_permanent
    blacklist_ipv6_semipermanent
    blacklist_ipv6_current

There are a total of 8616 IPs in blacklist_ipv4_permanent, 
blacklist_ipv4_semipermanent, and blacklist_ipv4_current. No addresses 
in any ipv6 set yet.

My /etc/firewalld/direct.xml file is a symbolic link to 
../../root/ipFilter/lib/direct.xml and the selinux context is:

    # l -Z direct.xml ../../root/ipFilter/lib/direct.xml
    lrwxrwxrwx. root root unconfined_u:object_r:firewalld_etc_rw_t:s0
    direct.xml -> ../../root/ipFilter/lib/direct.xml
    -rw-r-----. root root unconfined_u:object_r:firewalld_etc_rw_t:s0
    ../../root/ipFilter/lib/direct.xml

The /etc/firewalld/direct.xml is:

    # /etc/firewalld/direct.xml:
    <direct>
       <!-- IPset Blacklisting -->
       <chain ipv="ipv4" table="raw"
chain="PREROUTING_blacklist"/>
       <passthrough ipv="ipv4">-t raw -A PREROUTING_blacklist -m limit
    --limit 3/min -j LOG --log-prefix BLACKLIST_DROP: --log-level
    6</passthrough>
       <passthrough ipv="ipv4">-t raw -A PREROUTING_blacklist -j
    DROP</passthrough>
       <passthrough ipv="ipv4">-t raw -A PREROUTING -m set --match-set
    blacklist src -j PREROUTING_blacklist</passthrough>
       <chain ipv="ipv6" table="raw"
chain="PREROUTING_blacklist"/>
       <passthrough ipv="ipv6">-t raw -A PREROUTING_blacklist -m limit
    --limit 3/min -j LOG --log-prefix BLACKLIST_DROP: --log-level
    6</passthrough>
       <passthrough ipv="ipv6">-t raw -A PREROUTING_blacklist -j
    DROP</passthrough>
       <passthrough ipv="ipv6">-t raw -A PREROUTING -m set --match-set
    blacklist src -j PREROUTING_blacklist</passthrough>
    </direct>

When I open firewall-config, there is nothing under the Direct tab.

I am using firewalld-0.3.10-1.fc20.noarch.

I sure would appreciate some guidance to what may be wrong.

John

On 01/25/2014 08:27 AM, Anthony Messina wrote:
...
 On Saturday, January 25, 2014 07:42:48 AM John Griffiths wrote:
> I may be entirely wrong in my observation, so please correct me where I
> am wrong.
>
> I observe that firewalld is very flexible and powerful and will add and
> delete IPs without having to restart. Zones may be switched on the fly.
> The code is changing at a rapid pace. And, what seems to be a big one to
> me, there are more than one way to do something.
>
> Having more than one way to configure essentially the same operation
> seems to me would add to the code complexity. Complexity often leads to
> code maintenance issues. Not saying there are any. Complexity leads to
> user confusion such as I am having now. Rapidly developing code causes
> documentation lag; one reason this list is so valuable.
>
> I am a developer professionally. If I am having issues understanding,
> then how about someone who is strictly a user? Maybe no one else has the
> issue of over 8000 IPs being dropped at the firewall, but I certainly do
> and I am finding it hard to address with my understanding of firewalld.
>
> Thanks to the developers for the hard work. Hope someone with first hand
> knowledge of the development can set me straight.

 John, I'm not sure if this may be of help to you, but I was also trying to get
 firewalld to work nicely with ipset for the use of blacklisting.  Here are
 some examples that I use.  (Lines are likely wrapped):

 # /etc/firewalld/direct.xml:
 <direct>
    <!-- IPset Blacklisting -->
    <chain ipv="ipv4" table="raw"
chain="PREROUTING_blacklist"/>
    <passthrough ipv="ipv4">-t raw -A PREROUTING_blacklist -m limit
--limit
 3/min -j LOG --log-prefix BLACKLIST_DROP: --log-level 6</passthrough>
    <passthrough ipv="ipv4">-t raw -A PREROUTING_blacklist -j
DROP</passthrough>
    <passthrough ipv="ipv4">-t raw -A PREROUTING -m set --match-set
blacklist
 src -j PREROUTING_blacklist</passthrough>
    <chain ipv="ipv6" table="raw"
chain="PREROUTING_blacklist"/>
    <passthrough ipv="ipv6">-t raw -A PREROUTING_blacklist -m limit
--limit
 3/min -j LOG --log-prefix BLACKLIST_DROP: --log-level 6</passthrough>
    <passthrough ipv="ipv6">-t raw -A PREROUTING_blacklist -j
DROP</passthrough>
    <passthrough ipv="ipv6">-t raw -A PREROUTING -m set --match-set
blacklist
 src -j PREROUTING_blacklist</passthrough>
 </direct>

 The thing to remember with the above configuration is that you must add the
 dependent chains first--PREROUTING cannot refer to PREROUTING_blacklist if
 PREROUTING_blacklist doesn't yet exist.

 I have also created a systemd ipset.service file that will reload previously
 saved ipset rules on boot and save them on shutdown:

 #/etc/systemd/system/ipset.service
 [Unit]
 Description=ipset - IP set restore & save
 Documentation=man:ipset(8)
 Before=network.target firewalld.service iptables.service ip6tables.service
 ConditionFileNotEmpty=/etc/sysconfig/ipset.save

 [Service]
 Type=oneshot
 ExecStart=/usr/sbin/ipset -exist -file /etc/sysconfig/ipset.save restore
 ExecStop=/usr/sbin/ipset -file /etc/sysconfig/ipset.save save
 RemainAfterExit=yes
 StandardOutput=journal+console
 UMask=0177

 [Install]
 WantedBy=basic.target

 The way I did this was to create a minimal ipset configuration and execute
 '/usr/sbin/ipset -file /etc/sysconfig/ipset.save save' -- so the rules are
 stored in /etc/sysconfig/ipset.save prior to enabling ipset.service

 My initial ipset.save without any ip addresses added looks like:

 create blacklist_ipv6 hash:net family inet6 hashsize 1024 maxelem 65536
 create blacklist_ipv4 hash:net family inet hashsize 1024 maxelem 65536
 create blacklist list:set size 8
 add blacklist blacklist_ipv4
 add blacklist blacklist_ipv6

 Then do 'systemctl enable ipset && systemctl start ipset'

 Together, the additions to the direct.xml configuration and the ipset.service
 have allowed me to add or remove ip addresses from the blacklist without the
 worry of what happens upon restart, etc.

 -A

 _______________________________________________
 firewalld-users mailing list
 firewalld-users(a)lists.fedorahosted.org
 https://lists.fedorahosted.org/mailman/listinfo/firewalld-users 

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Re: firewalld general observations