On Saturday, January 25, 2014 07:42:48 AM John Griffiths wrote:
I may be entirely wrong in my observation, so please correct me where I am wrong.
I observe that firewalld is very flexible and powerful and will add and delete IPs without having to restart. Zones may be switched on the fly. The code is changing at a rapid pace. And, what seems to be a big one to me, there are more than one way to do something.
Having more than one way to configure essentially the same operation seems to me would add to the code complexity. Complexity often leads to code maintenance issues. Not saying there are any. Complexity leads to user confusion such as I am having now. Rapidly developing code causes documentation lag; one reason this list is so valuable.
I am a developer professionally. If I am having issues understanding, then how about someone who is strictly a user? Maybe no one else has the issue of over 8000 IPs being dropped at the firewall, but I certainly do and I am finding it hard to address with my understanding of firewalld.
Thanks to the developers for the hard work. Hope someone with first hand knowledge of the development can set me straight.
John, I'm not sure if this may be of help to you, but I was also trying to get firewalld to work nicely with ipset for the use of blacklisting. Here are some examples that I use. (Lines are likely wrapped):
# /etc/firewalld/direct.xml:
<direct>
  <!-- IPset Blacklisting -->
  <chain ipv="ipv4" table="raw" chain="PREROUTING_blacklist"/>
  <passthrough ipv="ipv4">-t raw -A PREROUTING_blacklist -m limit --limit 3/min -j LOG --log-prefix BLACKLIST_DROP: --log-level 6</passthrough>
  <passthrough ipv="ipv4">-t raw -A PREROUTING_blacklist -j DROP</passthrough>
  <passthrough ipv="ipv4">-t raw -A PREROUTING -m set --match-set blacklist src -j PREROUTING_blacklist</passthrough>
  <chain ipv="ipv6" table="raw" chain="PREROUTING_blacklist"/>
  <passthrough ipv="ipv6">-t raw -A PREROUTING_blacklist -m limit --limit 3/min -j LOG --log-prefix BLACKLIST_DROP: --log-level 6</passthrough>
  <passthrough ipv="ipv6">-t raw -A PREROUTING_blacklist -j DROP</passthrough>
  <passthrough ipv="ipv6">-t raw -A PREROUTING -m set --match-set blacklist src -j PREROUTING_blacklist</passthrough>
</direct>
The thing to remember with the above configuration is that you must add the dependent chains first--PREROUTING cannot refer to PREROUTING_blacklist if PREROUTING_blacklist doesn't yet exist.
I have also created a systemd ipset.service file that will reload previously saved ipset rules on boot and save them on shutdown:
#/etc/systemd/system/ipset.service
[Unit]
Description=ipset - IP set restore & save
Documentation=man:ipset(8)
Before=network.target firewalld.service iptables.service ip6tables.service
ConditionFileNotEmpty=/etc/sysconfig/ipset.save

[Service]
Type=oneshot
ExecStart=/usr/sbin/ipset -exist -file /etc/sysconfig/ipset.save restore
ExecStop=/usr/sbin/ipset -file /etc/sysconfig/ipset.save save
RemainAfterExit=yes
StandardOutput=journal+console
UMask=0177

[Install]
WantedBy=basic.target
The way I did this was to create a minimal ipset configuration and execute '/usr/sbin/ipset -file /etc/sysconfig/ipset.save save' -- so the rules are stored in /etc/sysconfig/ipset.save prior to enabling ipset.service.
My initial ipset.save without any ip addresses added looks like:
create blacklist_ipv6 hash:net family inet6 hashsize 1024 maxelem 65536
create blacklist_ipv4 hash:net family inet hashsize 1024 maxelem 65536
create blacklist list:set size 8
add blacklist blacklist_ipv4
add blacklist blacklist_ipv6
Then do 'systemctl enable ipset && systemctl start ipset'.
Together, the additions to the direct.xml configuration and the ipset.service have allowed me to add or remove ip addresses from the blacklist without the worry of what happens upon restart, etc.
-A
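As an added example that is not from either poster, here is a small Python check for the ordering rule stated in the reply: it walks a direct.xml in file order and flags any passthrough rule that appends to (-A/-I) or jumps to (-j) a user chain before the matching <chain> element has appeared. The sets of built-in chain names and standard target names are the checker's own assumptions, and the two samples are constructed from the ipv4 half of the direct.xml quoted above.

```python
import xml.etree.ElementTree as ET

# Built-in netfilter chains and standard targets never need a <chain> element.
BUILTIN_CHAINS = {"PREROUTING", "INPUT", "FORWARD", "OUTPUT", "POSTROUTING"}
STANDARD_TARGETS = {"ACCEPT", "DROP", "REJECT", "LOG", "RETURN", "MARK", "MASQUERADE"}

def check_direct_xml(xml_text):
    """Walk <direct> children in file order and report every passthrough rule that
    appends to (-A/-I) or jumps to (-j) a user-defined chain before the matching
    <chain ipv=... table=... chain=.../> element has appeared."""
    root = ET.fromstring(xml_text)
    declared = set()  # (ipv, table, chain) tuples seen so far
    problems = []
    for elem in root:
        ipv = elem.get("ipv")
        if elem.tag == "chain":
            declared.add((ipv, elem.get("table"), elem.get("chain")))
        elif elem.tag == "passthrough":
            args = (elem.text or "").split()
            table = args[args.index("-t") + 1] if "-t" in args else "filter"
            for i, tok in enumerate(args[:-1]):
                if tok not in ("-A", "-I", "-j"):
                    continue
                name = args[i + 1]
                if name in BUILTIN_CHAINS or name in STANDARD_TARGETS:
                    continue
                if (ipv, table, name) not in declared:
                    problems.append(f"{ipv}/{table}: rule '{' '.join(args)}' "
                                    f"uses chain {name} before it is declared")
    return problems

# Constructed sample: the ipv4 half of the reply's direct.xml, chain element first.
SAMPLE_OK = """<direct>
  <chain ipv="ipv4" table="raw" chain="PREROUTING_blacklist"/>
  <passthrough ipv="ipv4">-t raw -A PREROUTING_blacklist -m limit --limit 3/min -j LOG --log-prefix BLACKLIST_DROP: --log-level 6</passthrough>
  <passthrough ipv="ipv4">-t raw -A PREROUTING_blacklist -j DROP</passthrough>
  <passthrough ipv="ipv4">-t raw -A PREROUTING -m set --match-set blacklist src -j PREROUTING_blacklist</passthrough>
</direct>"""

# Constructed sample with the rules placed before the <chain> element.
SAMPLE_BAD = """<direct>
  <passthrough ipv="ipv4">-t raw -A PREROUTING -m set --match-set blacklist src -j PREROUTING_blacklist</passthrough>
  <passthrough ipv="ipv4">-t raw -A PREROUTING_blacklist -j DROP</passthrough>
  <chain ipv="ipv4" table="raw" chain="PREROUTING_blacklist"/>
</direct>"""

if __name__ == "__main__":
    for label, sample in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        print(label, check_direct_xml(sample) or "no problems")
```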