Hi,
What's the purpose of the *INPUT_direct* custom-chain in the filter/INPUT chain? Is this the recommended chain to use when inserting custom rules via the --direct option? Is it sort of like, to keep things organized?
Thanks, Jorge
On 01/22/2014 03:16 AM, Jorge Fábregas wrote:
What's the purpose of the *INPUT_direct* custom-chain in the filter/INPUT chain? Is this the recommended chain to use when inserting custom rules via the --direct option? Is it sort of like, to keep things organized?
Only the almighty creator ;) of the 'direct' stuff, i.e. Thomas can answer this properly, but yes, I think that's the use-case.
-- Jiri
On 01/22/2014 09:28 AM, Jiri Popelka wrote:
On 01/22/2014 03:16 AM, Jorge Fábregas wrote:
What's the purpose of the *INPUT_direct* custom-chain in the filter/INPUT chain? Is this the recommended chain to use when inserting custom rules via the --direct option? Is it sort of like, to keep things organized?
Only the almighty creator ;) of the 'direct' stuff, i.e. Thomas can answer this properly, but yes, I think that's the use-case.
Yes, the _direct chains are used for direct rules, that are added to netfilter built-in chains. You can also create own chains and use them as a target in a _direct rule...
-- Jiri
_______________________________________________
firewalld-users mailing list
firewalld-users@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/firewalld-users
Regards, Thomas
On 01/22/2014 11:45 AM, Thomas Woerner wrote:
Yes, the _direct chains are used for direct rules, that are added to netfilter built-in chains. You can also create own chains and use them as a target in a _direct rule...
Thank you guys. I guess then that libvirt should use it since, as soon as you start libvirt, you see all these rules thrown in for the INPUT built-in, as opposed to using INPUT_direct (they're using the direct interface).
Cheers! Jorge
On 22.01.2014 19:26, Jorge Fábregas wrote:
On 01/22/2014 11:45 AM, Thomas Woerner wrote:
Yes, the _direct chains are used for direct rules, that are added to netfilter built-in chains. You can also create own chains and use them as a target in a _direct rule...
Thank you guys. I guess then that libvirt should use it since, as soon as you start libvirt, you see all these rules thrown in for the INPUT built-in, as opposed to using INPUT_direct (they're using the direct interface).
Say whaaat? :) https://fedoraproject.org/wiki/FirewallD#The_Daemon "With the so called direct interface other services (like for example libvirt) are able to add own rules using iptables arguments and parameters."
poma
On 01/22/2014 03:19 PM, poma wrote:
Say whaaat? :) https://fedoraproject.org/wiki/FirewallD#The_Daemon "With the so called direct interface other services (like for example libvirt) are able to add own rules using iptables arguments and parameters."
Hi poma,
Yes, I know they use the direct interface. What I meant was (now that I know the purpose of the _direct chains), that they should place their rules in the INPUT_direct & FORWARD_direct chains instead of throwing them directly in the built-in chains. Better yet, use custom chains like INPUT_libvirt, FORWARD_libvirt, etc. You see, there's an elegance in how firewalld creates & uses the different custom-chains. Let's keep it organized & manageable I think.
BTW, I know I'm not supposed to be looking under the hood (using iptables -L) while using firewalld, but hey, I'm curious :)
On 01/23/2014 01:05 AM, Jorge Fábregas wrote:
On 01/22/2014 03:19 PM, poma wrote:
Say whaaat? :) https://fedoraproject.org/wiki/FirewallD#The_Daemon "With the so called direct interface other services (like for example libvirt) are able to add own rules using iptables arguments and parameters."
Hi poma,
Yes, I know they use the direct interface. What I meant was (now that I know the purpose of the _direct chains), that they should place their rules in the INPUT_direct & FORWARD_direct chains instead of throwing them directly in the built-in chains. Better yet, use custom chains like INPUT_libvirt, FORWARD_libvirt, etc.
libvirt has been using iptables rules since long before the INPUT_direct or FORWARD_direct chains existed (or the idea of firewalld had even occurred) and there is a certain amount of momentum in code that continues to work. (actually, libvirt was one of the projects that lamented early on about the free-for-all in netfilter rule management, and the need for a central authority, which eventually led to firewalld).
I agree that it would be a nice thing to do, though. And actually there is a bug that has been open since, well, forever on libvirt that could likely be fixed by putting libvirt's rules into not one custom chain, but multiple custom chains.
One difficulty is that each time libvirtd is started, it deletes all of its iptables rules and re-inserts them; it does this by using its network config to reconstruct the rules that it thinks are already in the kernel and making iptables commands (or firewalld commands) to delete those rules. Once the change is made to put the rules in custom chains, a newly started libvirtd won't know if the previous run was an older version that put the rules on the built-in chains, or a newer version that put the rules in custom chains; I suppose that could be overcome either with a release note, or by attempting to delete rules in both locations, at least for several releases.
You see, there's an elegance in how firewalld creates & uses the different custom-chains. Let's keep it organized & manageable I think.
On 01/23/2014 12:05 AM, Jorge Fábregas wrote:
On 01/22/2014 03:19 PM, poma wrote:
Say whaaat? :) https://fedoraproject.org/wiki/FirewallD#The_Daemon "With the so called direct interface other services (like for example libvirt) are able to add own rules using iptables arguments and parameters."
Hi poma,
Yes, I know they use the direct interface. What I meant was (now that I know the purpose of the _direct chains), that they should place their rules in the INPUT_direct & FORWARD_direct chains instead of throwing them directly in the built-in chains. Better yet, use custom chains like INPUT_libvirt, FORWARD_libvirt, etc. You see, there's an elegance in how firewalld creates & uses the different custom-chains. Let's keep it organized & manageable I think.
libvirt is using passthrough rules at the moment. These are not added to the _direct chains.
But yes, it would be good to have special chains for libvirt to be able to have some separation and to be able to identify easily where it comes from.
BTW, I know I'm not supposed to be looking under the hood (using iptables -L) while using firewalld, but hey, I'm curious :)
You can look at the rule set, sure. The use of "iptables -L" is safe and you can use it without problems. But adding, editing or removing rules is not a good idea while firewalld is active.
BTW: I suggest to use the "iptables-save" command. It is showing rules for all tables and additionally in the iptables format. For IPv6 use "ip6tables-save".
/tw
Thank you Laine for your feedback. Glad to know you're also following this list :)
Regards, Jorge
On 01/23/2014 07:14 AM, Thomas Woerner wrote:
libvirt is using passthrough rules at the moment. These are not added to the _direct chains.
Ok.
But yes, it would be good to have special chains for libvirt to be able to have some separation and to be able to identify easily where it comes from.
Great :)
You can look at the rule set, sure. The use of "iptables -L" is safe and you can use it without problems. But adding, editing or removing rules is not a good idea while firewalld is active.
BTW: I suggest to use the "iptables-save" command. It is showing rules for all tables and additionally in the iptables format. For IPv6 use "ip6tables-save".
Thanks for the tip! That's definitely much better than doing "iptables -L" for each of the tables when I want to compare (diff) the before & after of firewalld changes.
Thanks for the help Thomas.
Regards, Jorge
In August of last year, I was told on the list to use ipsets to add ips to the drop list.
Seeing all the traffic on direct chain, should I be going this direction now?
Regards, John
On 01/24/2014 03:10 PM, John Griffiths wrote:
In August of last year, I was told on the list to use ipsets to add ips to the drop list.
Seeing all the traffic on direct chain, should I be going this direction now?
It is good to go in this direction for separation, but it is not a requirement.
I will be having a look at network address sets (ipset) support in firewalld again. I am also thinking about the possibility to support externally generated ipsets.
Regards, John
Regards, Thomas
As with all new packages, firewalld is somewhat of a moving target. iptables has been around and "comfortable" because of familiarity.
I, being somewhat long in the tooth, am a little resistant to change. :-D
Thanks for the work which must be tedious.
John
On 01/24/2014 09:24 AM, Thomas Woerner wrote:
On 01/24/2014 03:10 PM, John Griffiths wrote:
In August of last year, I was told on the list to use ipsets to add ips to the drop list.
Seeing all the traffic on direct chain, should I be going this direction now?
It is good to go in this direction for separation, but it is not a requirement.
I will be having a look at network address sets (ipset) support in firewalld again. I am also thinking about the possibility to support externally generated ipsets.
Regards, John
Regards, Thomas
Is there a HOWTO for using direct chain to add to the drop zone dynamically? Or am I on the wrong track?
I want to dynamically add IPs to the firewall to drop. I run a script that parses log files to find IPs that are abusing the system and drop them. Currently I am stuck on Fedora 16 on the active server because of familiarity with iptables. I really want to move to Fedora 20, but I need to adapt my script to use firewalld before I do.
I'll be glad to read the documentation, but a hand up and a point in the right direction would be appreciated.
Regards, John
On 01/24/2014 09:24 AM, Thomas Woerner wrote:
On 01/24/2014 03:10 PM, John Griffiths wrote:
In August of last year, I was told on the list to use ipsets to add ips to the drop list.
Seeing all the traffic on direct chain, should I be going this direction now?
It is good to go in this direction for separation, but it is not a requirement.
I will be having a look at network address sets (ipset) support in firewalld again. I am also thinking about the possibility to support externally generated ipsets.
Regards, John
Regards, Thomas
On 01/24/2014 03:50 PM, John Griffiths wrote:
Is there a HOWTO for using direct chain to add to the drop zone dynamically? Or am I on the wrong track?
Hi John,
I'm also learning firewalld so bear with me :)
As far as I understand, when you use the direct interface you don't think about zones. You may explicitly request for a rule to be inserted in one of the zones' subchains but I guess that's not the idea. For example, if I use the direct interface and specify that I want my rule to be placed in the INPUT chain, firewalld will place it under INPUT_direct (as expected). Then, no matter what zones are active (bound by interface or source) it will always traverse the INPUT_direct subchain and process my rule. That's why I think of them, the direct rules, as being outside the scope of the regular zones.
I want to dynamically add IPs to the firewall to drop.
This is easy. Once you have the ip just execute:
firewall-cmd --zone=drop --add-source=YOUR_IP
You may run it as many times as you want and it will keep adding that source ip (or network) to the drop zone. This is independent of the default zone for your interface. You can then confirm the "active zones" with:
firewall-cmd --get-active-zones
For me, binding a source to a zone (apart from binding an interface to it) is one of the BEST things of firewalld's rule-mgmt. I discovered this about a week ago while reading the man page for firewall-cmd (as there's no mention of this source-binding in the Wiki or RHEL7 Guides). Prior to this, I was using rich rules. I couldn't believe there was no way to specify a "source address" via the basic commands and found it overkill to use rich-rules just for that. I was hard-wired to think purely of the binding of interfaces to zones (like many people). I guess this source binding needs more promotion :)
My kudos to the development team for coming up with this great idea!
Regards, Jorge
On 01/24/2014 07:04 PM, Jorge Fábregas wrote:
On 01/24/2014 03:50 PM, John Griffiths wrote:
Is there a HOWTO for using direct chain to add to the drop zone dynamically? Or am I on the wrong track?
Hi John,
I'm also learning firewalld so bear with me :)
As far as I understand, when you use the direct interface you don't think about zones. You may explicitly request for a rule to be inserted in one of the zones' subchains but I guess that's not the idea. For example, if I use the direct interface and specify that I want my rule to be placed in the INPUT chain, firewalld will place it under INPUT_direct (as expected). Then, no matter what zones are active (bound by interface or source) it will always traverse the INPUT_direct subchain and process my rule. That's why I think of them, the direct rules, as being outside the scope of the regular zones.
I want to dynamically add IPs to the firewall to drop.
This is easy. Once you have the ip just execute:
firewall-cmd --zone=drop --add-source=YOUR_IP
You may run it as many times as you want and it will keep adding that source ip (or network) to the drop zone. This is independent of the default zone for your interface. You can then confirm the "active zones" with:
Hi Jorge,
I started with the command: firewall-cmd --zone=drop --add-source=YOUR_IP but there is a performance penalty paid in adding IPs that way. This is an excerpt from the original response to my question.
You can bind IP addresses to the drop zone. But with lots of IP addresses this will result in performance hit.
Therefore I would propose to use an ipset for this.
Create an ipset and add all ip addresses in it. Then add a permanent direct rule to the firewall to DROP these. The performance hit should be much lower (I have not tested it with that many entries, though).
I have over 8000 IPs that are currently dropped in iptables. Adding 8000+ IPs using that command takes a long time. That is why I was pointed to ipsets.
I gave up at the time since firewalld seemed to evolving rapidly and stuck with iptables. This is me coming back for another try.
So thanks for your reply, but I've been there and done that.
John
I may be entirely wrong in my observation, so please correct me where I am wrong.
I observe that firewalld is very flexible and powerful and will add and delete IPs without having to restart. Zones may be switched on the fly. The code is changing at a rapid pace. And, what seems to be a big one to me, there is more than one way to do something.
Having more than one way to configure essentially the same operation, it seems to me, would add to the code complexity. Complexity often leads to code maintenance issues. Not saying there are any. Complexity leads to user confusion such as I am having now. Rapidly developing code causes documentation lag; one reason this list is so valuable.
I am a developer professionally. If I am having issues understanding, then how about someone who is strictly a user? Maybe no one else has the issue of over 8000 IPs being dropped at the firewall, but I certainly do and I am finding it hard to address with my understanding of firewalld.
Thanks to the developers for the hard work. Hope someone with first hand knowledge of the development can set me straight.
Regards, John
On Saturday, January 25, 2014 07:42:48 AM John Griffiths wrote:
I may be entirely wrong in my observation, so please correct me where I am wrong.
I observe that firewalld is very flexible and powerful and will add and delete IPs without having to restart. Zones may be switched on the fly. The code is changing at a rapid pace. And, what seems to be a big one to me, there is more than one way to do something.
Having more than one way to configure essentially the same operation, it seems to me, would add to the code complexity. Complexity often leads to code maintenance issues. Not saying there are any. Complexity leads to user confusion such as I am having now. Rapidly developing code causes documentation lag; one reason this list is so valuable.
I am a developer professionally. If I am having issues understanding, then how about someone who is strictly a user? Maybe no one else has the issue of over 8000 IPs being dropped at the firewall, but I certainly do and I am finding it hard to address with my understanding of firewalld.
Thanks to the developers for the hard work. Hope someone with first hand knowledge of the development can set me straight.
John, I'm not sure if this may be of help to you, but I was also trying to get firewalld to work nicely with ipset for the use of blacklisting. Here are some examples that I use. (Lines are likely wrapped):
# /etc/firewalld/direct.xml:
<direct>
  <!-- IPset Blacklisting -->
  <chain ipv="ipv4" table="raw" chain="PREROUTING_blacklist"/>
  <passthrough ipv="ipv4">-t raw -A PREROUTING_blacklist -m limit --limit 3/min -j LOG --log-prefix BLACKLIST_DROP: --log-level 6</passthrough>
  <passthrough ipv="ipv4">-t raw -A PREROUTING_blacklist -j DROP</passthrough>
  <passthrough ipv="ipv4">-t raw -A PREROUTING -m set --match-set blacklist src -j PREROUTING_blacklist</passthrough>
  <chain ipv="ipv6" table="raw" chain="PREROUTING_blacklist"/>
  <passthrough ipv="ipv6">-t raw -A PREROUTING_blacklist -m limit --limit 3/min -j LOG --log-prefix BLACKLIST_DROP: --log-level 6</passthrough>
  <passthrough ipv="ipv6">-t raw -A PREROUTING_blacklist -j DROP</passthrough>
  <passthrough ipv="ipv6">-t raw -A PREROUTING -m set --match-set blacklist src -j PREROUTING_blacklist</passthrough>
</direct>
The thing to remember with the above configuration is that you must add the dependent chains first--PREROUTING cannot refer to PREROUTING_blacklist if PREROUTING_blacklist doesn't yet exist.
I have also created a systemd ipset.service file that will reload previously saved ipset rules on boot and save them on shutdown:
#/etc/systemd/system/ipset.service
[Unit]
Description=ipset - IP set restore & save
Documentation=man:ipset(8)
Before=network.target firewalld.service iptables.service ip6tables.service
ConditionFileNotEmpty=/etc/sysconfig/ipset.save

[Service]
Type=oneshot
ExecStart=/usr/sbin/ipset -exist -file /etc/sysconfig/ipset.save restore
ExecStop=/usr/sbin/ipset -file /etc/sysconfig/ipset.save save
RemainAfterExit=yes
StandardOutput=journal+console
UMask=0177

[Install]
WantedBy=basic.target
The way I did this was to create a minimal ipset configuration and execute '/usr/sbin/ipset -file /etc/sysconfig/ipset.save save' -- so the rules are stored in /etc/sysconfig/ipset.save prior to enabling ipset.service
My initial ipset.save without any ip addresses added looks like:
create blacklist_ipv6 hash:net family inet6 hashsize 1024 maxelem 65536
create blacklist_ipv4 hash:net family inet hashsize 1024 maxelem 65536
create blacklist list:set size 8
add blacklist blacklist_ipv4
add blacklist blacklist_ipv6
Then do 'systemctl enable ipset && systemctl start ipset'
Together, the additions to the direct.xml configuration and the ipset.service have allowed me to add or remove ip addresses from the blacklist without the worry of what happens upon restart, etc.
-A
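Added example (editor's, not Anthony's configuration or John's cron script, which is not posted): a log-to-ipset pipeline that fits the direct.xml and ipset.save above. It counts sshd "Failed password" lines per source address and prints "add <set> <address>" lines in the format that "ipset -exist restore" reads, so a cron job can feed the blacklist_ipv4 member set that Anthony's --match-set blacklist rule covers. The log lines, hostname, PIDs and addresses are constructed for the example; the set name blacklist_ipv4 is the one from Anthony's ipset.save.

```shell
#!/bin/sh
# Constructed sshd log sample (not from the list thread): one brute-forcer,
# one single failure, one legitimate key login, one PAM summary line.
SAMPLE_LOG='Jul 16 09:00:03 joe sshd[9778]: Failed password for root from 192.0.2.10 port 16973 ssh2
Jul 16 09:00:06 joe sshd[9778]: Failed password for root from 192.0.2.10 port 16973 ssh2
Jul 16 09:00:09 joe sshd[9778]: Failed password for root from 192.0.2.10 port 16973 ssh2
Jul 16 09:00:10 joe sshd[9800]: Failed password for invalid user admin from 198.51.100.7 port 23297 ssh2
Jul 16 09:00:12 joe sshd[9801]: Accepted publickey for alice from 203.0.113.5 port 50001 ssh2
Jul 16 09:00:16 joe sshd[9800]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.7 user=root'

# Count "Failed password" lines per source address from log text on stdin.
# Output: "<count> <address>" lines, highest count first, address as tiebreak.
failed_by_ip() {
    awk '/sshd\[[0-9]+]: Failed password for / {
             for (i = 1; i < NF; i++) if ($i == "from") n[$(i + 1)]++
         }
         END { for (ip in n) print n[ip], ip }' | sort -k1,1nr -k2,2
}

# Emit "add <set> <address>" restore lines for addresses with at least $2
# failures, destined for set $1. Pipe the output into: ipset -exist restore
ipset_add_lines() {
    failed_by_ip | awk -v set="$1" -v min="$2" '$1 >= min { print "add", set, $2 }'
}

# Same, but never emit addresses from the allow list in $3 (space separated),
# so a mistyped password from a management host cannot lock you out.
ipset_add_lines_except() {
    ipset_add_lines "$1" "$2" | awk -v skip="$3" '
        BEGIN { split(skip, s, " "); for (k in s) keep[s[k]] = 1 }
        !($3 in keep)'
}

# Demonstration on the constructed sample: only 192.0.2.10 reaches 3 failures.
printf '%s\n' "$SAMPLE_LOG" | ipset_add_lines_except blacklist_ipv4 3 '203.0.113.5'
```

On a live host the input would be the auth log (for example "grep sshd /var/log/secure | ipset_add_lines_except blacklist_ipv4 5 '203.0.113.5' | ipset -exist restore"); -exist matters because the next cron run will see the same offender again. Adding to blacklist_ipv4 rather than to a new set is deliberate: the rule in direct.xml matches on the list:set blacklist, and a list:set only matches addresses that are in one of its member sets.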
Thanks Anthony.
On 01/25/2014 08:27 AM, Anthony Messina wrote:
John, I'm not sure if this may be of help to you, but I was also trying to get firewalld to work nicely with ipset for the use of blacklisting. Here are some examples that I use. (Lines are likely wrapped):
# /etc/firewalld/direct.xml:
<direct>
  <!-- IPset Blacklisting -->
  <chain ipv="ipv4" table="raw" chain="PREROUTING_blacklist"/>
  <passthrough ipv="ipv4">-t raw -A PREROUTING_blacklist -m limit --limit 3/min -j LOG --log-prefix BLACKLIST_DROP: --log-level 6</passthrough>
  <passthrough ipv="ipv4">-t raw -A PREROUTING_blacklist -j DROP</passthrough>
  <passthrough ipv="ipv4">-t raw -A PREROUTING -m set --match-set blacklist src -j PREROUTING_blacklist</passthrough>
  <chain ipv="ipv6" table="raw" chain="PREROUTING_blacklist"/>
  <passthrough ipv="ipv6">-t raw -A PREROUTING_blacklist -m limit --limit 3/min -j LOG --log-prefix BLACKLIST_DROP: --log-level 6</passthrough>
  <passthrough ipv="ipv6">-t raw -A PREROUTING_blacklist -j DROP</passthrough>
  <passthrough ipv="ipv6">-t raw -A PREROUTING -m set --match-set blacklist src -j PREROUTING_blacklist</passthrough>
</direct>
The thing to remember with the above configuration is that you must add the dependent chains first--PREROUTING cannot refer to PREROUTING_blacklist if PREROUTING_blacklist doesn't yet exist.
I have also created a systemd ipset.service file that will reload previously saved ipset rules on boot and save them on shutdown:
#/etc/systemd/system/ipset.service
[Unit]
Description=ipset - IP set restore & save
Documentation=man:ipset(8)
Before=network.target firewalld.service iptables.service ip6tables.service
ConditionFileNotEmpty=/etc/sysconfig/ipset.save

[Service]
Type=oneshot
ExecStart=/usr/sbin/ipset -exist -file /etc/sysconfig/ipset.save restore
ExecStop=/usr/sbin/ipset -file /etc/sysconfig/ipset.save save
RemainAfterExit=yes
StandardOutput=journal+console
UMask=0177

[Install]
WantedBy=basic.target
The way I did this was to create a minimal ipset configuration and execute '/usr/sbin/ipset -file /etc/sysconfig/ipset.save save' -- so the rules are stored in /etc/sysconfig/ipset.save prior to enabling ipset.service
My initial ipset.save without any ip addresses added looks like:
create blacklist_ipv6 hash:net family inet6 hashsize 1024 maxelem 65536
create blacklist_ipv4 hash:net family inet hashsize 1024 maxelem 65536
create blacklist list:set size 8
add blacklist blacklist_ipv4
add blacklist blacklist_ipv6
Then do 'systemctl enable ipset && systemctl start ipset'
Together, the additions to the direct.xml configuration and the ipset.service have allowed me to add or remove ip addresses from the blacklist without the worry of what happens upon restart, etc.
-A
On 01/24/2014 08:50 PM, John Griffiths wrote:
Is there a HOWTO for using direct chain to add to the drop zone dynamically? Or am I on the wrong track?
We do not have support for direct chains/rules within zones right now. You can use the direct interface to add rules also to zones. It is not forbidden, but you have to take care that you are not damaging other rules by doing so.
I want to dynamically add IPs to the firewall to drop. I run a script that parses log files to find IPs that are abusing the system and drop them. Currently I am stuck on Fedora 16 on the active server because of familiarity with iptables. I really want to move to Fedora 20, but I need to adapt my script to use firewalld before I do.
I'll be glad to read the documentation, but a hand up and a point in the right direction would be appreciated.
Regards, John
On 01/24/2014 09:24 AM, Thomas Woerner wrote:
On 01/24/2014 03:10 PM, John Griffiths wrote:
In August of last year, I was told on the list to use ipsets to add ips to the drop list.
Seeing all the traffic on direct chain, should I be going this direction now?
It is good to go in this direction for separation, but it is not a requirement.
I will be having a look at network address sets (ipset) support in firewalld again. I am also thinking about the possibility to support externally generated ipsets.
Regards, John
Regards, Thomas
Regards, Thomas
I am not sure what is going on with my configuration of firewalld using ipsets. I think something must be wrong.
I have a cronjob that checks the log files and adds IPs to the ipset for those that are trying to log in to ssh that should not or abusing other services. I noticed that there are still a lot of bad logins to root. So I checked the IP that was shown in the login against the ipset, when it was added to the ipset (I have my own log for that.) and when the IP last tried to connect using ssh. The IP, 61.174.51.194, is in the ipset.
# ipset test blacklist_ipv4_current 61.174.51.194
61.174.51.194 is in set blacklist_ipv4_current.
The IP was added to blacklist_ipv4_current Wed Jul 16 09:00:02 EDT 2014.
But when I check /var/log/security, the IP attempted 152 logins after being added to the blacklist set.
Jul 16 09:00:03 joe sshd[9778]: Failed password for root from 61.174.51.194 port 16973 ssh2
Jul 16 09:00:03 joe sshd[9778]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.174.51.194 user=root
Jul 16 09:00:03 joe sshd[9800]: Failed password for root from 61.174.51.194 port 23297 ssh2
Jul 16 09:00:06 joe sshd[9800]: Failed password for root from 61.174.51.194 port 23297 ssh2
Jul 16 09:00:09 joe sshd[9800]: Failed password for root from 61.174.51.194 port 23297 ssh2
Jul 16 09:00:10 joe sshd[10148]: reverse mapping checking getaddrinfo for 194.51.174.61.dial.wz.zj.dynamic.163data.com.cn [61.174.51.194] failed - POSSIBLE BREAK-IN ATTEMPT!
Jul 16 09:00:10 joe sshd[10148]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.174.51.194 user=root
Jul 16 09:00:12 joe sshd[9800]: Failed password for root from 61.174.51.194 port 23297 ssh2
Jul 16 09:00:12 joe sshd[10148]: Failed password for root from 61.174.51.194 port 25999 ssh2
Jul 16 09:00:15 joe sshd[10148]: Failed password for root from 61.174.51.194 port 25999 ssh2
Jul 16 09:00:16 joe sshd[9800]: Failed password for root from 61.174.51.194 port 23297 ssh2
Jul 16 09:00:16 joe sshd[9800]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.174.51.194 user=root
Jul 16 09:00:17 joe sshd[10148]: Failed password for root from 61.174.51.194 port 25999 ssh2
Jul 16 09:00:19 joe sshd[10148]: Failed password for root from 61.174.51.194 port 25999 ssh2
Jul 16 09:00:23 joe sshd[10157]: reverse mapping checking getaddrinfo for 194.51.174.61.dial.wz.zj.dynamic.163data.com.cn [61.174.51.194] failed - POSSIBLE BREAK-IN ATTEMPT!
Jul 16 09:00:23 joe sshd[10148]: Failed password for root from 61.174.51.194 port 25999 ssh2
Jul 16 09:00:23 joe sshd[10157]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.174.51.194 user=root
Jul 16 09:00:25 joe sshd[10157]: Failed password for root from 61.174.51.194 port 28861 ssh2
Jul 16 09:00:25 joe sshd[10148]: Failed password for root from 61.174.51.194 port 25999 ssh2
Jul 16 09:00:25 joe sshd[10148]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.174.51.194 user=root
Jul 16 09:00:28 joe sshd[10157]: Failed password for root from 61.174.51.194 port 28861 ssh2
Jul 16 09:00:33 joe sshd[10165]: reverse mapping checking getaddrinfo for 194.51.174.61.dial.wz.zj.dynamic.163data.com.cn [61.174.51.194] failed - POSSIBLE BREAK-IN ATTEMPT!
Jul 16 09:00:33 joe sshd[10165]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.174.51.194 user=root
Jul 16 09:00:34 joe sshd[10157]: Failed password for root from 61.174.51.194 port 28861 ssh2
Jul 16 09:00:35 joe sshd[10165]: Failed password for root from 61.174.51.194 port 31156 ssh2
Jul 16 09:00:36 joe sshd[10157]: Failed password for root from 61.174.51.194 port 28861 ssh2
Jul 16 09:00:37 joe sshd[10165]: Failed password for root from 61.174.51.194 port 31156 ssh2
Jul 16 09:00:38 joe sshd[10157]: Failed password for root from 61.174.51.194 port 28861 ssh2
Jul 16 09:00:39 joe sshd[10165]: Failed password for root from 61.174.51.194 port 31156 ssh2
Jul 16 09:00:40 joe sshd[10157]: Failed password for root from 61.174.51.194 port 28861 ssh2
Jul 16 09:00:40 joe sshd[10157]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.174.51.194 user=root
Jul 16 09:00:43 joe sshd[10165]: Failed password for root from 61.174.51.194 port 31156 ssh2
Jul 16 09:00:45 joe sshd[10165]: Failed password for root from 61.174.51.194 port 31156 ssh2
Jul 16 09:00:48 joe sshd[10165]: Failed password for root from 61.174.51.194 port 31156 ssh2
Jul 16 09:00:48 joe sshd[10165]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.174.51.194 user=root
Jul 16 09:00:50 joe sshd[10179]: reverse mapping checking getaddrinfo for 194.51.174.61.dial.wz.zj.dynamic.163data.com.cn [61.174.51.194] failed - POSSIBLE BREAK-IN ATTEMPT!
Jul 16 09:00:51 joe sshd[10179]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.174.51.194 user=root
Jul 16 09:00:52 joe sshd[10179]: Failed password for root from 61.174.51.194 port 35507 ssh2
Jul 16 09:00:53 joe sshd[10183]: reverse mapping checking getaddrinfo for 194.51.174.61.dial.wz.zj.dynamic.163data.com.cn [61.174.51.194] failed - POSSIBLE BREAK-IN ATTEMPT!
Jul 16 09:00:54 joe sshd[10183]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.174.51.194 user=root
Jul 16 09:00:55 joe sshd[10179]: Failed password for root from 61.174.51.194 port 35507 ssh2
Jul 16 09:00:55 joe sshd[10183]: Failed password for root from 61.174.51.194 port 36219 ssh2
Jul 16 09:00:57 joe sshd[10179]: Failed password for root from 61.174.51.194 port 35507 ssh2
Jul 16 09:00:58 joe sshd[10183]: Failed password for root from 61.174.51.194 port 36219 ssh2
Jul 16 09:01:00 joe sshd[10183]: Failed password for root from 61.174.51.194 port 36219 ssh2
Jul 16 09:01:02 joe sshd[10179]: Failed password for root from 61.174.51.194 port 35507 ssh2
Jul 16 09:01:03 joe sshd[10183]: Failed password for root from 61.174.51.194 port 36219 ssh2
Jul 16 09:01:06 joe sshd[10183]: Failed password for root from 61.174.51.194 port 36219 ssh2
Jul 16 09:01:08 joe sshd[10183]: Failed password for root from 61.174.51.194 port 36219 ssh2
Jul 16 09:01:08 joe sshd[10183]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.174.51.194 user=root
Jul 16 09:01:12 joe sshd[10227]: reverse mapping checking getaddrinfo for 194.51.174.61.dial.wz.zj.dynamic.163data.com.cn [61.174.51.194] failed - POSSIBLE BREAK-IN ATTEMPT!
Jul 16 09:01:12 joe sshd[10179]: Failed password for root from 61.174.51.194 port 35507 ssh2
Jul 16 09:01:12 joe sshd[10227]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.174.51.194 user=root
Jul 16 09:01:14 joe sshd[10227]: Failed password for root from 61.174.51.194 port 40562 ssh2
Jul 16 09:01:14 joe sshd[10179]: Failed password for root from 61.174.51.194 port 35507 ssh2
Jul 16 09:01:14 joe sshd[10179]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.174.51.194 user=root
Jul 16 09:01:17 joe sshd[10227]: Failed password for root from 61.174.51.194 port 40562 ssh2
Jul 16 09:01:19 joe sshd[10234]: reverse mapping checking getaddrinfo for 194.51.174.61.dial.wz.zj.dynamic.163data.com.cn [61.174.51.194] failed - POSSIBLE BREAK-IN ATTEMPT!
Jul 16 09:01:19 joe sshd[10234]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.174.51.194 user=root
Jul 16 09:01:19 joe sshd[10227]: Failed password for root from 61.174.51.194 port 40562 ssh2
Jul 16 09:01:22 joe sshd[10234]: Failed password for root from 61.174.51.194 port 41984 ssh2
Jul 16 09:01:22 joe sshd[10227]: Failed password for root from 61.174.51.194 port 40562 ssh2
Jul 16 09:01:24 joe sshd[10234]: Failed password for root from 61.174.51.194 port 41984 ssh2
Jul 16 09:01:24 joe sshd[10227]: Failed password for root from 61.174.51.194 port 40562 ssh2
Jul 16 09:01:27 joe sshd[10234]: Failed password for root from 61.174.51.194 port 41984 ssh2
Jul 16 09:01:27 joe sshd[10227]: Failed password for root from 61.174.51.194 port 40562 ssh2
Jul 16 09:01:27 joe sshd[10227]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.174.51.194 user=root
Jul 16 09:01:29 joe sshd[10234]: Failed password for root from 61.174.51.194 port 41984 ssh2
Jul 16 09:01:32 joe sshd[10234]: Failed password for root from 61.174.51.194 port 41984 ssh2
Jul 16 09:01:34 joe sshd[10246]: reverse mapping checking getaddrinfo for 194.51.174.61.dial.wz.zj.dynamic.163data.com.cn [61.174.51.194] failed - POSSIBLE BREAK-IN ATTEMPT!
Jul 16 09:01:34 joe sshd[10246]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.174.51.194 user=root
Jul 16 09:01:35 joe sshd[10234]: Failed password for root from 61.174.51.194 port 41984 ssh2
Jul 16 09:01:35 joe sshd[10234]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.174.51.194 user=root
Jul 16 09:01:36 joe sshd[10246]: Failed password for root from 61.174.51.194 port 45039 ssh2
Jul 16 09:01:39 joe sshd[10252]: reverse mapping checking getaddrinfo for 194.51.174.61.dial.wz.zj.dynamic.163data.com.cn [61.174.51.194] failed - POSSIBLE BREAK-IN ATTEMPT!
Jul 16 09:01:39 joe sshd[10246]: Failed password for root from 61.174.51.194 port 45039 ssh2
Jul 16 09:01:41 joe sshd[10246]: Failed password for root from 61.174.51.194 port 45039 ssh2
Jul 16 09:01:43 joe sshd[10252]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.174.51.194 user=root
Jul 16 09:01:44 joe sshd[10246]: Failed password for root from 61.174.51.194 port 45039 ssh2
Jul 16 09:01:45 joe sshd[10252]: Failed password for root from 61.174.51.194 port 46605 ssh2
Jul 16 09:01:48 joe sshd[10246]: Failed password for root from 61.174.51.194 port 45039 ssh2
Jul 16 09:01:48 joe sshd[10252]: Failed password for root from 61.174.51.194 port 46605 ssh2
Jul 16 09:01:50 joe sshd[10246]: Failed password for root from 61.174.51.194 port 45039 ssh2
Jul 16 09:01:50 joe sshd[10246]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.174.51.194 user=root
Jul 16 09:01:52 joe sshd[10252]: Failed password for root from 61.174.51.194 port 46605 ssh2
Jul 16 09:01:54 joe sshd[10252]: Failed password for root from 61.174.51.194 port 46605 ssh2
Jul 16 09:01:54 joe sshd[10266]: reverse mapping checking getaddrinfo for 194.51.174.61.dial.wz.zj.dynamic.163data.com.cn [61.174.51.194] failed - POSSIBLE BREAK-IN ATTEMPT!
Jul 16 09:01:55 joe sshd[10266]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.174.51.194 user=root
Jul 16 09:01:57 joe sshd[10252]: Failed password for root from 61.174.51.194 port 46605 ssh2
Jul 16 09:01:57 joe sshd[10266]: Failed password for root from 61.174.51.194 port 49978 ssh2
Jul 16 09:01:59 joe sshd[10252]: Failed password for root from 61.174.51.194 port 46605 ssh2
Jul 16 09:01:59 joe sshd[10252]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.174.51.194 user=root
Jul 16 09:02:00 joe sshd[10266]: Failed password for root from 61.174.51.194 port 49978 ssh2
Jul 16 09:02:03 joe sshd[10266]: Failed password for root from 61.174.51.194 port 49978 ssh2
Jul 16 09:02:03 joe sshd[10275]: reverse mapping checking getaddrinfo for 194.51.174.61.dial.wz.zj.dynamic.163data.com.cn [61.174.51.194] failed - POSSIBLE BREAK-IN ATTEMPT!
Jul 16 09:02:04 joe sshd[10275]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.174.51.194 user=root Jul 16 09:02:05 joe sshd[10266]: Failed password for root from 61.174.51.194 port 49978 ssh2 Jul 16 09:02:06 joe sshd[10275]: Failed password for root from 61.174.51.194 port 51942 ssh2 Jul 16 09:02:08 joe sshd[10275]: Failed password for root from 61.174.51.194 port 51942 ssh2 Jul 16 09:02:11 joe sshd[10275]: Failed password for root from 61.174.51.194 port 51942 ssh2 Jul 16 09:02:13 joe sshd[10266]: Failed password for root from 61.174.51.194 port 49978 ssh2 Jul 16 09:02:15 joe sshd[10275]: Failed password for root from 61.174.51.194 port 51942 ssh2 Jul 16 09:02:16 joe sshd[10266]: Failed password for root from 61.174.51.194 port 49978 ssh2 Jul 16 09:02:16 joe sshd[10266]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.174.51.194 user=root Jul 16 09:02:18 joe sshd[10275]: Failed password for root from 61.174.51.194 port 51942 ssh2 Jul 16 09:02:21 joe sshd[10275]: Failed password for root from 61.174.51.194 port 51942 ssh2 Jul 16 09:02:21 joe sshd[10275]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.174.51.194 user=root Jul 16 09:02:23 joe sshd[10504]: reverse mapping checking getaddrinfo for 194.51.174.61.dial.wz.zj.dynamic.163data.com.cn [61.174.51.194] failed - POSSIBLE BREAK-IN ATTEMPT! Jul 16 09:02:23 joe sshd[10504]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.174.51.194 user=root Jul 16 09:02:25 joe sshd[10504]: Failed password for root from 61.174.51.194 port 55562 ssh2 Jul 16 09:02:27 joe sshd[10504]: Failed password for root from 61.174.51.194 port 55562 ssh2 Jul 16 09:02:28 joe sshd[10509]: reverse mapping checking getaddrinfo for 194.51.174.61.dial.wz.zj.dynamic.163data.com.cn [61.174.51.194] failed - POSSIBLE BREAK-IN ATTEMPT! 
Jul 16 09:02:28 joe sshd[10509]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.174.51.194 user=root Jul 16 09:02:30 joe sshd[10504]: Failed password for root from 61.174.51.194 port 55562 ssh2 Jul 16 09:02:31 joe sshd[10509]: Failed password for root from 61.174.51.194 port 56553 ssh2 Jul 16 09:02:33 joe sshd[10504]: Failed password for root from 61.174.51.194 port 55562 ssh2 Jul 16 09:02:33 joe sshd[10509]: Failed password for root from 61.174.51.194 port 56553 ssh2 Jul 16 09:02:35 joe sshd[10504]: Failed password for root from 61.174.51.194 port 55562 ssh2 Jul 16 09:02:36 joe sshd[10509]: Failed password for root from 61.174.51.194 port 56553 ssh2 Jul 16 09:02:39 joe sshd[10509]: Failed password for root from 61.174.51.194 port 56553 ssh2 Jul 16 09:02:39 joe sshd[10504]: Failed password for root from 61.174.51.194 port 55562 ssh2 Jul 16 09:02:39 joe sshd[10504]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.174.51.194 user=root Jul 16 09:02:41 joe sshd[10509]: Failed password for root from 61.174.51.194 port 56553 ssh2 Jul 16 09:02:43 joe sshd[10509]: Failed password for root from 61.174.51.194 port 56553 ssh2 Jul 16 09:02:43 joe sshd[10509]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.174.51.194 user=root Jul 16 09:02:43 joe sshd[10525]: reverse mapping checking getaddrinfo for 194.51.174.61.dial.wz.zj.dynamic.163data.com.cn [61.174.51.194] failed - POSSIBLE BREAK-IN ATTEMPT! Jul 16 09:02:44 joe sshd[10525]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.174.51.194 user=root Jul 16 09:02:46 joe sshd[10525]: Failed password for root from 61.174.51.194 port 2338 ssh2 Jul 16 09:02:47 joe sshd[10529]: reverse mapping checking getaddrinfo for 194.51.174.61.dial.wz.zj.dynamic.163data.com.cn [61.174.51.194] failed - POSSIBLE BREAK-IN ATTEMPT! 
Jul 16 09:02:48 joe sshd[10529]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.174.51.194 user=root Jul 16 09:02:49 joe sshd[10525]: Failed password for root from 61.174.51.194 port 2338 ssh2 Jul 16 09:02:50 joe sshd[10529]: Failed password for root from 61.174.51.194 port 3233 ssh2 Jul 16 09:02:51 joe sshd[10525]: Failed password for root from 61.174.51.194 port 2338 ssh2 Jul 16 09:02:53 joe sshd[10529]: Failed password for root from 61.174.51.194 port 3233 ssh2 Jul 16 09:02:54 joe sshd[10525]: Failed password for root from 61.174.51.194 port 2338 ssh2 Jul 16 09:02:55 joe sshd[10529]: Failed password for root from 61.174.51.194 port 3233 ssh2 Jul 16 09:02:57 joe sshd[10525]: Failed password for root from 61.174.51.194 port 2338 ssh2 Jul 16 09:02:58 joe sshd[10529]: Failed password for root from 61.174.51.194 port 3233 ssh2 Jul 16 09:02:59 joe sshd[10525]: Failed password for root from 61.174.51.194 port 2338 ssh2 Jul 16 09:02:59 joe sshd[10525]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.174.51.194 user=root Jul 16 09:03:00 joe sshd[10529]: Failed password for root from 61.174.51.194 port 3233 ssh2 Jul 16 09:03:03 joe sshd[10529]: Failed password for root from 61.174.51.194 port 3233 ssh2 Jul 16 09:03:03 joe sshd[10529]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.174.51.194 user=root Jul 16 09:03:05 joe sshd[10545]: reverse mapping checking getaddrinfo for 194.51.174.61.dial.wz.zj.dynamic.163data.com.cn [61.174.51.194] failed - POSSIBLE BREAK-IN ATTEMPT! Jul 16 09:03:06 joe sshd[10545]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.174.51.194 user=root Jul 16 09:03:08 joe sshd[10550]: reverse mapping checking getaddrinfo for 194.51.174.61.dial.wz.zj.dynamic.163data.com.cn [61.174.51.194] failed - POSSIBLE BREAK-IN ATTEMPT! 
Jul 16 09:03:09 joe sshd[10545]: Failed password for root from 61.174.51.194 port 6642 ssh2 Jul 16 09:03:09 joe sshd[10550]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.174.51.194 user=root Jul 16 09:03:11 joe sshd[10550]: Failed password for root from 61.174.51.194 port 7538 ssh2 Jul 16 09:03:11 joe sshd[10545]: Failed password for root from 61.174.51.194 port 6642 ssh2 Jul 16 09:03:11 joe sshd[10545]: PAM 1 more authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.174.51.194 user=root
My ipset ellipsized is:
Name: blacklist_ipv4_permanent
Type: hash:ip
Revision: 2
Header: family inet hashsize 4096 maxelem 65536
Size in memory: 126760
References: 1
Members: 200.74.162.237 96.237.146.189 190.21.141.207 201.116.227.194 ... 77.234.3.95 218.63.121.5 203.184.192.216 70.115.3.109 74.55.63.194 221.5.86.42 122.25.33.18 190.95.242.142 85.250.14.160

Name: blacklist_ipv4_semipermanent
Type: hash:ip
Revision: 2
Header: family inet hashsize 4096 maxelem 65536
Size in memory: 67304
References: 1
Members: 123.30.182.178 50.195.85.69 116.10.191.213 61.174.51.200 79.191.202.21 61.174.51.211 46.130.133.139 ... 116.10.191.174 23.81.27.114 61.174.51.230 61.174.51.233 188.165.212.171 103.9.91.6

Name: blacklist_ipv4_current
Type: hash:ip
Revision: 2
Header: family inet hashsize 4096 maxelem 65536
Size in memory: 66152
References: 1
Members: 61.174.51.213 85.25.242.234 85.25.150.52 61.233.233.124 211.234.100.203 221.179.191.36 85.25.139.52 221.179.89.90 61.233.76.135 116.10.191.208 61.174.51.194 61.174.51.197 94.156.77.46 85.25.129.28 37.157.187.125 116.10.191.203 85.25.176.135 54.237.87.185 85.25.176.103 61.234.146.22 198.211.30.115 200.30.85.115 59.63.167.174 61.19.247.71 85.25.139.28 183.129.228.45 116.10.191.195 85.25.99.108 216.146.33.22 85.25.144.37 216.146.33.50

Name: blacklist_ipv6_permanent
Type: hash:ip
Revision: 2
Header: family inet hashsize 4096 maxelem 65536
Size in memory: 65656
References: 1
Members:

Name: blacklist_ipv6_semipermanent
Type: hash:ip
Revision: 2
Header: family inet hashsize 4096 maxelem 65536
Size in memory: 65656
References: 1
Members:

Name: blacklist_ipv6_current
Type: hash:ip
Revision: 2
Header: family inet hashsize 4096 maxelem 65536
Size in memory: 65656
References: 1
Members:

Name: blacklist
Type: list:set
Revision: 2
Header: size 8
Size in memory: 112
References: 0
Members: blacklist_ipv4_permanent blacklist_ipv4_semipermanent blacklist_ipv4_current blacklist_ipv6_permanent blacklist_ipv6_semipermanent blacklist_ipv6_current
There are a total of 8616 IPs in blacklist_ipv4_permanent, blacklist_ipv4_semipermanent, and blacklist_ipv4_current. No addresses in any ipv6 set yet.
My /etc/firewalld/direct.xml file is a symbolic link to ../../root/ipFilter/lib/direct.xml and the selinux context is:
# l -Z direct.xml ../../root/ipFilter/lib/direct.xml
lrwxrwxrwx. root root unconfined_u:object_r:firewalld_etc_rw_t:s0 direct.xml -> ../../root/ipFilter/lib/direct.xml
-rw-r-----. root root unconfined_u:object_r:firewalld_etc_rw_t:s0 ../../root/ipFilter/lib/direct.xml
The /etc/firewalld/direct.xml is:
# /etc/firewalld/direct.xml:
<direct>
  <!-- IPset Blacklisting -->
  <chain ipv="ipv4" table="raw" chain="PREROUTING_blacklist"/>
  <passthrough ipv="ipv4">-t raw -A PREROUTING_blacklist -m limit --limit 3/min -j LOG --log-prefix BLACKLIST_DROP: --log-level 6</passthrough>
  <passthrough ipv="ipv4">-t raw -A PREROUTING_blacklist -j DROP</passthrough>
  <passthrough ipv="ipv4">-t raw -A PREROUTING -m set --match-set blacklist src -j PREROUTING_blacklist</passthrough>
  <chain ipv="ipv6" table="raw" chain="PREROUTING_blacklist"/>
  <passthrough ipv="ipv6">-t raw -A PREROUTING_blacklist -m limit --limit 3/min -j LOG --log-prefix BLACKLIST_DROP: --log-level 6</passthrough>
  <passthrough ipv="ipv6">-t raw -A PREROUTING_blacklist -j DROP</passthrough>
  <passthrough ipv="ipv6">-t raw -A PREROUTING -m set --match-set blacklist src -j PREROUTING_blacklist</passthrough>
</direct>
When I open firewall-config, there is nothing under the Direct tab.
I am using firewalld-0.3.10-1.fc20.noarch.
I sure would appreciate some guidance as to what may be wrong.
John
On 01/25/2014 08:27 AM, Anthony Messina wrote:
On Saturday, January 25, 2014 07:42:48 AM John Griffiths wrote:
I may be entirely wrong in my observation, so please correct me where I am wrong.
I observe that firewalld is very flexible and powerful and will add and delete IPs without having to restart. Zones may be switched on the fly. The code is changing at a rapid pace. And, what seems to be a big one to me, there is more than one way to do something.
It seems to me that having more than one way to configure essentially the same operation would add to the code complexity. Complexity often leads to code maintenance issues. Not saying there are any. Complexity leads to user confusion such as I am having now. Rapidly developing code causes documentation lag; one reason this list is so valuable.
I am a developer professionally. If I am having issues understanding, then how about someone who is strictly a user? Maybe no one else has the issue of over 8000 IPs being dropped at the firewall, but I certainly do and I am finding it hard to address with my understanding of firewalld.
Thanks to the developers for the hard work. Hope someone with first hand knowledge of the development can set me straight.
John, I'm not sure if this may be of help to you, but I was also trying to get firewalld to work nicely with ipset for the use of blacklisting. Here are some examples that I use. (Lines are likely wrapped):
# /etc/firewalld/direct.xml:
<direct>
  <!-- IPset Blacklisting -->
  <chain ipv="ipv4" table="raw" chain="PREROUTING_blacklist"/>
  <passthrough ipv="ipv4">-t raw -A PREROUTING_blacklist -m limit --limit 3/min -j LOG --log-prefix BLACKLIST_DROP: --log-level 6</passthrough>
  <passthrough ipv="ipv4">-t raw -A PREROUTING_blacklist -j DROP</passthrough>
  <passthrough ipv="ipv4">-t raw -A PREROUTING -m set --match-set blacklist src -j PREROUTING_blacklist</passthrough>
  <chain ipv="ipv6" table="raw" chain="PREROUTING_blacklist"/>
  <passthrough ipv="ipv6">-t raw -A PREROUTING_blacklist -m limit --limit 3/min -j LOG --log-prefix BLACKLIST_DROP: --log-level 6</passthrough>
  <passthrough ipv="ipv6">-t raw -A PREROUTING_blacklist -j DROP</passthrough>
  <passthrough ipv="ipv6">-t raw -A PREROUTING -m set --match-set blacklist src -j PREROUTING_blacklist</passthrough>
</direct>
The thing to remember with the above configuration is that you must add the dependent chains first--PREROUTING cannot refer to PREROUTING_blacklist if PREROUTING_blacklist doesn't yet exist.
I have also created a systemd ipset.service file that will reload previously saved ipset rules on boot and save them on shutdown:
#/etc/systemd/system/ipset.service
[Unit]
Description=ipset - IP set restore & save
Documentation=man:ipset(8)
Before=network.target firewalld.service iptables.service ip6tables.service
ConditionFileNotEmpty=/etc/sysconfig/ipset.save

[Service]
Type=oneshot
ExecStart=/usr/sbin/ipset -exist -file /etc/sysconfig/ipset.save restore
ExecStop=/usr/sbin/ipset -file /etc/sysconfig/ipset.save save
RemainAfterExit=yes
StandardOutput=journal+console
UMask=0177

[Install]
WantedBy=basic.target
The way I did this was to create a minimal ipset configuration and execute '/usr/sbin/ipset -file /etc/sysconfig/ipset.save save' -- so the rules are stored in /etc/sysconfig/ipset.save prior to enabling ipset.service
My initial ipset.save without any ip addresses added looks like:
create blacklist_ipv6 hash:net family inet6 hashsize 1024 maxelem 65536
create blacklist_ipv4 hash:net family inet hashsize 1024 maxelem 65536
create blacklist list:set size 8
add blacklist blacklist_ipv4
add blacklist blacklist_ipv6
Then do 'systemctl enable ipset && systemctl start ipset'
Together, the additions to the direct.xml configuration and the ipset.service have allowed me to add or remove ip addresses from the blacklist without the worry of what happens upon restart, etc.
-A
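A check that cross-references a direct.xml like the ones quoted above with `ipset list` output, added here as an example (not firewalld's code and not John's or Anthony's): it enforces Anthony's "dependent chains first" ordering caveat and flags any `--match-set` set whose References count is 0, which is what John's listing shows for the top-level blacklist list:set. Assumptions: firewalld applies direct.xml entries in document order, and the direct.xml and ipset output embedded below are constructed abridgements of what the thread quotes.

```python
"""Cross-check a firewalld direct.xml against `ipset list` output.

Check 1: every chain a passthrough appends to (-A/-I) or jumps to (-j) is a
netfilter built-in or was declared by an earlier <chain> element (the "add
the dependent chains first" caveat; assumes document-order application).
Check 2: every `--match-set NAME` set exists with References > 0; a set at
References: 0 is consulted by no loaded rule, which fits a blacklisted
host still reaching sshd.
"""
import shlex
import xml.etree.ElementTree as ET

BUILTIN_CHAINS = {"PREROUTING", "INPUT", "FORWARD", "OUTPUT", "POSTROUTING"}
# -j targets that are actions rather than user chains, so they need no <chain>
ACTION_TARGETS = {"ACCEPT", "DROP", "REJECT", "RETURN", "LOG", "MARK", "CT",
                  "MASQUERADE", "SNAT", "DNAT", "REDIRECT", "NOTRACK"}

# Constructed sample: the IPv4 half of the direct.xml quoted in the thread.
DIRECT_XML = """<direct>
  <chain ipv="ipv4" table="raw" chain="PREROUTING_blacklist"/>
  <passthrough ipv="ipv4">-t raw -A PREROUTING_blacklist -m limit --limit 3/min -j LOG --log-prefix BLACKLIST_DROP: --log-level 6</passthrough>
  <passthrough ipv="ipv4">-t raw -A PREROUTING_blacklist -j DROP</passthrough>
  <passthrough ipv="ipv4">-t raw -A PREROUTING -m set --match-set blacklist src -j PREROUTING_blacklist</passthrough>
</direct>"""

# Constructed sample: abridged `ipset list` in the shape John posted; the member
# set is referenced once (by the list:set), the list:set itself by nothing.
IPSET_LIST = """Name: blacklist_ipv4_current
Type: hash:ip
References: 1
Members:
61.174.51.194

Name: blacklist
Type: list:set
References: 0
Members:
blacklist_ipv4_current
"""


def parse_ipset_list(text):
    """Parse `ipset list` output into {name: {"type", "references", "members"}}."""
    sets, cur, in_members = {}, None, False
    for line in text.splitlines():
        if line.startswith("Name: "):
            cur = {"type": "", "references": 0, "members": []}
            sets[line[len("Name: "):].strip()] = cur
            in_members = False
        elif cur is None:
            continue                      # text before the first set
        elif in_members:
            if line.strip():
                cur["members"].append(line.strip())
        elif line.startswith("Type: "):
            cur["type"] = line[len("Type: "):].strip()
        elif line.startswith("References: "):
            cur["references"] = int(line.split(":", 1)[1])
        elif line.startswith("Members:"):
            in_members = True
    return sets


def check_direct(xml_text, sets):
    """Return a list of problem strings; an empty list means both checks pass."""
    problems = []
    declared = {}                         # (ipv, table) -> chains declared so far
    for el in ET.fromstring(xml_text):
        ipv = el.get("ipv")
        if el.tag == "chain":
            declared.setdefault((ipv, el.get("table")), set()).add(el.get("chain"))
            continue
        if el.tag != "passthrough":
            continue
        args = shlex.split(el.text or "")
        table, chain, target, match_set = "filter", None, None, None
        for i, a in enumerate(args[:-1]):  # every option read here takes one value
            if a == "-t":
                table = args[i + 1]
            elif a in ("-A", "-I"):
                chain = args[i + 1]
            elif a == "-j":
                target = args[i + 1]
            elif a == "--match-set":
                match_set = args[i + 1]
        known = BUILTIN_CHAINS | declared.get((ipv, table), set())
        for name in (chain, target):
            if name and name not in ACTION_TARGETS and name not in known:
                problems.append(f"{ipv}/{table}: rule uses chain {name!r} "
                                "before a <chain> element declares it")
        if match_set and match_set not in sets:
            problems.append(f"{ipv}/{table}: --match-set {match_set!r} does not exist")
        elif match_set and sets[match_set]["references"] == 0:
            problems.append(f"set {match_set!r} has References: 0, so no loaded "
                            "rule consults it; check that the direct rules were applied")
    return problems
```

Run `check_direct(open("/etc/firewalld/direct.xml").read(), parse_ipset_list(subprocess.check_output(["ipset", "list"], text=True)))` on the live host; an empty list means the chains are declared in a workable order and every referenced set is actually wired into a rule.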
Why are you sending your Firewalld problems to my personal email? I don't have anything to do with Firewalld. I am a user of it, like you are. I don't work at Firewalld; this is my personal gmail email account. I am in no way associated with Firewalld, and I do not answer tech questions for them, so do not email me with your problems. You need to send them to Firewalld's address at (firewalld-users@lists.fedorahosted.org). If you're sending these requests because I have joined the list, please remove me, since this is an annoyance to me; I don't want tech questions in my personal emails. Thank you, Randy Fitzgerald.
On Wed, Jul 16, 2014 at 7:18 AM, John Griffiths fedora.jrg01@grifent.com wrote:
I am not sure what is going on with my configuration of firewalld using ipsets. I think something must be wrong.
I have a cronjob that checks the log files and adds IPs to the ipset for those that are trying to log in to ssh that should not, or are abusing other services. I noticed that there are still a lot of bad logins to root. So I checked the IP that was shown in the login against the ipset, when it was added to the ipset (I have my own log for that), and when the IP last tried to connect using ssh. The IP, 61.174.51.194, is in the ipset.
# ipset test blacklist_ipv4_current 61.174.51.194
61.174.51.194 is in set blacklist_ipv4_current.
The IP was added to blacklist_ipv4_current Wed Jul 16 09:00:02 EDT 2014.
But when I check /var/log/security, the IP attempted 152 logins after being added to the blacklist set.
My ipset ellipsized is:
Name: blacklist_ipv4_permanent
Type: hash:ip
Revision: 2
Header: family inet hashsize 4096 maxelem 65536
Size in memory: 126760
References: 1
Members:
200.74.162.237 96.237.146.189 190.21.141.207 201.116.227.194 ... 77.234.3.95 218.63.121.5 203.184.192.216 70.115.3.109 74.55.63.194 221.5.86.42 122.25.33.18 190.95.242.142 85.250.14.160

Name: blacklist_ipv4_semipermanent
Type: hash:ip
Revision: 2
Header: family inet hashsize 4096 maxelem 65536
Size in memory: 67304
References: 1
Members:
123.30.182.178 50.195.85.69 116.10.191.213 61.174.51.200 79.191.202.21 61.174.51.211 46.130.133.139 ... 116.10.191.174 23.81.27.114 61.174.51.230 61.174.51.233 188.165.212.171 103.9.91.6

Name: blacklist_ipv4_current
Type: hash:ip
Revision: 2
Header: family inet hashsize 4096 maxelem 65536
Size in memory: 66152
References: 1
Members:
61.174.51.213 85.25.242.234 85.25.150.52 61.233.233.124 211.234.100.203 221.179.191.36 85.25.139.52 221.179.89.90 61.233.76.135 116.10.191.208 61.174.51.194 61.174.51.197 94.156.77.46 85.25.129.28 37.157.187.125 116.10.191.203 85.25.176.135 54.237.87.185 85.25.176.103 61.234.146.22 198.211.30.115 200.30.85.115 59.63.167.174 61.19.247.71 85.25.139.28 183.129.228.45 116.10.191.195 85.25.99.108 216.146.33.22 85.25.144.37 216.146.33.50

Name: blacklist_ipv6_permanent
Type: hash:ip
Revision: 2
Header: family inet hashsize 4096 maxelem 65536
Size in memory: 65656
References: 1
Members:

Name: blacklist_ipv6_semipermanent
Type: hash:ip
Revision: 2
Header: family inet hashsize 4096 maxelem 65536
Size in memory: 65656
References: 1
Members:

Name: blacklist_ipv6_current
Type: hash:ip
Revision: 2
Header: family inet hashsize 4096 maxelem 65536
Size in memory: 65656
References: 1
Members:

Name: blacklist
Type: list:set
Revision: 2
Header: size 8
Size in memory: 112
References: 0
Members:
blacklist_ipv4_permanent blacklist_ipv4_semipermanent blacklist_ipv4_current blacklist_ipv6_permanent blacklist_ipv6_semipermanent blacklist_ipv6_current
There are a total of 8616 IPs in blacklist_ipv4_permanent, blacklist_ipv4_semipermanent, and blacklist_ipv4_current. No addresses in any ipv6 set yet.
My /etc/firewalld/direct.xml file is a symbolic link to ../../root/ipFilter/lib/direct.xml and the selinux context is:
# l -Z direct.xml ../../root/ipFilter/lib/direct.xml
lrwxrwxrwx. root root unconfined_u:object_r:firewalld_etc_rw_t:s0 direct.xml -> ../../root/ipFilter/lib/direct.xml
-rw-r-----. root root unconfined_u:object_r:firewalld_etc_rw_t:s0 ../../root/ipFilter/lib/direct.xml
The /etc/firewalld/direct.xml is:
# /etc/firewalld/direct.xml:
<direct>
  <!-- IPset Blacklisting -->
  <chain ipv="ipv4" table="raw" chain="PREROUTING_blacklist"/>
  <passthrough ipv="ipv4">-t raw -A PREROUTING_blacklist -m limit --limit 3/min -j LOG --log-prefix BLACKLIST_DROP: --log-level 6</passthrough>
  <passthrough ipv="ipv4">-t raw -A PREROUTING_blacklist -j DROP</passthrough>
  <passthrough ipv="ipv4">-t raw -A PREROUTING -m set --match-set blacklist src -j PREROUTING_blacklist</passthrough>
  <chain ipv="ipv6" table="raw" chain="PREROUTING_blacklist"/>
  <passthrough ipv="ipv6">-t raw -A PREROUTING_blacklist -m limit --limit 3/min -j LOG --log-prefix BLACKLIST_DROP: --log-level 6</passthrough>
  <passthrough ipv="ipv6">-t raw -A PREROUTING_blacklist -j DROP</passthrough>
  <passthrough ipv="ipv6">-t raw -A PREROUTING -m set --match-set blacklist src -j PREROUTING_blacklist</passthrough>
</direct>
When I open firewall-config, there is nothing under the Direct tab.
I am using firewalld-0.3.10-1.fc20.noarch.
I sure would appreciate some guidance to what may be wrong.
John
On 01/25/2014 08:27 AM, Anthony Messina wrote:
On Saturday, January 25, 2014 07:42:48 AM John Griffiths wrote:
I may be entirely wrong in my observation, so please correct me where I am wrong.
I observe that firewalld is very flexible and powerful and will add and delete IPs without having to restart. Zones may be switched on the fly. The code is changing at a rapid pace. And, what seems to be a big one to me, there is more than one way to do something.
Having more than one way to configure essentially the same operation would, it seems to me, add to the code complexity. Complexity often leads to code maintenance issues. Not saying there are any. Complexity leads to user confusion such as I am having now. Rapidly developing code causes documentation lag; one reason this list is so valuable.
I am a developer professionally. If I am having issues understanding, then how about someone who is strictly a user? Maybe no one else has the issue of over 8000 IPs being dropped at the firewall, but I certainly do and I am finding it hard to address with my understanding of firewalld.
Thanks to the developers for the hard work. Hope someone with first hand knowledge of the development can set me straight.
John, I'm not sure if this may be of help to you, but I was also trying to get firewalld to work nicely with ipset for the use of blacklisting. Here are some examples that I use. (Lines are likely wrapped):
# /etc/firewalld/direct.xml:
<direct>
  <!-- IPset Blacklisting -->
  <chain ipv="ipv4" table="raw" chain="PREROUTING_blacklist"/>
  <passthrough ipv="ipv4">-t raw -A PREROUTING_blacklist -m limit --limit 3/min -j LOG --log-prefix BLACKLIST_DROP: --log-level 6</passthrough>
  <passthrough ipv="ipv4">-t raw -A PREROUTING_blacklist -j DROP</passthrough>
  <passthrough ipv="ipv4">-t raw -A PREROUTING -m set --match-set blacklist src -j PREROUTING_blacklist</passthrough>
  <chain ipv="ipv6" table="raw" chain="PREROUTING_blacklist"/>
  <passthrough ipv="ipv6">-t raw -A PREROUTING_blacklist -m limit --limit 3/min -j LOG --log-prefix BLACKLIST_DROP: --log-level 6</passthrough>
  <passthrough ipv="ipv6">-t raw -A PREROUTING_blacklist -j DROP</passthrough>
  <passthrough ipv="ipv6">-t raw -A PREROUTING -m set --match-set blacklist src -j PREROUTING_blacklist</passthrough>
</direct>
The thing to remember with the above configuration is that you must add the dependent chains first--PREROUTING cannot refer to PREROUTING_blacklist if PREROUTING_blacklist doesn't yet exist.
I have also created a systemd ipset.service file that will reload previously saved ipset rules on boot and save them on shutdown:
# /etc/systemd/system/ipset.service
[Unit]
Description=ipset - IP set restore & save
Documentation=man:ipset(8)
Before=network.target firewalld.service iptables.service ip6tables.service
ConditionFileNotEmpty=/etc/sysconfig/ipset.save

[Service]
Type=oneshot
ExecStart=/usr/sbin/ipset -exist -file /etc/sysconfig/ipset.save restore
ExecStop=/usr/sbin/ipset -file /etc/sysconfig/ipset.save save
RemainAfterExit=yes
StandardOutput=journal+console
UMask=0177

[Install]
WantedBy=basic.target
The way I did this was to create a minimal ipset configuration and execute '/usr/sbin/ipset -file /etc/sysconfig/ipset.save save' -- so the rules are stored in /etc/sysconfig/ipset.save prior to enabling ipset.service
My initial ipset.save without any ip addresses added looks like:
create blacklist_ipv6 hash:net family inet6 hashsize 1024 maxelem 65536
create blacklist_ipv4 hash:net family inet hashsize 1024 maxelem 65536
create blacklist list:set size 8
add blacklist blacklist_ipv4
add blacklist blacklist_ipv6
Then do 'systemctl enable ipset && systemctl start ipset'
Together, the additions to the direct.xml configuration and the ipset.service have allowed me to add or remove ip addresses from the blacklist without the worry of what happens upon restart, etc.
-A
Jiri,
There is no /var/log/firewalld file.
This is my config file:
# firewalld config file
# default zone
# The default zone used if an empty zone string is used.
# Default: public
DefaultZone=home

# Minimal mark
# Marks up to this minimum are free for use for example in the direct
# interface. If more free marks are needed, increase the minimum
# Default: 100
MinimalMark=100

# Clean up on exit
# If set to no or false the firewall configuration will not get cleaned up
# on exit or stop of firewalld
# Default: yes
CleanupOnExit=yes

# Lockdown
# If set to enabled, firewall changes with the D-Bus interface will be limited
# to applications that are listed in the lockdown whitelist.
# The lockdown whitelist file is lockdown-whitelist.xml
# Default: no
Lockdown=no

# IPv6_rpfilter
# Performs a reverse path filter test on a packet for IPv6. If a reply to the
# packet would be sent via the same interface that the packet arrived on, the
# packet will match and be accepted, otherwise dropped.
# The rp_filter for IPv4 is controlled using sysctl.
# Default: yes
IPv6_rpfilter=yes
Thanks, John
On 07/16/2014 12:56 PM, Jiri Popelka wrote:
On 07/16/2014 04:18 PM, John Griffiths wrote:
When I open firewall-config, there is nothing under the Direct tab.
Can you check /var/log/firewalld for any WARNINGs/ERRORs ?
-- Jiri
On 07/16/2014 07:00 PM, John Griffiths wrote:
There is no /var/log/firewalld file.
And if you add 'FIREWALLD_ARGS=--debug' into /etc/sysconfig/firewalld and restart/reload firewalld ? Are there any WARNINGs/ERRORs ? (I don't need to see the DEBUGs).
-- Jiri
Hello John,
Once you have this working, would you mind posting your config/scripts for others to benefit from? I'd like to use ipsets as well but haven't had a chance to look deeply into them. Your setup sounds like it would be a great start.
I see:
2014-07-16 13:25:23 DEBUG1: Failed to load direct rules file '/etc/firewalld/direct.xml': /etc/firewalld/direct.xml:1:1: not well-formed (invalid token)
so the file was invalid.
I checked the file. The first line was an improperly formed comment:
# /etc/firewalld/direct.xml:
I changed that line to:
<!-- /etc/firewalld/direct.xml -->
and the direct file loaded. The direct rules now show in firewall-config.
Thanks!
John
On 07/16/2014 01:11 PM, Jiri Popelka wrote:
On 07/16/2014 07:00 PM, John Griffiths wrote:
There is no /var/log/firewalld file.
And if you add 'FIREWALLD_ARGS=--debug' into /etc/sysconfig/firewalld and restart/reload firewalld ? Are there any WARNINGs/ERRORs ? (I don't need to see the DEBUGs).
-- Jiri
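Two things went wrong with direct.xml in this thread: Anthony's note that a passthrough cannot jump to PREROUTING_blacklist before that chain has been created, and the '# /etc/firewalld/direct.xml:' first line that made the whole file unparsable, which firewalld reported only at DEBUG1 while the 8000-entry blacklist silently stayed unloaded. The script below is an added example written for this list, not firewalld's own code: it checks a direct.xml for both problems before the file is handed to firewalld. The tables of built-in chains and targets, the sample documents and the function names are assumptions made for the example.

```python
"""Sanity-check a firewalld direct.xml before reloading it (added example)."""
import shlex
import xml.etree.ElementTree as ET

# Built-in chains per table (assumption: stock netfilter layout).
BUILTIN_CHAINS = {
    "raw": {"PREROUTING", "OUTPUT"},
    "mangle": {"PREROUTING", "INPUT", "FORWARD", "OUTPUT", "POSTROUTING"},
    "nat": {"PREROUTING", "INPUT", "OUTPUT", "POSTROUTING"},
    "filter": {"INPUT", "FORWARD", "OUTPUT"},
    "security": {"INPUT", "FORWARD", "OUTPUT"},
}
# Jump targets that are not user-defined chains (assumption: the common ones).
BUILTIN_TARGETS = {"ACCEPT", "DROP", "REJECT", "RETURN", "LOG", "MARK",
                   "MASQUERADE", "DNAT", "SNAT", "REDIRECT", "CT", "NOTRACK"}


def _operand(args, *names):
    """Return the word following the first option in *names, or None."""
    for i, word in enumerate(args[:-1]):
        if word in names:
            return args[i + 1]
    return None


def check_direct_xml(text):
    """Return a list of problems; an empty list means the file looks loadable."""
    try:
        root = ET.fromstring(text)
    except ET.ParseError as err:          # e.g. a '#' comment line before <direct>
        return ["not well-formed XML: %s" % err]
    if root.tag != "direct":
        return ["root element is <%s>, expected <direct>" % root.tag]

    declared = set()      # (ipv, table, chain) created so far, in document order
    problems = []
    for pos, el in enumerate(root, 1):
        if not isinstance(el.tag, str):   # skip comments / processing instructions
            continue
        ipv = el.get("ipv")
        if el.tag == "chain":
            declared.add((ipv, el.get("table"), el.get("chain")))
            continue
        if el.tag == "rule":
            table, chain = el.get("table"), el.get("chain")
            args = shlex.split(el.text or "")
        elif el.tag == "passthrough":
            args = shlex.split(el.text or "")
            table = _operand(args, "-t", "--table") or "filter"
            new_chain = _operand(args, "-N", "--new-chain")
            if new_chain:                 # a passthrough may create a chain itself
                declared.add((ipv, table, new_chain))
                continue
            chain = _operand(args, "-A", "--append", "-I", "--insert")
        else:
            problems.append("element %d: unknown element <%s>" % (pos, el.tag))
            continue

        def known(name):
            return name in BUILTIN_CHAINS.get(table, set()) or (ipv, table, name) in declared

        if chain and not known(chain):
            problems.append("element %d: chain %s/%s does not exist yet" % (pos, table, chain))
        target = _operand(args, "-j", "--jump")
        if target and target not in BUILTIN_TARGETS and not known(target):
            problems.append("element %d: jump target %s/%s is neither built in "
                            "nor declared before this line" % (pos, table, target))
    return problems


# Constructed samples: the working ipv4 half of the thread's direct.xml, the
# same file behind the '#' line that broke parsing, and one with the jump
# placed before the chain declaration.
GOOD = """<!-- /etc/firewalld/direct.xml -->
<direct>
  <!-- IPset Blacklisting -->
  <chain ipv="ipv4" table="raw" chain="PREROUTING_blacklist"/>
  <passthrough ipv="ipv4">-t raw -A PREROUTING_blacklist -m limit --limit 3/min -j LOG --log-prefix BLACKLIST_DROP: --log-level 6</passthrough>
  <passthrough ipv="ipv4">-t raw -A PREROUTING_blacklist -j DROP</passthrough>
  <passthrough ipv="ipv4">-t raw -A PREROUTING -m set --match-set blacklist src -j PREROUTING_blacklist</passthrough>
</direct>
"""
BAD_COMMENT = "# /etc/firewalld/direct.xml:\n" + GOOD
BAD_ORDER = """<direct>
  <passthrough ipv="ipv4">-t raw -A PREROUTING -m set --match-set blacklist src -j PREROUTING_blacklist</passthrough>
  <chain ipv="ipv4" table="raw" chain="PREROUTING_blacklist"/>
  <passthrough ipv="ipv4">-t raw -A PREROUTING_blacklist -j DROP</passthrough>
</direct>
"""

if __name__ == "__main__":
    for name, doc in (("GOOD", GOOD), ("BAD_COMMENT", BAD_COMMENT), ("BAD_ORDER", BAD_ORDER)):
        print(name, check_direct_xml(doc) or "OK")
```

This only checks the file, not what is loaded. After `firewall-cmd --reload`, confirm the rule is really in the kernel with `iptables -t raw -S PREROUTING` and look for the `--match-set blacklist src` line; the `References: 0` on the blacklist list:set in the ipset output earlier in the thread was the other tell-tale that no loaded rule referenced the sets.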
I cannot take credit.
My thanks to Anthony, Thomas, and Jiri on this list for their help.
I just worked out the kinks for my particular use.
Here are what I use:
/etc/firewalld/direct.xml (from Anthony)
<!-- /etc/firewalld/direct.xml -->
<direct>
  <!-- IPset Blacklisting -->
  <chain ipv="ipv4" table="raw" chain="PREROUTING_blacklist"/>
  <passthrough ipv="ipv4">-t raw -A PREROUTING_blacklist -m limit --limit 3/min -j LOG --log-prefix BLACKLIST_DROP: --log-level 6</passthrough>
  <passthrough ipv="ipv4">-t raw -A PREROUTING_blacklist -j DROP</passthrough>
  <passthrough ipv="ipv4">-t raw -A PREROUTING -m set --match-set blacklist src -j PREROUTING_blacklist</passthrough>
  <chain ipv="ipv6" table="raw" chain="PREROUTING_blacklist"/>
  <passthrough ipv="ipv6">-t raw -A PREROUTING_blacklist -m limit --limit 3/min -j LOG --log-prefix BLACKLIST_DROP: --log-level 6</passthrough>
  <passthrough ipv="ipv6">-t raw -A PREROUTING_blacklist -j DROP</passthrough>
  <passthrough ipv="ipv6">-t raw -A PREROUTING -m set --match-set blacklist src -j PREROUTING_blacklist</passthrough>
</direct>
/etc/systemd/system/ipset.service (from Anthony)
[Unit]
Description=ipset - IP set restore & save
Documentation=man:ipset(8)
Before=network.target firewalld.service iptables.service ip6tables.service
ConditionFileNotEmpty=/etc/sysconfig/ipset.save

[Service]
Type=oneshot
ExecStart=/usr/sbin/ipset -exist -file /etc/sysconfig/ipset.save restore
ExecStop=/usr/sbin/ipset -file /etc/sysconfig/ipset.save save
RemainAfterExit=yes
StandardOutput=journal+console
UMask=0177

[Install]
WantedBy=basic.target
This is from the email from Anthony:
The way I did this was to create a minimal ipset configuration and execute '/usr/sbin/ipset -file /etc/sysconfig/ipset.save save' -- so the rules are stored in /etc/sysconfig/ipset.save prior to enabling ipset.service
My initial ipset.save without any ip addresses added looks like:
create blacklist_ipv6 hash:net family inet6 hashsize 1024 maxelem 65536
create blacklist_ipv4 hash:net family inet hashsize 1024 maxelem 65536
create blacklist list:set size 8
add blacklist blacklist_ipv4
add blacklist blacklist_ipv6
Then do 'systemctl enable ipset && systemctl start ipset'
Together, the additions to the direct.xml configuration and the ipset.service have allowed me to add or remove ip addresses from the blacklist without the worry of what happens upon restart, etc.
My own ipset save file is a bit more complex:
create blacklist_ipv4_permanent hash:ip family inet hashsize 4096 maxelem 65536
create blacklist_ipv4_semipermanent hash:ip family inet hashsize 4096 maxelem 65536
create blacklist_ipv4_current hash:ip family inet hashsize 4096 maxelem 65536
create blacklist_ipv6_permanent hash:ip family inet6 hashsize 4096 maxelem 65536
create blacklist_ipv6_semipermanent hash:ip family inet6 hashsize 4096 maxelem 65536
create blacklist_ipv6_current hash:ip family inet6 hashsize 4096 maxelem 65536
create blacklist list:set size 8
add blacklist blacklist_ipv4_permanent
add blacklist blacklist_ipv4_semipermanent
add blacklist blacklist_ipv4_current
add blacklist blacklist_ipv6_permanent
add blacklist blacklist_ipv6_semipermanent
add blacklist blacklist_ipv6_current
It is up to you how you want to add IPs to the ipsets.
I have another script that runs periodically to parse various log files to determine IPs to blacklist and add them to blacklist_ipv4_current. Once a day, the script reads IPs that are in the current list and which have been in historical lists of 'current' IPs and adds them to semipermanent or discards them if not. Does the same for historical semipermanent and adds them to permanent. It keeps the firewall up to date with 'bad guys.' That script is pretty complex and I'd rather not post it. I am not working with IPv6 to any extent yet.
I currently have 8616 IPs in my blacklist.
Nathanael, Hope this helps you and others.
John
On 07/16/2014 01:46 PM, Nathanael d. Noblet wrote:
Hello John,
Once you have this working, would you mind posting your config/scripts for others to benefit from? I'd like to use ipsets as well but haven't had a chance to look deeply into them. Your setup sounds like it would be a great start.
On 07/16/2014 05:33 PM, Randy Fitzgerald wrote:
Why are you sending your Firewalld problems to my personal email? I don't have anything to do with Firewalld. I am a user of it, like you are. I don't work at Firewalld; this is my personal gmail email account. I am in no way associated with Firewalld, and I do not answer tech questions for them, so do not email me with your problems. You need to send them to Firewalld's address at (firewalld-users@list.fedoahosted.org). If you're sending these requests because I have joined the list, please remove me, since this is an annoyance to me. I don't want tech questions in my personal emails. Thank you, Randy Fitzgerald.
There is a link in the footer on each email on this list.
https://lists.fedorahosted.org/mailman/listinfo/firewalld-users
Within this page you can change your settings for the list. There is also a button to unsubscribe.
On Wed, Jul 16, 2014 at 7:18 AM, John Griffiths <fedora.jrg01@grifent.com> wrote:
116.10.191.174 23.81.27.114 61.174.51.230 61.174.51.233 188.165.212.171 103.9.91.6 Name: blacklist_ipv4_current Type: hash:ip Revision: 2 Header: family inet hashsize 4096 maxelem 65536 Size in memory: 66152 References: 1 Members: 61.174.51.213 85.25.242.234 85.25.150.52 61.233.233.124 211.234.100.203 221.179.191.36 85.25.139.52 221.179.89.90 61.233.76.135 116.10.191.208 61.174.51.194 61.174.51.197 94.156.77.46 85.25.129.28 37.157.187.125 116.10.191.203 85.25.176.135 54.237.87.185 85.25.176.103 61.234.146.22 198.211.30.115 200.30.85.115 59.63.167.174 61.19.247.71 85.25.139.28 183.129.228.45 116.10.191.195 85.25.99.108 216.146.33.22 85.25.144.37 216.146.33.50 Name: blacklist_ipv6_permanent Type: hash:ip Revision: 2 Header: family inet hashsize 4096 maxelem 65536 Size in memory: 65656 References: 1 Members: Name: blacklist_ipv6_semipermanent Type: hash:ip Revision: 2 Header: family inet hashsize 4096 maxelem 65536 Size in memory: 65656 References: 1 Members: Name: blacklist_ipv6_current Type: hash:ip Revision: 2 Header: family inet hashsize 4096 maxelem 65536 Size in memory: 65656 References: 1 Members: Name: blacklist Type: list:set Revision: 2 Header: size 8 Size in memory: 112 References: 0 Members: blacklist_ipv4_permanent blacklist_ipv4_semipermanent blacklist_ipv4_current blacklist_ipv6_permanent blacklist_ipv6_semipermanent blacklist_ipv6_current There are a total of 8616 IPs in blacklist_ipv4_permanent, blacklist_ipv4_semipermanent, and blacklist_ipv4_current. No addresses in any ipv6 set yet. My /etc/firewalld/direct.xml file is a symbolic link to ../../root/ipFilter/lib/direct.xml and the selinux context is: # l -Z direct.xml ../../root/ipFilter/lib/direct.xml lrwxrwxrwx. root root unconfined_u:object_r:firewalld_etc_rw_t:s0 direct.xml -> ../../root/ipFilter/lib/direct.xml -rw-r-----. 
root root unconfined_u:object_r:firewalld_etc_rw_t:s0 ../../root/ipFilter/lib/direct.xml The /etc/firewalld/direct.xml is: # /etc/firewalld/direct.xml: <direct> <!-- IPset Blacklisting --> <chain ipv="ipv4" table="raw" chain="PREROUTING_blacklist"/> <passthrough ipv="ipv4">-t raw -A PREROUTING_blacklist -m limit --limit 3/min -j LOG --log-prefix BLACKLIST_DROP: --log-level 6</passthrough> <passthrough ipv="ipv4">-t raw -A PREROUTING_blacklist -j DROP</passthrough> <passthrough ipv="ipv4">-t raw -A PREROUTING -m set --match-set blacklist src -j PREROUTING_blacklist</passthrough> <chain ipv="ipv6" table="raw" chain="PREROUTING_blacklist"/> <passthrough ipv="ipv6">-t raw -A PREROUTING_blacklist -m limit --limit 3/min -j LOG --log-prefix BLACKLIST_DROP: --log-level 6</passthrough> <passthrough ipv="ipv6">-t raw -A PREROUTING_blacklist -j DROP</passthrough> <passthrough ipv="ipv6">-t raw -A PREROUTING -m set --match-set blacklist src -j PREROUTING_blacklist</passthrough> </direct> When I open firewall-config, there is nothing under the Direct tab. I am using firewalld-0.3.10-1.fc20.noarch. I sure would appreciate some guidance to what may be wrong. John On 01/25/2014 08:27 AM, Anthony Messina wrote:
On Saturday, January 25, 2014 07:42:48 AM John Griffiths wrote:
I may be entirely wrong in my observation, so please correct me where I am wrong. I observe that firewalld is very flexible and powerful and will add and delete IPs without having to restart. Zones may be switched on the fly. The code is changing at a rapid pace. And, what seems to be a big one to me, there is more than one way to do something. Having more than one way to configure essentially the same operation seems to me would add to the code complexity. Complexity often leads to code maintenance issues. Not saying there are any. Complexity leads to user confusion such as I am having now. Rapidly developing code causes documentation lag; one reason this list is so valuable.

I am a developer professionally. If I am having issues understanding, then how about someone who is strictly a user? Maybe no one else has the issue of over 8000 IPs being dropped at the firewall, but I certainly do and I am finding it hard to address with my understanding of firewalld.

Thanks to the developers for the hard work. Hope someone with first-hand knowledge of the development can set me straight.
John, I'm not sure if this may be of help to you, but I was also trying to get firewalld to work nicely with ipset for the use of blacklisting. Here are some examples that I use. (Lines are likely wrapped):

# /etc/firewalld/direct.xml:
<direct>
  <!-- IPset Blacklisting -->
  <chain ipv="ipv4" table="raw" chain="PREROUTING_blacklist"/>
  <passthrough ipv="ipv4">-t raw -A PREROUTING_blacklist -m limit --limit 3/min -j LOG --log-prefix BLACKLIST_DROP: --log-level 6</passthrough>
  <passthrough ipv="ipv4">-t raw -A PREROUTING_blacklist -j DROP</passthrough>
  <passthrough ipv="ipv4">-t raw -A PREROUTING -m set --match-set blacklist src -j PREROUTING_blacklist</passthrough>
  <chain ipv="ipv6" table="raw" chain="PREROUTING_blacklist"/>
  <passthrough ipv="ipv6">-t raw -A PREROUTING_blacklist -m limit --limit 3/min -j LOG --log-prefix BLACKLIST_DROP: --log-level 6</passthrough>
  <passthrough ipv="ipv6">-t raw -A PREROUTING_blacklist -j DROP</passthrough>
  <passthrough ipv="ipv6">-t raw -A PREROUTING -m set --match-set blacklist src -j PREROUTING_blacklist</passthrough>
</direct>

The thing to remember with the above configuration is that you must add the dependent chains first--PREROUTING cannot refer to PREROUTING_blacklist if PREROUTING_blacklist doesn't yet exist.
I have also created a systemd ipset.service file that will reload previously saved ipset rules on boot and save them on shutdown:

# /etc/systemd/system/ipset.service
[Unit]
Description=ipset - IP set restore & save
Documentation=man:ipset(8)
Before=network.target firewalld.service iptables.service ip6tables.service
ConditionFileNotEmpty=/etc/sysconfig/ipset.save

[Service]
Type=oneshot
ExecStart=/usr/sbin/ipset -exist -file /etc/sysconfig/ipset.save restore
ExecStop=/usr/sbin/ipset -file /etc/sysconfig/ipset.save save
RemainAfterExit=yes
StandardOutput=journal+console
UMask=0177

[Install]
WantedBy=basic.target

The way I did this was to create a minimal ipset configuration and execute '/usr/sbin/ipset -file /etc/sysconfig/ipset.save save' -- so the rules are stored in /etc/sysconfig/ipset.save prior to enabling ipset.service.

My initial ipset.save without any IP addresses added looks like:

create blacklist_ipv6 hash:net family inet6 hashsize 1024 maxelem 65536
create blacklist_ipv4 hash:net family inet hashsize 1024 maxelem 65536
create blacklist list:set size 8
add blacklist blacklist_ipv4
add blacklist blacklist_ipv6

Then do 'systemctl enable ipset && systemctl start ipset'.

Together, the additions to the direct.xml configuration and the ipset.service have allowed me to add or remove IP addresses from the blacklist without the worry of what happens upon restart, etc.

-A
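Anthony's caveat that a custom chain must be declared before any passthrough rule jumps to it is easy to get wrong when direct.xml is generated by a script, as John's appears to be. The script below is an added example written for this page, not part of firewalld or of anyone's posted configuration; it walks a direct.xml in document order and reports a passthrough that appends to or jumps to a chain that has no preceding <chain> declaration for the same ipv and table. It looks only at <chain> and <passthrough> elements, treats the netfilter built-in chains and a fixed list of built-in targets as always available, and assumes iptables' default table of filter when -t is absent. The "bad" sample is Anthony's IPv4 rules with the PREROUTING jump moved above the declaration; the "good" sample is his file as posted. Independent of this check, note that John's `ipset list` output shows `References: 0` for the `blacklist` list:set, i.e. no loaded rule is currently matching against it, which is consistent with the direct rules not having been installed.

```python
"""Ordering check for firewalld direct.xml (added example, not firewalld code)."""
import re
import xml.etree.ElementTree as ET

# netfilter built-in chains and targets never need a <chain> declaration
BUILTIN_CHAINS = {"INPUT", "OUTPUT", "FORWARD", "PREROUTING", "POSTROUTING"}
BUILTIN_TARGETS = {"ACCEPT", "DROP", "REJECT", "RETURN", "LOG", "QUEUE",
                   "NFQUEUE", "MARK", "CT", "NOTRACK", "MASQUERADE",
                   "SNAT", "DNAT", "REDIRECT", "TRACE"}

# Constructed sample: Anthony's IPv4 rules with the jump placed *before*
# the <chain> declaration, the failure mode his note warns about.
BAD_DIRECT_XML = """<direct>
  <passthrough ipv="ipv4">-t raw -A PREROUTING -m set --match-set blacklist src -j PREROUTING_blacklist</passthrough>
  <chain ipv="ipv4" table="raw" chain="PREROUTING_blacklist"/>
  <passthrough ipv="ipv4">-t raw -A PREROUTING_blacklist -m limit --limit 3/min -j LOG --log-prefix BLACKLIST_DROP: --log-level 6</passthrough>
  <passthrough ipv="ipv4">-t raw -A PREROUTING_blacklist -j DROP</passthrough>
</direct>"""

# Anthony's file as posted: declaration first, for each address family.
GOOD_DIRECT_XML = """<direct>
  <chain ipv="ipv4" table="raw" chain="PREROUTING_blacklist"/>
  <passthrough ipv="ipv4">-t raw -A PREROUTING_blacklist -m limit --limit 3/min -j LOG --log-prefix BLACKLIST_DROP: --log-level 6</passthrough>
  <passthrough ipv="ipv4">-t raw -A PREROUTING_blacklist -j DROP</passthrough>
  <passthrough ipv="ipv4">-t raw -A PREROUTING -m set --match-set blacklist src -j PREROUTING_blacklist</passthrough>
  <chain ipv="ipv6" table="raw" chain="PREROUTING_blacklist"/>
  <passthrough ipv="ipv6">-t raw -A PREROUTING_blacklist -m limit --limit 3/min -j LOG --log-prefix BLACKLIST_DROP: --log-level 6</passthrough>
  <passthrough ipv="ipv6">-t raw -A PREROUTING_blacklist -j DROP</passthrough>
  <passthrough ipv="ipv6">-t raw -A PREROUTING -m set --match-set blacklist src -j PREROUTING_blacklist</passthrough>
</direct>"""


def _opt(args, flag):
    """Value following a short iptables option such as -t, -A or -j, or None.
    The leading whitespace anchor keeps '--limit' from matching '-l' etc."""
    m = re.search(r"(?:^|\s)" + re.escape(flag) + r"\s+(\S+)", args)
    return m.group(1) if m else None


def check_direct_xml(text):
    """Return a list of ordering problems in file order; [] means no problem."""
    declared = set()            # (ipv, table, chain) declared so far
    problems = []
    for pos, el in enumerate(ET.fromstring(text), 1):
        ipv = el.get("ipv")
        if el.tag == "chain":
            declared.add((ipv, el.get("table"), el.get("chain")))
            continue
        if el.tag != "passthrough":
            continue            # <rule> and anything else is out of scope here
        args = el.text or ""
        table = _opt(args, "-t") or "filter"        # iptables default table
        chain = _opt(args, "-A") or _opt(args, "-I")
        target = _opt(args, "-j")
        for role, name in (("appends to", chain), ("jumps to", target)):
            if name is None or name in BUILTIN_CHAINS or name in BUILTIN_TARGETS:
                continue
            if (ipv, table, name) not in declared:
                problems.append(f"element {pos} ({ipv}, table {table}) {role} "
                                f"{name} before it is declared")
    return problems


if __name__ == "__main__":
    import sys
    # usage: python3 check_direct.py /etc/firewalld/direct.xml
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else BAD_DIRECT_XML
    for line in check_direct_xml(text) or ["ok"]:
        print(line)
```

Run against the real file with `python3 check_direct.py /etc/firewalld/direct.xml`; with no argument it reports on the constructed bad sample. The check is purely about declaration order within direct.xml and says nothing about whether firewalld has actually loaded the file.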
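John's journal excerpt is the raw material for his "current" sets: every password attempt produces its own "Failed password for ... from <addr> port <n> ssh2" line, and the trailing "PAM N more authentication failures" line summarises the same attempts (in the excerpt N is always one less than the number of per-attempt lines for that pid), so only the per-attempt lines need counting. The following is an added example for this page, not code from the thread: it counts failures per source address over sample lines in that format and emits `ipset -exist add` commands for sources at or above a threshold, routing IPv6 sources to the inet6 set. The set names default to John's blacklist_ipv4_current and blacklist_ipv6_current, the threshold and the 203.0.113.7, 198.51.100.9 and 2001:db8::10 addresses in the sample are constructed for illustration. One caveat a practitioner will want before running the IPv6 half: John's listing shows all three ipv6 sets created with `Header: family inet`, and a hash:ip set of family inet will not accept an IPv6 address; Anthony's ipset.save creates its IPv6 set with `family inet6`.

```python
"""sshd failure counting -> ipset add commands (added example, not from the thread)."""
import re
from collections import Counter
from ipaddress import ip_address

# One line per attempt; "invalid user" appears when the account does not exist.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port \d+ ssh2")

# Constructed sample in the format of John's excerpt.  203.0.113.7,
# 198.51.100.9 and 2001:db8::10 are documentation addresses, not real hosts.
SAMPLE_LOG = """\
Jul 16 09:02:04 joe sshd[10275]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.174.51.194 user=root
Jul 16 09:02:05 joe sshd[10266]: Failed password for root from 61.174.51.194 port 49978 ssh2
Jul 16 09:02:06 joe sshd[10275]: Failed password for root from 61.174.51.194 port 51942 ssh2
Jul 16 09:02:08 joe sshd[10275]: Failed password for root from 61.174.51.194 port 51942 ssh2
Jul 16 09:02:16 joe sshd[10266]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.174.51.194 user=root
Jul 16 09:02:30 joe sshd[10600]: Failed password for invalid user admin from 203.0.113.7 port 40000 ssh2
Jul 16 09:02:31 joe sshd[10601]: Failed password for alice from 2001:db8::10 port 40001 ssh2
Jul 16 09:02:33 joe sshd[10601]: Failed password for alice from 2001:db8::10 port 40001 ssh2
Jul 16 09:02:40 joe sshd[10602]: Accepted publickey for bob from 198.51.100.9 port 40002 ssh2
"""


def count_failures(lines):
    """Counter of failed password attempts keyed by the source address string.
    pam_unix and 'PAM N more' summary lines are deliberately ignored: they
    describe the same attempts that the per-attempt lines already record."""
    counts = Counter()
    for line in lines:
        m = FAILED.search(line)
        if m:
            counts[m.group(2)] += 1
    return counts


def ipset_commands(counts, threshold, v4set="blacklist_ipv4_current",
                   v6set="blacklist_ipv6_current"):
    """`ipset -exist add` commands for every source at or above threshold,
    worst offender first.  -exist makes re-running the output harmless.
    IPv6 sources go to the inet6 set; a hash:ip set created with
    `family inet` (as in John's listing) rejects them."""
    cmds = []
    for host, n in sorted(counts.items(), key=lambda kv: (-kv[1], kv[0])):
        if n < threshold:
            continue
        try:
            addr = ip_address(host)
        except ValueError:
            continue                # not an address: never hand it to ipset
        setname = v6set if addr.version == 6 else v4set
        cmds.append(f"ipset -exist add {setname} {addr}")
    return cmds


if __name__ == "__main__":
    import sys
    # usage: journalctl -u sshd --since today | python3 sshd_to_ipset.py | sh
    lines = sys.stdin if not sys.stdin.isatty() else SAMPLE_LOG.splitlines()
    print("\n".join(ipset_commands(count_failures(lines), threshold=2)))
```

Piping the output through `sh` is left to the operator on purpose; review the list first, since a single mistyped threshold adds a lot of addresses to a set that, through the `blacklist` list:set, is dropped in the raw table before conntrack ever sees it.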