--On Friday, August 18, 2017 12:38 PM -0400 John Griffiths
<fedora.jrg01(a)grifent.com> wrote:
> This was working until I upgraded to Fedora 26 from Fedora 24. Now, even
> though an IP is in one of the member iplists,
> blacklist_ipv4_semipermanent or one of the others, firewalld does not
> block the IP.
>
> I do not know if this is an issue with ipsets or firewalld, nor do I
> know whether this is a "feature" or a bug.
>
> Since these ipsets are modified dynamically and need to be accessed from
> bash scripts, using the internal ipset functionality of firewalld is not
> my desired choice.

Is it acceptable to let firewalld create the ipset, but maintain its
contents outside it? Just make sure your management processes are set to
start after firewalld starts and creates the ipset.
Instead of a direct rule, create a zone that drops always and specify that
zone's source as the ipset.
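
The arrangement suggested in the reply above, as an added example that is not part of the original thread: firewalld creates the ipset and a zone with target DROP whose source is that ipset, and an external script maintains the entries with `ipset`. The zone name `blocklist`, the `hash:ip` set type and the `RUN` dry-run switch are assumptions; the set name is the one from the post.

```shell
#!/bin/sh
# Added example. By default every command is only printed (dry run);
# run with RUN= (empty) as root to execute for real.
SET=blacklist_ipv4_semipermanent   # ipset name from the post
ZONE=blocklist                     # hypothetical zone name
RUN=${RUN-echo}

# One-time setup: firewalld owns the ipset and a zone that always drops,
# and the zone's source is the ipset.
setup_blocklist() {
    $RUN firewall-cmd --permanent --new-ipset="$SET" --type=hash:ip
    $RUN firewall-cmd --permanent --new-zone="$ZONE"
    $RUN firewall-cmd --permanent --zone="$ZONE" --set-target=DROP
    $RUN firewall-cmd --permanent --zone="$ZONE" --add-source="ipset:$SET"
    $RUN firewall-cmd --reload
}

# Accept only a dotted-quad IPv4 address, so that a bad input line from a
# log or feed never reaches the ipset command line.
valid_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ ${#o} -le 3 ] && [ "$o" -le 255 ] || return 1
    done
}

# Maintain the contents outside firewalld. -exist makes the add idempotent,
# so the script can be re-run whenever firewalld has (re)created the set.
block_ip() {
    valid_ipv4 "$1" || { echo "rejected: $1" >&2; return 1; }
    $RUN ipset -exist add "$SET" "$1"
}
```

As the reply notes, whatever calls `block_ip` has to start after firewalld has started and created the set.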