ipset (firewalld) - how to tell if it is working?

Post by lightman47 » 2020/05/30 16:39:49

So, using https://access.redhat.com/documentation ... _firewalld, I built an ipset for firewalld named "banned". I used CIDR addresses. Example:

Code:

sudo firewall-cmd --permanent --ipset=banned --add-entry=116.0.0.0/8
.

I performed a --reload, and even rebooted the machine to make sure the permanent rules are used.

My direct.xml has:

Code:

<?xml version="1.0" encoding="utf-8"?>
<direct>
  <rule ipv="ipv4" table="filter" chain="INPUT" priority="0">-m set --match-set "banned" src -j DROP</rule>
</direct>

get-entries reports:

Code:

$ sudo firewall-cmd --permanent --ipset=banned --get-entries
5.182.9.9/16
42.0.0.0/8
186.82.0.0/16
85.0.0.0/8
178.0.0.0/8
68.107.168.0/21
85.209.0.0/16
101.162.0.0/16
95.111.0.0/16
105.0.0.0/8
100.32.0.0/13
100.40.0.0/15
190.0.0.0/8
200.0.0.0/8
185.244.0.0/16
115.0.0.0/8
167.0.0.0/8
193.0.0.0/8
129.0.0.0/8
194.0.0.0/8
83.0.0.0/8
134.0.0.0/8
87.0.0.0/8
37.0.0.0/8
107.172.0.0/14
202.0.0.0/8
82.0.0.0/8
27.0.0.0/8
116.0.0.0/8

How can I tell if it's actually working? If it is, next challenge is to "hook" my (working) fail2ban into it so I don't have to manually add the addresses. ;)

Re: ipset (firewalld) - how to tell if it is working?

Post by lightman47 » 2020/06/01 17:10:09

When you eliminate your syntax error in direct.xml (not shown) and restart, your fail2ban 'activity' drops significantly!
8-)

2020-06-04 anecdote

Another fail-safe method is to forget about spoofing, and blindly ban 192.0.0.0/8. After you do the --reload and exit the ssh session, you must visit the machine in person to fix it! :lol:
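
Added example (not part of the thread): a check to run before --reload for the two failure modes mentioned above, a malformed direct.xml and a banned range that covers your own address. The sets dictionary, the admin address 192.168.1.20 and all function names are assumptions made for illustration.

```python
import ipaddress
import shlex
import xml.etree.ElementTree as ET

# Constructed sample input: the direct.xml quoted in the first post.
DIRECT_XML = b"""<?xml version="1.0" encoding="utf-8"?>
<direct>
  <rule ipv="ipv4" table="filter" chain="INPUT" priority="0">-m set --match-set "banned" src -j DROP</rule>
</direct>"""

def drop_sets(direct_xml):
    """Names of ipsets used by DROP rules. Raises ET.ParseError on malformed XML."""
    names = []
    for rule in ET.fromstring(direct_xml).iter("rule"):
        args = shlex.split(rule.text or "")  # shlex strips the quotes around "banned"
        if "--match-set" in args[:-1] and "DROP" in args:
            names.append(args[args.index("--match-set") + 1])
    return names

def covering_entries(entries, address):
    """Entries whose network contains address.
    strict=False accepts entries with host bits set, such as 5.182.9.9/16."""
    ip = ipaddress.ip_address(address)
    return [e for e in entries if ip in ipaddress.ip_network(e, strict=False)]

def preflight(direct_xml, sets, admin_addresses):
    """Return a list of problems; an empty list means the checks passed."""
    try:
        used = drop_sets(direct_xml)
    except ET.ParseError as exc:
        return [f"direct.xml is not well-formed XML: {exc}"]
    problems = [] if used else ["no DROP rule in direct.xml references an ipset"]
    for name in used:
        if name not in sets:
            problems.append(f"rule references ipset {name!r}, which was not supplied")
            continue
        for addr in admin_addresses:
            hits = covering_entries(sets[name], addr)
            if hits:
                problems.append(f"{addr} would be dropped by {name}: {', '.join(hits)}")
    return problems

if __name__ == "__main__":
    # Constructed: three entries (192.0.0.0/8 is the one from the 2020-06-04 anecdote)
    # and a hypothetical admin workstation address.
    banned = ["116.0.0.0/8", "5.182.9.9/16", "192.0.0.0/8"]
    for line in preflight(DIRECT_XML, {"banned": banned}, ["192.168.1.20"]) or ["ok"]:
        print(line)
```

To use it on a real host, pass in the contents of direct.xml and the lines printed by `firewall-cmd --permanent --ipset=banned --get-entries`.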
