
Firewalld not blocking the assigned ipset

Posted: 2019/07/01 05:56:14
by soushiant
Hi. For a long time I have been using firewalld to block incoming floods to my server from some IPs, and it was working fine without changing the interfaces attached to the "drop" zone. I set up the ipset like this:

firewall-cmd --permanent --new-ipset=netblock --type=hash:net --option=maxelem=1200000 --option=family=inet --option=hashsize=4096

firewall-cmd --permanent --zone=drop --add-source=ipset:netblock
firewall-cmd --reload

Recently I added a new entry to the "netblock" ipset and noticed that the traffic is not dropped. So I decided to attach all of the interfaces to the "drop" zone, and as a result all of the previous blocks also stopped, so now nothing is blocked by firewalld:

firewall-cmd --get-active-zones
drop
  interfaces: nm-bond eno eno1 eno2
  sources: ipset:netblock

firewall-cmd --zone=drop --list-services
http ssh
firewall-cmd --zone=drop --permanent --list-ports
899/tcp 80/tcp 2023/tcp 8080/tcp

The SELinux status:

sestatus
SELinux status:                 disabled

Re: Firewalld not blocking the assigned ipset

Posted: 2019/07/03 08:59:45
by soushiant
The problem is solved by adding a rich rule to the drop zone and removing the ipset source. But the question still remains: why is the ipset not working?

firewall-cmd --permanent --zone=drop --remove-source=ipset:netblock
firewall-cmd --permanent --zone=drop --add-rich-rule="rule family='ipv4' source address='185.105.103.0/24' reject"
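Added example, not part of the thread above and not the poster's code: a small Python script that audits a "firewall-cmd --zone=NAME --list-all" listing and reports whether a zone meant to block its sources really does. It covers both posts: the first listing is constructed from the values the first post shows (ipset source, services http and ssh, four ports in the drop zone), the second is constructed for the state after the second post's fix (ipset source removed, one reject rich rule). Neither listing was captured from the poster's server. The script assumes firewalld's usual evaluation order: services, ports, protocols, source ports and forward ports added to a zone are accepted before the zone's DROP or REJECT target applies, so they are holes for every source bound to that zone, while a reject or drop rich rule is evaluated before those accepts.

```python
import re

# Constructed sample of what `firewall-cmd --zone=drop --list-all` would print for
# the zone in the first post (values taken from the thread's --get-active-zones,
# --list-services and --list-ports output, laid out in firewalld's usual format).
# This is not output captured from the poster's server.
DROP_ZONE_LISTING = """\
drop (active)
  target: DROP
  icmp-block-inversion: no
  interfaces: nm-bond eno eno1 eno2
  sources: ipset:netblock
  services: http ssh
  ports: 899/tcp 80/tcp 2023/tcp 8080/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
"""

# Constructed sample for the same zone after the second post's fix: ipset source
# removed, one reject rich rule added (firewalld lists rich rules on tab-indented lines).
FIXED_ZONE_LISTING = """\
drop (active)
  target: DROP
  icmp-block-inversion: no
  interfaces: nm-bond eno eno1 eno2
  sources:
  services: http ssh
  ports: 899/tcp 80/tcp 2023/tcp 8080/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
\trule family="ipv4" source address="185.105.103.0/24" reject
"""

# Fields whose values are space-separated lists (or tab-indented continuation lines).
LIST_FIELDS = ("interfaces", "sources", "services", "ports", "protocols",
               "forward-ports", "source-ports", "icmp-blocks", "rich rules")

# Assumption (firewalld semantics): entries in these fields are accepted before the
# zone target is applied, so in a DROP/REJECT zone they are holes for the zone's sources.
ACCEPT_FIELDS = ("services", "ports", "protocols", "source-ports", "forward-ports")

# A rich rule that rejects/drops a given source address.
RICH_DENY = re.compile(r'source address="([^"]+)".*\b(reject|drop)\b')


def parse_list_all(text):
    """Parse `firewall-cmd --zone=NAME --list-all` output into a dict of fields."""
    lines = text.splitlines()
    zone = {"name": lines[0].split()[0], "active": "(active)" in lines[0]}
    current = None
    for raw in lines[1:]:
        if raw.startswith("\t"):          # continuation line of the previous list field
            zone[current].append(raw.strip())
            continue
        key, _, value = raw.strip().partition(":")
        value = value.strip()
        zone[key] = value.split() if key in LIST_FIELDS else value
        current = key
    return zone


def accept_holes(zone):
    """Entries the zone accepts for its sources even though its target is DROP/REJECT."""
    return [f"{field}:{entry}" for field in ACCEPT_FIELDS for entry in zone.get(field, [])]


def rich_rule_denies(zone):
    """Source addresses blocked by a reject/drop rich rule (evaluated before accepts)."""
    return [m.group(1) for rule in zone.get("rich rules", [])
            for m in [RICH_DENY.search(rule)] if m]


def audit_zone(zone):
    """Explain whether a blocking zone actually blocks everything from its sources."""
    findings = []
    blocking = zone.get("target") in ("DROP", "REJECT", "%%REJECT%%")
    sources = zone.get("sources", [])
    holes = accept_holes(zone)
    if not blocking:
        findings.append(f"target is {zone.get('target')!r}, not DROP/REJECT")
    if not sources and not zone.get("interfaces"):
        findings.append("nothing is bound to this zone (no sources, no interfaces)")
    if blocking and sources and holes:
        findings.append("sources %s reach these entries before the %s target applies: %s"
                        % (", ".join(sources), zone["target"], ", ".join(holes)))
    for addr in rich_rule_denies(zone):
        findings.append(f"rich rule rejects/drops {addr} ahead of any service/port accept")
    return findings


if __name__ == "__main__":
    for listing in (DROP_ZONE_LISTING, FIXED_ZONE_LISTING):
        zone = parse_list_all(listing)
        print(f"== zone {zone['name']} (active={zone['active']}) ==")
        for finding in audit_zone(zone) or ["no findings"]:
            print(" -", finding)
```

To run it against a live host, pipe the real listing in place of the constructed strings (for example "firewall-cmd --zone=drop --list-all" and the same command with --permanent, to spot runtime/permanent drift after an --reload). The audit only inspects the listing; it does not itself change any firewall state.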