firewalld: update timeout of an ipset entry

alvarolm
Posts: 5
Joined: 2020/04/05 23:47:07

firewalld: update timeout of an ipset entry

Post by alvarolm » 2020/04/05 23:48:38

I have been trying to figure out how to update the timeout of an ipset entry, with no luck so far. When using native ipset I would simply use:
$ ipset add foo 192.168.0.5 -exist
but firewalld doesn't seem to implement this feature according to the manual (man), which is pretty useful and common.
ip2ban seems to bypass the firewalld ipset implementation and just use it natively, so I have tried that too, but with no success:

ipset creation:
$ ipset create foo hash:ip timeout 300
direct rule:
$ firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -p TCP -m multiport --dports 22,443 -m set --match-set foo src -j ACCEPT
ipset add:
$ ipset add foo 192.120.11.1
https requests and ssh connection attempts are dropped with "no route to host".
As soon as I disable firewalld I can successfully send requests and connect to ssh.

* I'm using the default zone:
public (active)
target: default
icmp-block-inversion: no
interfaces: enp0s3
sources:
services: cockpit dhcpv6-client ssh
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
$ firewall-cmd --direct --get-all-rules

ipv4 filter INPUT 0 -p TCP -m multiport --dports 22,443 -m set --match-set foo src -j ACCEPT
What am I doing wrong? Is this possible with firewalld?

Thanks in advance

jlehtone
Posts: 3020
Joined: 2007/12/11 08:17:33
Location: Finland

Re: firewalld: update timeout of an ipset entry

Post by jlehtone » 2020/04/06 05:51:36

1. Create a custom firewalld zone 'bar' that allows access to ports/services tcp/22, tcp/443, etc.
2. Create ipset foo
3. firewall-cmd [--permanent] --zone=bar --add-source=ipset:foo

That said, nftables has "sets" that do have a timeout option. Firewalld is a front-end to nftables (while it was a front-end to netfilter in CentOS 7).
One can:
1. Create nftables ruleset
2. Disable firewalld.service
3. Enable nftables.service
4. Maintain the ruleset somehow

alvarolm
Posts: 5
Joined: 2020/04/05 23:47:07

Re: firewalld: update timeout of an ipset entry

Post by alvarolm » 2020/04/06 13:06:50

Thank you @jlehtone for the response; it still deviates way too much from the original question and adds complexity to the task.

Do you know why firewalld includes an ipset manual and claims to implement it if it only uses nftables?
Is there a more straightforward way?

KernelOops
Posts: 321
Joined: 2013/12/18 15:04:03
Location: xfs file system

Re: firewalld: update timeout of an ipset entry

Post by KernelOops » 2020/04/06 14:24:02

I think firewalld supports ipset timeout as an option:

--permanent --new-ipset=ipset --type=type [--family=inet|inet6] [--option=key[=value]]

You need to append the timeout as an --option, which is not used directly by firewalld, but it's passed onwards to ipset.
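The two answers above fit together: jlehtone's zone-plus-ipset-source steps give the addresses in the set access to the allowed services, and KernelOops's --option=timeout=... gives the set a default entry timeout so addresses expire on their own. The script below is an added example, not something posted in this thread or shipped with firewalld. It wraps firewall-cmd in a small function so the whole command sequence can be reviewed with DRY_RUN=1 before it is run on a live host; the set name foo, zone name bar, timeout of 300 seconds and the address 192.0.2.10 are assumptions chosen for the example. Whether re-adding an existing entry refreshes its timeout (the native "ipset add ... -exist" behaviour the first post asks about) depends on the firewalld/backend version, so the script ends by querying the entry rather than assuming it.

```shell
#!/bin/sh
# Added example (not from the thread or the firewalld project): build the
# permanent firewalld config for a timed ipset and a zone that trusts it.
# foo, bar, 300 and 192.0.2.10 are assumed example values.
set -eu

IPSET_NAME="${IPSET_NAME:-foo}"
ZONE_NAME="${ZONE_NAME:-bar}"
TIMEOUT_SECS="${TIMEOUT_SECS:-300}"

# fw: run firewall-cmd, or only print the command line when DRY_RUN=1,
# so the sequence can be reviewed before touching the host.
fw() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf 'firewall-cmd %s\n' "$*"
    else
        firewall-cmd "$@"
    fi
}

# Permanent config: an ipset whose entries expire after TIMEOUT_SECS
# (the timeout is handed to the backend via --option, as KernelOops
# describes), plus a zone that only opens ssh and https and that
# applies to whatever addresses are currently in the set.
setup_permanent() {
    fw --permanent --new-ipset="$IPSET_NAME" --type=hash:ip \
       --option=timeout="$TIMEOUT_SECS"
    fw --permanent --new-zone="$ZONE_NAME"
    fw --permanent --zone="$ZONE_NAME" --add-service=ssh
    fw --permanent --zone="$ZONE_NAME" --add-service=https
    fw --permanent --zone="$ZONE_NAME" --add-source="ipset:$IPSET_NAME"
    fw --reload
}

# Runtime: admit one address; it drops out of the zone when its timer
# expires. Re-running this for an address already in the set is the
# candidate way to refresh its timeout; check the result with
# verify_entry instead of assuming it behaves like "ipset add -exist".
admit() {
    fw --ipset="$IPSET_NAME" --add-entry="$1"
}

# Ask firewalld whether the address is (still) in the set.
verify_entry() {
    fw --ipset="$IPSET_NAME" --query-entry="$1"
}

if [ "${1:-}" = "--run" ]; then
    setup_permanent
    admit 192.0.2.10
    verify_entry 192.0.2.10
fi
```

Run it as `DRY_RUN=1 sh script.sh --run` first to see the exact firewall-cmd invocations, then without DRY_RUN to apply them. The zone only admits addresses that are in the set at the time a packet arrives, so an expired entry loses access without any rule being removed; that is the property the direct INPUT rule in the first post was trying to get.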

