I've been using CentOS 6 for many moons and have recently set up a server using CentOS 8.2 (sorry CentOS 7... I skipped right over you =P). Everything has been working rather well, except now I've hit a problem that I can't find a solution to (even after many hours of Googling). The problem is, after adding a file of IP addresses to an IPSET, firewall-cmd no longer seems stable. First, it takes *extremely long* to --reload; second, it may even crash and throw DBus errors.
The steps to reproduce are fairly straightforward...
- curl https://www.ipdeny.com/ipblocks/data/countries/cn.zone --output cn.zone # sorry China, it's not personal
- firewall-cmd --permanent --new-ipset=blocklist_v4 --type=hash:net --option=family=inet --option=hashsize=4096 --option=maxelem=200000
- firewall-cmd --permanent --ipset=blocklist_v4 --add-entries-from-file="cn.zone"
- firewall-cmd --permanent --zone=drop --add-source=ipset:blocklist_v4
- firewall-cmd --reload
Here's a bug filed with RedHat (that *might* be related) mentioning slow loading of XML files:
https://bugzilla.redhat.com/show_bug.cgi?id=1416817
Here's a bug filed with CentOS (that definitely *seems* related) mentioning slow --reload after adding an ipset rule:
https://bugs.centos.org/view.php?id=17525
Note that the CentOS bug report mentions "a large ipset of 100k entries"; however, firewalld seems unreasonably problematic even with just the CN zone, which contains a total of about 8.5k entries.
Please correct me if I'm totally off-base here... but isn't this a fairly common need on a public-facing production server? How is it possible that this could be non-functioning? Perhaps most CentOS 8 deployments rely on a different machine for firewalling? It's hard for me to understand how this could be broken. Am I just being a whiny baby and I should go away and write my own operating system plus firewall if CentOS isn't good enough for me?
Thanks for reading! I very much appreciate any advice you can throw my way.
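A pre-flight check for the zone file, added here as an example and not part of the original post: before a downloaded country list is handed to `firewall-cmd --permanent --ipset=... --add-entries-from-file`, it validates each line as an IPv4 network (the ipset above is created with `family=inet`, so IPv6 and junk lines are rejected rather than making firewall-cmd choke), collapses duplicate and overlapping prefixes so the set holds the minimum number of entries, and sizes `hashsize`/`maxelem` from the real count instead of guessing. The sample zone text is constructed, and the sizing rule (hashsize = next power of two at or above the entry count, maxelem = entries with 2x headroom) is this example's own heuristic, not a firewalld recommendation.

```python
"""Pre-flight check for a firewalld ipset source file (hash:net, family=inet).

Validates and de-duplicates CIDR entries before they are passed to
`firewall-cmd --add-entries-from-file`, and sizes the ipset's
hashsize/maxelem options from the actual entry count.
"""
import ipaddress

# Constructed sample standing in for a downloaded cn.zone-style file.
SAMPLE_ZONE = """\
# comment lines and blank lines are ignored
1.0.1.0/24
1.0.2.0/23
1.0.1.0/24
1.0.8.0/21
1.0.8.0/22
203.0.113.7
not-an-address
2001:db8::/32
"""


def parse_zone(text):
    """Return (collapsed IPv4 networks, rejected (lineno, line) pairs).

    Anything that is not an IPv4 address or network is rejected; IPv6
    lines are rejected too because the ipset is created with family=inet.
    Duplicate and overlapping networks are collapsed so the ipset holds
    the minimal set of entries (a bare address becomes a /32).
    """
    nets, rejected = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # strip trailing comments
        if not line:
            continue
        try:
            net = ipaddress.ip_network(line, strict=False)
        except ValueError:
            rejected.append((lineno, raw))
            continue
        if net.version != 4:
            rejected.append((lineno, raw))
            continue
        nets.append(net)
    return list(ipaddress.collapse_addresses(nets)), rejected


def recommend_options(entry_count, headroom=2):
    """Size hash:net options from the real entry count (example heuristic).

    hashsize: smallest power of two >= entries (the kernel rounds hashsize
              up to a power of two anyway)
    maxelem:  entries multiplied by `headroom`, so later additions to the
              list do not hit the limit
    """
    hashsize = 1
    while hashsize < entry_count:
        hashsize <<= 1
    return {"hashsize": hashsize, "maxelem": entry_count * headroom}


def write_clean_zone(nets, path):
    """Write the collapsed networks, one CIDR per line, for firewall-cmd."""
    with open(path, "w") as fh:
        for net in nets:
            fh.write(f"{net.with_prefixlen}\n")


if __name__ == "__main__":
    nets, rejected = parse_zone(SAMPLE_ZONE)
    for lineno, raw in rejected:
        print(f"rejected line {lineno}: {raw!r}")
    print(f"{len(nets)} IPv4 networks after collapsing")
    print(recommend_options(len(nets)))
    write_clean_zone(nets, "cn.zone.clean")
```

Run it against the real download (read the file into `parse_zone`) and feed the written `cn.zone.clean` to `--add-entries-from-file`; the printed options replace the hard-coded `hashsize=4096`/`maxelem=200000` in the `--new-ipset` command, and the rejected-line report tells you whether the source list itself is what firewalld is tripping over.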