ipset (firewalld) - how to tell if it is working?

Issues related to configuring your network
Post Reply
lightman47
Posts: 1163
Joined: 2014/05/21 20:16:00
Location: Central New York, USA

ipset (firewalld) - how to tell if it is working?

Post by lightman47 » 2020/05/30 16:39:49

So, using https://access.redhat.com/documentation ... _firewalld, I built an ipset for firewalld named "banned". I used CIDR addresses. Example:

Code: Select all

sudo firewall-cmd --permanent --ipset=banned --add-entry=116.0.0.0/8
.

I perfomed a --reload, and even rebooted the machine to make sure the permanent rules are used.

My direct.xml has:

Code: Select all

<?xml version="1.0" encoding="utf-8"?>
<direct>
  <rule ipv="ipv4" table="filter" chain="INPUT" priority="0">-m set --match-set "banned" src -j DROP</rule>
</direct>
get-entries reports:

Code: Select all

$ sudo firewall-cmd --permanent --ipset=banned --get-entries
5.182.9.9/16
42.0.0.0/8
186.82.0.0/16
85.0.0.0/8
178.0.0.0/8
68.107.168.0/21
85.209.0.0/16
101.162.0.0/16
95.111.0.0/16
105.0.0.0/8
100.32.0.0/13
100.40.0.0/15
190.0.0.0/8
200.0.0.0/8
185.244.0.0/16
115.0.0.0/8
167.0.0.0/8
193.0.0.0/8
129.0.0.0/8
194.0.0.0/8
83.0.0.0/8
134.0.0.0/8
87.0.0.0/8
37.0.0.0/8
107.172.0.0/14
202.0.0.0/8
82.0.0.0/8
27.0.0.0/8
116.0.0.0/8

How can I tell if it's actually working? If it is, next challenge is to "hook" my (working) fail2ban into it so I don't have to manually add the addresses. ;)
Remember - importing/building packages will likely "byte you in the butt" come update time, long after you'd forgotten you did that! Use repos whenever possible.

lightman47
Posts: 1163
Joined: 2014/05/21 20:16:00
Location: Central New York, USA

Re: ipset (firewalld) - how to tell if it is working?

Post by lightman47 » 2020/06/01 17:10:09

When you eliminate your syntax error in direct.xml (not shown) and restart, your fail2ban 'activity' drops significantly!
8-)

2020-06-04 anecdote

Another fail-safe method is to forget about spoofing, and blindly ban 192.0.0.0/8. After you do the --reload and exit the ssh session, you must visit the machine in person to fix it! :lol:
Remember - importing/building packages will likely "byte you in the butt" come update time, long after you'd forgotten you did that! Use repos whenever possible.

Post Reply

Return to “CentOS 7 - Networking Support”