Once the above commands failed, I looked under /etc/firewalld/ipsets and /usr/lib/firewalld/ipsets but found no files other than a README in the latter, which contains “Location for built-in ipsets”. This is very confusing and needs documentation and clarification.
You can easily define them in firewall-config: Configuration: Permanent, upper tab row IPSets. You need to use Options/Reload Firewalld in order to have ipsets displayed in firewall-cmd without the --permanent option.
Yes, this is the nature of my question: why does --info-ipset not show information about the names of defined ipsets shown by --get-ipset-types, as demonstrated by the code in my question?
I probably did not understand the technical lingo in your reply, as I am not an expert on firewalld. Could you explain in more detail why, when I enter --info-ipset with one of the entries shown by --get-ipset-types, the former throws errors and does not show the corresponding information?
And what does it mean, in your reply, that
If there are no predefined ipsets available, then --get-ipset-types should not show any entries. Should it? What am I missing? It is probably the part where you have obtained the value of testmac from some source unknown to me. Why, in your reply, is it testmac and not one of hash:ip etc.? Care to show your --get-ipset-types, so that I understand where you are coming from?
An IPset is a named list of items, stored as an XML file in /etc/firewalld/ipsets.
An IPset can store items of a given type. An example type is hash:ip. Here you can store a list of IP addresses, e.g. the IP addresses of hackers trying to access your machine.
The list of possible types is obtained by firewall-cmd --get-ipset-types.
The list of available ipsets can be obtained by firewall-cmd --permanent --get-ipsets.
Because there are no ipsets delivered with the system, there will be no output.
Example: you know 4.4.4.4 and 5.5.5.5 are spamming your SSH with connection attempts.
Create an ipset:
firewall-cmd --permanent --new-ipset=toblock --type=hash:ip
Add the IPs:
firewall-cmd --permanent --ipset=toblock --add-entry 4.4.4.4
firewall-cmd --permanent --ipset=toblock --add-entry 5.5.5.5
Block the IPs by adding the ipset as a source of the block zone:
firewall-cmd --permanent --zone=block --add-source=ipset:toblock
Get the ipsets created on the system:
firewall-cmd --permanent --get-ipsets
ipsettest toblock
Show the contents of the toblock ipset:
firewall-cmd --permanent --info-ipset toblock
toblock
type: hash:ip
options:
entries: 4.4.4.4 5.5.5.5
If you want to block 4.4.4.4 and 5.5.5.5 SSH access but allow access to e.g. the webserver, you can create an ipset with type hash:ip,port.
Instead of only the ip address, you have to enter ipaddress,22
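The create, fill, bind and verify sequence from the answer above, wrapped in a POSIX sh script. This is an added example, not code from the original answer or from the firewalld project. The FIREWALL_CMD variable, the valid_ipv4 check and the function names are assumptions of this example: on a real host FIREWALL_CMD stays at its default firewall-cmd and the script needs root; setting FIREWALL_CMD=echo turns it into a dry run that only prints the commands it would issue. It covers the hash:ip case bound to the block zone and adds two things the answer's bare command list leaves out: the ipset is created only if it does not already exist, and every candidate entry is checked to be a dotted-quad IPv4 address before it reaches the permanent configuration, which matters when the list comes from parsed log lines.

```shell
#!/bin/sh
# Added example (not from the original answer). Creates a hash:ip ipset,
# fills it with validated IPv4 addresses, binds it as a source of the
# block zone and reloads so the change reaches the runtime configuration.
# FIREWALL_CMD is an assumed knob: "firewall-cmd" on a real host (root
# required), "echo" for a dry run.
FIREWALL_CMD="${FIREWALL_CMD:-firewall-cmd}"

# Accept only a dotted-quad IPv4 address (the default family of hash:ip).
# Anything else, including a garbled log line or shell metacharacters,
# is refused so it can never become an ipset entry.
valid_ipv4() {
    case "$1" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    set -- $(printf '%s\n' "$1" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Usage: block_ips <ipset-name> <ip> [<ip> ...]
block_ips() {
    set_name="$1"; shift
    # --new-ipset fails with NAME_CONFLICT if the set exists, so look first.
    if ! "$FIREWALL_CMD" --permanent --get-ipsets | tr ' ' '\n' | grep -qx "$set_name"; then
        "$FIREWALL_CMD" --permanent --new-ipset="$set_name" --type=hash:ip
    fi
    for ip in "$@"; do
        if valid_ipv4 "$ip"; then
            "$FIREWALL_CMD" --permanent --ipset="$set_name" --add-entry="$ip"
        else
            printf 'skipping invalid address: %s\n' "$ip" >&2
        fi
    done
    # Everything in the block zone is rejected; an ipset: source binds the set.
    "$FIREWALL_CMD" --permanent --zone=block --add-source="ipset:$set_name"
    # --permanent only writes /etc/firewalld; reload makes it the runtime config.
    "$FIREWALL_CMD" --reload
}

# Compare the on-disk definition with what the running daemon sees.
# Before a reload the second command reports the set as missing.
show_ipset() {
    "$FIREWALL_CMD" --permanent --info-ipset="$1"
    "$FIREWALL_CMD" --info-ipset="$1"
}

# Example run: sh block.sh apply 4.4.4.4 5.5.5.5
if [ "${1:-}" = "apply" ]; then
    shift
    block_ips toblock "$@"
    show_ipset toblock
fi
```

Run it once with FIREWALL_CMD=echo to review the exact command lines before letting it touch a host; the skipped addresses go to stderr so they are visible even when the output is captured.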