With firewalld I can make a rule like this (note the `invert="True"`):

firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.100.0/24" invert="True" drop'

And I can specify that certain sources should be treated as part of a zone with this:

firewall-cmd --permanent --zone=external  --add-source=ipset:knowns

Is it possible to invert this and, say, make sure any IP that is not in the ipset is treated as part of another specified zone? I have had a look at the man page, and I cannot find any indication of whether this is possible.

Jeff Schaller
mike-m
  • Hi, it looks like only the `ipset` command supports the option `nomatch` when adding entries. firewall-cmd does not allow adding entries using this option. IMHO this is the feature you (and I) would like to have, so we could build zones/ipsets to exclude certain IP ranges (e.g. countries) by only adding those "bad" ranges. – StefanKaerst May 29 '22 at 12:09

1 Answer

You can mimic this behaviour by creating an ipset (using firewall-cmd) containing all "bad" IP addresses/ranges. You then add a firewalld zone with this ipset as source only.

# firewall-cmd --permanent --zone=axisofevil --add-source=ipset:roguenations

All traffic with sources in the ipset "roguenations" will have access to all services of the zone "axisofevil". If you don't allow any services at all, no service will be available to those clients.

Don't forget to add another zone of type inet6 containing all "bad" IPv6 addresses/ranges.

# firewall-cmd --permanent --new-ipset=roguenations6 --type=hash:net --family=inet6

Hint: you can use entire geo IP databases from e.g. https://www.ip2location.com/free/visitor-blocker in CIDR format, to be added to the ipset (using `firewall-cmd --new-ipset-from-file` or `--add-entries-from-file`). :)

I suggest disabling "AllowZoneDrifting", which defaults to on.

HTH

StefanKaerst
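The recipe in this answer, scripted end to end as an added example (not code from the original post): it splits a CIDR list into IPv4 and IPv6 files, creates the two hash:net ipsets, binds them to the blocklist zone and switches AllowZoneDrifting off. The zone and ipset names follow the answer; the one-CIDR-per-line input format, the DROP zone target and the config path are this example's assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. It scripts the answer's recipe:
# split a CIDR list into IPv4/IPv6, create one hash:net ipset per family,
# bind both to a zone whose target is DROP, and turn off AllowZoneDrifting.
# Assumptions: one CIDR per line in the input file, lines starting with '#'
# are comments, and FWCMD=echo gives a dry run that only prints the commands.
set -eu

# Print the number of malformed lines; write valid v4/v6 prefixes to $2 and $3.
split_cidrs() {
    in=$1; v4=$2; v6=$3; bad=0
    : > "$v4"; : > "$v6"
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            ''|'#'*) ;;                                   # blank or comment
            *:*/[0-9]*) echo "$line" >> "$v6" ;;          # IPv6 prefix
            [0-9]*.[0-9]*.[0-9]*.[0-9]*/[0-9]*) echo "$line" >> "$v4" ;;
            *) echo "rejected: $line" >&2; bad=$((bad + 1)) ;;
        esac
    done < "$in"
    echo "$bad"
}

# Create the ipsets, load them from files, and make them the only sources of
# a DROP zone. (The answer leaves the zone target at its default; DROP is this
# example's choice so that nothing is reachable from the listed ranges.)
setup_blocklist_zone() {      # args: zone set4 set6 v4file v6file
    fw=${FWCMD:-firewall-cmd}
    "$fw" --permanent --new-ipset="$2" --type=hash:net --family=inet
    "$fw" --permanent --new-ipset="$3" --type=hash:net --family=inet6
    "$fw" --permanent --ipset="$2" --add-entries-from-file="$4"
    "$fw" --permanent --ipset="$3" --add-entries-from-file="$5"
    "$fw" --permanent --new-zone="$1"
    "$fw" --permanent --zone="$1" --set-target=DROP
    "$fw" --permanent --zone="$1" --add-source="ipset:$2"
    "$fw" --permanent --zone="$1" --add-source="ipset:$3"
    "$fw" --reload
}

# Set AllowZoneDrifting=no in firewalld.conf (default path is an assumption),
# replacing any existing setting rather than appending a duplicate.
disable_zone_drifting() {
    conf=${1:-/etc/firewalld/firewalld.conf}
    tmp=$(mktemp)
    grep -v '^AllowZoneDrifting=' "$conf" > "$tmp" || true
    echo 'AllowZoneDrifting=no' >> "$tmp"
    cat "$tmp" > "$conf" && rm -f "$tmp"
}
```

Run `FWCMD=echo setup_blocklist_zone axisofevil roguenations roguenations6 v4.txt v6.txt` first to preview the firewall-cmd invocations before applying them as root.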