firewalld: update timeout of an ipset entry

alvarolm

Joined Apr 5, 2020
I have been trying to figure out how to update the timeout of an ipset entry, with no luck so far. When using native ipset I would simply use:

$ ipset add foo 192.168.0.5 timeout N -exist

but firewalld doesn't seem to implement this feature according to the manual (man), which is pretty useful and common.
ip2ban seems to bypass the firewalld ipset implementation and just use it natively, so I have tried that too, but with no success:

ipset creation:
$ ipset create foo hash:ip timeout 300

direct rule:
$ firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -p TCP -m multiport --dports 22,443 -m set --match-set foo src -j ACCEPT

ipset add:
$ ipset add foo 192.120.11.1

HTTPS requests and SSH connection attempts are dropped with "no route to host".
As soon as I disable firewalld I can successfully send requests and connect to SSH.

* I'm using the default zone:
public (active)
target: default
icmp-block-inversion: no
interfaces: enp0s3
sources:
services: cockpit dhcpv6-client ssh
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:

$ firewall-cmd --direct --get-all-rules
ipv4 filter INPUT 0 -p TCP -m multiport --dports 22,443 -m set --match-set foo src -j ACCEPT

What am I doing wrong? Is this possible with firewalld?

thanks in advance
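The procedure from the post, scripted as an added example (this is not the poster's code): the set is created through firewalld with a default timeout (firewall-cmd --new-ipset ... --option=timeout=...), matched from rich rules in the public zone instead of a --direct rule, and entries are added with firewall-cmd --ipset=... --add-entry=. Because firewall-cmd exposes no per-entry timeout, the refresh step falls back to ipset(8) against the kernel set; that assumes firewalld created the kernel set under the same name (foo, as in the post). The DRY_RUN switch, the validate_ipv4 check, the set name and the 192.0.2.x sample address are this example's own choices, not anything from the original post or from firewalld.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Manage a timeout ipset through firewalld, then refresh one entry's timeout
# with ipset(8), which firewall-cmd cannot do.
# Assumptions: the set is called "foo" as in the post, firewalld creates the
# kernel set under that same name, and the host has firewalld and ipset installed.
set -eu

SET_NAME="${SET_NAME:-foo}"
SET_TIMEOUT="${SET_TIMEOUT:-300}"   # default per-entry timeout (seconds)
DRY_RUN="${DRY_RUN:-0}"             # DRY_RUN=1 prints commands instead of running them

# run: execute a command, or print it when DRY_RUN=1 so the script can be
# reviewed on a machine without root or firewalld.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# validate_ipv4: accept only a dotted quad with octets 0-255. Addresses taken
# from logs must not be able to smuggle extra ipset arguments such as "-exist".
validate_ipv4() {
    ip=$1
    case "$ip" in
        *[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS
    IFS=.
    set -- $ip
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# create_timeout_ipset: define the set in the permanent config with a default
# timeout and load it. --option=timeout=N is firewalld's own ipset option.
create_timeout_ipset() {
    run firewall-cmd --permanent --new-ipset="$SET_NAME" --type=hash:ip \
        --option=timeout="$SET_TIMEOUT"
    run firewall-cmd --reload
}

# allow_from_ipset: match the set from rich rules in the public zone instead
# of a --direct rule; one rule per TCP port.
allow_from_ipset() {
    for port in "$@"; do
        run firewall-cmd --zone=public --add-rich-rule="rule family=ipv4 source ipset=$SET_NAME port port=$port protocol=tcp accept"
    done
}

# add_entry: add an address through firewalld so that firewalld knows about it
# (runtime only: --reload starts again from the empty permanent set).
add_entry() {
    validate_ipv4 "$1" || { echo "refusing bad address: $1" >&2; return 1; }
    run firewall-cmd --ipset="$SET_NAME" --add-entry="$1"
}

# refresh_entry_timeout: firewall-cmd has no per-entry timeout, so update the
# kernel set directly; -exist makes ipset reset the timeout instead of failing
# on an entry that is already present.
refresh_entry_timeout() {
    validate_ipv4 "$1" || { echo "refusing bad address: $1" >&2; return 1; }
    run ipset add "$SET_NAME" "$1" timeout "$2" -exist
}

# show_entries: the kernel view shows the remaining timeout of each entry.
show_entries() {
    run ipset list "$SET_NAME"
}

# Usage: ./ipset-timeout.sh 192.0.2.10 [more addresses]
# (192.0.2.0/24 is documentation address space, used here as constructed input)
main() {
    create_timeout_ipset
    allow_from_ipset 22 443
    for addr in "$@"; do
        add_entry "$addr"
        # extend the entry beyond the set default, as "ipset add ... timeout N -exist" does
        refresh_entry_timeout "$addr" "$((SET_TIMEOUT * 2))"
    done
    show_entries
}

if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

Run it once with DRY_RUN=1 to see the exact firewall-cmd and ipset invocations before running it as root. Entries added through --ipset=... --add-entry= live in the runtime configuration, and the per-entry refresh bypasses firewalld entirely, so after a firewall-cmd --reload the set is empty again and anything that relies on long-lived entries has to re-add them.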