firewalld --ipset questions

lightman47
Posts: 1521
Joined: 2014/05/21 20:16:00
Location: Central New York, USA

firewalld --ipset questions

Post by lightman47 » 2018/08/10 23:25:59

1. I have acquired a list of CIDR IPs for a couple of countries who like to keep trying to break in. I've created and implemented my 'networkblock' ipset. To see if it would work, I began (at the CLI) typing in entries {sudo firewall-cmd --ipset=networkblock --add-entry=1.1.9.0/24} for about 8-10 of them and then doing reloads. All was successful. The first question, after finding out that this list contains over 35000 addresses, is: Are these 35000+ addresses likely to choke my system if they are all entered? If so, then don't bother with question 2.

2. Because I am so terrible with redirection and piping, is there a simple way to redirect/pipe all these '--add-entry=' addresses from the .txt file I have containing them (one per line)? If not, I suppose I could write a script to iterate through it, but a shorter method would be appreciated.

Thank you.

EDIT ===============================

Ignore #2 - I have a script that extracts the IPs. My worry now is #1 - will ipsetting 35000+ addresses cause the system harm when I turn the script loose on my server?

Thx
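An added example (not the poster's script, and not part of the original thread) of the bulk-loading approach the question asks about. It assumes an ipset called networkblock of type hash:net attached to the built-in drop zone, and a list file with one IPv4 prefix per line; the sample list and its bad lines are constructed. The cleaning step matters because a 35000-line list pulled from the net usually carries comments, duplicates and the odd malformed entry, and a single bad line makes the whole file load fail.

```bash
#!/bin/bash
# Added example, not the poster's script: clean a CIDR list and load it into a
# firewalld ipset in one permanent operation instead of thousands of --add-entry calls.
# Assumptions: the ipset is named "networkblock", is of type hash:net, and is
# attached to the built-in "drop" zone; the list file holds one IPv4 prefix per line.
set -eu

# Keep only plausible IPv4 CIDR lines: strip comments and blank lines, trim
# whitespace, reject octets above 255 or prefix lengths above 32, append /32 to
# bare addresses, and drop duplicates. Output is sorted so two runs can be diffed.
normalize_cidr_list() {
  LC_ALL=C sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$1" \
    | LC_ALL=C grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$' \
    | awk -F/ '{
        ok = 1
        split($1, o, ".")
        for (i = 1; i <= 4; i++) if (o[i] + 0 > 255) ok = 0
        if (NF == 2 && $2 + 0 > 32) ok = 0
        if (ok) print (NF == 2 ? $0 : $0 "/32")
      }' \
    | LC_ALL=C sort -u
}

# Print the firewall-cmd sequence for a block list. It is printed rather than run
# so the plan can be reviewed on any machine; pipe it into sh on the firewall host.
# hash:net stores whole prefixes (hash:ip would expand each /24 into 256 hosts), and
# its default maxelem of 65536 leaves room for the 35000-entry list in the thread.
ipset_block_cmds() {
  name="$1"; listfile="$2"
  echo "firewall-cmd --permanent --new-ipset=$name --type=hash:net"
  echo "firewall-cmd --permanent --ipset=$name --add-entries-from-file=$listfile"
  echo "firewall-cmd --permanent --zone=drop --add-source=ipset:$name"
  echo "firewall-cmd --reload"
}

# Constructed sample input (TEST-NET ranges plus deliberately bad lines).
sample=$(mktemp)
printf '%s\n' '203.0.113.0/24' '# geo block list' '  198.51.100.0/25  ' \
  '203.0.113.0/24' '300.1.1.1' '192.0.2.9' '198.51.100.0/40' > "$sample"
clean=$(mktemp)
normalize_cidr_list "$sample" > "$clean"
echo "kept $(wc -l < "$clean") of $(wc -l < "$sample") lines"
ipset_block_cmds networkblock "$clean"
rm -f "$sample" "$clean"
```

On the "will it choke the system" question: the kernel side is the cheap part, a hash:net set with tens of thousands of prefixes is a single hash lookup per packet. What took the poster ten hours is the per-invocation cost of firewall-cmd --permanent (a D-Bus round trip and a rewrite of the ipset's permanent configuration for every entry), which --add-entries-from-file pays once.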

lightman47
Posts: 1521
Joined: 2014/05/21 20:16:00
Location: Central New York, USA

Re: firewalld --ipset questions

Post by lightman47 » 2018/08/11 21:52:09

Never mind - after seeing there was a 'remove-entry=' my impatience decided to go for it. The script is about 200 into the list currently; we'll see what happens. It ought to be interesting when it gets to the "--reload" at the bottom!

Thx.
-----------------------------
just did the math (about an hour in) - about 10 more hours to go before it gets to the reload -
having second thoughts ...

lightman47
Posts: 1521
Joined: 2014/05/21 20:16:00
Location: Central New York, USA

Re: firewalld --ipset questions

Post by lightman47 » 2018/08/14 14:32:51

Lessons learned:

No problem with the procedure. The dream was to cut down on the attempts to my system, especially from two countries that hammered me routinely. That goal was pretty much achieved. Unfortunately, the number of attempts hasn't really diminished at all - they're just now coming from mostly random other countries, some of whom I've never heard of. All in all it was a good exercise I suppose, but could be considered essentially futile.

:lol:

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: firewalld --ipset questions

Post by TrevorH » 2018/08/14 14:35:21

Might be easier to do the opposite and have an ipset containing the CIDR subnets belonging to your country.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
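An added example (not TrevorH's or the poster's commands) of the inverse policy suggested in the reply above: allow only the prefixes you expect clients from and drop every other source by default. The ipset name homenet, the zone public and the admin address 203.0.113.77 are assumptions; the allow list is constructed. The one thing that bites with this design is locking yourself out, so the example refuses to emit the commands unless the address you administer from is covered by the list.

```bash
#!/bin/bash
# Added example, not TrevorH's or the poster's commands: the inverse policy from the
# reply above. Put the prefixes you expect clients from into an ipset, classify that
# ipset into the zone that offers your services, and make "drop" the default zone so
# every other source is discarded. Assumed names: ipset "homenet", zone "public";
# the address 203.0.113.77 is a constructed stand-in for the admin's own host.
set -eu

# Exit 0 if IP ($2) falls inside any IPv4 prefix listed in file $1, else exit 1.
# Used as a lockout guard: never switch the default zone to drop unless the
# address you administer from is covered by the allow list.
cidr_covers() {
  awk -v ip="$2" '
    function toint(a,  p) { split(a, p, "."); return ((p[1]*256 + p[2])*256 + p[3])*256 + p[4] }
    BEGIN { ipn = toint(ip); found = 0 }
    /^[0-9.]+\/[0-9]+$/ {
      split($0, c, "/")
      size = 2 ^ (32 - c[2])
      base = int(toint(c[1]) / size) * size
      if (ipn >= base && ipn < base + size) { found = 1; exit }
    }
    END { exit (found ? 0 : 1) }' "$1"
}

# Print the firewall-cmd sequence; pipe it into sh on the firewall host to apply.
allowlist_cmds() {
  name="$1"; listfile="$2"; zone="$3"
  echo "firewall-cmd --permanent --new-ipset=$name --type=hash:net"
  echo "firewall-cmd --permanent --ipset=$name --add-entries-from-file=$listfile"
  # sources matching the ipset are handled by the service zone ...
  echo "firewall-cmd --permanent --zone=$zone --add-source=ipset:$name"
  # ... and anything matching no source lands in the default zone, now drop
  echo "firewall-cmd --set-default-zone=drop"
  echo "firewall-cmd --reload"
}

# Constructed sample allow list (TEST-NET prefixes) and admin address.
list=$(mktemp)
printf '%s\n' '203.0.113.0/24' '198.51.100.0/25' > "$list"
admin_ip=203.0.113.77
if cidr_covers "$list" "$admin_ip"; then
  allowlist_cmds homenet "$list" public
else
  echo "refusing: $admin_ip is not in $list, applying this would lock you out" >&2
fi
rm -f "$list"
```

Note that --set-default-zone changes both the runtime and the permanent configuration at once, so it is the step to run last, after the allow ipset has been loaded and reloaded into place; an out-of-band console or a scheduled `firewall-cmd --set-default-zone=public` fallback is cheap insurance the first time the rule set is applied.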

lightman47
Posts: 1521
Joined: 2014/05/21 20:16:00
Location: Central New York, USA

Re: firewalld --ipset questions

Post by lightman47 » 2018/08/14 15:00:43

... and yours / several others ...
heh
Actually, with more thought, you're correct. I only need to consider those who'd be accessing the services my server is running - and they'd all be "here".

Nice!
