According to Documentation - Manual Pages - firewall-cmd | firewalld, the commands below are supposed to display information about IP sets.
I successfully get a list of IP sets. But no details about any of them are displayed, contrary to the link above.
Can you please take a look and see why the last 2 commands do not work? Is this intentional? Is Fedora firewalld not built with IP set support?
# firewall-cmd --get-ipset-types
hash:ip hash:ip,mark hash:ip,port hash:ip,port,ip hash:ip,port,net hash:mac hash:net hash:net,iface hash:net,net hash:net,port hash:net,port,net
# firewall-cmd --info-ipset hash:ip
Error: INVALID_IPSET: hash:ip
# firewall-cmd --info-ipset hash:net,port,net
Error: INVALID_IPSET: hash:net,port,net
Once the above commands failed, I looked under /etc/firewalld/ipsets and /usr/lib/firewalld/ipsets but found no files other than a README in the latter, which contains “Location for built-in ipsets”. This is very confusing and needs documentation and clarification.
The argument to --info-ipset is the name of a defined ipset, which has a type of one of the types shown by --get-ipset-types.
firewall-cmd --info-ipset testmac
entries: 00:01:02:03:04:05 00:10:20:30:40:50
Indeed there are no predefined ipsets available.
You can easily define them in firewall-config: Configuration: Permanent, upper tab row, IPSets. You need to use Options / Reload Firewalld in order to have ipsets displayed in firewall-cmd without the --permanent option.
Yes, this is the nature of my question: why does --info-ipset not show information about the names of defined ipsets shown by --get-ipset-types, as demonstrated by the commands in my question?
I probably did not understand the technical lingo in your reply, me not being an expert on firewalld. Could you explain in more detail, why when I enter --info-ipset with one of the entries shown by --get-ipset-types the former throws errors and does not show corresponding information?
And what does it mean, in your reply, that
If there are no predefined ipsets available, then --get-ipset-types should not show any entries. Should it? What am I missing? It is probably the part where you have obtained the value testmac from some source unknown to me. Why is it testmac in your reply and not one of hash:ip etc.? Care to show your --get-ipset-types, so that I understand where you are coming from?
I think there is a bit of confusion.
An IPset is a named list of items, stored as XML file in /etc/firewalld/ipsets.
An IPset can store items of a given type. An example type is hash:ip. Here you can store a list of IP addresses, e.g. IP addresses of hackers trying to access your machine.
The list of possible types is obtained by firewall-cmd --get-ipset-types.
The list of available ipsets can be obtained by firewall-cmd --permanent --get-ipsets
Because there are no ipsets delivered with the system, there will be no output.
Example: you know 126.96.36.199 and 188.8.131.52 are spamming your SSH with connection attempts.
Create an ipset:
firewall-cmd --permanent --new-ipset=toblock --type=hash:ip
Add the IPs:
firewall-cmd --permanent --ipset=toblock --add-entry 184.108.40.206
firewall-cmd --permanent --ipset=toblock --add-entry 220.127.116.11
Block the IPs by adding the ipset to the block zone:
firewall-cmd --permanent --zone=block --add-source=ipset:toblock
Get the ipsets created on the system:
firewall-cmd --permanent --get-ipsets
Show the contents of the toblock ipset:
firewall-cmd --permanent --info-ipset toblock
entries: 18.104.22.168 22.214.171.124
If you want to block 126.96.36.199 and 188.8.131.52 from SSH access but allow access to e.g. the webserver, you can create an ipset with type hash:ip,port.
Instead of only the IP address, you have to enter ipaddress,22.
Hope this helps!
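As an added example (not from this thread or the firewalld project), here is the permanent ipset file firewalld keeps in /etc/firewalld/ipsets/<name>.xml for a set like toblock, built offline in Python with entry validation for the hash:ip and hash:ip,port types discussed above. The element layout is assumed from firewalld.ipset(5), and the constructed sample reuses the two addresses from the answer.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Entry validators for the two ipset types used in the thread.
# Assumption: hash:ip,port entries use firewalld's ADDRESS,PORT form
# ("ipaddress,22" in the answer above).
def _check_ip(entry: str) -> str:
    return str(ipaddress.ip_address(entry))  # ValueError if not an address

def _check_ip_port(entry: str) -> str:
    addr, _, port = entry.rpartition(",")
    if not addr or not port.isdigit() or not 0 < int(port) <= 65535:
        raise ValueError(f"expected ADDRESS,PORT, got {entry!r}")
    return f"{_check_ip(addr)},{int(port)}"

VALIDATORS = {"hash:ip": _check_ip, "hash:ip,port": _check_ip_port}

def valid_entry(ipset_type: str, entry: str) -> bool:
    """True if entry is acceptable for the given ipset type."""
    try:
        VALIDATORS[ipset_type](entry)
        return True
    except (KeyError, ValueError):
        return False

def build_ipset_xml(name: str, ipset_type: str, entries: list[str]) -> str:
    """Return the XML firewalld stores as /etc/firewalld/ipsets/<name>.xml.

    Entries are checked against the type first, so a bad entry fails here
    instead of at firewall-cmd --reload; duplicates are dropped, since a
    set holds each entry once.
    """
    if ipset_type not in VALIDATORS:
        raise ValueError(f"unsupported ipset type {ipset_type!r}")
    if not name or "/" in name:
        raise ValueError("ipset name becomes a file name; keep it simple")
    root = ET.Element("ipset", type=ipset_type)
    ET.SubElement(root, "short").text = name
    seen: set[str] = set()
    for raw in entries:
        entry = VALIDATORS[ipset_type](raw)
        if entry not in seen:
            seen.add(entry)
            ET.SubElement(root, "entry").text = entry
    body = ET.tostring(root, encoding="unicode")
    return '<?xml version="1.0" encoding="utf-8"?>\n' + body + "\n"

def ipset_entries(xml_text: str) -> list[str]:
    """Read back the entries of a stored set (what --info-ipset lists)."""
    return [e.text for e in ET.fromstring(xml_text).findall("entry")]

if __name__ == "__main__":
    # Constructed sample: the two hosts from the answer, SSH port only.
    doc = build_ipset_xml("toblock", "hash:ip,port", ["126.96.36.199,22", "188.8.131.52,22"])
    print(doc)
    print(ipset_entries(doc))
```

Dropping such a file into /etc/firewalld/ipsets and running firewall-cmd --reload is how firewalld picks up a hand-written set; the --new-ipset and --add-entry commands above write the same file for you.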
Then what is the command that outputs a list of available IP sets if --get-ipset-types is not it?
firewall-cmd --permanent --get-ipsets
Lacking ipsets in the distribution, you will get no output unless you already defined ipsets.
Ipset types are not the same as ipsets.
You can have many types of ipsets available for creation but never have actually created a single defined ipset.