Firewalld ipsets weirdness

According to Documentation - Manual Pages - firewall-cmd | firewalld the below commands are supposed to display information about IP sets.

I successfully get a list of IP sets. But no details about any of them is displayed, contrary to the link above.

Can you please take a look and see why the last 2 commands do not work? Is this intentional? Is Fedora firewalld not built with IP set support?

# firewall-cmd --get-ipset-types
hash:ip hash:ip,mark hash:ip,port hash:ip,port,ip hash:ip,port,net hash:mac hash:net hash:net,iface hash:net,net hash:net,port hash:net,port,net
# firewall-cmd --info-ipset hash:ip
Error: INVALID_IPSET: hash:ip
# firewall-cmd --info-ipset hash:net,port,net
Error: INVALID_IPSET: hash:net,port,net

Once the above commands failed, I looked under /etc/firewalld/ipsets and /usr/lib/firewalld/ipsets but found no files other than a README in the latter, which contains “Location for built-in ipsets”. This is very confusing and needs documentation and clarification.


Hi habono,

The argument to --info-ipset is the name of a defined ipset, which has a type of one of the types shown by --get-ipset-types.

firewall-cmd --info-ipset testmac
type: hash:mac
entries: 00:01:02:03:04:05 00:10:20:30:40:50

Indeed there are no predefined ipsets available.

You can easily define them in firewall-config: configuration:permanent, upper tabrow IPsets. You need to use options/reload firewalld in order to have ipsets displayed in firewall-cmd without --permanent option.

Yes, this is the nature of my question: why does --info-ipset does not show information about the names of defined ipsets shown by --get-ipset-types, as demonstrated by the code in my question.

I probably did not understand the technical lingo in your reply, me not being an expert on firewalld. Could you explain in more detail, why when I enter --info-ipset with one of the entries shown by --get-ipset-types the former throws errors and does not show corresponding information?

And what does it mean, in your reply, that

If there are no predefined ipsets available then --get-ipset-types should not show any entries. Should it? What am I missing? It is probably the part where you have obtained the value of testmac from some source unknown to me. Why in your reply it is testmac and not one of hash:ip etc? Care to show your --get-ipset-types, so that I understand where you are coming from?

I think there is a bit of confusion.

An IPset is a named list of items, stored as XML file in /etc/firewalld/ipsets.

An IPset can store items of a given type. Example type is hash:ip. Here you can store a list of ip addresses, e.g. ip addresses of hackers trying to access your machine.

The list of possible types is obtained by firewall-cmd --get-ipset-types.

The list of available ipsets can be obtained by firewall-cmd --permanent --get-ipsets
Because there are no ipsets delivered with the system, there will be no output.

Example: you know and are spamming your SSH with connection attempts.

Create a ipset:
firewall-cmd --permanent --new-ipset=toblock --type=hash:ip
Add the ip’s
firewall-cmd --permanent --ipset=toblock --add-entry
firewall-cmd --permanent --ipset=toblock --add-entry
Block the ip’s by adding the ipset to the block zone
firewall-cmd --permanent --zone-block --add-source=ipset:toblock

Get the ipsets created on the system:
firewall-cmd --permanent --get-ipsets
ipsettest toblock

Show the contents of the toblock ipset:
firewall-cmd --permanent --info-ipset toblock
type: hash:ip

If you want to block and SSH access but allow access to e.g. the webserver, you can create a ipset with type hash:ip,port.
Instead of only the ip address, you have to enter ipaddress,22

Hope this helps!

Then what is the command that outputs a list of available IP sets if --get-ipset-types is not it?

firewall-cmd --permanent --get-ipsets

Lacking ipsets in the distribution, you will get no output unless you already defined ipsets.

1 Like

Ipset types is not the same as an ipset.

You can have many types of ipsets available for creation but never have actually created a single defined ipset.