Differences

This shows you the differences between two versions of the page.

--- firewalld [2019/10/22 08:36] – [Add a direct rule] admin
+++ firewalld [2020/05/17 08:47] (current) – [IPSET] dani
@@ Line 325: / Line 325: @@
 <WRAP center round tip 60%>
-Check, if the rule in that sequence where you expect it (the sequence of rules is very important!)
+Check, if the rule in that sequence where you expect it (the sequence of rules is very important! You can use ''iptables -S'' or ''nft list ruleset'' to check this out)
 </WRAP>
@@ Line 348: / Line 348: @@
 </code>
+Description (based on ''iptables'' backend):
+<code bash>
+firewall-cmd --direct --add-rule <protocol> <table (filter, mangle, nat, ...)> <chain> <priority> <arguments> -j <action (DROP, ACCEPT, ...)>
+</code>
 ==== Remove a direct rule ====
-To remove a rich rule, the syntax is the same, except ''--remove-rule'':
+To remove a rich rule, the syntax is the same, except '' --remove-rule'':
 <code bash>
@@ Line 372: / Line 377: @@
 =====IPSET=====
+**Very important:** This procedure does not work with ''firewalld'' and ''nftables'' backend!
 To setup a blacklist using ipset, you have to follow this example:
   - If you want to add first an old (active) ''ipset'' rule, do following:<code bash>
-ipset save blockednets > blockednets.ipset
+ipset save blockednets > ipsetsavelist.ipset
-sed -e 's/^add blockednets //' blockednets.ipset | grep -Ev '^create' > blockednets
+sed -e 's/^add blockednets //' ipsetsavelist.ipset | grep -Ev '^create' > list
 </code>
   - Create the 'hash:net' ipset hash:<code bash>
@@ Line 386: / Line 393: @@
   - Optionally add additional networks:<code bash>
 firewall-cmd --permanent --ipset=blockednets --add-entry=119.6.204.0/24
-</code>
-  - Optionally check the ipset list:<code bash>
-firewall-cmd --ipset=blockednets --get-entries
 </code>
   - Shows the permanent entries in a ipset:<code bash>