Thorsten Schubert writes:
To fix this, a direct rule inside the *raw* table for matching the ipset should suffice. I did some testing this time and came up with the following:

firewall-cmd --permanent --new-ipset=test --type=hash:ip --option=family=inet
firewall-cmd --permanent --direct --add-rule ipv4 raw PREROUTING 0 -m set --match-set test src -j DROP
firewall-cmd --reload
Rather than a --reload, I reran it without the --permanent flag, since fail2ban also drops its own firewall rules on the fly.

Also, a hash:net ipset will be better, giving the option to drop an entire subnet.
_______________________________________________
users mailing list -- users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to users-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/users@xxxxxxxxxxxxxxxxxxxxxxx
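The recipe discussed in this thread, put together as an added example (this is not code from either poster nor from the firewalld project): the ipset is created as hash:net so whole subnets can be dropped, the direct rule sits in the raw table's PREROUTING chain, and entries and the rule are applied to both the runtime and the permanent configuration so that no --reload is needed after the set exists. Creating the set itself is a permanent-only operation in the firewalld versions I know, so that one step still needs a reload; anything fail2ban had inserted at runtime must then be re-applied (for instance with `fail2ban-client reload`). The set name "blocklist", the FWCMD override used for dry runs, and the example addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the original post or from the firewalld project.
# hash:net ipset + raw-table direct DROP rule via firewall-cmd, applied to both
# runtime and permanent config (no --reload once the set exists, since a reload
# would also flush rules fail2ban inserted on the fly).
# Assumptions: firewalld is running and you are root. The set name "blocklist",
# the FWCMD override and the sample addresses are constructed for illustration.
# Set FWCMD=echo to dry-run and print the commands instead of executing them.

FWCMD="${FWCMD:-firewall-cmd}"
SET="${SET:-blocklist}"

# Accept a dotted-quad IPv4 address with an optional /0-32 prefix; anything else
# is rejected before it reaches firewall-cmd. hash:net takes both forms.
valid_net() {
    case "$1" in
        */*) addr="${1%/*}"; plen="${1#*/}" ;;
        *)   addr="$1";      plen=32 ;;
    esac
    case "$plen" in ''|*[!0-9]*) return 1 ;; esac
    [ "$plen" -le 32 ] || return 1
    case "$addr" in ''|*[!0-9.]*) return 1 ;; esac
    oldifs="$IFS"; IFS=.; set -- $addr; IFS="$oldifs"
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
}

# The direct rule: match the set in the raw table's PREROUTING chain, i.e. before
# connection tracking and before firewalld's zone chains ever see the packet.
rule_args() {
    echo "ipv4 raw PREROUTING 0 -m set --match-set $SET src -j DROP"
}

# Run one firewall-cmd change twice: live now, and in the permanent config so it
# survives the next reload or reboot, without issuing the reload itself.
fw_both() {
    "$FWCMD" "$@" && "$FWCMD" --permanent "$@"
}

# Creating the set is permanent-only, so this single step does need a reload
# before runtime entries can be added. Run it once, then re-apply whatever
# fail2ban had inserted (e.g. fail2ban-client reload).
create_set() {
    "$FWCMD" --permanent --new-ipset="$SET" --type=hash:net --option=family=inet \
        && "$FWCMD" --reload
}

add_rule() {
    # shellcheck disable=SC2046
    fw_both --direct --add-rule $(rule_args)
}

# Add one host or subnet to the set, refusing malformed input up front.
block() {
    valid_net "$1" || { echo "refusing bad entry: $1" >&2; return 1; }
    fw_both --ipset="$SET" --add-entry="$1"
}

show() {
    "$FWCMD" --info-ipset="$SET"
    "$FWCMD" --direct --get-all-rules
}

if [ "${1:-}" = "setup" ]; then
    create_set && add_rule
    block 192.0.2.0/24        # constructed example subnet (TEST-NET-1)
    block 198.51.100.7        # constructed example host
    show
fi
```

Run it once as `sh blocklist.sh setup`; afterwards `block 203.0.113.0/24` style calls (or the equivalent `firewall-cmd --ipset=blocklist --add-entry=...` with and without --permanent) take effect immediately without a reload. Note that firewalld's direct interface is a legacy mechanism, so check your release's documentation before relying on it long term.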