Notes on the procedure for using ipset with firewalld

September 10, 2017 – 3:47 pm

My server currently runs on Scientific Linux 7.3 (see the update log). From this version on, ipset can work together with firewalld, which makes it easy to build a firewall that takes advantage of ipset.

In this post I note down, as a personal memo, the procedure for using ipset with firewalld.

The RHEL7 manual describes the ipset utility as follows:



Creating an ipset and registering it in the firewalld drop zone


firewall-cmd --permanent --new-ipset=blacklist --type=hash:net

This creates a blacklist.xml file in /etc/firewalld/ipsets with the following contents:


<?xml version="1.0" encoding="utf-8"?>
<ipset type="hash:net">


firewall-cmd --permanent --reload

Register several IP addresses in the ipset blacklist:

firewall-cmd --permanent --ipset=blacklist --add-entry=
firewall-cmd --permanent --ipset=blacklist --add-entry=
firewall-cmd --permanent --ipset=blacklist --add-entry=

This is reflected in the blacklist.xml file in /etc/firewalld/ipsets as follows:


<?xml version="1.0" encoding="utf-8"?>
<ipset type="hash:net">



The IP addresses listed in sample-file are registered in blacklist as follows:

firewall-cmd --permanent --ipset=blacklist --add-entries-from-file=sample-file

This is reflected in the blacklist.xml file in /etc/firewalld/ipsets as follows:


<?xml version="1.0" encoding="utf-8"?>
<ipset type="hash:net">


By registering the ipset blacklist created here in the firewalld drop zone with the following command, all addresses contained in the ipset blacklist can be blocked at once.

firewall-cmd --permanent --zone=drop --add-source=ipset:blacklist

As a result, /etc/firewalld/zones/drop.xml looks like this:


<?xml version="1.0" encoding="utf-8"?>
<zone target="DROP">
  <description>Unsolicited incoming network packets are dropped. Incoming packets that are related to outgoing network connections are accepted. Outgoing network connections are allowed.</description>
  <source ipset="blacklist"/>


firewall-cmd --reload
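The steps above as one reviewable script (an added example, not part of the original post): it cleans a raw address list into the one-entry-per-line format --add-entries-from-file expects, dropping comment and blank lines as the man page describes, rejecting malformed IPv4/CIDR entries before they reach the ipset, and then prints the post's firewall-cmd sequence followed by the post-reload checks a practitioner would want. The ipset name blacklist and zone drop come from the post; the function names and the file paths are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Assumed names: blacklist, drop.
IPSET_NAME=blacklist
ZONE=drop

# Normalise a raw list for --add-entries-from-file: drop lines that start
# with '#' or ';' and empty lines (firewall-cmd ignores those anyway), strip
# blanks, keep only well-formed IPv4 addresses or IPv4/prefix networks
# (valid hash:net entries), and deduplicate so firewall-cmd does not warn
# about entries that are already present.
clean_entries() {
    # $1: raw input file
    grep -Ev '^[[:space:]]*([#;]|$)' "$1" |
    tr -d '[:blank:]' |
    awk -F'[./]' '
        NF != 4 && NF != 5 { next }                         # a.b.c.d or a.b.c.d/n
        NF == 5 && ($5 !~ /^[0-9]+$/ || $5 > 32) { next }   # prefix length 0..32
        {
            for (i = 1; i <= 4; i++)
                if ($i !~ /^[0-9]+$/ || $i > 255) next     # each octet 0..255
            print
        }' |
    sort -u
}

# Emit the command sequence from the post as text, so it can be reviewed
# before being piped to sh, followed by checks that the binding and the
# entries really made it into the runtime configuration after the reload.
plan_commands() {
    # $1: cleaned entries file (output of clean_entries)
    printf 'firewall-cmd --permanent --new-ipset=%s --type=hash:net\n' "$IPSET_NAME"
    printf 'firewall-cmd --permanent --ipset=%s --add-entries-from-file=%s\n' "$IPSET_NAME" "$1"
    printf 'firewall-cmd --permanent --zone=%s --add-source=ipset:%s\n' "$ZONE" "$IPSET_NAME"
    printf 'firewall-cmd --reload\n'
    # verification: exit code 0 means the ipset is bound to the zone
    printf 'firewall-cmd --zone=%s --query-source=ipset:%s\n' "$ZONE" "$IPSET_NAME"
    # verification: the runtime ipset should list every cleaned entry
    printf 'firewall-cmd --ipset=%s --get-entries\n' "$IPSET_NAME"
}

# Convenience wrapper: clean $1 into $2 and print the plan for $2.
build_plan() {
    clean_entries "$1" > "$2"
    plan_commands "$2"
}
```

Run as `build_plan raw-list.txt /root/blacklist-entries.txt` to review the plan, then pipe the same output to `sh -e` to apply it; the paths are placeholders.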

I have put the relevant parts of the firewall-cmd man page below:

       firewall-cmd - firewalld command line client

       firewall-cmd [OPTIONS...]

       For sequence options, these are the options that can be specified multiple times, the exit code is 0 if there is at least one
       item that succeeded. The ALREADY_ENABLED (11), NOT_ENABLED (12) and also ZONE_ALREADY_SET (16) errors are treated as succeeded.
       If there are issues while parsing the items, then these are treated as warnings and will not change the result as long as there
       is a succeeded one. Without any succeeded item, the exit code will depend on the error codes. If there is exactly one error
       code, then this is used. If there is more than one then UNKNOWN_ERROR (254) will be used.

   General Options
       -h, --help
           Prints a short help text and exits.

       -V, --version
           Print the version string of firewalld. This option is not combinable with other options.

       -q, --quiet
           Do not print status messages.

   Status Options
           Check whether the firewalld daemon is active (i.e. running). Returns an exit code 0 if it is active, NOT_RUNNING otherwise
           (see the section called “EXIT CODES”). This will also print the state to STDOUT.

           Reload firewall rules and keep state information. Current permanent configuration will become new runtime configuration,
           i.e. all runtime only changes done until reload are lost with reload if they have not been also in permanent configuration.

           Reload firewall completely, even netfilter kernel modules. This will most likely terminate active connections, because
           state information is lost. This option should only be used in case of severe firewall problems. For example if there are
           state information problems that no connection can be established with correct firewall rules.

           Save active runtime configuration and overwrite permanent configuration with it. The way this is supposed to work is that
           when configuring firewalld you do runtime changes only and once you're happy with the configuration and you tested that it
           works the way you want, you save the configuration to disk.

           Print the log denied setting.

           Add logging rules right before reject and drop rules in the INPUT, FORWARD and OUTPUT chains for the default rules and also
           final reject and drop rules in zones for the configured link-layer packet type. The possible values are: all, unicast,
           broadcast, multicast and off. The default setting is off, which disables the logging.

           This is a runtime and permanent change and will also reload the firewall to be able to add the logging rules.

      (omitted)

   Options to Handle Bindings of Sources

       Binding a source to a zone means that the settings of this zone will be used to restrict traffic
       from this source.

       A source address or address range is either an IP address or a network IP address with a
       mask for IPv4 or IPv6 or a MAC address or an ipset with the ipset: prefix. For IPv4, the
       mask can be a network mask or a plain number. For IPv6 the mask is a plain number. The use
       of host names is not supported.

       Options in this section affect only one particular zone. If used with --zone=zone option,
       they affect the zone zone. If the option is omitted, they affect default zone (see

       For a list of predefined zones use firewall-cmd [--permanent] --get-zones.

       [--permanent] [--zone=zone] --add-source=source[/mask]|MAC|ipset:ipset
           Bind the source to zone zone. If zone is omitted, default zone will be used.

       [--zone=zone] --change-source=source[/mask]|MAC|ipset:ipset
           Change the zone the source is bound to, to zone zone. It's basically --remove-source
           followed by --add-source. If the source has not been bound to a zone before, it
           behaves like --add-source. If zone is omitted, default zone will be used.

       [--permanent] [--zone=zone] --query-source=source[/mask]|MAC|ipset:ipset
           Query whether the source is bound to the zone zone. Returns 0 if true, 1 otherwise.

       [--permanent] --remove-source=source[/mask]|MAC|ipset:ipset
           Remove binding of the source from zone it was previously added to.

   IPSet Options
       --permanent --new-ipset=ipset --type=ipset type [--option=ipset option[=value]]
           Add a new permanent and empty ipset with specifying the type and optional options.

       --permanent --new-ipset-from-file=filename [--name=ipset]
           Add a new permanent ipset from a prepared ipset file with an optional name override.

       --permanent --delete-ipset=ipset
           Delete an existing permanent ipset.

       --permanent --load-ipset-defaults=ipset
           Load ipset default settings or report NO_DEFAULTS error.

       [--permanent] --info-ipset=ipset
           Print information about the ipset ipset. The output format is:

                 type: type
                 options: option1[=value1] ..
                 entries: entry1 ..

       [--permanent] --get-ipsets
           Print predefined ipsets as a space separated list.

       --permanent --ipset=ipset --set-description=description
           Set new description to ipset

       --permanent --ipset=ipset --get-description
           Print description for ipset

       --permanent --ipset=ipset --set-short=description
           Set short description to ipset

       --permanent --ipset=ipset --get-short
           Print short description for ipset

       [--permanent] --ipset=ipset --add-entry=entry
           Add a new entry to the ipset.

       [--permanent] --ipset=ipset --remove-entry=entry
           Remove an entry from the ipset.

       [--permanent] --ipset=ipset --query-entry=entry
           Return whether the entry has been added to an ipset. Returns 0 if true, 1 otherwise.

       [--permanent] --ipset=ipset --get-entries
           List all entries of the ipset.

       [--permanent] --ipset=ipset --add-entries-from-file=filename
           Add new entries to the ipset from the file. For all entries that are listed in the file but
           already in the ipset, a warning will be printed.

           The file should contain one entry per line. Lines starting with a hash or semicolon are ignored,
           as are empty lines.

       [--permanent] --ipset=ipset --remove-entries-from-file=filename
           Remove existing entries from the ipset that are listed in the file. For all entries that are listed in the
           file but not in the ipset, a warning will be printed.

           The file should contain one entry per line. Lines starting with a hash or semicolon are ignored,
           as are empty lines.


RHEL7: How to get started with Firewalld.
