Firewalld and IPSet issue

Today I thought I’d have a play around with firewalld, specifically geoblocking.

I downloaded a a range of addresses…

cd Downloads
tar -vxzf all-zones.tar.gz

I created a new IP set called blacklist from the Firewall Applet and attempted to add entried from file. Unforunately this just causes the filewall process to ramp up to 100% and after 15 minutes I decided to kill the process.

Assuming this to be a bug I decided to add the files manually using…

firewall-cmd --permanent --ipset=blacklist --add-entries-from-file=./
firewall-cmd --permanent --ipset=blacklist --add-entries-from-file=./

This worked pretty much instantly.
Now I wanted to create a rich rule in my ‘home’ zone that would drop anything in the ipset called blacklist so I used…

Sudo firewall-cmd --permanent --zone=home --add-rich-rule='rule source ipset=blacklist drop'

sudo firewall-cmd –reload

sudo systemctl restart firewalld

To test this I used

The browser was able to access it still!

dig +short

I looked in the ipset called blacklist to see if the range was covered and it does have the entry which covers the range mentioned above.


I stil get a ping response.

I can also still access the website.

So I checked the active zones which look good…

sudo firewall-cmd --get-active-zones

interfaces: enp4s0
sources: ipset:blacklist

sudo firewall-cmd --zone=home --list-all
home (active)
target: default
icmp-block-inversion: no
interfaces: enp4s0
sources: ipset:blacklist
services: dhcpv6-client mdns samba-client ssh
forward: yes
masquerade: no
rich rules:
rule source ipset=“blacklist” drop

This is very strange. Not sure what I’ve done wrong so if anyone has any ideas please shout em my way :-).

Have you tried inverting that rule?

Hi dalto, yes, it made no difference. Just to be certain I’ll do it again and restart firewalld.

Just tested with inverted and it still lets me ping that address and access the site in the browser.

firewalld service appears to start fine

sudo journalctl -u firewalld.service

Mar 31 16:58:55 promootheus-PCL systemd[1]: firewalld.service: Consumed 2.788s CPU time.
Mar 31 16:59:07 promootheus-PCL systemd[1]: Starting firewalld - dynamic firewall daemon…
Mar 31 16:59:07 promootheus-PCL systemd[1]: Started firewalld - dynamic firewall daemon.

Just created a new rich rule for that range then restarted firewalld. Still not blocked.

Maybe its connecting through ipv6. just something to check

and if possible you could try ASN block. i am not sure firewalld supports this.

1 Like

Hi Monk, doing a ping to the IP gives a response, something I would have expected to be blocked, and it responds with an IPv4 address, as does dig, so I’m convinced I’m missing something probably obvious to everyone else.

Thanks for the tip about ASN blocks. It’s something I will make the effort to learn about, right now I’m scratching my head about the basic Rich Rule I configured above wondering what I could be missing.

Just in case anyone else has the issue where Right Clicking on the firewall-applet and selecting Change Zones of Connection give a NetworkManager error, I fixed it with…

yay -S nm-connection-editor

Looks like something was missing out-of-the-box for this bit to work.

the thing is firewalld doesn’t block any outgoing like that

see this:

1 Like

According to your post:

sudo firewall-cmd –reload

This would cause an error.

It should be:

sudo firewall-cmd --reload

Also you wrote:

firewalld service appears to start fine

sudo journalctl -u firewalld.service

That will not tell you if firewalld is in a failed state. Only that the service is running. To see that firewalld is not in a failed state:

sudo firewall-cmd --state

Also see the link @monk posted. (Click on the purple text.)

Hope this helps :slight_smile:

1 Like