Today I thought I’d have a play around with firewalld, specifically geoblocking.
I downloaded a a range of addresses…
tar -vxzf all-zones.tar.gz
I created a new IP set called blacklist from the Firewall Applet and attempted to add entried from file. Unforunately this just causes the filewall process to ramp up to 100% and after 15 minutes I decided to kill the process.
Assuming this to be a bug I decided to add the files manually using…
firewall-cmd --permanent --ipset=blacklist --add-entries-from-file=./cn.zone
firewall-cmd --permanent --ipset=blacklist --add-entries-from-file=./ru.zone
This worked pretty much instantly.
Now I wanted to create a rich rule in my ‘home’ zone that would drop anything in the ipset called blacklist so I used…
Sudo firewall-cmd --permanent --zone=home --add-rich-rule='rule source ipset=blacklist drop'
sudo firewall-cmd –reload
sudo systemctl restart firewalld
To test this I used www.chinadaily.com.cn
The browser was able to access it still!
dig www.chinadaily.com.cn +short
I looked in the ipset called blacklist to see if the range was covered and it does have the entry 184.108.40.206/23 which covers the range mentioned above.
I stil get a ping response.
I can also still access the website.
So I checked the active zones which look good…
sudo firewall-cmd --get-active-zones
sudo firewall-cmd --zone=home --list-all
services: dhcpv6-client mdns samba-client ssh
rule source ipset=“blacklist” drop
This is very strange. Not sure what I’ve done wrong so if anyone has any ideas please shout em my way :-).