My server runs CentOS 8, installed fairly recently (~1 year ago).
After trying to ban an IP:
firewall-cmd --permanent --zone=extz --add-rich-rule='rule family="ipv4" source address="49.88.112.70" drop'
My system seems to be corrupt:
# firewall-cmd --reload
Error: COMMAND_FAILED: Direct: '/usr/sbin/iptables-restore -w -n' failed: iptables-restore v1.4.21: Set blacklist doesn't exist.
Error occurred at line: 2
Try `iptables-restore -h' or 'iptables-restore --help' for more information.
But restarting the service works without error messages:
# systemctl restart firewalld
I would like (besides understanding what happened):
- either to restore the old situation (a --remove-rich-rule does not seem to be enough),
- or to make the banning method work (somehow add a set with ipset?).
As documented here we create the blacklist set:

As pointed out by @MichaelHampto in the comments, the error probably arises from a previous (partial) attempt to reach the same goal (to block IPs); something like the following: drop ip blacklist with firewalld centos 7
The solution to the error should be correct, but it is not related to the rich rules.
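The "Set blacklist doesn't exist" message comes from the direct-rule pass of the reload (the `Direct:` prefix in the error), not from the rich rule: a permanent direct rule in /etc/firewalld/direct.xml still references an ipset via `-m set --match-set blacklist src`, while no permanent ipset of that name exists any more. The script below is an added example, not code from the question or the answer; it parses a constructed direct.xml (modelled on the real file's format) against a constructed list of configured ipsets, reports every set a direct rule references that is not configured, and prints the two firewall-cmd fixes (remove the stale direct rule, or create the missing set and put the address in it). The sample XML, the configured-set list and the rule text are assumptions chosen to reproduce the error in the question.

```shell
#!/bin/sh
# Added example: find ipsets referenced by firewalld direct rules that do not
# exist as permanent ipsets. Such a reference makes "firewall-cmd --reload"
# fail with "iptables-restore ... Set <name> doesn't exist".

# Constructed stand-in for /etc/firewalld/direct.xml (format as firewalld writes it).
DIRECT_XML='<?xml version="1.0" encoding="utf-8"?>
<direct>
  <rule priority="0" table="filter" ipv="ipv4" chain="INPUT">-m set --match-set blacklist src -j DROP</rule>
  <rule priority="0" table="filter" ipv="ipv4" chain="INPUT">-m set --match-set trusted src -j ACCEPT</rule>
</direct>'

# Constructed stand-in for the output of: firewall-cmd --permanent --get-ipsets
CONFIGURED_IPSETS='trusted'

# Print each ipset name that appears after "--match-set" in the XML, one per line.
referenced_sets() {
    printf '%s\n' "$1" \
        | sed -n 's/.*--match-set[[:space:]]\{1,\}\([^[:space:]]*\).*/\1/p' \
        | sort -u
}

# Return 0 if word $1 is in the whitespace-separated list $2.
in_list() {
    for item in $2; do
        [ "$item" = "$1" ] && return 0
    done
    return 1
}

# Print the referenced set names ($1 = XML) that are not in the configured list ($2).
missing_sets() {
    referenced_sets "$1" | while IFS= read -r name; do
        if ! in_list "$name" "$2"; then
            printf '%s\n' "$name"
        fi
    done
    return 0
}

# Print the firewall-cmd commands that resolve a missing set $1.
# $2 is an address to ban through the set (only used for the "create" option).
fix_commands() {
    printf '# Option A: drop the stale direct rule that references %s\n' "$1"
    printf 'firewall-cmd --permanent --direct --remove-rule ipv4 filter INPUT 0 -m set --match-set %s src -j DROP\n' "$1"
    printf '# Option B: create the set, add the address, and block it from a zone\n'
    printf 'firewall-cmd --permanent --new-ipset=%s --type=hash:ip\n' "$1"
    printf 'firewall-cmd --permanent --ipset=%s --add-entry=%s\n' "$1" "$2"
    printf 'firewall-cmd --permanent --zone=drop --add-source=ipset:%s\n' "$1"
    printf 'firewall-cmd --reload\n'
}

# Stand-alone run: on a real host replace the two constructed inputs with
#   DIRECT_XML=$(cat /etc/firewalld/direct.xml)
#   CONFIGURED_IPSETS=$(firewall-cmd --permanent --get-ipsets)
for name in $(missing_sets "$DIRECT_XML" "$CONFIGURED_IPSETS"); do
    printf 'direct rule references undefined ipset: %s\n' "$name"
    fix_commands "$name" 49.88.112.70
done
```

Option A restores the pre-blacklist state, after which the plain rich rule from the question (source address drop) works on its own; option B keeps the set-based approach, where the ban list lives in the ipset and a single zone source (`ipset:blacklist`) or a rich rule with `source ipset="blacklist"` does the dropping. Check `firewall-cmd --permanent --direct --get-all-rules` before removing anything, since the rule text must match exactly.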