On 10/3/2016 11:58 PM, Nick Howitt wrote:

> I don't use firewalld, but can someone please post the command to show
> the relevant firewalld rule? The OP has established the ipset set is
> being written to so the next piece in the chain is to establish if the
> firewalld rule is there. If it is not then he can go searching the logs
> and do more troubleshooting.
I'm just starting to learn firewalld, so here's a brain dump of what I know so far.

The persistent state of firewalld can be found in /etc/firewalld.

Realize that firewalld is a front-end to netfilter, the kernel part of iptables. (You can also install the iptables user space tools in order to review the netfilter tables that firewalld creates.) When we say "iptables", what we really mean is the text representation of the netfilter tables. This means you can use "iptables -L" or "iptables-save" to view the current state of the filter.

The advantage of firewalld is that it allows a higher-level management of netfilter that doesn't require dumping and reloading the whole filter, which means that existing connections on a busy server don't get disrupted when the filter changes.

BTW, when using fail2ban with CentOS 5 and 6, I would install a fail2ban-root chain in the INPUT chain and then hang all fail2ban sub-chains from that. That made my filter cleaner as it didn't disrupt my hand-crafted rules in INPUT. firewalld is similar in that it creates a bunch of sub-chains to implement its wealth of rule sets.

_______________________________________________
Fail2ban-users mailing list
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
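As an added example (not from either poster), one way to do the check Nick asks for from an "iptables-save" dump: confirm that some rule matches against the ipset set, and that the chain holding that rule is actually reachable from INPUT through the sub-chains firewalld and fail2ban create. The dump below is constructed, and the set name f2b-sshd and chain layout are assumptions for illustration only.

```shell
#!/bin/sh
# Constructed sample in the shape of `iptables-save` output (not captured from a real host).
# The set name f2b-sshd and the chain layout are assumptions for illustration only.
SAMPLE_DUMP='*filter
:INPUT ACCEPT [0:0]
:INPUT_direct - [0:0]
:f2b-sshd - [0:0]
-A INPUT -j INPUT_direct
-A INPUT_direct -p tcp -m tcp --dport 22 -j f2b-sshd
-A f2b-sshd -m set --match-set f2b-sshd src -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -j RETURN
COMMIT'

# Print each chain that has a rule matching against ipset set $1 (dump on stdin).
chains_using_set() {
    awk -v set="$1" '$1 == "-A" {
        for (i = 3; i <= NF; i++)
            if ($i == "--match-set" && $(i + 1) == set) { print $2; break }
    }'
}

# Return 0 if chain $2 can be reached from chain $1 by following -j/-g targets (dump on stdin).
# A rule that exists but hangs off an unreferenced chain never sees any traffic.
chain_reachable_from() {
    awk -v start="$1" -v want="$2" '
    $1 == "-A" {
        for (i = 3; i <= NF; i++)
            if ($i == "-j" || $i == "-g") { adj[$2] = adj[$2] " " $(i + 1); break }
    }
    END {
        queue[1] = start; n = 1; seen[start] = 1; found = 0
        for (q = 1; q <= n && !found; q++) {
            if (queue[q] == want) found = 1
            m = split(adj[queue[q]], nbr, " ")
            for (k = 1; k <= m; k++)
                if (!seen[nbr[k]]) { seen[nbr[k]] = 1; queue[++n] = nbr[k] }
        }
        exit (found ? 0 : 1)
    }'
}

# Combine both checks: the set must be referenced, and that chain must be live from INPUT.
# Real usage on a host: iptables-save | verify_set_rule f2b-sshd
verify_set_rule() {
    dump=$(cat)
    chain=$(printf '%s\n' "$dump" | chains_using_set "$1" | head -n 1)
    [ -n "$chain" ] || return 1
    printf '%s\n' "$dump" | chain_reachable_from INPUT "$chain"
}
```

If the set is populated but this check fails, the missing piece is the rule (or the jump into its chain), not ipset, which is exactly the point Nick wanted established before digging through logs.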
