Hi All - I created a /etc/firewalld/direct.xml file and put in it:

<?xml version="1.0" encoding="utf-8"?>
<direct>
  <chain ipv="ipv4" table="raw" chain="blacklist"/>
  <rule ipv="ipv4" table="raw" chain="PREROUTING" priority="0">-s 192.168.1.8 -j blacklist</rule>
</direct>
I rebooted, so then from the 192.168.1.8 machine I tried to ping the
machine. It responds.
I was expecting it not to respond?
What do I not have right with the direct.xml file?
Thanks
Jerry
It looks like it does work - it just takes a REAL long time to load with "many" entries in the file. iptables was never slow. firewalld seems inefficient.

I was able to add the line - restart the firewall (wait) - see my packets dropped - remove the line - restart the firewall (wait) and able to ping again.

I thought this "Direct.xml" file would be the fastest way for firewalld - but there is a multi-minute wait to restart. I have about 14000 entries.

Jerry
On 24/03/2020 18:26, Jerry Geis wrote:
> it looks like it does work - it just takes a REAL long time to load with
> "many" entries in the file.
> iptables was never slow. firewalld seems inefficient.
>
> I was able to add the line - restart the firewall, (wait) - see my packets
> dropped - remove the line -
> restart the firewall (wait) and able to ping again.
>
> I thought this "Direct.xml" file would be the fastest way for firewalld -
> but there is multi-minute wait to restart. I have about 14000 entries.

I would think ipset would be a more suitable tool for the task in hand, which can do the task instantly if you create and update a copy of your set and then swap the sets.
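The set-swap approach suggested above, as an added example that is not part of the thread: a POSIX shell script that turns a blocklist into an ipset restore script, validates each address, loads it into a spare set and swaps it with the live one, so updating 14000 entries needs no firewalld reload. The set names, the blocklist format and the sample addresses are assumptions made here; the firewalld direct rule shown in a comment is the one-time replacement for the per-address rules in direct.xml.

```shell
# Added example (not from the thread): keep a large source blocklist in an
# ipset and swap it in atomically, so updates need no firewalld reload.
# Set names, blocklist format and sample addresses are assumptions made here.
SET_NAME=blacklist
TMP_SET=${SET_NAME}_new
SET_TYPE='hash:ip family inet maxelem 65536'   # swap needs identical types

# Strict IPv4 check: four digit-only octets, each 0..255, no stray dots.
valid_ipv4() {
    case $1 in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ -n "$octet" ] && [ "$octet" -le 255 ] || return 1
    done
}

# Blocklist on stdin (one address per line, '#' comments, blank lines) to an
# "ipset restore" script; malformed lines are reported and skipped.
build_restore_script() {
    printf 'create %s %s\n' "$TMP_SET" "$SET_TYPE"
    while read -r ip rest || [ -n "$ip" ]; do
        ip=${ip%%#*}
        [ -z "$ip" ] && continue
        if valid_ipv4 "$ip"; then printf 'add %s %s\n' "$TMP_SET" "$ip"
        else printf 'skipping malformed entry: %s\n' "$ip" >&2; fi
    done
}

# Load the script from stdin into the spare set, then swap it with the live
# one. A single direct rule keeps matching "$SET_NAME" throughout, e.g.
#   firewall-cmd --permanent --direct --add-rule ipv4 raw PREROUTING 0 \
#       -m set --match-set blacklist src -j DROP
swap_in_blocklist() {
    ipset -exist create "$SET_NAME" $SET_TYPE
    ipset destroy "$TMP_SET" 2>/dev/null || true
    ipset restore
    ipset swap "$TMP_SET" "$SET_NAME"
    ipset destroy "$TMP_SET"
}
# Constructed sample blocklist, including lines the parser must skip.
SAMPLE='192.168.1.8
10.0.0.7   # trailing comment
300.1.1.1
10.0.0.9'
if [ "$(id -u)" -eq 0 ] && command -v ipset >/dev/null 2>&1; then
    printf '%s\n' "$SAMPLE" | build_restore_script | swap_in_blocklist
else
    printf '%s\n' "$SAMPLE" | build_restore_script   # dry run: print it
fi
```

Without root or ipset the script only prints the restore script it would load; as root it performs the swap, and the DROP rule in the comment is installed once beforehand.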