
My server uses CentOS 8, quite recently installed (~1 year).

After trying to ban an IP:

firewall-cmd --permanent --zone=extz --add-rich-rule='rule family="ipv4" source address="49.88.112.70" drop'

My system seems to be corrupt:

# firewall-cmd --reload
Error: COMMAND_FAILED: Direct: '/usr/sbin/iptables-restore -w -n' failed: iptables-restore v1.4.21: Set blacklist doesn't exist.

Error occurred at line: 2
Try `iptables-restore -h' or 'iptables-restore --help' for more information.

But the restart of the service works without error messages:

# systemctl restart firewalld

I would like (besides understanding what happened)

  1. either to restore the old situation (a --remove-rich-rule does not seem to be enough)
  2. or to make the banning method work (somehow add a set with ipset?)
PeptideChain

1 Answer

As documented here we create the blacklist set:

# sudo yum install ipset # was already installed
# sudo ipset create blacklist hash:ip hashsize 4096
# firewall-cmd --reload
success

As pointed out by @MichaelHampton in the comments, the error probably arises from a previous (partial) attempt to reach the same goal (to block IPs); something like the following: drop ip blacklist with firewalld centos 7

The fix for the error should be correct, but it is not related to the rich rules.

PeptideChain
  • Hmm. The rich rule you referred to doesn't create or reference an ipset `blacklist` (or any ipset). Likely the problem is elsewhere, and only showed up when you reloaded firewalld. – Michael Hampton Jun 14 '20 at 15:25
  • @MichaelHampton, I probably tried something else before using the rich rules to reach the same goal. I edit the answer. – PeptideChain Jun 14 '20 at 15:36
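The error in the question comes from firewalld's direct rules ("Direct: '/usr/sbin/iptables-restore -w -n' failed"), which reference an ipset that no longer exists on the host. The following shell function is an added example, not part of the question or answer above: it takes rules in iptables-restore syntax and the list of existing set names, and prints every set a rule matches on that is absent. The sample rules and set names are constructed for the example; the chain name INPUT_direct and the set name "office" are assumptions.

```bash
#!/bin/sh
# Added example (not from the original post): report ipset names that
# firewall rules reference via "-m set --match-set NAME" but that do not
# exist on the host. That mismatch is what produces
# "iptables-restore: Set blacklist doesn't exist" on firewall-cmd --reload.
#
# $1 = rules in iptables-restore syntax (one rule per line)
# $2 = existing set names, one per line, as `ipset list -n` prints them
missing_ipsets() {
    rules="$1"
    existing="$2"
    # Pull out every "--match-set NAME" occurrence; NAME is the second token.
    printf '%s\n' "$rules" \
      | grep -o -- '--match-set [^ ]*' \
      | awk '{print $2}' \
      | sort -u \
      | while read -r name; do
            # Print the name only if it is not in the list of existing sets.
            printf '%s\n' "$existing" | grep -qx -- "$name" \
              || printf '%s\n' "$name"
        done
}

# Constructed sample input: one direct rule like the "drop ip blacklist"
# recipe adds, plus a second rule that references a set which does exist.
SAMPLE_RULES='*filter
-A INPUT_direct -m set --match-set blacklist src -j DROP
-A INPUT_direct -m set --match-set office src -j ACCEPT
COMMIT'
SAMPLE_SETS='office'

missing_ipsets "$SAMPLE_RULES" "$SAMPLE_SETS"   # prints: blacklist
```

On a live host the two inputs are `firewall-cmd --direct --get-all-rules` (its lines also carry the `--match-set NAME` token) and `ipset list -n`. A set the function reports is either one to create, as the answer does with `ipset create`, or a leftover direct rule to remove with `firewall-cmd --permanent --direct --remove-rule`. Note that firewalld can also manage the set itself (`firewall-cmd --permanent --new-ipset=blacklist --type=hash:ip`, then `--ipset=blacklist --add-entry=...` and `--zone=extz --add-source=ipset:blacklist`), which keeps the set and the rule under one configuration and avoids this class of mismatch after a reload.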