
I'd like to set up the following logic using firewalld

  1. When a host attempts to access the server from the internet on port 22:
    1. DROP and
    2. add their IP to an ipset called "trap" (with 24 hour timeout)
  2. When a host whose IP is on the "trap" list attempts to connect to any port: DROP.

I've read many doc pages but can't see how to implement 1.2 above.

artfulrobot

1 Answer


firewalld supports ipsets and you specify the 24 hour timeout (86400 seconds) when setting up that ipset:

firewall-cmd --permanent --new-ipset=trap --type=hash:ip --option=timeout=86400
firewall-cmd --reload

In native net-filter / iptables the logic and ordering of the necessary rules would be:

# Block all traffic from IP-addresses in the trap ipset 
# (with REJECT to facilitate debugging) 

iptables -I INPUT 1 -m set  --match-set trap src -j REJECT 

# Add all IP-addresses that connect to TCP port 22 to the trap ipset
# (SET is a target, so --add-set and --timeout are options of -j SET;
#  the --timeout value is only necessary when different from the default for the ipset)

iptables -I INPUT 2 -p tcp -m tcp --dport 22 -j SET --add-set trap src --timeout 86400

# Reject access to TCP port 22 for everybody

iptables -I INPUT 3 -p tcp -m tcp --dport 22 -j REJECT

Translating that to native firewalld / firewall-cmd rules/structures is a bit beyond me at the moment, but adding the rules 1 & 2 as direct rules should be easy enough.

You should be able to display the entries in the trap list with:

firewall-cmd --permanent --ipset=trap --get-entries
HBruijn
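The direct-rule translation the answer leaves open, as an added example (not the answer's own code): the three iptables rules above expressed as firewalld direct rules in the order they must be evaluated. It assumes the ipset "trap" already exists as created by the answer's --new-ipset command, and MGMT_CIDR is a placeholder for a source range that must never be trapped.

```shell
#!/bin/sh
# Added example: firewalld direct rules for the trap logic described above.
# Assumptions: the ipset "trap" exists (firewall-cmd --permanent --new-ipset=trap
# --type=hash:ip --option=timeout=86400), and MGMT_CIDR is a placeholder range
# that is exempted so an administrator probing port 22 is not locked out.
MGMT_CIDR="${MGMT_CIDR:-192.0.2.0/24}"   # placeholder, RFC 5737 documentation range

# Emit the firewall-cmd invocations, one per line. Direct rules carry a
# priority argument (0, 1, 2 here); lower priorities are evaluated first.
trap_rules() {
    set_name="$1"
    # 1. Anything already in the trap set is rejected on every port.
    echo "firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0" \
         "-m set --match-set $set_name src -j REJECT"
    # 2. Untrusted sources touching TCP/22 are recorded in the set (24h timeout).
    #    SET is a target (-j SET); --add-set and --timeout are its options.
    echo "firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 1" \
         "! -s $MGMT_CIDR -p tcp --dport 22 -j SET --add-set $set_name src --timeout 86400"
    # 3. The SSH attempt itself is rejected; exempt sources fall through to zone rules.
    echo "firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 2" \
         "! -s $MGMT_CIDR -p tcp --dport 22 -j REJECT"
    # Permanent direct rules only take effect after a reload.
    echo "firewall-cmd --reload"
}

# Apply the rules (requires root and a running firewalld); stop at the first failure.
trap_apply() {
    trap_rules "$1" | while IFS= read -r cmd; do
        echo "+ $cmd"
        eval "$cmd" || exit 1
    done
}

# Entries added by the kernel SET target are visible with ipset(8);
# firewall-cmd --ipset=trap --get-entries only lists entries firewalld added itself.
trap_show() {
    ipset list "$1"
}

# Usage: sh trap.sh           # print the commands
#        sh trap.sh --apply   # run them
case "${1:-}" in
    --apply) trap_apply trap ;;
    *)       trap_rules trap ;;
esac
```

Run it once without --apply and review the printed commands before applying them on a host you administer over SSH.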