Remove unused firewall-cmd commands and create ipsets using ipset com…

…mand
NethServer · Mar 19, 2024 · 9852021 · 9852021
1 parent 97968c4
commit 9852021
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 8 deletions.
diff --git a/imageroot/actions/destroy-module/60remove-firewalld-configuration b/imageroot/actions/destroy-module/60remove-firewalld-configuration
@@ -8,8 +8,8 @@
 exec 1>&2 # Send any output to stderr, to not alter the action response protocol
 
 echo "Remove ipset firewall rules"
-firewall-cmd --permanent --delete-ipset=crowdsec6-blacklists
-firewall-cmd --permanent --delete-ipset=crowdsec-blacklists
+#firewall-cmd --permanent --delete-ipset=crowdsec6-blacklists
+#firewall-cmd --permanent --delete-ipset=crowdsec-blacklists
 firewall-cmd --permanent --zone=public --remove-rich-rule='rule family="ipv4" source ipset="crowdsec-blacklists" drop'
 firewall-cmd --permanent --zone=public --remove-rich-rule='rule family="ipv6" source ipset="crowdsec6-blacklists" drop'
 # remove our systemd unit override fragment

diff --git a/imageroot/bin/firewall-rules b/imageroot/bin/firewall-rules
@@ -7,14 +7,16 @@
 
 action=$1
 if [[ $action == 'create-ipset' ]]; then
-    if [[ ! -f /etc/firewalld/ipsets/crowdsec-blacklists.xml ]]; then
-        firewall-cmd --permanent --new-ipset=crowdsec-blacklists --type=hash:ip --option="timeout=0" --option="maxelem=150000"
+    #if [[ ! -f /etc/firewalld/ipsets/crowdsec-blacklists.xml ]]; then
+        #firewall-cmd --permanent --new-ipset=crowdsec-blacklists --type=hash:ip --option="timeout=0" --option="maxelem=150000"
+        ipset create crowdsec-blacklists hash:ip timeout 0 maxelem 150000
         firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source ipset="crowdsec-blacklists" drop'
-    fi
-    if [[ ! -f  /etc/firewalld/ipsets/crowdsec6-blacklists.xml ]]; then
-        firewall-cmd --permanent --new-ipset=crowdsec6-blacklists --option=family=inet6 --type=hash:ip --option="timeout=0" --option="maxelem=150000"
+    #fi
+    #if [[ ! -f  /etc/firewalld/ipsets/crowdsec6-blacklists.xml ]]; then
+        #firewall-cmd --permanent --new-ipset=crowdsec6-blacklists --option=family=inet6 --type=hash:ip --option="timeout=0" --option="maxelem=150000"
+        ipset create crowdsec-blacklists6 hash:ip family inet6 timeout 0 maxelem 150000
         firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv6" source ipset="crowdsec6-blacklists" drop'
-    fi
+    #fi
     firewall-cmd --reload
 fi
 # elif [[ $action == 'add-rule' ]]; then