Update firewall rules for crowdsec-blacklists and crowdsec6-blacklists

NethServer · Mar 19, 2024 · 6fbf080 · 6fbf080
1 parent 5beecb1
commit 6fbf080
Show file tree

Hide file tree

Showing 3 changed files with 15 additions and 11 deletions.
diff --git a/imageroot/actions/create-module/50start-bouncer b/imageroot/actions/create-module/50start-bouncer
@@ -19,8 +19,8 @@ After=${MODULE_ID}.service
 Restart=always
 ExecStartPre=
 ExecStartPre=runagent -m ${MODULE_ID} firewall-rules create-ipset
-ExecStartPre=runagent -m ${MODULE_ID} firewall-rules add-rule
-ExecStopPost=runagent -m ${MODULE_ID} firewall-rules remove-rule
+#ExecStartPre=runagent -m ${MODULE_ID} firewall-rules add-rule
+#ExecStopPost=runagent -m ${MODULE_ID} firewall-rules remove-rule
 EOF
 mkdir -vp /etc/systemd/system/crowdsec-firewall-bouncer.service.d/
 install -v -m 644 "${tmpfile}" "/etc/systemd/system/crowdsec-firewall-bouncer.service.d/${MODULE_ID}-override.conf"

diff --git a/imageroot/actions/destroy-module/60remove-firewalld-configuration b/imageroot/actions/destroy-module/60remove-firewalld-configuration
@@ -10,7 +10,8 @@ exec 1>&2 # Send any output to stderr, to not alter the action response protocol
 echo "Remove ipset firewall rules"
 firewall-cmd --permanent --delete-ipset=crowdsec6-blacklists
 firewall-cmd --permanent --delete-ipset=crowdsec-blacklists
-
+firewall-cmd --permanent --remove-rich-rule='rule family="ipv4" source ipset="crowdsec-blacklists" drop'
+firewall-cmd --permanent --remove-rich-rule='rule family="ipv6" source ipset="crowdsec6-blacklists" drop'
 # remove our systemd unit override fragment
 rm -rvf "/etc/systemd/system/crowdsec-firewall-bouncer.service.d"
 systemctl daemon-reload

diff --git a/imageroot/bin/firewall-rules b/imageroot/bin/firewall-rules
@@ -9,17 +9,20 @@ action=$1
 if [[ $action == 'create-ipset' ]]; then
     if [[ ! -f /etc/firewalld/ipsets/crowdsec-blacklists.xml ]]; then
         firewall-cmd --permanent --new-ipset=crowdsec-blacklists --type=hash:ip --option="timeout=0" --option="maxelem=150000"
+        firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source ipset="crowdsec-blacklists" drop'
     fi
     if [[ ! -f  /etc/firewalld/ipsets/crowdsec6-blacklists.xml ]]; then
         firewall-cmd --permanent --new-ipset=crowdsec6-blacklists --option=family=inet6 --type=hash:ip --option="timeout=0" --option="maxelem=150000"
+        firewall-cmd --permanent --add-rich-rule='rule family="ipv6" source ipset="crowdsec6-blacklists" drop'
     fi
     firewall-cmd --reload
-elif [[ $action == 'add-rule' ]]; then
-    firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -p all -m set --match-set crowdsec-blacklists src -j DROP
-    firewall-cmd --direct --add-rule ipv6 filter INPUT 0 -p all -m set --match-set crowdsec6-blacklists src -j DROP
-elif [[ $action == 'remove-rule' ]]; then
-    firewall-cmd --direct --remove-rule ipv4 filter INPUT 0  -p all -m set --match-set crowdsec-blacklists src -j DROP
-    firewall-cmd --direct --remove-rule ipv6 filter INPUT 0  -p all -m set --match-set crowdsec6-blacklists src -j DROP
-else
-        echo 'No actions to do in firewall for crowdsec-firewall-bouncer.service'
 fi
+# elif [[ $action == 'add-rule' ]]; then
+#     firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -p all -m set --match-set crowdsec-blacklists src -j DROP
+#     firewall-cmd --direct --add-rule ipv6 filter INPUT 0 -p all -m set --match-set crowdsec6-blacklists src -j DROP
+# elif [[ $action == 'remove-rule' ]]; then
+#     firewall-cmd --direct --remove-rule ipv4 filter INPUT 0  -p all -m set --match-set crowdsec-blacklists src -j DROP
+#     firewall-cmd --direct --remove-rule ipv6 filter INPUT 0  -p all -m set --match-set crowdsec6-blacklists src -j DROP
+# else
+#         echo 'No actions to do in firewall for crowdsec-firewall-bouncer.service'
+# fi