Just to update: the reboot went badly but for a different reason. It
appears the match rule resulting from the ipset was applied before any
other rules including a specific rule to allow me to ssh to the machine -
so I locked myself out. It's a hosted VM and I have no console access so
had to get the friend that hosts it to bail me out.

I'm trying a different approach: GeoIP. Following a few sets of
instructions I got xt-geoip installed; it shows up in lsmod and modinfo.
There are warnings in the logs, but several posts suggest they aren't
significant:

    xt_geoip: loading out-of-tree module taints kernel
    xt_geoip: module verification failed: signature and/or required key missing - tainting kernel

The database is present in the directory specified (GEOIPDIR).

However: shorewall still complains there is no GeoIP support in the kernel
(confirmed by shorewall show capabilities). I do not currently have any
/etc/shorewall/capabilities file. If I do the following:
    iptables -t filter -I Dirty2Fwall 8 -m geoip --src-cc CN -j DROP
I get a different error, "Could not open /usr/share/xt_geoip/LE/CN.iv4", which
is true; I have to sort out why the country files weren't unpacked properly,
but at least iptables didn't object to the geoip match.

Is shorewall just checking the base kernel capabilities without reference
to loaded modules? Could I fix that by creating and altering a capabilities
file?


On Tue, Apr 14, 2020 at 4:34 PM Tom Eastep <teas...@shorewall.net> wrote:

> On 4/14/20 3:54 AM, Norman Henderson wrote:
> > Thank you Erich, that was the step I missed: dynamic zone. It's working
> > OK across shorewall stop/start, I will have to wait until tonight to try
> > a reboot.
> >
> > Tom, I have gone back to SAVE_IPSETS=Yes in shorewall.conf rather than
> > using the shorewall-init feature. Is there a reason to use one rather
> > than the other?
>
> If you use an ipset in /etc/shorewall[6]/stoppedrules, then you must use
> shorewall-init. Other than that, it is your choice.
>
> >
> > Also, is it OK to add entries using ipset add, which seems to be a lot
> > faster than shorewall add ?
>
> Absolutely.
>
> -Tom
> --
> Tom Eastep        \ Q: What do you get when you cross a mobster
> Shoreline,         \    with an international standard?
> Washington, USA     \ A: Someone who makes you an offer you
> http://shorewall.org \    can't understand
>                       \________________________________________
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
>
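An added shell example, written here for this page and not taken from the thread or from the Shorewall or xtables-addons projects. It addresses the two problems described in the post above: a DROP rule landing ahead of the SSH allow rule and locking the administrator out, and a geoip rule failing because iptables cannot open the per-country file. It assumes the database layout seen in the quoted error (`$GEOIPDIR/LE/CC.iv4`, with the flat `$GEOIPDIR/CC.iv4` layout of newer xtables-addons releases checked as well); the chain name `Dirty2Fwall`, the admin source address and the country codes are placeholders. Nothing here runs iptables for you: it prints the planned commands so they can be reviewed before being applied.

```shell
#!/bin/sh
# Added example, not from the original post or from Shorewall/xtables-addons.
# Checks that the xt_geoip country files exist before emitting geoip rules,
# and emits the SSH allow rule ahead of every country DROP so a bad rule
# order cannot lock the administrator out of a console-less VM.

# Assumed default database location; older xtables-addons releases keep the
# files under LE/ and BE/ subdirectories, newer ones flat in the directory.
GEOIPDIR="${GEOIPDIR:-/usr/share/xt_geoip}"

# Print, one per line, the country codes from "$@" that have no .iv4 file
# under directory $1 in either layout. Returns 1 if any is missing.
missing_country_files() {
    dir="$1"; shift
    rc=0
    for cc in "$@"; do
        if [ ! -f "$dir/LE/$cc.iv4" ] && [ ! -f "$dir/$cc.iv4" ]; then
            echo "$cc"
            rc=1
        fi
    done
    return $rc
}

# Non-destructive probe of the match itself: the module is loaded and
# iptables can load its userspace extension (no rule is inserted).
geoip_match_available() {
    lsmod | grep -q '^xt_geoip ' && iptables -m geoip --help >/dev/null 2>&1
}

# Emit (do not run) the iptables commands for chain $1: an ACCEPT for SSH
# from the admin address $2 at position 1, then one geoip DROP per country
# code in the remaining arguments at positions 2, 3, ... Explicit -I indexes
# keep the DROPs behind the ACCEPT instead of at the head of the chain.
emit_rules() {
    chain="$1"; admin_src="$2"; shift 2
    echo "iptables -t filter -I $chain 1 -s $admin_src -p tcp --dport 22 -j ACCEPT"
    n=2
    for cc in "$@"; do
        echo "iptables -t filter -I $chain $n -m geoip --src-cc $cc -j DROP"
        n=$((n + 1))
    done
}

# Plan the change for database dir $1, chain $2, admin address $3 and
# country codes $4...: refuse to emit anything while a country file is
# missing, since 'iptables ... -m geoip --src-cc XX' fails with
# "Could not open .../XX.iv4" and would leave the chain half-configured.
plan_geoip_block() {
    dir="$1"; chain="$2"; admin_src="$3"; shift 3
    if missing=$(missing_country_files "$dir" "$@"); then
        emit_rules "$chain" "$admin_src" "$@"
    else
        echo "missing country files under $dir: $(echo $missing)" >&2
        return 1
    fi
}

# Usage: sh geoip-plan.sh CHAIN ADMIN_SRC CC [CC...]
# Prints the plan; pipe it into sh only after reviewing it, ideally from a
# session that has a scheduled rollback in case the host becomes unreachable.
if [ "$#" -ge 3 ]; then
    plan_geoip_block "$GEOIPDIR" "$@"
fi
```

If the plan refuses, fix the database before touching Shorewall's capabilities. As far as I know, Shorewall detects GEOIP_MATCH by trying a real iptables command with `-m geoip`, which fails for the same missing-file reason, so a hand-written capabilities file would only paper over the problem; once the country files are in place, `shorewall show capabilities` should report the match on its own.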