I have 2 ipsets: friends (allow-list) and enemies (block-list).
My default zone (public) DROPs all traffic, except certain services (e.g. http).
I have edited the block zone that comes shipped with firewalld to add ipset:enemies as a source.
firewall-cmd --permanent --new-ipset=enemies --type='hash:net'
firewall-cmd --permanent --zone=drop --add-source=ipset:enemies
Firewalld looks at zones alphabetically, and block comes before public, so it will be considered first.
If the source IP matches, it will DROP it. Fine.
But I want to also have a friends list that includes addresses that should never be blocked. So I was thinking that I need something like:
firewall-cmd --permanent --zone=drop --add-source=NOT ipset:friends
Things I've tried.
I thought the answer might be 'Rich rules' since you can specify NOT for source in those. But I could not figure out what 'element' or 'action' should be.
Answers I've read on blogs etc. suggest creating a new zone, e.g. a_zone_before_block, with --add-source=ipset:friends and --set-target=ACCEPT. However, I don't want to blanket ACCEPT traffic from this allow-list; I still want it to use the rules in my public zone.
I could fix this problem by duplicating all the details from public into a_zone_before_block but adding source=ipset:friends, but this feels messy - with duplication comes the problem that the two are not in sync. So I'm hoping there's a better way.
So what I'm after is either:
a way to say that traffic should be put in the block zone if its source is in ipset:enemies unless its source is in ipset:friends.
OR
a way to say if the traffic is in the block zone but its source is in ipset:friends then change the zone to public.
OR
a way to create a zone 000_first that matches ipset:friends and, if it matches, passes on to public, skipping the 2nd zone block.
OR
a way to use inheritance in zone declarations.
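One way to get "enemies unless friends" without a NOT operator, as an added example that is not part of the original post: instead of asking the zone to exempt friends, compute the set difference (enemies minus friends) yourself and bind only that derived ipset to the drop zone. Friend entries that sit inside a larger enemy network are carved out with the standard library's address_exclude(), so the exemption is correct at CIDR level, not just for exact entries. The ipset name enemies_effective, the sample CIDRs (documentation ranges) and the helper function names are my assumptions; the script prints the firewall-cmd commands rather than running them, and the flags it emits (--new-ipset, --ipset=NAME --add-entry=, --zone=NAME --add-source=ipset:NAME) are ones firewall-cmd supports.

```python
#!/usr/bin/env python3
"""Materialise 'enemies minus friends' into a third ipset for firewalld.

Added example, not from the original post. firewalld has no
'--add-source=NOT ipset:...', so instead of asking the zone to exempt
friends, we compute the set difference ourselves and feed only the
result to the drop zone. Friend networks nested inside a larger enemy
network are carved out with address_exclude(), e.g. a /24 enemy that
contains one friend /32 is replaced by the 8 subnets around that host.
The ipset name 'enemies_effective' and the sample CIDRs are assumptions.
"""
import ipaddress
from typing import Iterable, List, Union

Net = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed sample data (documentation ranges), standing in for the
# contents of the poster's 'enemies' and 'friends' ipsets.
ENEMIES = ["203.0.113.0/24", "198.51.100.0/25", "192.0.2.10", "2001:db8::/32"]
FRIENDS = ["203.0.113.7", "198.51.100.0/25", "192.0.2.10/32", "2001:db8:ffff::/48"]


def parse_nets(entries: Iterable[str]) -> List[Net]:
    """Parse ipset-style entries; a bare address becomes a /32 or /128."""
    nets = []
    for raw in entries:
        entry = raw.strip()
        if entry and not entry.startswith("#"):
            nets.append(ipaddress.ip_network(entry, strict=False))
    return nets


def subtract(enemies: List[Net], friends: List[Net]) -> List[Net]:
    """Return enemies with every friend network removed.

    For each enemy network: drop it if a friend covers it entirely,
    split it if a friend lies strictly inside it, keep it otherwise.
    Adjacent leftovers are merged back with collapse_addresses().
    """
    kept: List[Net] = []
    for enemy in enemies:
        pieces = [enemy]
        for friend in friends:
            if friend.version != enemy.version:
                continue  # subnet_of() refuses mixed IPv4/IPv6 comparisons
            remaining = []
            for piece in pieces:
                if piece.subnet_of(friend):      # covered (or equal): drop it
                    continue
                if friend.subnet_of(piece):      # strictly inside: carve it out
                    remaining.extend(piece.address_exclude(friend))
                else:                            # disjoint: keep as is
                    remaining.append(piece)
            pieces = remaining
        kept.extend(pieces)
    result: List[Net] = []
    for version in (4, 6):
        result.extend(ipaddress.collapse_addresses(n for n in kept if n.version == version))
    return result


def effective_block_list(enemy_entries, friend_entries) -> List[str]:
    """String form of (enemies - friends), ready to become ipset entries."""
    return [n.with_prefixlen for n in subtract(parse_nets(enemy_entries), parse_nets(friend_entries))]


def is_blocked(ip: str, entries: List[str]) -> bool:
    """Simulate the hash:net match: is this address inside any entry?"""
    addr = ipaddress.ip_address(ip)
    return any(addr.version == n.version and addr in n for n in parse_nets(entries))


def firewall_cmd_lines(entries: List[str], ipset="enemies_effective", zone="drop") -> List[str]:
    """firewall-cmd invocations that create and bind the derived ipset."""
    cmds = [f"firewall-cmd --permanent --new-ipset={ipset} --type=hash:net"]
    cmds += [f"firewall-cmd --permanent --ipset={ipset} --add-entry={e}" for e in entries]
    cmds += [f"firewall-cmd --permanent --zone={zone} --add-source=ipset:{ipset}",
             "firewall-cmd --reload"]
    return cmds


if __name__ == "__main__":
    for line in firewall_cmd_lines(effective_block_list(ENEMIES, FRIENDS)):
        print(line)
```

With this approach the original enemies ipset is never bound to a zone; only the derived set is, so a friend address can never match the drop rule. The cost is that the derived set has to be regenerated whenever either list changes (the "out of sync" risk moves from two duplicated zones to one derived ipset, which a cron job running this script can keep current). Re-running against an existing ipset needs the stale entries removed first, e.g. with --permanent --ipset=NAME --remove-entry= per entry or by deleting and recreating the ipset; --add-entries-from-file= is also available if you would rather write the list to a file than emit one command per entry.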