Fix when drop is already default zone
Without this, no ipsets are blocked. Signed-off-by: Tad <tad@spotco.us>
parent
ec110afc61
commit
f3a59b48ac
@ -11,10 +11,11 @@ Use
|
|||
- Choose the lists you want enabled at the top of scfw3.sh
|
||||
- `$ sudo sh scfw3.sh enable`
|
||||
- `$ sudo sh scfw3.sh disable`
|
||||
- Or place in /etc/cron.daily/0scfw with bottom bits edited to enableforce
|
||||
|
||||
Known Issues
|
||||
------------
|
||||
- You must set FirewallBackend to iptables, see https://github.com/firewalld/firewalld/issues/738
|
||||
- You must set FirewallBackend to iptables for firewalld <1.3.1, see https://github.com/firewalld/firewalld/issues/738
|
||||
|
||||
Credits
|
||||
-------
|
||||
|
|
14
scfw3.sh
14
scfw3.sh
|
@ -43,7 +43,7 @@ importListToFirewall() {
|
|||
firewall-cmd --permanent --delete-ipset="$name" &>/dev/null || true;
|
||||
firewall-cmd --permanent --new-ipset="$name" --type=hash:net --option=maxelem=200000 --option=hashsize=16384 $inet;
|
||||
firewall-cmd --permanent --ipset="$name" --add-entries-from-file="$name".ipset;
|
||||
firewall-cmd --permanent --zone=drop --add-source=ipset:"$name";
|
||||
firewall-cmd --permanent --zone=scfw --add-source=ipset:"$name";
|
||||
unset inet;
|
||||
sleep 2;
|
||||
}
|
||||
|
@ -64,9 +64,16 @@ removeAllowedEntries() {
|
|||
}
|
||||
|
||||
loadLists() {
|
||||
#Remove old lists+zone
|
||||
clearLists;
|
||||
|
||||
#Create the needed directories
|
||||
createWorkDirectory;
|
||||
|
||||
#Setup the zone
|
||||
firewall-cmd --new-zone=scfw --permanent;
|
||||
firewall-cmd --zone=scfw --set-target=DROP --permanent
|
||||
|
||||
for list in "${blockedLists[@]}"
|
||||
do
|
||||
importListToFirewall "$list" "https://iplists.firehol.org/files/$list.netset";
|
||||
|
@ -94,6 +101,11 @@ clearLists() {
|
|||
firewall-cmd --permanent --delete-ipset="country-block-v6-$list" &>/dev/null || true;
|
||||
done;
|
||||
|
||||
#Delete the zone
|
||||
firewall-cmd --delete-zone=scfw --permanent;
|
||||
|
||||
#Reload to apply
|
||||
firewall-cmd --reload;
|
||||
echo "[SCFW3] Unloaded";
|
||||
}
|
||||
|
||||
|
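Review bot: Neither `firewall-cmd --new-zone=scfw --permanent` nor `firewall-cmd --zone=scfw --set-target=DROP --permanent` in loadLists checks its exit status, and no `set -e` is visible in the hunks, so if either call fails the loop below still attaches every ipset to scfw and the script carries on as if blocking were active, even though a zone whose target was never switched to DROP would not drop the listed sources. Treat both lines as fatal, e.g. `firewall-cmd --zone=scfw --set-target=DROP --permanent || { echo "[SCFW3] could not set scfw target to DROP" >&2; exit 1; }`, and do the same for the --new-zone call, which presumably fails when a stale scfw zone survived an earlier partial run. The same unchecked pattern is on the new `firewall-cmd --permanent --zone=scfw --add-source=ipset:"$name";` line in importListToFirewall, where a failed add silently leaves that one list unblocked. Minor style: the --set-target line is the only statement in the function without the trailing `;` the rest of the script uses. loadLists' body continues past the end of its hunk.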