FDS

What is FDS?

Firewall management is often a task that you do once at the time of setting up a server. But if you’re maintaining a server like a PRO, you are monitoring logs, and blocking malicious users as they come, on a regular basis.

FirewallD is a great firewall software. It has the concepts of zones and sources, and supports IP sets. However, its client app, firewall-cmd, is far from user-friendly when it comes to blocking and managing blocked IP addresses. Furthermore, if you also use the Cloudflare firewall, you will want to propagate your blocked IP addresses to it for the best protection.

fds is the CLI client for FirewallD/Cloudflare that you’ll love to use any day. It is an alternative client for FirewallD.

Use it for simple or complex banning tasks, instead of firewall-cmd.

Look how simple things are with fds:

fds block <country name>
fds block 1.2.3.4

It makes the task of managing your FirewallD easy and human-friendly.

Installation on CentOS/RHEL 7, 8

sudo yum -y install https://extras.getpagespeed.com/release-latest.rpm
sudo yum -y install fds

What fds can do

fds is a utility program for users of FirewallD. It is a helper for easily performing day-to-day firewall tasks:

  • block users of Tor
  • block countries
  • block arbitrary IP addresses
  • block the same over at Cloudflare

Integrations

By default, fds only operates with FirewallD.

To enable Cloudflare integration, run:

fds config

Block Tor

You can block all Tor exit nodes by running:

fds block tor

Note that since these addresses constantly change, you may want to run this command from a cron job.

Ban a single IP

fds block 1.2.3.4

This blocks the IP address in a proper(©) fashion: it ensures that the IP is in an IP set named networkblock4 and that this set is a source of FirewallD’s drop zone. Using IP sets is the cornerstone of consistent firewall management!

Ban a country or a continent

fds block <Country Name>
fds block China
fds block Asia

You can list all country names available for blocking by running:

fds list countries

You can list all continents available for blocking by running:

fds list continents

--no-reload (-nr)

Use this optional flag to prevent FirewallD from being reloaded. This is only useful when adding multiple blocks, as it makes blocking faster:

fds block 1.2.3.4 --no-reload
fds block 2.3.4.5 --no-reload
fds block Country1 --no-reload
...
fds block Country2

In the above example, we block some IP addresses and a few countries. The last block operation will reload FirewallD and actually apply our ban.

Alternatively, invoke every fds block command with the --no-reload option and run firewall-cmd --reload at the end.
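The batching pattern above, as an added example script (not part of fds or its documentation): every target in a list file is blocked with --no-reload, and FirewallD is reloaded exactly once at the end. It assumes fds and firewall-cmd are on PATH, that the list holds one target per line (an IP, a network, a country or continent name, or tor), and that FDS_DRY_RUN is a hypothetical switch of this script, not an fds option; country names are single-quoted so that multi-word names reach fds as one argument.

```shell
#!/bin/sh
# Added example, not fds code: batch many `fds block` calls with --no-reload
# and trigger a single FirewallD reload at the end.
# Assumptions: `fds` and `firewall-cmd` are on PATH; targets come one per line
# from a file. FDS_DRY_RUN=1 (a switch of this script only) prints the plan
# instead of executing it.

# Print the command plan for a target list: every block with --no-reload,
# one reload at the end. Blank lines and '#' comments in the list are skipped.
fds_bulk_block_plan() {
    list_file="$1"
    count=0
    while IFS= read -r target || [ -n "$target" ]; do
        # strip a trailing comment and surrounding whitespace
        target="${target%%#*}"
        target="$(printf '%s' "$target" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')"
        [ -z "$target" ] && continue
        # quote the target so that multi-word country names stay one argument
        printf "fds block '%s' --no-reload\n" "$target"
        count=$((count + 1))
    done < "$list_file"
    # No reload when the list was empty: nothing was changed.
    [ "$count" -gt 0 ] && printf 'firewall-cmd --reload\n'
    return 0
}

# Execute the plan (stopping at the first failing command) unless FDS_DRY_RUN=1.
fds_bulk_block() {
    if [ "${FDS_DRY_RUN:-0}" = "1" ]; then
        fds_bulk_block_plan "$1"
    else
        fds_bulk_block_plan "$1" | sh -e
    fi
}

# Constructed sample list, written to a temp file for the demonstration.
SAMPLE_LIST="$(mktemp)"
cat > "$SAMPLE_LIST" <<'EOF'
# constructed example targets
1.2.3.4
2.3.4.5   # trailing comment

China
Asia
EOF

FDS_DRY_RUN=1 fds_bulk_block "$SAMPLE_LIST"
rm -f "$SAMPLE_LIST"
```

Run it without FDS_DRY_RUN as root to apply the list; the dry run is useful for reviewing what will be blocked before touching the firewall.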

List all blocked networks and countries

The following command lets you easily see what is blocked:

fds list blocked

Unblock a country or IP/network

Use fds unblock ... like this:

fds unblock China
fds unblock 1.2.3.4

Reset all bans

You can quickly remove all blocks (and with them, all IP sets associated with fds):

fds reset

After installation, disable the Extras repository if you have no intention to subscribe (fds can be installed without it):

sudo yum-config-manager --disable getpagespeed-extras

Ban Them!

Initial Setup

Let’s get started and create our ipset which will contain all the IP networks we want to block:

firewall-cmd --permanent --new-ipset=networkblock --type=hash:net --option=maxelem=1000000 --option=family=inet --option=hashsize=4096

Next, we add our ipset to the drop firewall zone:

firewall-cmd --permanent --zone=drop --add-source=ipset:networkblock

Apply all the changes now with:

firewall-cmd --reload

Bulk blocking many IP addresses

If you have a list of IP addresses to block (a text file with one IP per line), you can easily import it into your block list:

firewall-cmd --permanent --ipset=networkblock --add-entries-from-file=/path/to/blocklist.txt
firewall-cmd --reload

For the changes to take effect, the following command must always be run afterwards:

firewall-cmd --reload
success

The output must be "success"!
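The manual setup and bulk import above hand a file straight to firewall-cmd, so a single malformed line in the blocklist makes the import fail. The following added script (not part of the page or of FirewallD) filters a blocklist down to well-formed IPv4 addresses and networks before importing it, and checks the output of firewall-cmd --zone=drop --list-sources to confirm that the ipset is really a source of the drop zone. It assumes the ipset is named networkblock with family inet, as created in the Initial Setup section; the function names are this script's own.

```shell
#!/bin/sh
# Added example, not FirewallD or page code: sanitize a blocklist before
# `--add-entries-from-file`, and verify the ipset is a source of the drop zone.
# Assumptions: ipset "networkblock" (family inet) exists; firewall-cmd on PATH.

# Keep only well-formed IPv4 addresses or CIDR networks (a.b.c.d or a.b.c.d/n),
# one per line. Comments, blank lines and anything else are dropped, so that
# one stray line cannot make the whole import fail.
sanitize_blocklist() {
    sed 's/#.*//; s/^[[:space:]]*//; s/[[:space:]]*$//' "$1" \
    | awk '
        /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+(\/[0-9]+)?$/ {
            n = split($0, p, /[.\/]/)
            ok = 1
            for (i = 1; i <= 4; i++) if (p[i] + 0 > 255) ok = 0
            if (n == 5 && p[5] + 0 > 32) ok = 0
            if (ok) print
        }'
}

# Check whether the given `firewall-cmd --zone=drop --list-sources` output
# names our ipset. The output is passed as a string so it can be checked
# offline; the second argument overrides the ipset name.
drop_zone_has_ipset() {
    sources="$1"
    name="${2:-networkblock}"
    for s in $sources; do
        [ "$s" = "ipset:$name" ] && return 0
    done
    return 1
}

# Import a sanitized copy of a blocklist into the ipset and reload once.
import_blocklist() {
    clean="$(mktemp)"
    sanitize_blocklist "$1" > "$clean"
    if [ ! -s "$clean" ]; then
        echo "no valid entries in $1" >&2
        rm -f "$clean"
        return 1
    fi
    firewall-cmd --permanent --ipset=networkblock --add-entries-from-file="$clean" \
        && firewall-cmd --reload
    rc=$?
    rm -f "$clean"
    return $rc
}

# Usage on a real host (needs root and firewalld):
#   import_blocklist /path/to/blocklist.txt
#   drop_zone_has_ipset "$(firewall-cmd --zone=drop --list-sources)" \
#       || echo "networkblock is not a source of the drop zone" >&2

# Constructed sample blocklist to demonstrate the filter offline.
SAMPLE="$(mktemp)"
cat > "$SAMPLE" <<'EOF'
# constructed blocklist
1.2.3.4
10.0.0.0/8    # whole private range
999.1.1.1     # invalid octet
1.2.3.4/33    # invalid prefix
not-an-ip
EOF
sanitize_blocklist "$SAMPLE"
rm -f "$SAMPLE"
```

If drop_zone_has_ipset fails on a live host, the ipset exists but nothing is dropped; re-run the --add-source=ipset:networkblock step from Initial Setup and reload.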
