firehol-ipset - configure ipsets
ipset command name options
FireHOL has an ipset helper. It is a wrapper around the real ipset command and is handled internally within FireHOL in such a way that the ipset collections defined in the configuration are activated before the firewall itself is activated.
FireHOL is also smart enough to restore the ipsets after a reboot, before it restores the firewall, so that everything will work as seamlessly as possible.
The ipset helper has the same syntax as the real ipset command. So in FireHOL you just add the ipset statements you need, and FireHOL will do the rest.
Keep in mind that each ipset collection is either IPv4 or IPv6. In FireHOL prefix ipset with either ipv6 and FireHOL will choose the right IP version (there is also
Also, do not add -! to ipset statements given in firehol.conf. FireHOL will batch import all ipsets and this option is not needed.
The features below are extensions of ipset that can only be used from within firehol.conf. They will not work on a terminal.
The FireHOL helper allows mass import of ipset collections from files. This is done with the ipset addfile command.
The ipset addfile command takes a filename, removes all comments (anything after a # on the same line), trims empty lines and surrounding spaces, and adds all the remaining lines to ipset, as if each line of the file had been run with ipset add COLLECTION_NAME IP_FROM_FILE [other options].
The syntax of the ipset addfile command is:

    ipset addfile *name* [ip|net] *filename* [*other ipset add options*]
name is the collection to add the IPs to.
ip is optional and will select all the lines of the file that do not contain a
net is optional and will select all the lines of the file that contain a
filename is the filename to read. You can give absolute filenames and relative filenames (to
other ipset add options is whatever else ipset add supports that you want to pass for each line.
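The comment stripping, trimming and ip/net selection rules above decide exactly which entries from a list file end up in the firewall, so it is worth previewing a list before loading it. The following POSIX sh script is an added example, not FireHOL's own code: addfile_preview and make_sample_list are this example's own names, the "all" selector stands for the case where no ip or net keyword is given (every surviving line is added), and the sample list is constructed from RFC 5737 documentation addresses. It prints the ipset add statement that would be issued for each surviving line, with any extra ipset add options appended, instead of calling ipset.

```shell
#!/bin/sh
# Added example, not FireHOL's own code: preview what "ipset addfile" would
# feed to "ipset add" for a given list file, so a list can be checked before
# it is loaded. Function names and the "all" selector are this example's own.

# Write a constructed sample list (RFC 5737 documentation addresses) to $1.
make_sample_list() {
    cat > "$1" <<'EOF'
# constructed sample list: comments, blank lines and stray spaces on purpose
192.0.2.10          # a single host
   192.0.2.11
198.51.100.0/24     # a whole network

   # a comment-only line
EOF
}

# addfile_preview NAME ip|net|all FILENAME [other ipset add options]
# Mirrors the documented rules: drop everything after '#', trim leading and
# trailing whitespace, skip empty lines, then keep lines without a '/' for
# "ip", lines with a '/' for "net", and every line for "all".
addfile_preview() {
    name=$1
    selector=$2
    file=$3
    shift 3
    sed -e 's/#.*$//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$file" \
    | grep -v '^$' \
    | while IFS= read -r entry; do
        case "$selector" in
            ip)  case "$entry" in */*) continue ;; esac ;;
            net) case "$entry" in */*) ;; *) continue ;; esac ;;
        esac
        # Remaining positional parameters are the extra "ipset add" options.
        printf 'ipset add %s %s%s\n' "$name" "$entry" "${1:+ $*}"
    done
}

# Demo run: preview the sample list as "ipset addfile badguys ip FILE timeout 3600" would use it.
list=$(mktemp)
make_sample_list "$list"
addfile_preview badguys ip "$list" timeout 3600
rm -f "$list"
```

Running the demo prints two ipset add lines for the single hosts (the network line is skipped by the ip selector), each carrying the timeout option; switching the selector to net yields only the 198.51.100.0/24 entry.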
The ipset add command implemented in FireHOL also allows you to give multiple IPs, either separated by commas or enclosed in quotes and separated by spaces.
    ipv4 ipset create badguys hash:ip
    ipv4 ipset add badguys 184.108.40.206
    ipv4 ipset addfile badguys file-with-the-bad-guys-ips.txt
    ...
    ipv4 blacklist full ipset:badguys

    # example with multiple IPs
    ipv4 ipset create badguys hash:ip
    ipv4 ipset add badguys 220.127.116.11,18.104.22.168,22.214.171.124   # << comma separated
    ipv4 ipset add badguys "126.96.36.199 188.8.131.52"                  # << space separated in quotes
ipsets with IP lists for abuse, malware, attacks, proxies, anonymizers, etc. can be downloaded with the contrib/update-ipsets.sh script. Information about the supported ipsets can be found at FireHOL IP Lists.