.\" Automatically generated by Pandoc 2.9.2.1
.nh
.\"
.TH "firehol-ipset" "5" "Built 28 Feb 2021" "FireHOL Reference" "3.1.7"
.hy
.SH NAME
.PP
firehol-ipset - configure ipsets
.SH SYNOPSIS
.PP
ipset \f[I]command\f[R] \f[I]name\f[R] \f[I]options\f[R]
.SH DESCRIPTION
.PP
FireHOL has an \f[C]ipset\f[R] helper. It is a wrapper around the real \f[C]ipset\f[R] command and is handled internally within FireHOL in such a way that the ipset collections defined in the configuration are activated before the firewall is activated.
.PP
FireHOL is also smart enough to restore the ipsets after a reboot, before it restores the firewall, so that everything will work as seamlessly as possible.
.PP
The \f[C]ipset\f[R] helper has the same syntax as the real \f[C]ipset\f[R] command. So in FireHOL you just add the \f[C]ipset\f[R] statements you need, and FireHOL will do the rest.
.PP
Keep in mind that each \f[C]ipset\f[R] collection is either IPv4 or IPv6. In FireHOL, prefix \f[C]ipset\f[R] with either \f[C]ipv4\f[R] or \f[C]ipv6\f[R] and FireHOL will choose the right IP version (there are also \f[C]ipset4\f[R] and \f[C]ipset6\f[R]).
.PP
Also, do not add \f[C]-!\f[R] to ipset statements given in \f[C]firehol.conf\f[R]. FireHOL will batch import all ipsets and this option is not needed.
.SH FireHOL ipset extensions
.PP
The features below are extensions of \f[C]ipset\f[R] that can only be used from within \f[C]firehol.conf\f[R]. They will not work on a terminal.
.PP
The FireHOL helper allows mass import of ipset collections from files. This is done with the \f[C]ipset addfile\f[R] command.
.PP
The \f[C]ipset addfile\f[R] command will get a filename, remove all comments (anything after a \f[C]#\f[R] on the same line), trim any empty lines and spaces, and add all the remaining lines to \f[C]ipset\f[R], as if each line of the file was run with \f[C]ipset add COLLECTION_NAME IP_FROM_FILE [other options]\f[R].
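.PP
Added example, not part of the FireHOL distribution: a POSIX shell dry-run that applies the documented \f[C]addfile\f[R] rules (comment removal, trimming, and the optional \f[C]ip\f[R]/\f[C]net\f[R] filter given in the syntax that follows) to a list file, and flags entries that do not have the shape of an IPv4 address or CIDR. The function names and the sample list are constructed for illustration.
.IP
.nf
```sh
#!/bin/sh
# Added example (not FireHOL code): dry-run of the "ipset addfile" line
# handling as documented on this page. Function names are hypothetical.

# addfile_entries FILE [ip|net] : print the entries that would be added.
addfile_entries() {
    file=$1 mode=${2:-all}
    # Remove comments after '#', trim surrounding blanks, skip empty lines.
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$file" |
    while IFS= read -r entry; do
        [ -n "$entry" ] || continue
        case "$mode:$entry" in
            ip:*/*)  ;;                  # "ip" drops lines containing '/'
            net:*/*) echo "$entry" ;;    # "net" keeps lines containing '/'
            net:*)   ;;                  # "net" drops lines without '/'
            *)       echo "$entry" ;;    # "ip" without '/', or no filter
        esac
    done
}

# addfile_suspect FILE : print cleaned entries that do not look like an IPv4
# address or IPv4 CIDR (shape check only, octets are not range-checked).
addfile_suspect() {
    addfile_entries "$1" |
    grep -Ev '^([0-9]{1,3}[.]){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]))?$' || true
}

# Constructed sample list (documentation address ranges, not real indicators).
make_sample() {
    sample=$(mktemp) || return 1
    cat > "$sample" <<EOF
# constructed blocklist
192.0.2.10        # single host
  198.51.100.0/24

203.0.113.7 # trailing comment
203.0.113.0/33
EOF
    echo "$sample"
}

f=$(make_sample)
echo "ip entries:";  addfile_entries "$f" ip
echo "net entries:"; addfile_entries "$f" net
echo "suspect:";     addfile_suspect "$f"
rm -f "$f"
```
.fi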
.PP
The syntax of the \f[C]ipset addfile\f[R] command is:
.IP
.nf
\f[C]
ipset addfile *name* [ip|net] *filename* [*other ipset add options*]
\f[R]
.fi
.PP
\f[C]name\f[R] is the collection to add the IPs to.
.PP
\f[C]ip\f[R] is optional and will select all the lines of the file that do not contain a \f[C]/\f[R].
.PP
\f[C]net\f[R] is optional and will select all the lines of the file that contain a \f[C]/\f[R].
.PP
\f[C]filename\f[R] is the filename to read. You can give absolute filenames and relative filenames (to \f[C]/etc/firehol\f[R]).
.PP
\f[C]other ipset add options\f[R] is whatever else \f[C]ipset add\f[R] supports, that you are willing to give for each line.
.PP
The \f[C]ipset add\f[R] command implemented in FireHOL also allows you to give multiple IPs separated by comma or enclosed in quotes and separated by space.
.SH EXAMPLES
.IP
.nf
\f[C]
ipv4 ipset create badguys hash:ip
ipv4 ipset add badguys 1.2.3.4
ipv4 ipset addfile badguys file-with-the-bad-guys-ips.txt
\&...
ipv4 blacklist full ipset:badguys

# example with multiple IPs
ipv4 ipset create badguys hash:ip
ipv4 ipset add badguys 1.2.3.4,5.6.7.8,9.10.11.12 # << comma separated
ipv4 ipset add badguys \[dq]11.22.33.44 55.66.77.88\[dq] # << space separated in quotes
\f[R]
.fi
.PP
ipsets with IP Lists for abuse, malware, attacks, proxies, anonymizers, etc. can be downloaded with the contrib/update-ipsets.sh script.
Information about the supported ipsets can be found at FireHOL IP Lists (http://iplists.firehol.org/).
.SH SEE ALSO
.IP \[bu] 2
firehol(1) - FireHOL program
.IP \[bu] 2
firehol.conf(5) - FireHOL configuration
.IP \[bu] 2
firehol-interface(5) - interface definition
.IP \[bu] 2
firehol-router(5) - router definition
.IP \[bu] 2
firehol-params(5) - optional rule parameters
.IP \[bu] 2
firehol-masquerade(5) - masquerade helper
.IP \[bu] 2
FireHOL Website (http://firehol.org/)
.IP \[bu] 2
FireHOL Online PDF Manual (http://firehol.org/firehol-manual.pdf)
.IP \[bu] 2
FireHOL Online Documentation (http://firehol.org/documentation/)
.IP \[bu] 2
FireHOL IP Lists (http://iplists.firehol.org/)
.IP \[bu] 2
NAT HOWTO (http://www.netfilter.org/documentation/HOWTO/NAT-HOWTO-6.html)
.IP \[bu] 2
netfilter flow diagram (http://upload.wikimedia.org/wikipedia/commons/3/37/Netfilter-packet-flow.svg)
.SH AUTHORS
FireHOL Team.