[SOLVED] ipset in bulk

rolcom

Jun 22, 2020
Hi,

I wanted to use the ipset feature within the Proxmox firewall to block/allow certain countries. The thing is, the database is huge and I don't think adding the IPs manually and updating the list weekly is the way to go...

I've been looking in the directories, mainly at /etc/pve if I could find the config file or where are the ipset stored, so I can copy there all the IPs...

Does anyone know the best way to add a lot of IPs as an ipset in Proxmox?


Thanks.
 
Hi,

> I've been looking in the directories, mainly at /etc/pve if I could find the config file or where are the ipset stored, so I can copy there all the IPs...

The most relevant directory is: /etc/pve/firewall
For cluster wide IP sets: /etc/pve/firewall/cluster.fw
Node definitions are stored in: /etc/pve/nodes/NODENAME/host.fw though
 
THANKS! I've no idea how I didn't see those files... right what I was looking for, all ipsets are populated now, THAAANKS.
 
Hi, I'm thinking about the same thing, to use one ipset for several CTs. Did you make a script to update the list? Can you share the way you implemented it?

Thanks in advance
 
For those coming across this old thread from Google, pve-firewall status will recompile cluster.fw and add the new IPset without needing to restart the entire firewall.
 
I would like to reopen this.
I want to add a blocklist with a few thousand domains.
I tried to do it by script
Code:
for i in $( cat "$BLOCKLIST_FILE" ); do "$PVESH_PATH" create cluster/firewall/ipset/blacklist --cidr "$i" >>"$MAILLOG" 2>&1; done

This seems to be quite slow, because it's recompiling the firewall every time I add an IP.
Is there a way to include an IPSET in the proxmox firewall or include a list of IPs into the config file of the proxmox firewall?

I'd like to stick to proxmox FW instead of adding my own iptables rules.
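
One way to do the bulk update discussed in this thread in a single pass, as an added example that is not part of any post: it rebuilds one `[IPSET name]` section of the cluster.fw text from a validated list, so the file is written once instead of through one pvesh call per entry. The function names, the `# generated` marker and the name check are assumptions; reading and writing /etc/pve/firewall/cluster.fw is left to the caller.

```python
import ipaddress
import re

# Matches a section header such as "[IPSET blacklist] # comment" or "[RULES]".
SECTION = re.compile(r"^\[(?P<kind>\w+)(?:\s+(?P<name>[^\]]+))?\]")


def parse_blocklist(lines):
    """Return collapsed networks; raise ValueError on anything not an IP/CIDR."""
    nets = {4: [], 6: []}
    for raw in lines:
        entry = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not entry:
            continue
        # strict=False accepts host bits (192.0.2.9/24) and normalises them.
        net = ipaddress.ip_network(entry, strict=False)
        nets[net.version].append(net)
    # collapse_addresses merges duplicates/adjacent ranges, one IP version at a time.
    return [n for v in (4, 6) for n in ipaddress.collapse_addresses(nets[v])]


def replace_ipset(fw_text, set_name, networks):
    """Return fw_text with the [IPSET set_name] section rebuilt from networks."""
    # Assumption: a conservative name check so the header line cannot be abused.
    if not re.fullmatch(r"[A-Za-z][A-Za-z0-9_-]+", set_name):
        raise ValueError("unexpected IPSet name: %r" % set_name)
    body = ["[IPSET %s] # generated" % set_name] + [str(n) for n in networks] + [""]
    out, skipping, replaced = [], False, False
    for line in fw_text.splitlines():
        m = SECTION.match(line.strip())
        if m:  # a new section starts: decide whether it is the one to rebuild
            skipping = (m.group("kind").upper() == "IPSET"
                        and (m.group("name") or "").strip() == set_name)
            if skipping:
                out.extend(body)
                replaced = True
                continue
        if not skipping:
            out.append(line)
    if not replaced:  # set did not exist yet: append it as a new section
        if out and out[-1] != "":
            out.append("")
        out.extend(body)
    return "\n".join(out).rstrip("\n") + "\n"
```

Because every entry goes through `ipaddress`, a hostname or a malformed line in the downloaded list stops the run before anything reaches the firewall configuration.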