Add "ipsets" functionality into "firewalld" Webmin GUI

OS type and version: Ubuntu 20.04
Webmin version: 1.994


Are there any plans to bring “ipsets” functionality into the “firewalld” GUI?

Hi, Peter.

That would be a good feature to have but we haven’t planned on adding it yet, as far as I know, right @Jamie?


“Rich Rules” and other features of FirewallD would be useful as well. The current module is pretty limited compared to that of the former “iptables” one. I’m been working through “firewall-cmd” stuff as of late, wrapping my head around it a bit more myself.

As I get a few concepts figured out, I’ll be happy to share what I feel a good “workflow” could be in the GUI and behind the scenes.

What spawned this thread was the need to build “whitelists” and/or “blacklists” on a “per-port” basis. Similar to the way you could specify IPs in the older module as being required for a rule to be true.

It seems the easiest way to put a group of IPs in a rule is by way of “ipsets”. Then specify the “source” as an “ipset” which contains the IPs within it.

*** BTW @Ilia I happened upon the " Domain name style in username" feature in “Virtualmin Configuration” (regex option) – that is “spot on” as I intended it to work and even where I imagined it being configurable in the UI ***

1 Like

This is what Fail2Ban should do. Do you have a need for micromanaging this manually? Perhaps, CSF would be a better choice for that kind of workflow?

:+1: Good to know. Although, I haven’t had a chance for adding a button in UI to generate it in to the custom username field.


Use case scenario, let me know if you have a suggestion on a better one (perhaps fail2ban)…

I only allow access to MariaDB via “localhost” (… However to monitor the status of the service externally I need to allow third-party IPs (multiple) to talk to MariaDB in order to see if it’s alive.


On a new system recently, I set the regex in the field on the “Virtualmin Configuration” page, then proceeded to add a domain… By leaving the username to the “default” setting, it automatically created a random username in the form of “u[0-9]{4}” resulting in something like “u1234” which is exactly how I had intended the feature to work.

Essentially, there is no need to actually set a “Custom” value on form :slight_smile:

IPsets would be nice to support, but I haven’t done any work on it yet. One issue is that most Linux distros don’t have a permanent config file for ipsets.


As I understand it you issue the command:

firewall-cmd --permanent --new-ipset={ipset-name} --type={type}

This creates a “permanent” ipset…

Then you populate this ipset by issuing the command:

firewall-cmd --permanent --ipset={ipset-name} --add-entry={ip-address}

Then you assign this ipset to a zone by issuing the command:

firewall-cmd --permanent --zone={zone} --add-source=ipset:{ipset-name}

*** substitute values in { and } with actual values ***

This is obcourse a very basic example of such usage of an ipset

A more advanced and potentially useful usage is within a “rich rule”. As I’ve read so far, “rich rules” are a way of setting up advanced rules in an “iptables” type format offering the greatest flexibility.

Oh this is in firewalld - I was looking for similar functionality in plain IPtables.

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.