Would that supersede fail2ban’s Bans? (I still like doing it at the fail2ban level better because its Ban/Unban logs would be confusing if they only worked for some IPs.)
Incidentally the Allow IP/CIDR button was broken last time I tried it. (Ignore the exchanges with ID10T there, I’d confused him by saying that it worked in public.xml when manually added… I am not convinced that when I did that I nested the IP in that “rule” block that seems to break it.)
At least I can say that if I pick a zone like “trusted” and click the Allow IP/CIDR and add an IP there, it does not work for the ports and services there (I think because the file it creates nests the IP in a rule, which is outside of the list of allowed ports). So the button will make this:
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Internal</short>
  <description>For use on internal networks. You mostly trust the other computers on the networks to not harm your computer. Only selected incoming connections are accepted.</description>
  <service name="ssh"/>
  <rule family="ipv4" priority="-32767">
    <source address="[SAID-IP-HERE]"/>
    <accept/>
  </rule>
</zone>
And presuming that ssh isn’t available in another zone (like public), ssh will not work for SAID-IP… but removing these two lines:
<rule family="ipv4" priority="-32767">
</rule>
makes what the button creates work as one expects.
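The two placements the post compares (an address nested inside a `<rule>` block versus an address sitting directly under `<zone>`) are easy to confuse when reading a generated zone file. The following is an added example, not the poster's code or anything shipped with firewalld: a small stand-alone Python script that parses a firewalld-style zone file and reports, for every address it finds, whether it is bound at zone level or only referenced from inside a rich rule, alongside the zone's allowed services and ports. The two embedded zone files are constructed samples modelled on the XML in the post, with the placeholder address 192.0.2.10 standing in for the real one; the function names are this example's own.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the shape the post says the "Allow IP/CIDR" button
# produces, with the address wrapped in a <rule> block.
ZONE_WITH_RICH_RULE = """<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Internal</short>
  <description>Constructed sample zone.</description>
  <service name="ssh"/>
  <rule family="ipv4" priority="-32767">
    <source address="192.0.2.10"/>
    <accept/>
  </rule>
</zone>
"""

# Constructed sample: the same address placed directly under <zone>,
# i.e. bound to the zone rather than scoped to one rule.
ZONE_WITH_ZONE_SOURCE = """<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Internal</short>
  <service name="ssh"/>
  <port port="8443" protocol="tcp"/>
  <source address="192.0.2.10"/>
</zone>
"""

RULE_ACTIONS = ("accept", "reject", "drop", "mark")


def inspect_zone(xml_text):
    """Parse one zone file and separate zone-level sources from rich-rule sources.

    The file is a local, administrator-written config, so the standard library
    parser is used; untrusted XML would call for a hardened parser instead.
    """
    root = ET.fromstring(xml_text.encode("utf-8"))
    if root.tag != "zone":
        raise ValueError("expected a <zone> document, got <%s>" % root.tag)

    services = [s.get("name") for s in root.findall("service")]
    ports = ["%s/%s" % (p.get("port"), p.get("protocol")) for p in root.findall("port")]

    # <source> directly under <zone>: the address is bound to the zone as a whole.
    zone_sources = [s.get("address") for s in root.findall("source") if s.get("address")]

    # <source> inside <rule>: the address is only referenced by that rich rule.
    rich_rule_sources = []
    for rule in root.findall("rule"):
        actions = [child.tag for child in rule if child.tag in RULE_ACTIONS]
        scoped = [child.tag for child in rule if child.tag in ("service", "port")]
        for src in rule.findall("source"):
            if src.get("address"):
                rich_rule_sources.append({
                    "address": src.get("address"),
                    "priority": rule.get("priority"),
                    "actions": actions,
                    "scoped_to": scoped,
                })

    return {
        "short": root.findtext("short", default=""),
        "services": services,
        "ports": ports,
        "zone_sources": zone_sources,
        "rich_rule_sources": rich_rule_sources,
    }


def report(xml_text):
    """Return human-readable lines describing where each address is placed."""
    info = inspect_zone(xml_text)
    lines = ["zone %r allows services=%s ports=%s" % (info["short"], info["services"], info["ports"])]
    for addr in info["zone_sources"]:
        lines.append("  %s: zone-level <source> (bound to this zone)" % addr)
    for r in info["rich_rule_sources"]:
        lines.append("  %s: inside <rule priority=%s> actions=%s scoped_to=%s"
                     % (r["address"], r["priority"], r["actions"], r["scoped_to"] or "whole rule"))
    if not info["zone_sources"] and not info["rich_rule_sources"]:
        lines.append("  (no source addresses)")
    return lines


if __name__ == "__main__":
    for sample in (ZONE_WITH_RICH_RULE, ZONE_WITH_ZONE_SOURCE):
        print("\n".join(report(sample)))
```

Run against a real file with `inspect_zone(open("/etc/firewalld/zones/<zone>.xml").read())`; an address that only shows up under `rich_rule_sources` is the case the post describes, and the `priority` and `actions` fields make it quick to confirm what the generated rule actually carries before deciding whether to keep it or move the address to zone level.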