Installing update ipsets

Costa Tsaousis edited this page Nov 8, 2015 · 33 revisions

update-ipsets is part of FireHOL.

You can use update-ipsets without FireHOL. update-ipsets does not depend on it. You have to install it on your computer though.

update-ipsets is a new member of the FireHOL suite. It has not been released yet. So, even if you already use FireHOL, you have to download the latest development version of it to have update-ipsets.

The following procedure installs FireHOL on your computer.


Install update-ipsets, to be run as root

The FireHOL repo includes update-ipsets.

This is a quick guide to install it:

# cd somewhere
cd /tmp

# download FireHOL source from github
git clone https://github.com/firehol/firehol.git firehol.git

# cd to it:
cd firehol.git

# configure it:
sudo ./autogen.sh

# make sure autogen.sh completes successfully

# then run:
sudo ./configure --prefix=/usr --disable-man --disable-doc

# make sure configure completes successfully
# (you can omit --disable-man and --disable-doc, but man and doc
# generation have a few more package dependencies)

# install it
sudo make CFLAGS="-O3" install

# make sure it completes successfully.

The above installs the development version of FireHOL on your computer, which includes the latest update-ipsets.

To run it, use something like this:

sudo update-ipsets enable dshield

Check Downloading IP Lists to learn how to use it.


Install update-ipsets, to be run as non-root

If you don't want to install the development version of FireHOL, you can follow this procedure:

# cd to your home
cd

# download firehol
git clone https://github.com/firehol/firehol.git firehol.git

# cd to it
cd firehol.git

# you cannot configure and build it - it will most probably fail

# use this:
cd sbin
# compile iprange directly with the C compiler (gcc here)
gcc -o iprange -O3 -pthread iprange.c

# you will have to install iprange
sudo cp iprange /usr/bin/

# In the same directory there is a file called update-ipsets.in
# You need to change its configuration though:

mkdir "$HOME/ipsets"

cat >update-ipsets.conf <<EOF
BASE_DIR="$HOME/ipsets/"
RUN_PARENT_DIR="$HOME"
WEB_DIR=
LIB_DIR=
EOF

# Now you can run it like this:
./update-ipsets.in -f update-ipsets.conf enable dshield

# To download the enabled IP lists:
./update-ipsets.in -f update-ipsets.conf

Using the above procedure, the downloaded ipsets will be saved in $HOME/ipsets.

When update-ipsets is not run as root, it will not even attempt to change the ipsets in the kernel.
