I want to set up a dynamic ssh firewall blocking in order to stop ssh
attacks and because openssh is abandoning tcpwrapper.

I set up an ipset setname, sshdeny, in order to use it in shorewall. I
also want to save and restore the addresses to be blocked across a
shutdown of shorewall. But I am having trouble reading the addresses
back in to shorewall and ipset.

I put an
ipset save sshdeny -file /etc/shorewall/sshdeny into the stop file

and tried to put an ipset restore -file /etc/shorewall/sshdeny
into the start file. But shorewall does not restart-- it says that set
does not exist and shuts down. Nowhere I put the ipset restore seems
to work.

Here is the situation. I put in only the lines which I think have
relevance.

zones
sshd:net ipv4

(net is the default external network)

interfaces
- enp+ detect


hosts
net enp+:0.0.0.0/0 -
sshd enp+:+sshdeny

rules
DROP sshd fw tcp,udp -


But this does not work. When I do
shorewall start
I get errors and shorewall stops again.

.....
Processing /etc/shorewall/init ...
Processing /etc/shorewall/tcclear ...
Setting up Route Filtering...
Setting up Martian Logging...
Setting up Proxy ARP...
Preparing iptables-restore input...
Running /sbin/iptables-restore...
iptables-restore v1.4.21: Set sshdeny doesn't exist.

Error occurred at line: 137
Try `iptables-restore -h' or 'iptables-restore --help' for more
information.
ERROR: iptables-restore Failed. Input is in
/var/lib/shorewall/.iptables-restore-input
Processing /etc/shorewall/stop ...
.........



files in /etc/shorewall:

stop
---------
ipset save sshdeny -file /etc/shorewall/sshdeny
================

start
-------------------
ipset restore -file /etc/shorewall/sshdeny
================

I get the same problem if I put that last line into the file init.

However if I put
ipset create sshdeny hash:ip timeout 800000
into init, I do not get that error, but now I cannot restore the files.
Wherever I put ipset restore.... I get that the set already exists, and
I cannot recover the old addresses into sshdeny.


Surely this is possible to do.
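
For the save/restore problem described in the post, one way to make sure the set exists before iptables-restore runs while still reloading the saved addresses. This is an added example, not part of the original message and not Shorewall's own code; the function names, the SSHDENY_* variables and the temporary-file handling are assumptions made for the example, while the set name, file path and timeout are the ones from the post.

```shell
# Added example: helper functions for the Shorewall extension scripts.
# Set name, file path and timeout are taken from the post; the variable
# and function names are assumptions of this example.
SSHDENY_SET="${SSHDENY_SET:-sshdeny}"
SSHDENY_FILE="${SSHDENY_FILE:-/etc/shorewall/sshdeny}"
SSHDENY_TIMEOUT="${SSHDENY_TIMEOUT:-800000}"

# Call from /etc/shorewall/init, which the log in the post shows is
# processed before iptables-restore. Guarantees that the set exists,
# then reloads any saved entries into it.
sshdeny_load() {
    # -exist: do not fail if the set is already present.
    ipset -exist create "$SSHDENY_SET" hash:ip timeout "$SSHDENY_TIMEOUT" || return 1
    if [ -s "$SSHDENY_FILE" ]; then
        # The save file begins with its own "create" line; -exist makes
        # restore tolerate that line and duplicate entries instead of
        # aborting because the set already exists.
        ipset -exist restore < "$SSHDENY_FILE" || return 1
    fi
    return 0
}

# Call from /etc/shorewall/stop. The stop script also runs after a failed
# start, when the set may not exist, so the dump goes to a temporary file
# and replaces the last good copy only if the save succeeded.
sshdeny_save() {
    tmp="${SSHDENY_FILE}.tmp"
    if ipset save "$SSHDENY_SET" > "$tmp" 2>/dev/null && [ -s "$tmp" ]; then
        mv "$tmp" "$SSHDENY_FILE"
    else
        rm -f "$tmp"
        return 1
    fi
}
```

With the functions defined in the respective script, `sshdeny_load` is called in init and `sshdeny_save || true` in stop, so a failed save does not abort the stop processing.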