[Bug] IP rules not applied after switching firewall service in aaPanel 7.0.21

tungdev

In aaPanel version 7.0.21, I’m using an AlmaLinux 8 server with firewalld to manage IP rules. I was prompted to switch to the new firewall service, and after making the switch, all my existing IP rules were migrated but not actually applied in the new service. I had to manually add them back to the "trusted" zone of firewalld via the terminal.

aaPanel_Kern

The new one is managed using ipset

tungdev

Thank you for the clarification about ipset. However, the issue I’m facing is that adding an IP to the in_bt_user_accept_ipset does not grant it unrestricted access to the server like the trusted zone in firewalld does.

In firewalld, when I assign an IP to the trusted zone, that IP is allowed to access all open ports on the server without needing to explicitly open those ports in the public zone or elsewhere.

But in the current ipset-based firewall setup, even though the IP is added to in_bt_user_accept_ipset, it cannot access any ports unless those ports are manually opened elsewhere. So the behavior is not equivalent to the trusted zone in firewalld.

My use case is: I want to whitelist certain IPs to have full access to all services (ports) on the server, without needing to manage individual port permissions.

Is there a way to replicate the behavior of the firewalld trusted zone using ipset, or should I disable the new firewall system and go back to using firewalld directly?

aaPanel_Kern

ipset is used directly iptables. This rule can access all ports by default.
tungdev

tungdev

Thank you for the explanation. However, from my testing, this ipset-based rule doesn't behave the same way on AlmaLinux 8 as it does on Ubuntu. On Ubuntu 22.04, adding an IP to in_bt_user_accept_ipset works as expected — the whitelisted IP can access all open ports without additional configuration.

But on AlmaLinux 8, even after adding an IP to the ipset, it cannot access any ports unless the specific ports are also explicitly opened elsewhere (e.g. via firewalld or iptables rules). So it seems that on AlmaLinux, there is no default iptables rule linking the ipset to allow access, unlike Ubuntu where it just works out of the box.

I also noticed that the aaPanel documentation recommends using Ubuntu, which makes sense now — but many of my older servers are still running AlmaLinux 8, and I don't plan to upgrade them yet.

Would it be possible for aaPanel to add compatibility or a fallback rule for RHEL-based systems like AlmaLinux to ensure ipset behaves consistently across distributions?

aaPanel_Kern

Hello,
Also used to process using iptables rules using ipset