[CentOS] Firewalld direct.xml

Tue Mar 24 20:38:49 UTC 2020
Phil Perry <pperry at elrepo.org>

On 24/03/2020 18:26, Jerry Geis wrote:
> it looks like it does work - it just takes a REAL long time to load with
> "many" entries in the file.
> iptables was never slow. firewalld seems inefficient.
> 
> I was able to add the line - restart the firewall, (wait) - see my packets
> dropped - remove the line -
> restart the firewall (wait) and able to ping again.
> 
> I thought this "Direct.xml" file would be the fastest way for firewalld -
> but there is multi-minute wait to restart. I have about 14000 entries.
> 

I would think ipset would be a more suitable tool for the task in hand
which can do the task instantly if you create and update a copy of your
set and then swap the sets.
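The build-a-copy-then-swap approach described above, written out as an added example (not code from the thread). It assumes a live set named `blocklist` (hypothetical) that an iptables rule already matches on, and uses a constructed sample list; the `ipset` commands only run when the tool is present and the script runs as root.

```shell
#!/bin/sh
# Added example: atomic reload of a large blocklist with ipset.
# A temporary set is filled in one batch, then swapped with the live set, so
# the kernel never matches against an empty or half-loaded list. Assumed live
# set name (hypothetical): "blocklist", referenced by an existing rule such as
#   iptables -I INPUT -m set --match-set blocklist src -j DROP
LIVE_SET="blocklist"
TMP_SET="${LIVE_SET}_tmp"

# Emit an 'ipset restore' batch from a file with one IPv4 address or CIDR per
# line; blank lines and '#' comments are skipped. One restore call replaces
# thousands of individual 'ipset add' invocations (the thread mentions ~14000).
# maxelem 65536 leaves headroom above that; the swap requires both sets to
# share the same type and header options, so the same line is used for both.
build_restore_script() {
    set_name="$1"; input="$2"
    printf 'create %s hash:net family inet hashsize 16384 maxelem 65536\n' "$set_name"
    grep -Ev '^[[:space:]]*(#|$)' "$input" | while IFS= read -r entry; do
        printf 'add %s %s\n' "$set_name" "$entry"
    done
}

# Number of entries the batch would add; a cheap sanity check before reloading.
count_adds() {
    build_restore_script "$1" "$2" | grep -c '^add '
}

# Build the copy, swap it into place, and drop the old contents.
reload_blocklist() {
    input="$1"
    ipset list "$LIVE_SET" >/dev/null 2>&1 || \
        ipset create "$LIVE_SET" hash:net family inet hashsize 16384 maxelem 65536
    ipset destroy "$TMP_SET" >/dev/null 2>&1 || true   # leftover from a failed run
    build_restore_script "$TMP_SET" "$input" | ipset restore
    ipset swap "$TMP_SET" "$LIVE_SET"                  # atomic; rules keep matching
    ipset destroy "$TMP_SET"                           # now holds the old entries
}

# Constructed sample input (documentation ranges, not real indicators).
SAMPLE="$(mktemp)"
cat > "$SAMPLE" <<'EOF'
# constructed sample blocklist
192.0.2.10
198.51.100.0/24

203.0.113.7
EOF

if command -v ipset >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
    reload_blocklist "$SAMPLE"
else
    build_restore_script "$TMP_SET" "$SAMPLE"   # dry run: show the batch only
fi
```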