On 27.03.2013 08:16, Zurd wrote:
> How come I have this in "ipfw -t list" but I can still log in :
> 00300 Wed Mar 27 03:08:59 2013 allow ip from any to any
> 00400 deny tcp from xxx.xxx.xxx.xxx to 127.0.0.1 dst-port 22
> 65535 Mon Mar 25 16:55:46 2013 deny ip from any to any
> Where xxx.xxx.xxx.xxx is my own local IP. From what I understand from ipfw
> rules priority, this should work.
First, the 00300 rule does allow from any to any, so it will not
continue to parse the next rule. But then your rule 00400 does
only match packets which go from xxx.xxx.xxx.xxx to 127.0.0.1.
But you will probably never ever have any such packets. You need
to replace 127.0.0.1 with 'me' or the IP address of the
interface the inbound traffic comes in on.
> Here's my jail :
> enabled = true
> filter = sshd
> action = ipfw[localhost=127.0.0.1]
> sendmail-whois[name="SSH,IPFW", dest=myemail@...]
> logpath = /var/log/auth.log
I am not sure what the 'localhost' stuff in the action does, as I
am using the 'bsd-ipfw' action in my installation.
> And in /var/log/fail2ban.log, I have plenty of those lines :
> 2013-03-27 03:10:40,393 fail2ban.actions: INFO [ssh-ipfw] xxx.xxx.xxx.xxx
> already banned
In your case this happens when fail2ban submits the IP address to
the action, but there it is not set up properly and the IP
address is not really blocked.
Sometimes this message can appear once when there is a fast
flood of new connections from the same IP address. But then it is
related to the caching delay of syslog writing to the file, until
fail2ban is able to read it.
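As an added illustration of the first-match behaviour described in the reply (not code from the mail or from fail2ban), the small evaluator below walks an ipfw-style ruleset in rule-number order and reports which rule catches an inbound SSH packet. The ruleset is the one quoted above with timestamps stripped; the client address, the host's addresses for 'me' and the "fixed" ruleset are constructed assumptions.

```python
import re
from collections import namedtuple

# Minimal ipfw rule grammar: NUM allow|deny PROTO from SRC to DST [dst-port N]
RULE_RE = re.compile(
    r"^(?P<num>\d+)\s+(?P<action>allow|deny)\s+(?P<proto>ip|tcp|udp)\s+"
    r"from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)(?:\s+dst-port\s+(?P<port>\d+))?$"
)

Packet = namedtuple("Packet", "proto src dst dport")

def _match_addr(pattern, addr, me):
    # 'any' matches everything, 'me' any address owned by the host, else exact match
    if pattern == "any":
        return True
    if pattern == "me":
        return addr in me
    return pattern == addr

def first_match(rules, pkt, me):
    """Walk rules in number order; return (number, action) of the first match."""
    parsed = []
    for line in rules:
        m = RULE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparsed rule: {line}")
        parsed.append(m.groupdict())
    for r in sorted(parsed, key=lambda r: int(r["num"])):
        if r["proto"] != "ip" and r["proto"] != pkt.proto:
            continue
        if not (_match_addr(r["src"], pkt.src, me) and _match_addr(r["dst"], pkt.dst, me)):
            continue
        if r["port"] is not None and int(r["port"]) != pkt.dport:
            continue
        return int(r["num"]), r["action"]
    return None  # ipfw always ends at 65535, so this is not reached with a full ruleset

# Constructed data: the ruleset from the mail with timestamps stripped, a placeholder
# client address for xxx.xxx.xxx.xxx, and made-up addresses for what 'me' expands to.
CLIENT = "192.0.2.10"
HOST_ADDRS = {"203.0.113.5", "127.0.0.1"}
ORIGINAL = ["00300 allow ip from any to any",
            f"00400 deny tcp from {CLIENT} to 127.0.0.1 dst-port 22",
            "65535 deny ip from any to any"]
FIXED = [f"00200 deny tcp from {CLIENT} to me dst-port 22",  # lower number, 'me' as dst
         "00300 allow ip from any to any", "65535 deny ip from any to any"]
SSH = Packet("tcp", CLIENT, "203.0.113.5", 22)  # inbound SSH hitting the host's real address
```

Running `first_match(ORIGINAL, SSH, HOST_ADDRS)` returns the allow-all rule 300, and even without rule 300 the 127.0.0.1 destination never matches, so only the fixed ruleset denies the packet.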