From: Nick H. <ni...@ho...> - 2020-04-05 16:03:10
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
I don't use Fedora and still have iptables, but afaik ipset is way
more efficient at blocking big lists than individual per-IP firewall
rules. The action I end up with is
iptables-ipset-proto6-allports.conf. All ports is used as it covers
you changing ports. Also I run port 22 internally but have a second
daemon using keys only which I can expose to the internet. This
action covers both cases.<br>
<br>
Have a look at the f2b logging to try to determine what is going
wrong. It is generally quite informative.<br>
<br>
<div class="moz-cite-prefix">On 05/04/2020 16:35, Richard Shaw
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:CAN...@ma...">
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<div dir="ltr">
<div>So I figured out the cause of most of the errors:
apparently protocol = all isn't compatible with
firewalld-ipset, as it tries to pass "all" to iptables-restore,
which isn't valid...</div>
<div><br>
</div>
<div>But there's still no ipset f2b-sshd loaded in firewalld:</div>
<div><br>
</div>
<div># firewall-cmd --get-ipsets<br>
blacklist<br>
</div>
<div><br>
</div>
<div>I just checked the chains directly but I'm still seeing
warnings of already banned IPs</div>
<div><br>
</div>
<div># iptables -S | grep INPUT_direct<br>
-N INPUT_direct<br>
-A INPUT -j INPUT_direct<br>
-A INPUT_direct -p tcp -m multiport --dports 22 -m set
--match-set f2b-sshd src -j REJECT --reject-with
icmp-port-unreachable<br>
</div>
<div><br>
</div>
<div>---</div>
<div><br>
</div>
<div>Of course gathering all the information I need for the
email post I've figured a bunch of stuff out. I'm going to try
firewalld-allports instead. I don't know why -ipset is default
on Fedora.</div>
<div><br>
</div>
<div>Thanks,</div>
<div>Richard</div>
</div>
<br>
<pre class="moz-quote-pre" wrap="">_______________________________________________
Fail2ban-users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Fai...@li...">Fai...@li...</a>
<a class="moz-txt-link-freetext" href="https://lists.sourceforge.net/lists/listinfo/fail2ban-users">https://lists.sourceforge.net/lists/listinfo/fail2ban-users</a>
</pre>
</blockquote>
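A small shell check, added here and not part of the thread or of the Fail2ban project, that diagnoses the situation Richard describes: an iptables rule that references an ipset (--match-set f2b-sshd) which firewalld never loaded, so bans silently never match. It parses `iptables -S` and `ipset list -n` output; the embedded sample is constructed from the listings quoted above, and check_live (assumed to run as root with iptables and ipset installed) applies the same test to the running host.

```shell
#!/bin/sh
# Constructed sample: the iptables -S lines quoted in the thread, and an
# ipset listing that, as in the thread, lacks the f2b-sshd set.
SAMPLE_IPTABLES='-N INPUT_direct
-A INPUT -j INPUT_direct
-A INPUT_direct -p tcp -m multiport --dports 22 -m set --match-set f2b-sshd src -j REJECT --reject-with icmp-port-unreachable'
SAMPLE_IPSETS='blacklist'

# sets_referenced RULES: print every ipset name referenced via --match-set
sets_referenced() {
  printf '%s\n' "$1" | sed -n 's/.*--match-set \([^ ]*\) .*/\1/p' | sort -u
}

# missing_sets RULES SETS: print each referenced set that is not in the
# loaded-set listing (one name per line); prints nothing when all are loaded
missing_sets() {
  for s in $(sets_referenced "$1"); do
    if ! printf '%s\n' "$2" | grep -qx "$s"; then
      echo "$s"
    fi
  done
}

# check_live: run the same comparison against the running firewall
# (assumed: root privileges, iptables and ipset present)
check_live() {
  missing_sets "$(iptables -S)" "$(ipset list -n)"
}

main() {
  missing=$(missing_sets "$SAMPLE_IPTABLES" "$SAMPLE_IPSETS")
  if [ -z "$missing" ]; then
    echo "all referenced ipsets are loaded"
  else
    echo "rules reference ipset(s) that are not loaded, bans will never match:"
    echo "$missing"
  fi
}

main
```

Running it on the sample prints f2b-sshd as the unloaded set, which is exactly why the "already banned" warnings keep appearing while the chain looks correct.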
<br>
</body>
</html>