From: Christopher E. <ce...@lc...> - 2022-01-19 11:39:47

On 13.01.22 06:44, Kevin Buckley wrote:
> I tried running the same commands, and saw the same thing, however,
> it's possible I have worked out what is going on
>
>
> # firewall-cmd --info-ipset=sshguard4
> Error: INVALID_IPSET: sshguard4
>
> # firewall-cmd --ipset=sshguard4 --add-entry=192.102.251.102
> Error: INVALID_IPSET: sshguard4
>
> BUT
>
> if those commands have the "--permanent" flag added to them, so:
>
>
> # firewall-cmd --permanent --ipset=sshguard4 --add-entry=192.102.251.102
> success
> # firewall-cmd --permanent --info-ipset=sshguard4
> sshguard4
>   type: hash:net
>   options:
>   entries: 192.102.251.102
> #
>
> so are the errors that are being seen the result of SSHGuard's commands
> lacking the "--permanent" flag when targeting IPSets, for example:
>
>
> fw_block() {
>     ${FIREW_CMD} --ipset="sshguard$2" --add-entry="$1/$3"
> }

That's interesting. I wonder if this is something that changed in firewalld. I'm using firewalld myself, so I'll take a look if I see the same behaviour.

IMO there is no reason not to use the --permanent flag when setting the entries, but that should be checked to be sure. The main difference is that the banned IPs will survive a restart, while SSHGuard's banlist doesn't?, which might lead to IPs not being unbanned. But that is easily remedied by letting SSHGuard wipe the sets on startup. It might already, I can check.

Christopher
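As an added example that is not part of this thread or of SSHGuard's own code: a small firewalld backend in the style of the fw_block() quoted above that writes each entry to both the permanent and the runtime configuration, and wipes the permanent entries at startup so that bans do not outlive SSHGuard's own list. It assumes firewall-cmd is on PATH (overridable through FIREW_CMD), that the sets are named sshguard4 and sshguard6 as in the thread, and that a --reload is what makes permanently created sets visible to runtime commands.

```sh
#!/bin/sh
# Added example (not SSHGuard's code): firewalld backend that keeps the
# runtime and permanent ipset configuration in step.
# Assumption: FIREW_CMD names the firewall-cmd binary (or a test double).
FIREW_CMD=${FIREW_CMD:-firewall-cmd}

# Create sshguard4/sshguard6 permanently if missing, then reload so the
# runtime configuration also knows them (assumed to be required).
fw_init() {
    for fam in 4 6; do
        case $fam in 4) opt=family=inet ;; 6) opt=family=inet6 ;; esac
        if ! ${FIREW_CMD} --permanent --get-ipsets | tr ' ' '\n' |
                grep -qx "sshguard$fam"; then
            ${FIREW_CMD} --permanent --new-ipset="sshguard$fam" \
                --type=hash:net --option="$opt" || return 1
        fi
    done
    ${FIREW_CMD} --reload
}

# Ban $1 (address) of family $2 (4 or 6) with prefix length $3.
# The permanent entry survives a firewalld restart; the runtime entry
# takes effect immediately without a reload.
fw_block() {
    for scope in --permanent ""; do
        ${FIREW_CMD} $scope --ipset="sshguard$2" --add-entry="$1/$3" || return 1
    done
}

# Unban: mirror image of fw_block in both scopes.
fw_release() {
    for scope in --permanent ""; do
        ${FIREW_CMD} $scope --ipset="sshguard$2" --remove-entry="$1/$3" || return 1
    done
}

# Startup cleanup: drop every permanent entry, then reload so the runtime
# sets are emptied as well and no stale ban is left behind.
fw_flush() {
    for fam in 4 6; do
        for entry in $(${FIREW_CMD} --permanent --ipset="sshguard$fam" --get-entries); do
            ${FIREW_CMD} --permanent --ipset="sshguard$fam" --remove-entry="$entry"
        done
    done
    ${FIREW_CMD} --reload
}
# Usage: . ./fwd-backend.sh; fw_init; fw_flush; fw_block 192.102.251.102 4 32
```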