On Tue, Oct 04, 2005 at 11:29:45AM -0700, Ross Boylan wrote:
> concerns the program operation and endless loop. This one concerns
> primarily user information (which may have been addressed) and the
> problem that the firewall rules become ineffective if the main INPUT
> chain is altered so as to delete the references to the fail2ban
> rules.

yeap -- and that would lead to the absent chain: all failed login attempts
will continue to flow, fail2ban will disregard them because it thinks that
they are banned, unban will fail because there is no chain, and an infinite
loop situation can occur.

Is that right?

Both bugs grow from the same fact: if a user (or a firewall etc. outside of
fail2ban) changes the iptables INPUT chain, fail2ban cannot function
properly. During startup fail2ban starts after networking and all firewalls
(which are supposed to be started from /etc/rcS.d/, if I'm not wrong), so a
general user should be fine as long as he doesn't restart the firewall or
wipe out INPUT manually.

> In other words, 329163 is about infinite loops, while this concerns
> failure to run at all.

Otherwise, if something like that happens, fail2ban becomes unusable and
might loop endlessly. That is why I considered both bug reports to be the
same, because the source of the problem is the same.

> Also, this bug/wish has some ideas about program functionality. You
> may or may not wish to pursue those ideas.

Indeed. We had an idea to include a check for the existing chain before
every operation with iptables... For now we just limited the solution to
the note in README.Debian. Hopefully soon (if there will not be that many
bug reports) recent fail2ban will get into testing, thus the others will
see that note :-)

--
                                  .-.
=------------------------------   /v\  ----------------------------=
Keep in touch                    // \\     (yoh@|www.)onerussian.com
Yaroslav Halchenko              /(   )\               ICQ#: 60653192
Linux User                       ^^-^^                      [175555]
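The "check for the existing chain before every operation with iptables" idea from the reply above, written out as an added sh example (this is not fail2ban's own code, nor from the Debian package). It assumes a hypothetical chain name `fail2ban-ssh` and uses three constructed rule listings in `iptables -S` format instead of calling iptables, so it runs offline; on a real host you would feed it `$(iptables -S)`. The point is that an unban which cannot find its chain returns a distinct error instead of being retried forever, which is the failure mode the thread describes.

```shell
#!/bin/sh
# Added example, not fail2ban's own code: guard iptables operations on a
# fail2ban chain by first checking that the chain exists and that INPUT
# still jumps to it.
# Assumptions: the chain name "fail2ban-ssh" is hypothetical, and the three
# rule listings below are constructed samples in `iptables -S` format
# (on a real host: rules=$(iptables -S)).

# Constructed: healthy state, the chain exists and INPUT jumps to it.
HEALTHY_RULES='-P INPUT ACCEPT
-N fail2ban-ssh
-A INPUT -p tcp -m tcp --dport 22 -j fail2ban-ssh
-A fail2ban-ssh -s 192.0.2.10/32 -j DROP
-A fail2ban-ssh -j RETURN'

# Constructed: INPUT was flushed; the chain still exists but nothing jumps
# to it, so the bans are silently ineffective.
ORPHANED_RULES='-P INPUT ACCEPT
-N fail2ban-ssh
-A fail2ban-ssh -s 192.0.2.10/32 -j DROP
-A fail2ban-ssh -j RETURN'

# Constructed: the firewall was restarted and the chain is gone entirely.
MISSING_RULES='-P INPUT ACCEPT'

# chain_exists RULES CHAIN: succeeds if the chain was created ("-N CHAIN").
chain_exists() {
    printf '%s\n' "$1" | grep -q -- "^-N $2\$"
}

# chain_referenced RULES CHAIN: succeeds if some INPUT rule jumps to CHAIN.
chain_referenced() {
    printf '%s\n' "$1" | grep -q -- "^-A INPUT .*-j $2\$"
}

# chain_state RULES CHAIN: prints ok, orphaned or missing.
chain_state() {
    if ! chain_exists "$1" "$2"; then
        echo missing
    elif ! chain_referenced "$1" "$2"; then
        echo orphaned
    else
        echo ok
    fi
}

# guarded_unban RULES CHAIN IP: returns 0 only when the ban rule can really
# be deleted. Any other state is reported with a non-zero status so the
# caller can re-create the chain instead of retrying the delete forever.
guarded_unban() {
    state=$(chain_state "$1" "$2")
    if [ "$state" != ok ]; then
        echo "refusing: chain $2 is $state; re-create it instead of retrying"
        return 1
    fi
    if printf '%s\n' "$1" | grep -q -- "^-A $2 -s $3/32 -j DROP\$"; then
        echo "would run: iptables -D $2 -s $3 -j DROP"
        return 0
    fi
    echo "no ban rule for $3 in $2"
    return 2
}

# Demo over the three constructed states.
for rules in "$HEALTHY_RULES" "$ORPHANED_RULES" "$MISSING_RULES"; do
    echo "state: $(chain_state "$rules" fail2ban-ssh)"
done
guarded_unban "$HEALTHY_RULES" fail2ban-ssh 192.0.2.10 || true
guarded_unban "$MISSING_RULES" fail2ban-ssh 192.0.2.10 || true
```

The `orphaned` state is the quieter of the two failures: the chain and its DROP rules are all still there, so a check that only asks "does the chain exist?" passes while every banned host is in fact let through. Checking for the `-j` reference from INPUT is what catches the case the thread is about.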