I don't use fedora and still have iptables, but afaik ipset is way more efficient at blocking big lists than individual per-IP firewall rules. The action I end up with is iptables-ipset-proto6-allports.conf. All ports is used as it covers you changing ports. Also I run port 22 internally but have a second daemon using keys only which I can expose to the internet. This action covers both cases.

Have a look at the f2b logging to try to determine what is going wrong. It is generally quite informative.

On 05/04/2020 16:35, Richard Shaw wrote:
So I figured out the cause of most of the errors, apparently protocol = all isn't compatible with firewalld-ipset, as it tries to pass "all" to iptables-restore which isn't valid...

But there's still no ipset f2b-sshd loaded in firewalld:

# firewall-cmd --get-ipsets
blacklist

I just checked the chains directly but I'm still seeing warnings of already banned IPs

# iptables -S | grep INPUT_direct
-N INPUT_direct
-A INPUT -j INPUT_direct
-A INPUT_direct -p tcp -m multiport --dports 22 -m set --match-set f2b-sshd src -j REJECT --reject-with icmp-port-unreachable

---

Of course gathering all the information I need for the email post I've figured a bunch of stuff out. I'm going to try firewalld-allports instead. I don't know why -ipset is default on Fedora.

Thanks,
Richard


_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
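A small diagnostic for the mismatch Richard describes (a rule in INPUT_direct referencing f2b-sshd while firewall-cmd --get-ipsets lists only blacklist), added here as an example and not code from the thread or from fail2ban. The rule list and the loaded-set list are constructed samples; on a real host you would feed it the output of `iptables -S` together with `ipset list -n` (the kernel's view) or `firewall-cmd --get-ipsets` (firewalld's view), which can differ.

```shell
#!/bin/sh
# Added example: list every ipset referenced by an iptables `-m set --match-set`
# rule that does not appear in a given list of loaded/managed sets.

# Constructed sample of `iptables -S` output, mirroring the rules in the thread.
SAMPLE_RULES='-N INPUT_direct
-A INPUT -j INPUT_direct
-A INPUT_direct -p tcp -m multiport --dports 22 -m set --match-set f2b-sshd src -j REJECT --reject-with icmp-port-unreachable
-A INPUT_direct -m set --match-set blacklist src -j DROP'

# Constructed sample of `firewall-cmd --get-ipsets` output (one name per line).
SAMPLE_LOADED='blacklist'

# referenced_sets RULES -> unique set names used by --match-set, one per line
referenced_sets() {
    printf '%s\n' "$1" | sed -n 's/.*--match-set \([^ ]*\) .*/\1/p' | sort -u
}

# missing_sets RULES LOADED -> referenced set names absent from LOADED
missing_sets() {
    referenced_sets "$1" | while IFS= read -r name; do
        # exact whole-line match so "f2b-sshd" does not match "f2b-sshd-6"
        if ! printf '%s\n' "$2" | grep -qx -- "$name"; then
            printf '%s\n' "$name"
        fi
    done
}

# Usage on a live host (as root):
#   missing_sets "$(iptables -S)" "$(firewall-cmd --get-ipsets)"
#   missing_sets "$(iptables -S)" "$(ipset list -n)"
# Any name printed is a set a rule depends on but the queried tool does not
# know about, which is the inconsistency to chase in the f2b log.
```
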



