> Maybe this has been discussed before but I haven't been on the list that long. I recently moved Fedora and EL from firewalld-ipset to firewalld-rich-rules and overall it works much better.
>
> ipset was causing firewalld to use legacy iptables and I frequently saw "WARNING already banned" messages. Switching to rich-rules solved this problem but created another one.
>
> The default range for allports is "0:65535", which is fine for iptables, but firewalld chokes on this and will only accept the form "0-65535". Not being familiar with the inner workings of fail2ban, the easy thing to do would be to make the change in jail.conf for Fedora packages since we default to firewalld; however, I don't want to cause the reverse problem for people that want to run iptables.
>
Yes, I reported this issue on a Bugzilla for Red Hat/Fedora at https://bugzilla.redhat.com/show_bug.cgi?id=1823746

> Is there a way to cover this for both situations?
>
> Just to use jail.local to override it--and do not use "all" or "anyport" for the "port" option.

You might also have to manually, or via rpmconf -a, change the /etc/fail2ban/jail.d/00-firewalld.conf file after updating to fail2ban-0.11.1-6.

As described in the BZ entry, I'm struggling with getting the recidive jail to work with firewalld-rich-rules. I had to go back to the iptables option.
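A small checker for the mismatch the thread describes, added here as an example and not code from fail2ban or from anyone in the thread: it reads an INI-style jail configuration (a constructed sample is embedded) and, for every jail that ends up with banaction firewalld-rich-rules while its port value uses the iptables colon range (such as 0:65535) or the words "all"/"anyport", reports the dash form to put in a jail.local override. It assumes plain key/value jail files without fail2ban's %(name)s interpolation or [INCLUDES] sections.

```python
import configparser
import re

# Constructed sample (not from the thread): an INI-style fail2ban jail file
# whose DEFAULT banaction is firewalld-rich-rules, as on a Fedora/EL host.
SAMPLE_JAIL_CONF = """[DEFAULT]
banaction = firewalld-rich-rules
[sshd]
port = ssh
[recidive]
port = 0:65535
[nginx-http-auth]
banaction = iptables-multiport
port = 0:65535
"""

IPTABLES_RANGE = re.compile(r"^(\d+):(\d+)$")  # iptables form, e.g. 0:65535
ANY_PORT_WORDS = {"all", "anyport"}            # values the reply says to avoid


def firewalld_port(port_spec):
    """Return (changed, spec): colon ranges become dash ranges, 'all'/'anyport'
    become the explicit full range, every other item passes through unchanged."""
    items, changed = [], False
    for item in (p.strip() for p in port_spec.split(",")):
        m = IPTABLES_RANGE.match(item)
        if m:
            items.append(f"{m.group(1)}-{m.group(2)}")
            changed = True
        elif item.lower() in ANY_PORT_WORDS:
            items.append("0-65535")
            changed = True
        else:
            items.append(item)
    return changed, ",".join(items)


def check_jails(conf_text):
    """Map jail name -> suggested jail.local 'port' override for jails that
    use firewalld-rich-rules with a port value firewalld would reject."""
    conf = configparser.ConfigParser(interpolation=None)
    conf.read_string(conf_text)
    findings = {}
    for jail in conf.sections():  # DEFAULT values are inherited, not listed
        if conf.get(jail, "banaction", fallback="") != "firewalld-rich-rules":
            continue
        changed, fixed = firewalld_port(conf.get(jail, "port", fallback=""))
        if changed:
            findings[jail] = fixed
    return findings
```

Running check_jails on the sample flags only the recidive jail (the nginx jail keeps the colon range because it bans through iptables-multiport), which is the override to carry into jail.local.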
_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
