On Fri, May 1, 2020 at 9:39 AM Robert Kudyba <[email protected]> wrote:
>> Maybe this has been discussed before but I haven't been on the list that
>> long. I recently moved Fedora and EL from firewalld-ipset to
>> firewalld-rich-rules and overall it works much better.
>>
>> ipset was causing firewalld to use legacy iptables and I frequently saw
>> WARNING already banned messages. Switching to rich-rules solved this
>> problem but created another one.
>>
>> The default range for allports is "0:65535" which is fine for iptables but
>> firewalld chokes on this but will accept the form "0-65535". Not being
>> familiar with the inner workings of fail2ban, the easy thing to do would
>> be to make the change in jail.conf for Fedora packages since we default to
>> firewalld, however, I don't want to cause the reverse problem for people
>> that want to run iptables.
>>
>
> Yes I reported this issue on a Bugzilla for Red Hat/Fedora at
> https://bugzilla.redhat.com/show_bug.cgi?id=1823746
>

I know, hence my post here to try and find a solution :)

>> Is there a way to cover this for both situations?
>>
>
> Just to use jail.local to override it--and do not use "all" or "anyport"
> for the "port" option. You might also have to manually or via rpmconf -a
> change the /etc/fail2ban/jail.d/00-firewalld.conf file after updating
> to fail2ban-0.11.1-6
>

No need for rpmconf; if you modify the file, it's marked %config(noreplace)
in the spec file, so the new file will be created as <original>.rpmnew

I just changed the port entry to use the hyphen instead and it seemed
to work fine.

> As described in the BZ entry, I'm struggling with getting the recidive
> jail to work with firewalld-rich-rules. I had to go back to the iptables
> option.
>

Part of the problem is I have no idea what recidive is, but it looks like in
your configuration it may be trying to use iptables? I don't think mixed
modes are going to work.

I have no plans to change it back but I will work to find a solution.
The firewalld-ipset config was completely broken and ssh is a very important
jail to have working.

Thanks,
Richard
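The thread's practical advice is to override `port` in jail.local with the hyphen form when the ban action is a firewalld one, and to watch for jails such as recidive that pick up `banaction_allports` and the DEFAULT `port` value indirectly. The script below is an added example, not code from this thread or from the fail2ban project: it layers jail fragments the way fail2ban does (jail.conf, then jail.d/*.conf, then jail.local, later values winning), resolves the `%(name)s` references with Python's configparser, and flags every enabled jail whose effective banaction starts with `firewalld` while its effective port spec still contains an iptables-style `low:high` range, suggesting the `low-high` form instead. The jail text embedded in it is constructed to mirror the situation described (a DEFAULT `port = 0:65535`, a Fedora-style 00-firewalld.conf drop-in, a recidive jail inheriting `banaction_allports`); file contents, the "firewalld" prefix test, and the recidive definition are assumptions, not copies of the packaged files.

```python
"""Audit fail2ban jail settings for iptables-style port ranges under firewalld.

Added example (not from the mailing-list thread or the fail2ban project).
It mimics how fail2ban layers jail.conf, jail.d/*.conf and jail.local, then
reports enabled jails whose effective banaction is a firewalld action but
whose effective port still uses the "low:high" syntax firewalld rejects.
All embedded jail text is constructed for illustration.
"""
import configparser
import re

# Constructed sample: a trimmed jail.conf (assumed layout, not the packaged one).
JAIL_CONF = """\
[DEFAULT]
port = 0:65535
protocol = tcp
banaction = iptables-multiport
banaction_allports = iptables-allports

[sshd]
enabled = true
port = ssh

[recidive]
enabled = true
logpath = /var/log/fail2ban.log
banaction = %(banaction_allports)s
"""

# Constructed sample: a jail.d/00-firewalld.conf-style drop-in that switches
# the default ban actions to firewalld rich rules (assumed contents).
FIREWALLD_DROPIN = """\
[DEFAULT]
banaction = firewalld-rich-rules
banaction_allports = firewalld-rich-rules
"""

# Two constructed jail.local variants: the iptables range syntax that
# firewalld chokes on, and the hyphen form it accepts.
JAIL_LOCAL_COLON = "[DEFAULT]\nport = 0:65535\n"
JAIL_LOCAL_HYPHEN = "[DEFAULT]\nport = 0-65535\n"

# An iptables-style "low:high" range inside a port spec such as
# "0:65535" or "ssh,8000:8100".
_RANGE = re.compile(r"(\d+):(\d+)")


def load_jails(*sources):
    """Merge jail fragments in order; later fragments override earlier ones,
    as fail2ban does for jail.conf -> jail.d/*.conf -> jail.local.
    The default BasicInterpolation resolves fail2ban's %(name)s references
    against the jail section and then DEFAULT."""
    cfg = configparser.ConfigParser()
    for text in sources:
        cfg.read_string(text)
    return cfg


def port_for_firewalld(port):
    """Rewrite every "low:high" range to the "low-high" form firewalld accepts.
    Service names and single ports are left untouched."""
    return _RANGE.sub(r"\1-\2", port)


def audit(cfg):
    """Return (jail, banaction, port, suggested_port) for each enabled jail whose
    effective banaction is a firewalld action but whose port uses ':' ranges.
    Jails on iptables actions are not reported: ':' is correct there."""
    findings = []
    for jail in cfg.sections():
        if not cfg.getboolean(jail, "enabled", fallback=False):
            continue
        banaction = cfg.get(jail, "banaction")  # inherits DEFAULT if unset in jail
        port = cfg.get(jail, "port")
        if banaction.startswith("firewalld") and _RANGE.search(port):
            findings.append((jail, banaction, port, port_for_firewalld(port)))
    return findings


if __name__ == "__main__":
    for label, local in (("jail.local with ':'", JAIL_LOCAL_COLON),
                         ("jail.local with '-'", JAIL_LOCAL_HYPHEN)):
        cfg = load_jails(JAIL_CONF, FIREWALLD_DROPIN, local)
        print(label)
        for jail, action, port, fixed in audit(cfg) or []:
            print(f"  {jail}: banaction={action} port={port!r} -> use {fixed!r}")
        if not audit(cfg):
            print("  no findings")
```

To run it against a real host, pass the contents of /etc/fail2ban/jail.conf, each jail.d/*.conf, and jail.local in that order. Note that the stock action definitions reference `%(__name__)s`, which Python's configparser does not define; the script stays clear of that by reading only `port` and `banaction`, which configparser resolves lazily. Note too that a jail with `port = all` or `anyport` is not caught by the range check, which is why the reply above says to avoid those values outright.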
_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
