Re: [Shorewall-users] Testing if ipsets are working.

2017-02-23 Thread Tom Eastep

On 02/22/2017 04:42 PM, Nigel Aves wrote:
> Is there a way of "knowing" that ipsets are working correctly?
> 
> I've looked through the dump file and that does not seem to contain
> the information I need. The reason I ask, is that I have changed
> fail2ban to use ipsets to pass the information across to shorewall.
> The reason I have done this is because the old method stopped
> working after implementing "blacklist if connection attempt on
> unused port"
> 
> 2017-02-22 16:57:20,757 fail2ban.filter [5721]: INFO [postfix-sasl] Found 94.102.60.172
> 2017-02-22 16:57:33,148 fail2ban.filter [5721]: INFO [postfix-sasl] Found 89.248.171.234
> 2017-02-22 16:57:54,557 fail2ban.filter [5721]: INFO [postfix-sasl] Found 91.200.12.121
> 2017-02-22 17:03:52,523 fail2ban.filter [5721]: INFO [postfix-sasl] Found 185.29.9.175
> 2017-02-22 17:04:46,613 fail2ban.filter [5721]: INFO [postfix-sasl] Found 91.200.12.121
> 2017-02-22 17:04:47,222 fail2ban.actions[5721]: NOTICE [postfix-sasl] 91.200.12.121 already banned
> 2017-02-22 17:11:38,149 fail2ban.filter [5721]: INFO [postfix-sasl] Found 91.200.12.121
> 2017-02-22 17:18:33,651 fail2ban.filter [5721]: INFO [postfix-sasl] Found 91.200.12.121
> 
> I have tried two different methods in the rules file.
> 
> DROP:info net:+f2b $FW   >> this was from a tutorial I discovered

That is the correct test, if fail2ban is inserting addresses into set f2b.

> 
> and
> 
> ADD(f2b:src):info net $FW   >> this is a modified version of
> Tom's "blacklist if connection "

Incorrect.

> 
> 
> I have created the ipset all OK and get IPs
> 
> # ipset list f2b
> Name: f2b
> Type: hash:ip
> Revision: 1
> Header: family inet hashsize 1024 maxelem 65536 timeout 300
> Size in memory: 20048
> References: 1
> Members:
> 91.200.12.121 timeout 83162
> 95.211.209.158 timeout 83163
> 87.241.171.225 timeout 290
> 124.228.112.30 timeout 227
> 181.120.35.243 timeout 78
> 146.0.235.55 timeout 237
> 
> If anyone could point me in the right direction, it would really help.
> I'm losing too much hair scratching my head!
> 

The packet count on the new DROP rule will increment (and a log
message will be generated) when there is a match on the f2b ipset.

-Tom
-- 
Tom Eastep\ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \
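One way to carry out the check Tom describes, as an added example that is not from the thread or from Shorewall itself: it reads the DROP rule's packet counter from saved `iptables -nvxL` output and checks set membership from saved `ipset list` output, so it runs offline. The chain output is constructed, and the live commands named in the comments are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Per Tom's reply, the DROP rule's packet
# counter rises on an f2b hit; these helpers read that counter from saved
# `iptables -nvxL` output and check membership from saved `ipset list` output.
# Live equivalents (assumed, run as root):
#   shorewall show -x net-fw | grep 'match-set f2b'; ipset test f2b 91.200.12.121

# Sum the packet counters of DROP rules matching source ipset $1 (stdin: iptables -nvxL).
f2b_drop_packets() {
    awk -v set="$1" '
        $1 ~ /^[0-9]+$/ && $3 == "DROP" && $0 ~ ("match-set " set " src") { total += $1 }
        END { print total + 0 }'
}

# Exit 0 if address $1 is listed under "Members:" (stdin: ipset list output).
ipset_has() {
    awk -v a="$1" '
        /^Members:/ { in_members = 1; next }
        in_members && $1 == a { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Constructed sample of chain net-fw after Shorewall compiled "DROP:info net:+f2b $FW";
# the LOG and DROP rules both carry "match-set f2b src", so only DROP is counted.
SAMPLE_CHAIN='Chain net-fw (1 references)
    pkts      bytes target     prot opt in     out     source               destination
      17     1020 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set f2b src LOG flags 0 level 6 prefix "Shorewall:net-fw:DROP:"
      17     1020 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set f2b src
       0        0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22'

# Abbreviated copy of the `ipset list f2b` output from the original post.
SAMPLE_SET='Name: f2b
Header: family inet hashsize 1024 maxelem 65536 timeout 300
Members:
91.200.12.121 timeout 83162
95.211.209.158 timeout 83163'

# Verdict for address $1 given ipset output $2 and chain output $3:
# both set membership and a non-zero DROP counter are required.
check_f2b() {
    addr=$1; set_out=$2; chain_out=$3
    if ! printf '%s\n' "$set_out" | ipset_has "$addr"; then
        echo "$addr is not in set f2b: fail2ban is not adding it"; return 1
    fi
    hits=$(printf '%s\n' "$chain_out" | f2b_drop_packets f2b)
    [ "$hits" -gt 0 ] || { echo "DROP rule for f2b has never matched"; return 1; }
    echo "f2b working: $addr in set, DROP rule counted $hits packets"
}

check_f2b 91.200.12.121 "$SAMPLE_SET" "$SAMPLE_CHAIN"
```

On a live box, replace the two sample variables with the real command output; a zero counter with the address present in the set points at the rule rather than at fail2ban.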

--
Check out the vibrant tech community on one of the world's most
engaging tech sites, SlashDot.org! http://sdm.link/slashdot
___
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users


[Shorewall-users] Testing if ipsets are working.

2017-02-22 Thread Nigel Aves

Is there a way of "knowing" that ipsets are working correctly?

I've looked through the dump file and that does not seem to contain the 
information I need. The reason I ask, is that I have changed fail2ban to 
use ipsets to pass the information across to shorewall. The reason I 
have done this is because the old method stopped working after 
implementing "blacklist if connection attempt on unused port"


2017-02-22 16:57:20,757 fail2ban.filter [5721]: INFO 
[postfix-sasl] Found 94.102.60.172
2017-02-22 16:57:33,148 fail2ban.filter [5721]: INFO 
[postfix-sasl] Found 89.248.171.234
2017-02-22 16:57:54,557 fail2ban.filter [5721]: INFO 
[postfix-sasl] Found 91.200.12.121
2017-02-22 17:03:52,523 fail2ban.filter [5721]: INFO 
[postfix-sasl] Found 185.29.9.175
2017-02-22 17:04:46,613 fail2ban.filter [5721]: INFO 
[postfix-sasl] Found 91.200.12.121
2017-02-22 17:04:47,222 fail2ban.actions[5721]: NOTICE 
[postfix-sasl] 91.200.12.121 already banned
2017-02-22 17:11:38,149 fail2ban.filter [5721]: INFO 
[postfix-sasl] Found 91.200.12.121
2017-02-22 17:18:33,651 fail2ban.filter [5721]: INFO 
[postfix-sasl] Found 91.200.12.121


I have tried two different methods in the rules file.

DROP:info net:+f2b $FW   >> this was from a tutorial I discovered

and

ADD(f2b:src):info net $FW   >> this is a modified version of Tom's 
"blacklist if connection "



I have created the ipset all OK and get IPs

# ipset list f2b
Name: f2b
Type: hash:ip
Revision: 1
Header: family inet hashsize 1024 maxelem 65536 timeout 300
Size in memory: 20048
References: 1
Members:
91.200.12.121 timeout 83162
95.211.209.158 timeout 83163
87.241.171.225 timeout 290
124.228.112.30 timeout 227
181.120.35.243 timeout 78
146.0.235.55 timeout 237

If anyone could point me in the right direction, it would really help. I'm 
losing too much hair scratching my head!


Many Thanks,

Nigel.

--

from the desk of Nigel

http://soft-focus-imagining.com
http://twin-peaks-video.com
