Well, I thought I had this working, but no. So confused ( :) ) ..
Start Fail2Ban and do a list of ipsets
[root@apache-web-server ~]# ipset list
Name: SW_DBL4
Type: hash:net
Revision: 6
Header: family inet hashsize 1024 maxelem 65536 timeout 3600 counters
Size in memory: 384
References: 0
Members:
Name: BlackList
Type: hash:ip,port
Revision: 5
Header: family inet hashsize 1024 maxelem 65536 timeout 3600
Size in memory: 128
References: 0
Members:
[root@apache-web-server ~]#
Run a check of Shorewall setup
Checking configuration ..
Checking using Shorewall 5.1.10.2...
Processing /etc/shorewall/params ...
Processing /etc/shorewall/shorewall.conf...
Loading Modules...
Checking /etc/shorewall/zones...
Checking /etc/shorewall/interfaces...
Determining Hosts in Zones...
Locating Action Files...
Checking /etc/shorewall/policy...
Running /etc/shorewall/initdone...
Adding Anti-smurf Rules
Adding rules for DHCP
Checking TCP Flags filtering...
Checking Kernel Route Filtering...
Checking Martian Logging...
Checking /etc/shorewall/masq...
Checking MAC Filtration -- Phase 1...
Checking /etc/shorewall/rules...
Checking /usr/share/shorewall/deprecated/action.Drop for chain Drop...
WARNING: "You are using the deprecated Drop default action. Please
see http://www.shorewall.net/Actions.html /etc/shorewall/rules (line 117)
Checking /etc/shorewall/conntrack...
Checking MAC Filtration -- Phase 2...
Applying Policies...
Shorewall configuration verified
.. your firewall configuration looks OK.
Apart from not being able to figure out what's wrong with (a rule I was
advised to add! :) )
# Filter out noise
#
Drop net $FW all
Check the ipsets and both are still there.
Now try to start Shorewall
Failed to start firewall :
Compiling using Shorewall 5.1.10.2...
Processing /etc/shorewall/params ...
Processing /etc/shorewall/shorewall.conf...
Loading Modules...
Compiling /etc/shorewall/zones...
Compiling /etc/shorewall/interfaces...
Determining Hosts in Zones...
Locating Action Files...
Compiling /etc/shorewall/policy...
Running /etc/shorewall/initdone...
Adding Anti-smurf Rules
Adding rules for DHCP
Compiling TCP Flags filtering...
Compiling Kernel Route Filtering...
Compiling Martian Logging...
Compiling /etc/shorewall/masq...
Compiling MAC Filtration -- Phase 1...
Compiling /etc/shorewall/rules...
Compiling /usr/share/shorewall/deprecated/action.Drop for chain Drop...
WARNING: "You are using the deprecated Drop default action. Please
see http://www.shorewall.net/Actions.html /etc/shorewall/rules (line 117)
Compiling /etc/shorewall/conntrack...
Compiling MAC Filtration -- Phase 2...
Applying Policies...
Generating Rule Matrix...
Optimizing Ruleset...
Creating iptables-restore input...
Shorewall configuration compiled to /var/lib/shorewall/.start
Starting Shorewall....
Initializing...
Processing /etc/shorewall/init ...
Processing /etc/shorewall/tcclear ...
Setting up Route Filtering...
Setting up Martian Logging...
Setting up Proxy ARP...
Preparing iptables-restore input...
Running /sbin/iptables-restore --wait 60...
iptables-restore v1.4.21: Set BlackList doesn't exist.
Error occurred at line: 141
Try `iptables-restore -h' or 'iptables-restore --help' for more information.
ERROR: iptables-restore Failed. Input is in
/var/lib/shorewall/.iptables-restore-input
Processing /etc/shorewall/stop ...
Processing /etc/shorewall/tcclear ...
Preparing iptables-restore input...
Running /sbin/iptables-restore --wait 60...
Processing /etc/shorewall/stopped ...
/usr/share/shorewall/lib.common: line 93: 15184 Terminated
$SHOREWALL_SHELL $script $options $@
Now I list ipsets ....
[root@apache-web-server ~]# ipset list
Name: SW_DBL4
Type: hash:net
Revision: 6
Header: family inet hashsize 1024 maxelem 65536 timeout 3600 counters
Size in memory: 384
References: 0
Members:
[root@apache-web-server ~]#
and "BlackList" has vanished.
shorewall/init
#
# Shorewall -- /etc/shorewall/init
#
# Add commands below that you want to be executed at the beginning of
# a "shorewall start", "shorewall-reload" or "shorewall restart" command.
#
# For additional information, see
# http://shorewall.net/shorewall_extension_scripts.htm
#
###############################################################################
ipset create BlackList hash:ip,port timeout 3600 -exist
shorewall/rules
#
# Shorewall -- /etc/shorewall/rules
#
?SECTION ALL
DROP:info net:+BlackList $FW
?SECTION ESTABLISHED
?SECTION RELATED
?SECTION INVALID
?SECTION UNTRACKED
?SECTION NEW
--- cut rules, none of them related to ipsets.
# turn on ipset from fail2ban
#
DROP:info net:+BlackList $FW
# old >>DROP:info net:+f2b all
#
# Filter out noise
#
Drop net $FW all
#
# turn on ipset to stop testing ports from outside
#
ADD(SW_DBL4:src):info net $FW
#
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
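As an added example (not part of the post above and not Shorewall's own code): a pre-start check that parses "ipset list" text and confirms every set the rules file references exists with a known type, since iptables-restore aborts with "Set X doesn't exist" otherwise. The listings and rules lines below are constructed from the post; on a live host pass "$(ipset list)" instead.

```shell
#!/bin/sh
# Added example: verify the ipsets referenced by Shorewall rules exist before
# "shorewall start". Parses "ipset list" output so it runs offline; swap the
# constructed samples for "$(ipset list)" and the real rules file on a host.

# Constructed sample: listing from before the failed start (both sets present).
BEFORE_LIST='Name: SW_DBL4
Type: hash:net
Members:
Name: BlackList
Type: hash:ip,port
Members:
'
# Constructed sample: listing from after the failed start (BlackList gone).
AFTER_LIST='Name: SW_DBL4
Type: hash:net
Members:
'
# The two rules lines from the post that depend on ipsets.
RULES='DROP:info net:+BlackList $FW
ADD(SW_DBL4:src):info net $FW'

# set_type NAME LISTING: print the Type of set NAME; exit 1 if it is absent.
set_type() {
    printf '%s\n' "$2" | awk -v want="$1" '
        $1 == "Name:" { cur = $2 }
        $1 == "Type:" && cur == want { print $2; found = 1 }
        END { exit found ? 0 : 1 }'
}
# sets_in_rules RULES: set names used as +SET matches or in ADD()/DEL() actions.
sets_in_rules() {
    printf '%s\n' "$1" | grep -oE '(\+|ADD\(|DEL\()[A-Za-z0-9_]+' \
        | sed -E 's/^(\+|ADD\(|DEL\()//' | sort -u
}
# check_rules RULES LISTING: 0 if every referenced set exists, else 1.
check_rules() {
    rc=0
    for s in $(sets_in_rules "$1"); do
        if t=$(set_type "$s" "$2"); then
            echo "ok: $s ($t)"
        else
            echo "missing ipset: $s -- iptables-restore would fail on its rule" >&2
            rc=1
        fi
    done
    return $rc
}

# Demonstration on the post-failure listing: reports BlackList as missing.
if check_rules "$RULES" "$AFTER_LIST"; then echo "safe to start"; else echo "fix ipsets first"; fi
```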