On 10/31/19 6:42 PM, Nigel Aves wrote:
> Well, I thought I had this working, but no. So confused ( :) ) ..
>
> Start Fail2Ban and do a list of ipsets
>
> [root@apache-web-server ~]# ipset list
> Name: SW_DBL4
> Type: hash:net
> Revision: 6
> Header: family inet hashsize 1024 maxelem 65536 timeout 3600 counters
> Size in memory: 384
> References: 0
> Members:
>
> Name: BlackList
> Type: hash:ip,port
> Revision: 5
> Header: family inet hashsize 1024 maxelem 65536 timeout 3600
> Size in memory: 128
> References: 0
> Members:
>
> [root@apache-web-server ~]#
>
> Run a check of Shorewall setup
>
> Checking configuration ..
>
> Checking using Shorewall 5.1.10.2...
> Processing /etc/shorewall/params ...
> Processing /etc/shorewall/shorewall.conf...
> Loading Modules...
> Checking /etc/shorewall/zones...
> Checking /etc/shorewall/interfaces...
> Determining Hosts in Zones...
> Locating Action Files...
> Checking /etc/shorewall/policy...
> Running /etc/shorewall/initdone...
> Adding Anti-smurf Rules
> Adding rules for DHCP
> Checking TCP Flags filtering...
> Checking Kernel Route Filtering...
> Checking Martian Logging...
> Checking /etc/shorewall/masq...
> Checking MAC Filtration -- Phase 1...
> Checking /etc/shorewall/rules...
> Checking /usr/share/shorewall/deprecated/action.Drop for chain Drop...
> WARNING: "You are using the deprecated Drop default action. Please
> see http://www.shorewall.net/Actions.html /etc/shorewall/rules (line 117)
> Checking /etc/shorewall/conntrack...
> Checking MAC Filtration -- Phase 2...
> Applying Policies...
> Shorewall configuration verified
>
> .. your firewall configuration looks OK.
>
> Apart from not being able to figure out what's wrong with (a rule I was
> advised to add! :) )
>
> # Filter out noise
> #
> Drop net $FW all
>

Bad advice. Whoever gave you that advice is living in the past. Note the
warning you are getting during compilation above.

> Check the ipsets and both are still there.
>
> Now try to start Shorewall
>
> Failed to start firewall :
>
> Compiling using Shorewall 5.1.10.2...
> Processing /etc/shorewall/params ...
> Processing /etc/shorewall/shorewall.conf...
> Loading Modules...
> Compiling /etc/shorewall/zones...
> Compiling /etc/shorewall/interfaces...
> Determining Hosts in Zones...
> Locating Action Files...
> Compiling /etc/shorewall/policy...
> Running /etc/shorewall/initdone...
> Adding Anti-smurf Rules
> Adding rules for DHCP
> Compiling TCP Flags filtering...
> Compiling Kernel Route Filtering...
> Compiling Martian Logging...
> Compiling /etc/shorewall/masq...
> Compiling MAC Filtration -- Phase 1...
> Compiling /etc/shorewall/rules...
> Compiling /usr/share/shorewall/deprecated/action.Drop for chain Drop...
> WARNING: "You are using the deprecated Drop default action. Please
> see http://www.shorewall.net/Actions.html /etc/shorewall/rules (line 117)
> Compiling /etc/shorewall/conntrack...
> Compiling MAC Filtration -- Phase 2...
> Applying Policies...
> Generating Rule Matrix...
> Optimizing Ruleset...
> Creating iptables-restore input...
> Shorewall configuration compiled to /var/lib/shorewall/.start
> Starting Shorewall....
> Initializing...
> Processing /etc/shorewall/init ...
> Processing /etc/shorewall/tcclear ...
> Setting up Route Filtering...
> Setting up Martian Logging...
> Setting up Proxy ARP...
> Preparing iptables-restore input...
> Running /sbin/iptables-restore --wait 60...
> iptables-restore v1.4.21: Set BlackList doesn't exist.
>
> Error occurred at line: 141
> Try `iptables-restore -h' or 'iptables-restore --help' for more
> information.
> ERROR: iptables-restore Failed. Input is in
> /var/lib/shorewall/.iptables-restore-input
> Processing /etc/shorewall/stop ...
> Processing /etc/shorewall/tcclear ...
> Preparing iptables-restore input...
> Running /sbin/iptables-restore --wait 60...
> Processing /etc/shorewall/stopped ...
> /usr/share/shorewall/lib.common: line 93: 15184 Terminated
> $SHOREWALL_SHELL $script $options $@
>
>
> Now I list ipsets ....
>
>
> [root@apache-web-server ~]# ipset list
> Name: SW_DBL4
> Type: hash:net
> Revision: 6
> Header: family inet hashsize 1024 maxelem 65536 timeout 3600 counters
> Size in memory: 384
> References: 0
> Members:
>
> [root@apache-web-server ~]#
>
> and "BlackList" has vanished.
>
>
> shorewall/init
>
> #
> # Shorewall -- /etc/shorewall/init
> #
> # Add commands below that you want to be executed at the beginning of
> # a "shorewall start", "shorewall-reload" or "shorewall restart" command.
> #
> # For additional information, see
> # http://shorewall.net/shorewall_extension_scripts.htm
> #
> ###############################################################################
>
> ipset create BlackList hash:ip,port timeout 3600 -exist
>
> shorewall/rules
>
> #
> # Shorewall -- /etc/shorewall/rules
> #
>
> ?SECTION ALL
> DROP:info net:+BlackList $FW
> ?SECTION ESTABLISHED
> ?SECTION RELATED
> ?SECTION INVALID
> ?SECTION UNTRACKED
> ?SECTION NEW
>
> --- cut rules none of them related to ipsets.
>
> # turn on ipset from fail2ban
> #
> DROP:info net:+BlackList $FW
> # old >>DROP:info net:+f2b all
> #
> # Filter out noise
> #
> Drop net $FW all

Again, get rid of that and simply use the recommended DROP policy actions
(again, follow the advice in the Warning).

>
> #
> # turn on ipset to stop testing ports from outside
> #
> ADD(SW_DBL4:src):info net $FW
> #
>

Simply setting the net->all policy to BLACKLIST will do that for you!

I don't understand why you have two blacklist ipsets, but the Blacklist
ipset is likely vanishing because you are setting SAVE_IPSETS in
shorewall.conf. If you are using shorewall-init to save/restore your
ipsets, then SAVE_IPSETS should be left empty in shorewall.conf.
-Tom
--
Tom Eastep        \   Q: What do you get when you cross a mobster with
Shoreline,         \     an international standard?
Washington, USA     \ A: Someone who makes you an offer you can't
http://shorewall.org \    understand
                      \_______________________________________________
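A pre-flight check for the failure in this thread, added here as an example; it is not part of the original mail, of Shorewall, or of Fail2Ban. It pulls the `+NAME` ipset references out of a rules file, compares them against the output of `ipset list -name` (one set name per line), and flags a non-empty SAVE_IPSETS in shorewall.conf, so that "Set BlackList doesn't exist" is reported before `shorewall start` runs iptables-restore instead of during it. The function names (`rules_ipsets`, `missing_ipsets`, `save_ipsets_value`, `preflight`) are hypothetical, the rules/ipset/shorewall.conf samples are constructed to mirror the thread, and treating `SAVE_IPSETS=No` the same as an empty value is an assumption.

```shell
#!/bin/sh
# Pre-flight check for a Shorewall host whose rules reference externally
# managed ipsets (here: a Fail2Ban-fed "BlackList" set used as net:+BlackList).
# Added example, not Shorewall's own code. Assumes only the one-name-per-line
# format of `ipset list -name` and the KEY=VALUE layout of shorewall.conf.

# Constructed sample of the rules file from the thread (comment line included
# so the commented-out +f2b reference is shown to be ignored).
SAMPLE_RULES='?SECTION ALL
DROP:info net:+BlackList $FW
# old >>DROP:info net:+f2b all
ADD(SW_DBL4:src):info net $FW
'

# Constructed sample of `ipset list -name` after the failed start:
# SW_DBL4 survived, BlackList is gone.
SAMPLE_IPSET_NAMES='SW_DBL4'

# Constructed shorewall.conf fragment with SAVE_IPSETS switched on.
SAMPLE_SHOREWALL_CONF='#
# S A V E   I P S E T S
#
SAVE_IPSETS=Yes
STARTUP_ENABLED=Yes
'

# rules_ipsets RULES_TEXT
#   Prints every ipset referenced as +NAME in uncommented rules lines, sorted,
#   one per line.
rules_ipsets() {
    printf '%s\n' "$1" | grep -v '^[[:space:]]*#' \
        | grep -o '+[A-Za-z0-9_]*' | tr -d '+' | sort -u
}

# missing_ipsets REQUIRED NAMES_TEXT
#   REQUIRED:   space-separated set names the rules need
#   NAMES_TEXT: text of `ipset list -name`
#   Prints the required names that are absent from the kernel, one per line.
missing_ipsets() {
    for set in $1; do
        if ! printf '%s\n' "$2" | grep -qx "$set"; then
            printf '%s\n' "$set"
        fi
    done
}

# save_ipsets_value CONF_TEXT
#   Prints the effective SAVE_IPSETS value (last uncommented assignment wins,
#   quotes and trailing blanks stripped); prints nothing when unset or empty.
save_ipsets_value() {
    printf '%s\n' "$1" \
        | sed -n 's/^[[:space:]]*SAVE_IPSETS=\(.*\)$/\1/p' \
        | tail -n 1 | tr -d "\"'" | sed 's/[[:space:]]*$//'
}

# preflight RULES_TEXT NAMES_TEXT CONF_TEXT
#   Returns 0 when every referenced set exists and SAVE_IPSETS is off;
#   otherwise prints one diagnostic per problem and returns 1.
preflight() {
    status=0
    required=$(rules_ipsets "$1" | tr '\n' ' ')
    missing=$(missing_ipsets "$required" "$2")
    if [ -n "$missing" ]; then
        printf '%s\n' "$missing" | while read -r m; do
            echo "ERROR: rules reference ipset '$m' but it does not exist;" \
                 "iptables-restore will fail with 'Set $m doesn't exist'"
        done
        status=1
    fi
    save=$(save_ipsets_value "$3")
    # Assumption: "No" is treated the same as leaving the value empty.
    if [ -n "$save" ] && [ "$save" != "No" ]; then
        echo "WARNING: SAVE_IPSETS=$save in shorewall.conf; leave it empty" \
             "when shorewall-init (or an /etc/shorewall/init script) manages the sets"
        status=1
    fi
    return $status
}

# Stand-alone run against the constructed samples (never fails the script).
if preflight "$SAMPLE_RULES" "$SAMPLE_IPSET_NAMES" "$SAMPLE_SHOREWALL_CONF"; then
    echo "pre-flight OK"
else
    echo "pre-flight found problems; fix them before 'shorewall start'"
fi
```

On a real host the three inputs would come from `cat /etc/shorewall/rules`, `ipset list -name` and `cat /etc/shorewall/shorewall.conf`; wiring the script into the front of /etc/shorewall/init makes the check run on every start, reload and restart.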