It seems at least once a year I look through my logs to find that fail2ban is no longer functioning ever since the switch from iptables to firewalld...
I've spent way too much time on this but I really do try to fix things myself and learn more about the innards of Linux. Currently I'm getting:

    ERROR: '/usr/sbin/iptables-restore -w -n' failed: iptables-restore v1.8.0 (legacy): Set fail2ban-sshd doesn't exist.
    Error occurred at line: 2
    Try `iptables-restore -h' or 'iptables-restore --help' for more information.

Well, I had switched back to iptables from ipset due to this some time ago:

https://bugzilla.redhat.com/show_bug.cgi?id=1533760

Which was "fixed", so I switched back to firewallcmd-ipset from iptables-multiport, but the error persists.

Here's where it gets weird. I finally figured out, I'm assuming, that ipset is what's calling iptables (which is not intuitive by the error), and I see two things: the "-n" option is supposed to have a number of seconds after it; I'm not sure what effect just "-n" has. It's looking for fail2ban-sshd, however...

Running "ipset list" I saw only one set, but it was called "f2b-sshd" instead... Ah HAH! Except when I ran it again there was no output, so the set is "gone"???

OK, funny how working on writing all this down sometimes helps... Found what I think is part of the problem. Comparing firewallcmd-ipset.conf.old and firewallcmd-ipset.conf I see:

    [Definition]                                                    [Definition]
    actionstart = ipset create fail2ban-<name> hash:ip timeout <b | actionstart = ipset create <ipmset> hash:ip timeout <bantime>
                  firewall-cmd --direct --add-rule ipv4 filter <c |               firewall-cmd --direct --add-rule <family> filte
    ---

And then later in the new conf file:

    ipmset = f2b-<name>
    familyopt =
    ---

So the ipset create call was changed... So how does firewalld know which set name to look for?

Thanks,
Richard
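The mismatch described in this message (a rule matching on fail2ban-sshd while the only existing set is f2b-sshd) can be checked mechanically. The following is an added example, not part of the original post and not fail2ban or firewalld code; the function names are hypothetical, and the inputs are constructed samples in the form printed by `firewall-cmd --direct --get-all-rules` and `ipset list -n`.

```python
import re

# Constructed sample: direct rules, one per line, as listed by
# `firewall-cmd --direct --get-all-rules`.
SAMPLE_RULES = """\
ipv4 filter INPUT_direct 0 -p tcp -m multiport --dports ssh -m set --match-set fail2ban-sshd src -j REJECT --reject-with icmp-port-unreachable
ipv4 filter INPUT_direct 0 -p tcp -m multiport --dports ssh -m set --match-set f2b-sshd src -j REJECT --reject-with icmp-port-unreachable
"""

# Constructed sample: set names, one per line, as listed by `ipset list -n`.
SAMPLE_SETS = "f2b-sshd\n"

MATCH_SET = re.compile(r"--match-set\s+(\S+)")


def referenced_sets(rules_text):
    """Map each set name used in a --match-set option to the rules using it."""
    refs = {}
    for line in rules_text.splitlines():
        for name in MATCH_SET.findall(line):
            refs.setdefault(name, []).append(line.strip())
    return refs


def dangling_rules(rules_text, sets_text):
    """Return {set_name: [rules]} for rules whose ipset does not exist."""
    existing = {s.strip() for s in sets_text.splitlines() if s.strip()}
    return {name: rules
            for name, rules in referenced_sets(rules_text).items()
            if name not in existing}


def likely_renames(missing, sets_text, prefixes=("fail2ban-", "f2b-")):
    """Suggest existing sets that differ from `missing` only by name prefix."""
    existing = [s.strip() for s in sets_text.splitlines() if s.strip()]
    for old in prefixes:
        if missing.startswith(old):
            jail = missing[len(old):]
            return [p + jail for p in prefixes
                    if p != old and p + jail in existing]
    return []


if __name__ == "__main__":
    for name, rules in dangling_rules(SAMPLE_RULES, SAMPLE_SETS).items():
        print(f"set {name!r} is missing; referenced by {len(rules)} rule(s)")
        print("  possible renamed set:", likely_renames(name, SAMPLE_SETS))
```

On a live host, replace the two sample strings with the real output of those two commands; a rule reported here is one that will make rule loading fail with a "Set ... doesn't exist" error.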