Hello!

1. Suggestion: I've been (mostly) successfully using fail2ban on a FreeBSD box for some time, employing the bsd-ipfw action to block the IPs. When it does that, fail2ban adds the table as the first rule (unless there are other tables):

actionstart = ipfw show | fgrep -q 'table(<table>)' || ( ipfw show | awk 'BEGIN { b = 1 } { if ($1 <= b) { b = $1 + 1 } else { e = b } } END { if (e) exit e; else exit b }'; num=$?; ipfw -q add $num <blocktype> <block> from table\(<table>\) to me <port>; echo $num > "<startstatefile>" )

The problem with that behavior is that it adds the table rule with the number that corresponds to the table number ($num), which in case of just one table is "1". In some cases the firewall configuration may have rules that must be first to prevent accidental lockdown of the server (especially if the server is remote). Typical rule numbering (by default) in ipfw goes with a step of 100.

So, what would be very convenient is to add a configurable option for bsd-ipfw that would be the lowest number for the table rule. Something like ipfw_after_rule_number = 0 in jail.conf, with a possibility to specify ipfw_after_rule_number = 1000 in jail.local and then in bsd-ipfw: rule_num = $num + $ipfw_after_rule_number

2. Existing problem: Also, what would make sense is to add a check if the specific rule already exists in the active ipfw, to avoid accidental duplication of rule numbers, as that would be a problem when the rule is being deleted by fail2ban when it stops (in actionstop). If more than one rule has the same number, fail2ban's actionstop will delete all rules with that number. As far as I can tell, this check is currently missing: fail2ban only checks if there is a table with the same number. The only reason there is no collision is that no other script is using rule #1, but can you rely on that?

Thank you,
Igor
_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
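As an added example (not fail2ban's own bsd-ipfw action and not code from the mail above), the POSIX sh below implements both points raised in the mail as a dry run over a captured `ipfw show` listing: a configurable floor under which no fail2ban rule is placed (the mail's proposed ipfw_after_rule_number), and a check that the rule number about to be used is not already present before anything is added. The function names lowest_free_rule, rule_in_use and plan_table_rule, the sample listing SAMPLE_IPFW_SHOW and the hard-coded "deny ip ... to me" rule body are assumptions made for the example; the real action takes the block type and port from fail2ban's placeholders.

```shell
#!/bin/sh
# Added example, not fail2ban's own bsd-ipfw action: pick the lowest free ipfw rule
# number above a configurable floor (the mail's proposed ipfw_after_rule_number) and
# refuse to add a rule whose number is already in use. It works on text in
# `ipfw show` format read from stdin, so it runs without a real firewall.

# Constructed sample of `ipfw show` output: rule number, packets, bytes, rule body.
# Rule 1 is where the stock action would put the table rule; 100/200/1000 stand in
# for the rules that must stay first (loopback, anti-lockout access for the admin).
SAMPLE_IPFW_SHOW='00001    0      0 deny ip from table(1) to me 22
00100  812  61204 allow ip from any to any via lo0
00200    3    180 deny ip from any to 127.0.0.0/8
01000   44   2816 allow tcp from 198.51.100.10 to me 22
65535 9871 991234 deny ip from any to any'

# lowest_free_rule FLOOR: print the smallest rule number greater than FLOOR that
# does not appear in the listing on stdin. The number is printed rather than
# returned as awk's exit status (as the stock action does), because an exit
# status is only 8 bits wide and a floor of 1000 would be silently truncated.
lowest_free_rule() {
    awk -v floor="$1" '
        BEGIN { b = floor + 1 }          # first candidate above the floor
        $1 + 0 < b { next }              # rules below the candidate do not matter
        $1 + 0 == b { b++; next }        # candidate taken (duplicates handled too)
        { exit }                         # listing is sorted: first gap found
        END { print b }'
}

# rule_in_use NUM: succeed (exit 0) if a rule numbered NUM is in the listing on stdin.
rule_in_use() {
    awk -v n="$1" '$1 + 0 == n + 0 { hit = 1; exit } END { exit !hit }'
}

# plan_table_rule FLOOR TABLE [NUM]: the actionstart logic as a dry run. Prints the
# ipfw command that would be executed, or nothing if table(TABLE) is already
# referenced. NUM, if given, overrides the computed number (e.g. a configured
# value); the rule-number check runs either way so a second rule with the same
# number is never created (actionstop would otherwise delete both).
plan_table_rule() {
    floor=$1
    table=$2
    show=$(cat)
    if printf '%s\n' "$show" | grep -Fq "table($table)"; then
        return 0
    fi
    num=${3:-$(printf '%s\n' "$show" | lowest_free_rule "$floor")}
    if printf '%s\n' "$show" | rule_in_use "$num"; then
        echo "refusing to add rule $num: that number is already in use" >&2
        return 1
    fi
    echo "ipfw -q add $num deny ip from table($table) to me"
}

# Dry run against the sample: with the floor at 1000 the table rule lands on 1001,
# behind the rules that must stay first.
printf '%s\n' "$SAMPLE_IPFW_SHOW" | plan_table_rule 1000 2
```

In a real action the final echo would be the ipfw call, and the number written to the state file is the one to remove in actionstop, so the stop side only ever touches the rule it created. Note that the stock awk lowers its candidate whenever it meets a rule numbered below it; with a floor in play the candidate must only ever move upward, which is why the loop above skips rules below the candidate instead of resetting to them.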