Hello!

I want to use firewalld-ipset and log it to dmesg.
firewallcmd-ipset on its own works fine, but as soon as I add the logging action, the
commands fail.

banaction = firewallcmd-ipset
                firewallcmd-rich-logging

2024-07-05 17:52:23,585 fail2ban.utils          [268930]: ERROR   ffff84c29930 
-- exec: ports="0:65535"; for p in $(echo $ports | tr ", " " "); do 
firewall-cmd --add-rich-rule="rule family='ipv4' source address='92.249.48.197' 
port port='$p' protocol='tcp' log prefix='f2b-rslight' level='info' limit 
value='1/m' reject type='icmp-admin-prohibited'"; done

`$p` is not being expanded to the actual port value.

Is this caused by a mistake in my configuration, or by something else?

root@pi-dach:~# grep -v '^#\|^$' 
/etc/fail2ban/action.d/firewallcmd-rich-logging.conf 
[INCLUDES]
before = firewallcmd-rich-rules.conf
[Definition]
rich-suffix = log prefix='f2b-<name>' level='<level>' limit value='<rate>/m' 
<rich-blocktype>
[Init]
level = info
rate = 1
root@pi-dach:~# 

root@pi-dach:~# grep -v '^#\|^$' /etc/fail2ban/action.d/firewallcmd-ipset.conf 
[INCLUDES]
before = firewallcmd-common.conf
[Definition]
actionstart = <ipstype_<ipsettype>/actionstart>
              firewall-cmd --direct --add-rule <family> filter <chain> 0 
<actiontype> -m set --match-set <ipmset> src -j <blocktype>
actionflush = <ipstype_<ipsettype>/actionflush>
actionstop = firewall-cmd --direct --remove-rule <family> filter <chain> 0 
<actiontype> -m set --match-set <ipmset> src -j <blocktype>
             <actionflush>
             <ipstype_<ipsettype>/actionstop>
actionban = <ipstype_<ipsettype>/actionban>
actionunban = <ipstype_<ipsettype>/actionunban>
[ipstype_ipset]
actionstart = ipset -exist create <ipmset> hash:ip timeout <default-ipsettime> 
<familyopt>
actionflush = ipset flush <ipmset>
actionstop = ipset destroy <ipmset>
actionban = ipset -exist add <ipmset> <ip> timeout <ipsettime>
actionunban = ipset -exist del <ipmset> <ip>
[ipstype_firewalld]
actionstart = firewall-cmd --direct --new-ipset=<ipmset> --type=hash:ip 
--option=timeout=<default-ipsettime> <firewalld_familyopt>
actionflush = 
actionstop = firewall-cmd --direct --delete-ipset=<ipmset>
actionban = firewall-cmd --ipset=<ipmset> --add-entry=<ip>
actionunban = firewall-cmd --ipset=<ipmset> --remove-entry=<ip>
[Init]
chain = INPUT_direct
default-ipsettime = 0
ipsettime = 0
timeout-bantime = $([ "<bantime>" -le 2147483 ] && echo "<bantime>" || echo 0)
ipsettype = ipset
actiontype = <multiport>
allports = -p <protocol>
multiport = -p <protocol> -m multiport --dports <port>
ipmset = f2b-<name>
familyopt =
firewalld_familyopt =
[Init?family=inet6]
ipmset = f2b-<name>6
familyopt = family inet6
firewalld_familyopt = --option=family=inet6
root@pi-dach:~# 

-- 
kind regards
Marco


_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
