On 24.02.23 22:58, Phil Stracchino wrote:
Hey folks,

I'm looking once again at trying to make sense of fail2ban's documentation, with the goal of configuring fail2ban to *remotely* tell my separate firewall box (a Ubiquiti EdgeRouter running Shorewall) to drop addresses that attempt to abuse or attack mail or ssh ports.  The fail2ban example shorewall.conf file RECOMMENDS changing BLACKLIST from the default "NEW,INVALID,UNTRACKED" to "ALL" in order to let it close existing connections from hostile hosts.

Are there any *non-obvious* side effects of this change that I should be aware of?



From the docs:

https://shorewall.org/blacklisting_support.htm (scroll to the end of the page)


"The documentation in /etc/fail2ban/action.d/shorewall.conf states that you should set BLACKLIST=All. A better approach when using BLACKLIST as the 'blocktype' is to specify the disconnect option in the setting of DYNAMIC_BLACKLIST. With BLACKLIST=All, every packet entering the firewall from the net must be checked against the dynamic-blacklisting ipset. That is not required when you specify disconnect."


Kind regards,
~H
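The two settings the quoted docs contrast, side by side, as an added example (not Shorewall's or fail2ban's own code): one constructed shorewall.conf fragment with the BLACKLIST=All that fail2ban's action.d/shorewall.conf recommends, and one that keeps BLACKLIST at its default and enables the disconnect option on DYNAMIC_BLACKLIST instead. The check function flags the first form, since it forces every inbound packet through the dynamic-blacklist ipset. The option spelling "ipset,disconnect" is assumed from shorewall.conf(5); confirm it against the manual for your installed Shorewall version.

```sh
#!/bin/sh
# Added example, not code from Shorewall or fail2ban. Compares the BLACKLIST=All
# approach with the disconnect-option approach and checks which one a config uses.
# DYNAMIC_BLACKLIST option syntax is assumed from shorewall.conf(5).

# Constructed sample: what fail2ban's action.d/shorewall.conf recommends.
WEAK_CONF='
BLACKLIST="ALL"
DYNAMIC_BLACKLIST=ipset
'

# Constructed sample: what the Shorewall blacklisting docs prefer.
BETTER_CONF='
BLACKLIST="NEW,INVALID,UNTRACKED"
DYNAMIC_BLACKLIST="ipset,disconnect"
'

# Print the (unquoted) value of variable $1 from shorewall.conf text on stdin.
# The pattern is anchored at line start, so BLACKLIST does not match DYNAMIC_BLACKLIST.
conf_value() {
    sed -n "s/^$1=//p" | tr -d '"' | tail -n 1
}

# Return 0 when existing connections from banned hosts get torn down without
# matching every packet against the ipset (BLACKLIST not ALL, disconnect set).
# Return 1 for BLACKLIST=ALL, 2 when neither mechanism is enabled.
check_blacklist_conf() {
    conf="$1"
    bl=$(printf '%s\n' "$conf" | conf_value BLACKLIST | tr '[:lower:]' '[:upper:]')
    dbl=$(printf '%s\n' "$conf" | conf_value DYNAMIC_BLACKLIST)
    case "$dbl" in
        *disconnect*) has_disconnect=1 ;;
        *) has_disconnect=0 ;;
    esac
    if [ "$bl" = "ALL" ]; then
        echo "BLACKLIST=ALL: every packet from the net is checked against the dynamic-blacklist ipset"
        return 1
    elif [ "$has_disconnect" = 1 ]; then
        echo "DYNAMIC_BLACKLIST has disconnect: existing connections are dropped without BLACKLIST=ALL"
        return 0
    else
        echo "neither BLACKLIST=ALL nor disconnect: established connections from a banned host survive"
        return 2
    fi
}

check_blacklist_conf "$WEAK_CONF"   # exits 1
check_blacklist_conf "$BETTER_CONF" # exits 0
```

Run it against a real file with `check_blacklist_conf "$(cat /etc/shorewall/shorewall.conf)"`. Whichever form you pick, the fail2ban side is unchanged: the action still issues `shorewall drop` / `shorewall allow`; only the firewall's own handling of already-established flows differs.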


_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users