fail2ban/config/action.d/firewallcmd-rich-rules.conf

# Fail2Ban configuration file
#
# Author: Donald Yandt 
# 
# Because of the rich rule commands requires firewalld-0.3.1+
# This action uses firewalld rich-rules which gives you a cleaner iptables since it stores rules according to zones and not
# by chain. So for an example all deny rules will be listed under <zone>_deny. 
#
# If you use the --permanent rule you get a xml file in /etc/firewalld/zones/<zone>.xml that can be shared and parsed easliy
#
# Example commands to view rules:
# firewall-cmd [--zone=<zone>] --list-rich-rules
# firewall-cmd [--zone=<zone>] --list-all
# firewall-cmd [--zone=zone] --query-rich-rule='rule'

[Definition]

actionstart = 

actionstop = 

actioncheck = 

#you can also use zones and/or service names. 
#
# zone example: 
# 	firewall-cmd --zone=<zone> --add-rich-rule="rule family='ipv4' source address='<ip>' port port='<port>' protocol='<protocol>' <blocktype>"
# service name example:
#	firewall-cmd --zone=<zone> --add-rich-rule="rule family='ipv4' source address='<ip>' service name='<service>' <blocktype>"
# Because rich rules can only handle single or a range of ports we must split ports and execute the command for each port. Ports can be single and ranges separated by a comma or space for an example: http, https, 22-60, 18 smtp 

actionban = ports="<port>"; for p in $(echo $ports | tr ", " " "); do firewall-cmd --add-rich-rule="rule family='ipv4' source address='<ip>' port port='$p' protocol='<protocol>' <blocktype>"; done
	   
actionunban = ports="<port>"; for p in $(echo $ports | tr ", " " "); do firewall-cmd --remove-rich-rule="rule family='ipv4' source address='<ip>' port port='$p' protocol='<protocol>' <blocktype>"; done

[Init]

name = default

zone = public

# use command firewall-cmd --get-services to see a list of services available
#
# Examples:
#
# amanda-client amanda-k5-client bacula bacula-client dhcp dhcpv6 dhcpv6-client dns freeipa-ldap freeipa-ldaps 
# freeipa-replication ftp high-availability http https imaps ipp ipp-client ipsec iscsi-target kadmin kerberos 
# kpasswd ldap ldaps libvirt libvirt-tls mdns mosh mountd ms-wbt mysql nfs ntp openvpn pmcd pmproxy pmwebapi pmwebapis pop3s 
# postgresql privoxy proxy-dhcp puppetmaster radius rpc-bind rsyncd samba samba-client sane smtp squid ssh synergy 
# telnet tftp tftp-client tinc tor-socks transmission-client vdsm vnc-server wbem-https xmpp-bosh xmpp-client xmpp-local xmpp-server

service = ssh

# reject types: 'icmp-net-unreachable', 'icmp-host-unreachable', 'icmp-port-unreachable', 'icmp-proto-unreachable', 
# 'icmp-net-prohibited', 'icmp-host-prohibited', 'icmp-admin-prohibited' or 'tcp-reset'

blocktype = reject type='icmp-port-unreachable'
Two new firewalld actions with rich rules for firewalld-0.3.1+ (gh-1367) closes #1367 2016-03-17 04:33:14 +00:00			`# Fail2Ban configuration file`
			`#`
			`# Author: Donald Yandt`
			`#`
			`# Because of the rich rule commands requires firewalld-0.3.1+`
			`# This action uses firewalld rich-rules which gives you a cleaner iptables since it stores rules according to zones and not`
			`# by chain. So for an example all deny rules will be listed under <zone>_deny.`
			`#`
			`# If you use the --permanent rule you get a xml file in /etc/firewalld/zones/<zone>.xml that can be shared and parsed easliy`
			`#`
			`# Example commands to view rules:`
			`# firewall-cmd [--zone=<zone>] --list-rich-rules`
			`# firewall-cmd [--zone=<zone>] --list-all`
			`# firewall-cmd [--zone=zone] --query-rich-rule='rule'`

			`[Definition]`

			`actionstart =`

			`actionstop =`

			`actioncheck =`

			`#you can also use zones and/or service names.`
			`#`
			`# zone example:`
			`# firewall-cmd --zone=<zone> --add-rich-rule="rule family='ipv4' source address='<ip>' port port='<port>' protocol='<protocol>' <blocktype>"`
			`# service name example:`
			`# firewall-cmd --zone=<zone> --add-rich-rule="rule family='ipv4' source address='<ip>' service name='<service>' <blocktype>"`
minor typos (thanks Vincent Lefevre, Debian #847785) 2016-12-11 20:13:11 +00:00			`# Because rich rules can only handle single or a range of ports we must split ports and execute the command for each port. Ports can be single and ranges separated by a comma or space for an example: http, https, 22-60, 18 smtp`
Two new firewalld actions with rich rules for firewalld-0.3.1+ (gh-1367) closes #1367 2016-03-17 04:33:14 +00:00
			`actionban = ports="<port>"; for p in $(echo $ports \| tr ", " " "); do firewall-cmd --add-rich-rule="rule family='ipv4' source address='<ip>' port port='$p' protocol='<protocol>' <blocktype>"; done`

			`actionunban = ports="<port>"; for p in $(echo $ports \| tr ", " " "); do firewall-cmd --remove-rich-rule="rule family='ipv4' source address='<ip>' port port='$p' protocol='<protocol>' <blocktype>"; done`

			`[Init]`

			`name = default`

			`zone = public`

			`# use command firewall-cmd --get-services to see a list of services available`
			`#`
			`# Examples:`
			`#`
			`# amanda-client amanda-k5-client bacula bacula-client dhcp dhcpv6 dhcpv6-client dns freeipa-ldap freeipa-ldaps`
			`# freeipa-replication ftp high-availability http https imaps ipp ipp-client ipsec iscsi-target kadmin kerberos`
			`# kpasswd ldap ldaps libvirt libvirt-tls mdns mosh mountd ms-wbt mysql nfs ntp openvpn pmcd pmproxy pmwebapi pmwebapis pop3s`
			`# postgresql privoxy proxy-dhcp puppetmaster radius rpc-bind rsyncd samba samba-client sane smtp squid ssh synergy`
			`# telnet tftp tftp-client tinc tor-socks transmission-client vdsm vnc-server wbem-https xmpp-bosh xmpp-client xmpp-local xmpp-server`

			`service = ssh`

			`# reject types: 'icmp-net-unreachable', 'icmp-host-unreachable', 'icmp-port-unreachable', 'icmp-proto-unreachable',`
			`# 'icmp-net-prohibited', 'icmp-host-prohibited', 'icmp-admin-prohibited' or 'tcp-reset'`

			`blocktype = reject type='icmp-port-unreachable'`