From 7e54cee8d61be84bfb8f3eeff70f9f86b90eef9e Mon Sep 17 00:00:00 2001
From: TorontoMedia
Date: Fri, 13 May 2016 21:36:27 -0400
Subject: [PATCH 1/4] updated firewallcmd actions
---
 config/action.d/firewallcmd-allports.conf | 28 +++----
 config/action.d/firewallcmd-common.conf | 66 +++++++++++++++++++
 config/action.d/firewallcmd-ipset.conf | 6 +-
 config/action.d/firewallcmd-multiport.conf | 51 +++----------
 config/action.d/firewallcmd-new.conf | 29 +++----
 config/action.d/firewallcmd-rich-logging.conf | 34 +++------
 config/action.d/firewallcmd-rich-rules.conf | 35 +++------
 7 files changed, 119 insertions(+), 130 deletions(-)
 create mode 100644 config/action.d/firewallcmd-common.conf
diff --git a/config/action.d/firewallcmd-allports.conf b/config/action.d/firewallcmd-allports.conf
index 571d5ba6..de0e7f91 100644
--- a/config/action.d/firewallcmd-allports.conf
+++ b/config/action.d/firewallcmd-allports.conf
@@ -6,34 +6,26 @@
 [INCLUDES]
-before = iptables-common.conf
+before = firewallcmd-common.conf
 [Definition]
-actionstart = firewall-cmd --direct --add-chain ipv4 filter f2b-
- firewall-cmd --direct --add-rule ipv4 filter f2b- 1000 -j RETURN
- firewall-cmd --direct --add-rule ipv4 filter 0 -j f2b-
+actionstart = firewall-cmd --direct --add-chain filter f2b-
+ firewall-cmd --direct --add-rule filter f2b- 1000 -j RETURN
+ firewall-cmd --direct --add-rule filter 0 -j f2b-
-actionstop = firewall-cmd --direct --remove-rule ipv4 filter 0 -j f2b-
- firewall-cmd --direct --remove-rules ipv4 filter f2b-
- firewall-cmd --direct --remove-chain ipv4 filter f2b-
+actionstop = firewall-cmd --direct --remove-rule filter 0 -j f2b-
+ firewall-cmd --direct --remove-rules filter f2b-
+ firewall-cmd --direct --remove-chain filter f2b-
 # Example actioncheck: firewall-cmd --direct --get-chains ipv4 filter | sed -e 's, ,\n,g' | grep -q '^f2b-recidive$'
-actioncheck = firewall-cmd --direct --get-chains ipv4 filter | sed -e 's, ,\n,g' | grep -q '^f2b-$'
+actioncheck = firewall-cmd --direct --get-chains filter | sed -e 's, ,\n,g' | grep -q '^f2b-$'
-actionban = firewall-cmd --direct --add-rule ipv4 filter f2b- 0 -s -j
+actionban = firewall-cmd --direct --add-rule filter f2b- 0 -s -j
-actionunban = firewall-cmd --direct --remove-rule ipv4 filter f2b- 0 -s -j
-
-[Init]
-
-# Default name of the chain
-#
-name = default
-
-chain = INPUT_direct
+actionunban = firewall-cmd --direct --remove-rule filter f2b- 0 -s -j
 # DEV NOTES:
 #
diff --git a/config/action.d/firewallcmd-common.conf b/config/action.d/firewallcmd-common.conf
new file mode 100644
index 00000000..106ef216
--- /dev/null
+++ b/config/action.d/firewallcmd-common.conf
@@ -0,0 +1,66 @@
+# Fail2Ban configuration file
+#
+# Author: Donald Yandt
+#
+
+[Init]
+
+# Option: name
+# Notes Default name of the chain
+# Values: STRING
+name = default
+
+# Option: family(ipv4)
+# Notes specifies the socket address family type
+# Values: STRING
+family = ipv4
+
+# Option: chain
+# Notes specifies the firewalld chain to which the Fail2Ban rules should be
+# added
+# Values: STRING Default: INPUT_direct
+chain = INPUT_direct
+
+# Option: zone
+# Notes use command firewall-cmd --get-active-zones to see a list of all active zones. See firewalld man pages for more information on zones
+# Values: STRING Default: public
+zone = public
+
+# Option: service
+# Notes use command firewall-cmd --get-services to see a list of services available
+# Examples zones: amanda-client amanda-k5-client bacula bacula-client dhcp dhcpv6 dhcpv6-client dns freeipa-ldap freeipa-ldaps
+# freeipa-replication ftp high-availability http https imaps ipp ipp-client ipsec iscsi-target kadmin kerberos
+# kpasswd ldap ldaps libvirt libvirt-tls mdns mosh mountd ms-wbt mysql nfs ntp openvpn pmcd pmproxy pmwebapi pmwebapis pop3s
+# postgresql privoxy proxy-dhcp puppetmaster radius rpc-bind rsyncd samba samba-client sane smtp squid ssh synergy
+# telnet tftp tftp-client tinc tor-socks transmission-client vdsm vnc-server wbem-https xmpp-bosh xmpp-client xmpp-local xmpp-server
+# Values: STRING Default: ssh
+service = ssh
+
+# Option: rejecttype (ipv4)
+# Note: See iptables/firewalld man pages for ipv4 reject types.
+# Values: STRING
+rejecttype = icmp-port-unreachable
+
+# Option: blocktype (ipv4/ipv6)
+# Note: See iptables/firewalld man pages for jump targets. Common values are REJECT,
+# REJECT --reject-with icmp-port-unreachable, DROP
+# Values: STRING
+blocktype = REJECT --reject-with
+
+# Option: rich-blocktype (ipv4/ipv6)
+# Note: See firewalld man pages for jump targets. Common values are reject,
+# reject type="icmp-port-unreachable", drop
+# Values: STRING
+rich-blocktype = reject type=''
+
+[Init?family=inet6]
+
+# Option: family(ipv6)
+# Notes specifies the socket address family type
+# Values: STRING
+family = ipv6
+
+# Option: rejecttype (ipv6)
+# Note: See iptables/firewalld man pages for ipv6 reject types.
+# Values: STRING
+rejecttype = icmp6-port-unreachable
diff --git a/config/action.d/firewallcmd-ipset.conf b/config/action.d/firewallcmd-ipset.conf
index 38b0f3d3..b05f4f53 100644
--- a/config/action.d/firewallcmd-ipset.conf
+++ b/config/action.d/firewallcmd-ipset.conf
@@ -14,14 +14,14 @@
 [INCLUDES]
-before = iptables-common.conf
+before = firewallcmd-common.conf
 [Definition]
 actionstart = ipset create fail2ban- hash:ip timeout
- firewall-cmd --direct --add-rule ipv4 filter 0 -p -m multiport --dports -m set --match-set fail2ban- src -j
+ firewall-cmd --direct --add-rule filter 0 -p -m multiport --dports -m set --match-set fail2ban- src -j
-actionstop = firewall-cmd --direct --remove-rule ipv4 filter 0 -p -m multiport --dports -m set --match-set fail2ban- src -j
+actionstop = firewall-cmd --direct --remove-rule filter 0 -p -m multiport --dports -m set --match-set fail2ban- src -j
 ipset flush fail2ban-
 ipset destroy fail2ban-
diff --git a/config/action.d/firewallcmd-multiport.conf b/config/action.d/firewallcmd-multiport.conf
index 438d4cf7..cc40d668 100644
--- a/config/action.d/firewallcmd-multiport.conf
+++ b/config/action.d/firewallcmd-multiport.conf
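Review bot: `family` is documented only as `# Values: STRING`, yet the other hunks in this patch splice it straight into the `firewall-cmd --direct --add-rule … filter` commands, where firewalld accepts only `ipv4` or `ipv6` in that position, and the `[Init?family=inet6]` block at the end of this file already narrows it to `ipv6`. Suggest `# Values: [ ipv4 | ipv6 ]` on the `family` option and a line above `[Init?family=inet6]` such as `# Overrides applied when the jail runs this action with family=inet6` so a reader knows why `family` and `rejecttype` are assigned twice in one file. Option placeholders appear stripped in this rendering, so the exact substitution tokens are inferred from the surrounding firewall-cmd lines.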
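Review bot: The ipset hunk switches the direct rule to the new `family` option but leaves the context line `actionstart = ipset create fail2ban- hash:ip timeout` creating an IPv4-only set, so when `[Init?family=inet6]` selects `ipv6` the rule is installed for IPv6 while `--match-set` points at a set that cannot hold IPv6 addresses, and the ban command that adds addresses to the set (outside this hunk) would presumably fail for every IPv6 ban. The set needs `family inet6` appended after the timeout for the inet6 case, e.g. a new option that is empty in `[Init]` and holds `family inet6` under `[Init?family=inet6]`, substituted at the end of the `ipset create` line. Placeholders appear stripped in this rendering, so the exact tokens on the create line are inferred.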
@@ -5,59 +5,28 @@
 [INCLUDES]
-before = iptables-common.conf
+before = firewallcmd-common.conf
 [Definition]
-actionstart = firewall-cmd --direct --add-chain ipv4 filter f2b-
- firewall-cmd --direct --add-rule ipv4 filter f2b- 1000 -j RETURN
- firewall-cmd --direct --add-rule ipv4 filter 0 -m conntrack --ctstate NEW -p -m multiport --dports -j f2b-
+actionstart = firewall-cmd --direct --add-chain filter f2b-
+ firewall-cmd --direct --add-rule filter f2b- 1000 -j RETURN
+ firewall-cmd --direct --add-rule filter 0 -m conntrack --ctstate NEW -p -m multiport --dports -j f2b-
-actionstop = firewall-cmd --direct --remove-rule ipv4 filter 0 -m conntrack --ctstate NEW -p -m multiport --dports -j f2b-
- firewall-cmd --direct --remove-rules ipv4 filter f2b-
- firewall-cmd --direct --remove-chain ipv4 filter f2b-
+actionstop = firewall-cmd --direct --remove-rule filter 0 -m conntrack --ctstate NEW -p -m multiport --dports -j f2b-
+ firewall-cmd --direct --remove-rules filter f2b-
+ firewall-cmd --direct --remove-chain filter f2b-
 # Example actioncheck: firewall-cmd --direct --get-chains ipv4 filter | sed -e 's, ,\n,g' | grep -q '^f2b-apache-modsecurity$'
-actioncheck = firewall-cmd --direct --get-chains ipv4 filter | sed -e 's, ,\n,g' | grep -q '^f2b-$'
+actioncheck = firewall-cmd --direct --get-chains filter | sed -e 's, ,\n,g' | grep -q '^f2b-$'
-actionban = firewall-cmd --direct --add-rule ipv4 filter f2b- 0 -s -j
+actionban = firewall-cmd --direct --add-rule filter f2b- 0 -s -j
-actionunban = firewall-cmd --direct --remove-rule ipv4 filter f2b- 0 -s -j
+actionunban = firewall-cmd --direct --remove-rule filter f2b- 0 -s -j
 [Init]
-# Default name of the chain
-name = default
-
-chain = INPUT_direct
-
 # Could also use port numbers separated by a comma.
 port = 1:65535
-
-# Option: protocol
-# Values: [ tcp | udp | icmp | all ]
-
-protocol = tcp
-
-
-
-# DEV NOTES:
-#
-# Author: Donald Yandt
-# Uses "FirewallD" instead of the "iptables daemon".
-#
-#
-# Output:
-# actionstart:
-# $ firewall-cmd --direct --add-chain ipv4 filter f2b-apache-modsecurity
-# success
-# $ firewall-cmd --direct --add-rule ipv4 filter f2b-apache-modsecurity 1000 -j RETURN
-# success
-# $ sudo firewall-cmd --direct --add-rule ipv4 filter INPUT_direct 0 -m state --state NEW -p tcp -m multiport --dports 80,443 -j f2b-apache-modsecurity
-# success
-# actioncheck:
-# $ firewall-cmd --direct --get-chains ipv4 filter f2b-apache-modsecurity | sed -e 's, ,\n,g' | grep -q '^f2b-apache-modsecurity$'
-# f2b-apache-modsecurity
-
diff --git a/config/action.d/firewallcmd-new.conf b/config/action.d/firewallcmd-new.conf
index ac72a68a..e64601e1 100644
--- a/config/action.d/firewallcmd-new.conf
+++ b/config/action.d/firewallcmd-new.conf
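Review bot: This hunk drops `protocol = tcp` from the multiport `[Init]`, but the firewallcmd-common.conf created in the same patch defines no `protocol` (it first appears in PATCH 3/4 further down), so at this commit the `-p` argument of actionstart and actionstop has no default unless every jail passes protocol explicitly. Folding the PATCH 3/4 `port`/`protocol` additions into this commit, or keeping `protocol = tcp` here until they land, would keep each commit self-contained and bisectable.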
@@ -4,32 +4,23 @@
 [INCLUDES]
-before = iptables-common.conf
+before = firewallcmd-common.conf
 [Definition]
-actionstart = firewall-cmd --direct --add-chain ipv4 filter f2b-
- firewall-cmd --direct --add-rule ipv4 filter f2b- 1000 -j RETURN
- firewall-cmd --direct --add-rule ipv4 filter 0 -m state --state NEW -p -m multiport --dports -j f2b-
+actionstart = firewall-cmd --direct --add-chain filter f2b-
+ firewall-cmd --direct --add-rule filter f2b- 1000 -j RETURN
+ firewall-cmd --direct --add-rule filter 0 -m state --state NEW -p -m multiport --dports -j f2b-
-actionstop = firewall-cmd --direct --remove-rule ipv4 filter 0 -m state --state NEW -p -m multiport --dports -j f2b-
- firewall-cmd --direct --remove-rules ipv4 filter f2b-
- firewall-cmd --direct --remove-chain ipv4 filter f2b-
+actionstop = firewall-cmd --direct --remove-rule filter 0 -m state --state NEW -p -m multiport --dports -j f2b-
+ firewall-cmd --direct --remove-rules filter f2b-
+ firewall-cmd --direct --remove-chain filter f2b-
-actioncheck = firewall-cmd --direct --get-chains ipv4 filter | grep -q 'f2b-$'
+actioncheck = firewall-cmd --direct --get-chains filter | grep -q 'f2b-$'
-actionban = firewall-cmd --direct --add-rule ipv4 filter f2b- 0 -s -j
+actionban = firewall-cmd --direct --add-rule filter f2b- 0 -s -j
-actionunban = firewall-cmd --direct --remove-rule ipv4 filter f2b- 0 -s -j
-
-[Init]
-
-# Option: chain
-# Notes specifies the iptables chain to which the fail2ban rules should be
-# added
-# Values: [ STRING ]
-#
-chain = INPUT_direct
+actionunban = firewall-cmd --direct --remove-rule filter f2b- 0 -s -j
 # DEV NOTES:
 #
diff --git a/config/action.d/firewallcmd-rich-logging.conf b/config/action.d/firewallcmd-rich-logging.conf
index 1b88c2d9..34cb2413 100644
--- a/config/action.d/firewallcmd-rich-logging.conf
+++ b/config/action.d/firewallcmd-rich-logging.conf
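Review bot: The rewritten line `actioncheck = firewall-cmd --direct --get-chains filter | grep -q 'f2b-$'` anchors only on end-of-line, and `--get-chains` prints every chain space-separated on a single line, so the check passes only when the f2b chain happens to be listed last and otherwise reports it missing, which fail2ban treats as a lost chain and answers by re-running actionstart. The allports and multiport hunks in this same patch already split the output before matching; use the same form here: `actioncheck = firewall-cmd --direct --get-chains filter | sed -e 's, ,\n,g' | grep -q '^f2b-$'` (option placeholders appear stripped in this rendering).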
@@ -15,6 +15,10 @@
 # firewall-cmd [--zone=] --list-all
 # firewall-cmd [--zone=zone] --query-rich-rule='rule'
+[INCLUDES]
+
+before = firewallcmd-common.conf
+
 [Definition]
 actionstart =
@@ -26,40 +30,22 @@ actioncheck =
 # you can also use zones and/or service names.
 #
 # zone example:
-# firewall-cmd --zone= --add-rich-rule="rule family='ipv4' source address='' port port='' protocol='' log prefix='f2b-' level='' limit value='/m' "
+# firewall-cmd --zone= --add-rich-rule="rule family='' source address='' port port='' protocol='' log prefix='f2b-' level='' limit value='/m' "
+#
 # service name example:
-# firewall-cmd --zone= --add-rich-rule="rule family='ipv4' source address='' service name='' log prefix='f2b-' level='' limit value='/m' "
+# firewall-cmd --zone= --add-rich-rule="rule family='' source address='' service name='' log prefix='f2b-' level='' limit value='/m' "
+#
 # Because rich rules can only handle single or a range of ports we must split ports and execute the command for each port. Ports can be single and ranges seperated by a comma or space for an example: http, https, 22-60, 18 smtp
-actionban = ports=""; for p in $(echo $ports | tr ", " " "); do firewall-cmd --add-rich-rule="rule family='ipv4' source address='' port port='$p' protocol='' log prefix='f2b-' level='' limit value='/m' "; done
+actionban = ports=""; for p in $(echo $ports | tr ", " " "); do firewall-cmd --add-rich-rule="rule family='' source address='' port port='$p' protocol='' log prefix='f2b-' level='' limit value='/m' "; done
-actionunban = ports=""; for p in $(echo $ports | tr ", " " "); do firewall-cmd --remove-rich-rule="rule family='ipv4' source address='' port port='$p' protocol='' log prefix='f2b-' level='' limit value='/m' "; done
+actionunban = ports=""; for p in $(echo $ports | tr ", " " "); do firewall-cmd --remove-rich-rule="rule family='' source address='' port port='$p' protocol='' log prefix='f2b-' level='' limit value='/m' "; done
 [Init]
-name = default
-
 # log levels are "emerg", "alert", "crit", "error", "warning", "notice", "info" or "debug"
 level = info
 # log rate per minute
 rate = 1
-zone = public
-
-# use command firewall-cmd --get-services to see a list of services available
-#
-# Examples:
-#
-# amanda-client amanda-k5-client bacula bacula-client dhcp dhcpv6 dhcpv6-client dns freeipa-ldap freeipa-ldaps
-# freeipa-replication ftp high-availability http https imaps ipp ipp-client ipsec iscsi-target kadmin kerberos
-# kpasswd ldap ldaps libvirt libvirt-tls mdns mosh mountd ms-wbt mysql nfs ntp openvpn pmcd pmproxy pmwebapi pmwebapis pop3s
-# postgresql privoxy proxy-dhcp puppetmaster radius rpc-bind rsyncd samba samba-client sane smtp squid ssh synergy
-# telnet tftp tftp-client tinc tor-socks transmission-client vdsm vnc-server wbem-https xmpp-bosh xmpp-client xmpp-local xmpp-server
-
-service = ssh
-
-# reject types: 'icmp-net-unreachable', 'icmp-host-unreachable', 'icmp-port-unreachable', 'icmp-proto-unreachable',
-# 'icmp-net-prohibited', 'icmp-host-prohibited', 'icmp-admin-prohibited' or 'tcp-reset'
-
-blocktype = reject type='icmp-port-unreachable'
diff --git a/config/action.d/firewallcmd-rich-rules.conf b/config/action.d/firewallcmd-rich-rules.conf
index 4e39df54..e64c3823 100644
--- a/config/action.d/firewallcmd-rich-rules.conf
+++ b/config/action.d/firewallcmd-rich-rules.conf
@@ -13,6 +13,10 @@
 # firewall-cmd [--zone=] --list-all
 # firewall-cmd [--zone=zone] --query-rich-rule='rule'
+[INCLUDES]
+
+before = firewallcmd-common.conf
+
 [Definition]
 actionstart =
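Review bot: The rewritten actionban and actionunban lines call `firewall-cmd --add-rich-rule=` and `--remove-rich-rule=` with no `--zone=` argument, so the `zone` option this file now inherits from firewallcmd-common.conf (`zone = public`, removed from the local `[Init]` in this hunk) never reaches firewalld and the rule always lands in the default zone, while the example comments just above still show the `--zone=` form. Either pass the zone option as `--zone=` on both commands or drop the option from the common file so the configuration does not advertise a knob that has no effect. The firewallcmd-rich-rules.conf hunk further down has the same gap. Option placeholders appear stripped in this rendering, so this assumes no `--zone=` token was lost with them; the adjacent example comment kept its `--zone=` in the same rendering.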
@@ -24,34 +28,15 @@ actioncheck =
 #you can also use zones and/or service names.
 #
 # zone example:
-# firewall-cmd --zone= --add-rich-rule="rule family='ipv4' source address='' port port='' protocol='' "
+# firewall-cmd --zone= --add-rich-rule="rule family='ipv4' source address='' port port='' protocol='' "
+#
 # service name example:
-# firewall-cmd --zone= --add-rich-rule="rule family='ipv4' source address='' service name='' "
+# firewall-cmd --zone= --add-rich-rule="rule family='ipv4' source address='' service name='' "
+#
 # Because rich rules can only handle single or a range of ports we must split ports and execute the command for each port. Ports can be single and ranges seperated by a comma or space for an example: http, https, 22-60, 18 smtp
-actionban = ports=""; for p in $(echo $ports | tr ", " " "); do firewall-cmd --add-rich-rule="rule family='ipv4' source address='' port port='$p' protocol='' "; done
+actionban = ports=""; for p in $(echo $ports | tr ", " " "); do firewall-cmd --add-rich-rule="rule family='' source address='' port port='$p' protocol='' "; done
-actionunban = ports=""; for p in $(echo $ports | tr ", " " "); do firewall-cmd --remove-rich-rule="rule family='ipv4' source address='' port port='$p' protocol='' "; done
+actionunban = ports=""; for p in $(echo $ports | tr ", " " "); do firewall-cmd --remove-rich-rule="rule family='' source address='' port port='$p' protocol='' "; done
-[Init]
-name = default
-
-zone = public
-
-# use command firewall-cmd --get-services to see a list of services available
-#
-# Examples:
-#
-# amanda-client amanda-k5-client bacula bacula-client dhcp dhcpv6 dhcpv6-client dns freeipa-ldap freeipa-ldaps
-# freeipa-replication ftp high-availability http https imaps ipp ipp-client ipsec iscsi-target kadmin kerberos
-# kpasswd ldap ldaps libvirt libvirt-tls mdns mosh mountd ms-wbt mysql nfs ntp openvpn pmcd pmproxy pmwebapi pmwebapis pop3s
-# postgresql privoxy proxy-dhcp puppetmaster radius rpc-bind rsyncd samba samba-client sane smtp squid ssh synergy
-# telnet tftp tftp-client tinc tor-socks transmission-client vdsm vnc-server wbem-https xmpp-bosh xmpp-client xmpp-local xmpp-server
-
-service = ssh
-
-# reject types: 'icmp-net-unreachable', 'icmp-host-unreachable', 'icmp-port-unreachable', 'icmp-proto-unreachable',
-# 'icmp-net-prohibited', 'icmp-host-prohibited', 'icmp-admin-prohibited' or 'tcp-reset'
-
-blocktype = reject type='icmp-port-unreachable'
From 810d5996b5b96ed637041492a7f80584973fa47b Mon Sep 17 00:00:00 2001
From: TorontoMedia
Date: Fri, 13 May 2016 22:10:25 -0400
Subject: [PATCH 2/4] Update firewallcmd-rich-logging.conf
---
 config/action.d/firewallcmd-rich-logging.conf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/config/action.d/firewallcmd-rich-logging.conf b/config/action.d/firewallcmd-rich-logging.conf
index 34cb2413..d2c8fc2f 100644
--- a/config/action.d/firewallcmd-rich-logging.conf
+++ b/config/action.d/firewallcmd-rich-logging.conf
@@ -30,10 +30,10 @@ actioncheck =
 # you can also use zones and/or service names.
 #
 # zone example:
-# firewall-cmd --zone= --add-rich-rule="rule family='' source address='' port port='' protocol='' log prefix='f2b-' level='' limit value='/m' "
+# firewall-cmd --zone= --add-rich-rule="rule family='' source address='' port port='' protocol='' log prefix='f2b-' level='' limit value='/m' "
 #
 # service name example:
-# firewall-cmd --zone= --add-rich-rule="rule family='' source address='' service name='' log prefix='f2b-' level='' limit value='/m' "
+# firewall-cmd --zone= --add-rich-rule="rule family='' source address='' service name='' log prefix='f2b-' level='' limit value='/m' "
 #
 # Because rich rules can only handle single or a range of ports we must split ports and execute the command for each port. Ports can be single and ranges seperated by a comma or space for an example: http, https, 22-60, 18 smtp
From 07de83e04a453ec5bb172f48db0ba863cf8d42a7 Mon Sep 17 00:00:00 2001
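Review bot: The two `+#` example lines in the rich-rules hunk still read `family='ipv4'` while the actionban and actionunban lines they illustrate now take the family from the option (shown as `family=''` after placeholder stripping), so the examples document the fixed-IPv4 behaviour this hunk removes; the matching rich-logging hunk, and PATCH 2/4 below it, did update their examples. Replace `ipv4` in both example comments with the same family placeholder the command lines use so the comment and the command agree.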
From: TorontoMedia
Date: Fri, 13 May 2016 22:38:10 -0400
Subject: [PATCH 3/4] Update firewallcmd-common.conf
---
 config/action.d/firewallcmd-common.conf | 18 ++++++++++++++----
 1 file changed, 14 insertions(+), 4 deletions(-)
diff --git a/config/action.d/firewallcmd-common.conf b/config/action.d/firewallcmd-common.conf
index 106ef216..4abe5318 100644
--- a/config/action.d/firewallcmd-common.conf
+++ b/config/action.d/firewallcmd-common.conf
@@ -10,6 +10,16 @@
 # Values: STRING
 name = default
+# Option port
+# Notes Can also use port numbers separated by a comma and in rich-rules comma and/or space.
+# Value STRING Default: 1:65535
+port = 1:65535
+
+# Option: protocol
+# Notes [ tcp | udp | icmp | all ]
+# Values: STRING Default: tcp
+protocol = tcp
+
 # Option: family(ipv4)
 # Notes specifies the socket address family type
 # Values: STRING
@@ -28,7 +38,7 @@ zone = public
 # Option: service
 # Notes use command firewall-cmd --get-services to see a list of services available
-# Examples zones: amanda-client amanda-k5-client bacula bacula-client dhcp dhcpv6 dhcpv6-client dns freeipa-ldap freeipa-ldaps
+# Examples services: amanda-client amanda-k5-client bacula bacula-client dhcp dhcpv6 dhcpv6-client dns freeipa-ldap freeipa-ldaps
 # freeipa-replication ftp high-availability http https imaps ipp ipp-client ipsec iscsi-target kadmin kerberos
 # kpasswd ldap ldaps libvirt libvirt-tls mdns mosh mountd ms-wbt mysql nfs ntp openvpn pmcd pmproxy pmwebapi pmwebapis pop3s
 # postgresql privoxy proxy-dhcp puppetmaster radius rpc-bind rsyncd samba samba-client sane smtp squid ssh synergy
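Review bot: The new default `port = 1:65535` is iptables colon-range syntax, but this common file is now included by firewallcmd-rich-rules.conf and firewallcmd-rich-logging.conf as well, whose actionban splits `port` and passes each piece as `port port='$p'` inside a rich rule; firewalld rich rules write ranges with a dash, so a jail that leaves port unset would get a rich-rule syntax error on `1:65535` under those two actions. Either state in the `# Notes` line that the default only suits the direct-rule actions and must be overridden for the rich-rule ones, or keep the default in firewallcmd-multiport.conf rather than here; this is inferred from the rich-rule hunks in PATCH 1/4, which are where the value is consumed. The two header lines also deviate from the file's own format (`# Option port`, `# Value STRING Default: 1:65535`): `# Option: port` and `# Values: STRING Default: 1:65535`.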
@@ -37,18 +47,18 @@ zone = public
 service = ssh
 # Option: rejecttype (ipv4)
-# Note: See iptables/firewalld man pages for ipv4 reject types.
+# Notes See iptables/firewalld man pages for ipv4 reject types.
 # Values: STRING
 rejecttype = icmp-port-unreachable
 # Option: blocktype (ipv4/ipv6)
-# Note: See iptables/firewalld man pages for jump targets. Common values are REJECT,
+# Notes See iptables/firewalld man pages for jump targets. Common values are REJECT,
 # REJECT --reject-with icmp-port-unreachable, DROP
 # Values: STRING
 blocktype = REJECT --reject-with
 # Option: rich-blocktype (ipv4/ipv6)
-# Note: See firewalld man pages for jump targets. Common values are reject,
+# Notes See firewalld man pages for jump targets. Common values are reject,
 # reject type="icmp-port-unreachable", drop
 # Values: STRING
 rich-blocktype = reject type=''
From ffebde68e0fae17b07e620b8d9bc62aa4c967426 Mon Sep 17 00:00:00 2001
From: TorontoMedia
Date: Fri, 13 May 2016 22:38:36 -0400
Subject: [PATCH 4/4] Update firewallcmd-multiport.conf
---
 config/action.d/firewallcmd-multiport.conf | 6 ------
 1 file changed, 6 deletions(-)
diff --git a/config/action.d/firewallcmd-multiport.conf b/config/action.d/firewallcmd-multiport.conf
index cc40d668..81540e5b 100644
--- a/config/action.d/firewallcmd-multiport.conf
+++ b/config/action.d/firewallcmd-multiport.conf
@@ -24,9 +24,3 @@ actioncheck = firewall-cmd --direct --get-chains filter | sed -e 's, ,\
 actionban = firewall-cmd --direct --add-rule filter f2b- 0 -s -j
 actionunban = firewall-cmd --direct --remove-rule filter f2b- 0 -s -j
-
-[Init]
-
-# Could also use port numbers separated by a comma.
-port = 1:65535
-