diff --git a/ChangeLog b/ChangeLog
index 0e2210b78..688ed206a 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -49,6 +49,9 @@ ver. 0.8.11 (2013/XX/XXX) - loves-unittests to Should- rc init fields
 - New Features:
+ Edgar Hoch
+ * action.d/firewall-cmd-direct-new.conf - action for Fedora firewalld
+ from https://bugzilla.redhat.com/show_bug.cgi?id=979622
 Andy Fragen and Daniel Black
 * filter.d/osx-ipfw.conf - ipfw action for OSX based on random rule numbers.
diff --git a/config/action.d/firewall-cmd-direct-new.conf b/config/action.d/firewall-cmd-direct-new.conf
new file mode 100644
index 000000000..8b323068a
--- /dev/null
+++ b/config/action.d/firewall-cmd-direct-new.conf
@@ -0,0 +1,101 @@
+# Fail2Ban configuration file
+#
+# Author: Edgar Hoch, Cyril Jaquier
+# Copied from iptables-new.conf and modified for use with firewalld by Edgar Hoch.
+# It uses "firewall-cmd" instead of "iptables".
+# firewall-cmd is based on the command of version firewalld-0.3.4-1.fc19 .
+# iptables-new.conf copied from iptables.conf and modified by Yaroslav Halchenko
+# to fullfill the needs of bugreporter dbts#350746.
+#
+# $Revision$
+#
+
+[Definition]
+
+# Option: actionstart
+# Notes.: command executed once at the start of Fail2Ban.
+# Values: CMD
+#
+## Old version of iptables-new.conf:
+## actionstart = iptables -N fail2ban-
+## iptables -A fail2ban- -j RETURN
+## iptables -I -m state --state NEW -p --dport -j fail2ban-
+actionstart = firewall-cmd --direct --add-chain ipv4 filter fail2ban-
+ firewall-cmd --direct --add-rule ipv4 filter fail2ban- 1000 -j RETURN
+ firewall-cmd --direct --add-rule ipv4 filter 0 -m state --state NEW -p --dport -j fail2ban-
+
+# Option: actionstop
+# Notes.: command executed once at the end of Fail2Ban
+# Values: CMD
+#
+## Old version of iptables-new.conf:
+## actionstop = iptables -D -m state --state NEW -p --dport -j fail2ban-
+## iptables -F fail2ban-
+## iptables -X fail2ban-
+
+ # The following rule does not work, because firewalld keeps its own database of firewall rules.
+ # firewall-cmd --direct --passthrough ipv4 -F fail2ban-
+ # The better rule would be the following,
+ but firewall-cmd has not implemented this command with firewalld-0.3.3-2.fc19 .
+ # firewall-cmd --direct --flush-chain ipv4 filter fail2ban-
+ # The following is a workaround using a loop to implement the --flush-chain command.
+
+actionstop = firewall-cmd --direct --remove-rule ipv4 filter 0 -m state --state NEW -p --dport -j fail2ban-
+ ( IFS='|' ; for r in $( firewall-cmd --direct --get-rules ipv4 filter fail2ban- | tr '\n' '|' ) ; do eval firewall-cmd --direct --remove-rule ipv4 filter fail2ban- $r ; done )
+ firewall-cmd --direct --remove-chain ipv4 filter fail2ban-
+
+# Option: actioncheck
+# Notes.: command executed once before each actionban command
+# Values: CMD
+#
+## Old version of iptables-new.conf:
+## actioncheck = iptables -n -L | grep -q 'fail2ban-[ \t]'
+actioncheck = firewall-cmd --direct --get-chains ipv4 filter | grep -q 'fail2ban-[ \t]'
+
+# Option: actionban
+# Notes.: command executed when banning an IP. Take care that the
+# command is executed with Fail2Ban user rights.
+# Tags: IP address
+# number of failures
+#