github
/
fail2ban
mirror of https://github.com/fail2ban/fail2ban
1
0
Fork 0
Code Issues Releases Wiki Activity

ENH: new action.d/firewall-cmd-direct-new.conf from Redhat Bugzilla #979622

Browse Source
pull/396/head
Daniel Black 11 years ago
parent 123ad1cc9c
commit 0d8d1ae26c
2 changed files with 104 additions and 0 deletions
Show Stats Download Patch File Download Diff File

3
ChangeLog
Unescape View File

@ -49,6 +49,9 @@ ver. 0.8.11 (2013/XX/XXX) - loves-unittests
to Should- rc init fields to Should- rc init fields
- New Features: - New Features:
Edgar Hoch
* action.d/firewall-cmd-direct-new.conf - action for Fedora firewalld
from https://bugzilla.redhat.com/show_bug.cgi?id=979622
Andy Fragen and Daniel Black Andy Fragen and Daniel Black
* filter.d/osx-ipfw.conf - ipfw action for OSX based on random rule * filter.d/osx-ipfw.conf - ipfw action for OSX based on random rule
numbers. numbers.

101
config/action.d/firewall-cmd-direct-new.conf
Unescape View File

@ -0,0 +1,101 @@
# Fail2Ban configuration file
#
# Author: Edgar Hoch, Cyril Jaquier
# Copied from iptables-new.conf and modified for use with firewalld by Edgar Hoch.
# It uses "firewall-cmd" instead of "iptables".
# firewall-cmd is based on the command of version firewalld-0.3.4-1.fc19 .
# iptables-new.conf copied from iptables.conf and modified by Yaroslav Halchenko
# to fullfill the needs of bugreporter dbts#350746.
#
# $Revision$
#
[Definition]
# Option: actionstart
# Notes.: command executed once at the start of Fail2Ban.
# Values: CMD
#
## Old version of iptables-new.conf:
## actionstart = iptables -N fail2ban-<name>
## iptables -A fail2ban-<name> -j RETURN
## iptables -I <chain> -m state --state NEW -p <protocol> --dport <port> -j fail2ban-<name>
actionstart = firewall-cmd --direct --add-chain ipv4 filter fail2ban-<name>
firewall-cmd --direct --add-rule ipv4 filter fail2ban-<name> 1000 -j RETURN
firewall-cmd --direct --add-rule ipv4 filter <chain> 0 -m state --state NEW -p <protocol> --dport <port> -j fail2ban-<name>
# Option: actionstop
# Notes.: command executed once at the end of Fail2Ban
# Values: CMD
#
## Old version of iptables-new.conf:
## actionstop = iptables -D <chain> -m state --state NEW -p <protocol> --dport <port> -j fail2ban-<name>
## iptables -F fail2ban-<name>
## iptables -X fail2ban-<name>
# The following rule does not work, because firewalld keeps its own database of firewall rules.
# firewall-cmd --direct --passthrough ipv4 -F fail2ban-<name>
# The better rule would be the following,
# but firewall-cmd has not implemented this command with firewalld-0.3.3-2.fc19 .
# firewall-cmd --direct --flush-chain ipv4 filter fail2ban-<name>
# The following is a workaround using a loop to implement the --flush-chain command.
actionstop = firewall-cmd --direct --remove-rule ipv4 filter <chain> 0 -m state --state NEW -p <protocol> --dport <port> -j fail2ban-<name>
( IFS='|' ; for r in $( firewall-cmd --direct --get-rules ipv4 filter fail2ban-<name> | tr '\n' '|' ) ; do eval firewall-cmd --direct --remove-rule ipv4 filter fail2ban-<name> $r ; done )
firewall-cmd --direct --remove-chain ipv4 filter fail2ban-<name>
# Option: actioncheck
# Notes.: command executed once before each actionban command
# Values: CMD
#
## Old version of iptables-new.conf:
## actioncheck = iptables -n -L <chain> | grep -q 'fail2ban-<name>[ \t]'
actioncheck = firewall-cmd --direct --get-chains ipv4 filter | grep -q 'fail2ban-<name>[ \t]'
# Option: actionban
# Notes.: command executed when banning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: <ip> IP address
# <failures> number of failures
# <time> unix timestamp of the ban time
# Values: CMD
#
## Old version of iptables-new.conf:
## actionban = iptables -I fail2ban-<name> 1 -s <ip> -j DROP
actionban = firewall-cmd --direct --add-rule ipv4 filter fail2ban-<name> 0 -s <ip> -j DROP
# Option: actionunban
# Notes.: command executed when unbanning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: <ip> IP address
# <failures> number of failures
# <time> unix timestamp of the ban time
# Values: CMD
#
## Old version of iptables-new.conf:
## actionunban = iptables -D fail2ban-<name> -s <ip> -j DROP
actionunban = firewall-cmd --direct --remove-rule ipv4 filter fail2ban-<name> 0 -s <ip> -j DROP
[Init]
# Defaut name of the chain
#
name = default
# Option: port
# Notes.: specifies port to monitor
# Values: [ NUM | STRING ] Default:
#
port = ssh
# Option: protocol
# Notes.: internally used by config reader for interpolations.
# Values: [ tcp | udp | icmp | all ] Default: tcp
#
protocol = tcp
# Option: chain
# Notes specifies the iptables chain to which the fail2ban rules should be
# added
# Values: STRING Default: INPUT
chain = INPUT_direct
Write Preview
Loading…
Cancel
Save