diff --git a/config/action.d/firewall-cmd-direct-new.conf b/config/action.d/firewall-cmd-direct-new.conf
index 8b323068..c151ba48 100644
--- a/config/action.d/firewall-cmd-direct-new.conf
+++ b/config/action.d/firewall-cmd-direct-new.conf
@@ -1,79 +1,30 @@ # Fail2Ban configuration file # -# Author: Edgar Hoch, Cyril Jaquier +# Author: Edgar Hoch # Copied from iptables-new.conf and modified for use with firewalld by Edgar Hoch. # It uses "firewall-cmd" instead of "iptables". -# firewall-cmd is based on the command of version firewalld-0.3.4-1.fc19 . -# iptables-new.conf copied from iptables.conf and modified by Yaroslav Halchenko -# to fullfill the needs of bugreporter dbts#350746. -# -# $Revision$ -# +# firewall-cmd is based on the command of version firewalld-0.3.4-1.fc19. [Definition] -# Option: actionstart -# Notes.: command executed once at the start of Fail2Ban. -# Values: CMD -# -## Old version of iptables-new.conf: -## actionstart = iptables -N fail2ban- -## iptables -A fail2ban- -j RETURN -## iptables -I -m state --state NEW -p --dport -j fail2ban- actionstart = firewall-cmd --direct --add-chain ipv4 filter fail2ban- firewall-cmd --direct --add-rule ipv4 filter fail2ban- 1000 -j RETURN firewall-cmd --direct --add-rule ipv4 filter 0 -m state --state NEW -p --dport -j fail2ban- -# Option: actionstop -# Notes.: command executed once at the end of Fail2Ban -# Values: CMD -# -## Old version of iptables-new.conf: -## actionstop = iptables -D -m state --state NEW -p --dport -j fail2ban- -## iptables -F fail2ban- -## iptables -X fail2ban- - - # The following rule does not work, because firewalld keeps its own database of firewall rules. - # firewall-cmd --direct --passthrough ipv4 -F fail2ban- - # The better rule would be the following, - # but firewall-cmd has not implemented this command with firewalld-0.3.3-2.fc19 . - # firewall-cmd --direct --flush-chain ipv4 filter fail2ban- - # The following is a workaround using a loop to implement the --flush-chain command. +# The following rule does not work, because firewalld keeps its own database of firewall rules. 
+# firewall-cmd --direct --passthrough ipv4 -F fail2ban- +# The better rule would be the following, but firewall-cmd has not implemented this command with firewalld-0.3.3-2.fc19 . +# firewall-cmd --direct --flush-chain ipv4 filter fail2ban- +# The following is a workaround using a loop to implement the --flush-chain command. actionstop = firewall-cmd --direct --remove-rule ipv4 filter 0 -m state --state NEW -p --dport -j fail2ban- - ( IFS='|' ; for r in $( firewall-cmd --direct --get-rules ipv4 filter fail2ban- | tr '\n' '|' ) ; do eval firewall-cmd --direct --remove-rule ipv4 filter fail2ban- $r ; done ) + ( IFS='|' ; for r in $( firewall-cmd --direct --get-rules ipv4 filter fail2ban- | tr '\n' '|' ) ; do eval firewall-cmd --direct --remove-rule ipv4 filter fail2ban- $r ; done ) firewall-cmd --direct --remove-chain ipv4 filter fail2ban- -# Option: actioncheck -# Notes.: command executed once before each actionban command -# Values: CMD -# -## Old version of iptables-new.conf: -## actioncheck = iptables -n -L | grep -q 'fail2ban-[ \t]' actioncheck = firewall-cmd --direct --get-chains ipv4 filter | grep -q 'fail2ban-[ \t]' -# Option: actionban -# Notes.: command executed when banning an IP. Take care that the -# command is executed with Fail2Ban user rights. -# Tags: IP address -# number of failures -#