diff --git a/ChangeLog b/ChangeLog
index 1917f079..1cdb28b7 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -47,6 +47,7 @@ releases.
 * filter.d/kerio.conf - filter extended with new rules (see gh-1455)
 * filter.d/phpmyadmin-syslog.conf - new filter for phpMyAdmin using syslog for auth logging
 * filter.d/zoneminder.conf - new filter for ZoneMinder (gh-1376)
+* action.d/firewallcmd-ipset-allports.conf - new firewallcmd-ipset-allports action (gh-1167)
 
 
 ver. 0.9.7 (2017/05/11) - awaiting-victory
diff --git a/config/action.d/firewallcmd-ipset.conf b/config/action.d/firewallcmd-ipset.conf
index 38b0f3d3..62b6e7c2 100644
--- a/config/action.d/firewallcmd-ipset.conf
+++ b/config/action.d/firewallcmd-ipset.conf
@@ -19,9 +19,9 @@ before = iptables-common.conf
 [Definition]
 
 actionstart = ipset create fail2ban- hash:ip timeout
-              firewall-cmd --direct --add-rule ipv4 filter 0 -p -m multiport --dports -m set --match-set fail2ban- src -j
+              firewall-cmd --direct --add-rule ipv4 filter 0 -m set --match-set fail2ban- src -j
 
-actionstop = firewall-cmd --direct --remove-rule ipv4 filter 0 -p -m multiport --dports -m set --match-set fail2ban- src -j
+actionstop = firewall-cmd --direct --remove-rule ipv4 filter 0 -m set --match-set fail2ban- src -j
              ipset flush fail2ban-
              ipset destroy fail2ban-
 
@@ -44,6 +44,23 @@ chain = INPUT_direct
 bantime = 600
 
+# Option: actiontype
+# Notes.: defines additions to the blocking rule
+# Values: leave empty to block all attempts from the host
+# Default: Value of the multiport
+actiontype =
+
+# Option: allports
+# Notes.: default addition to block all ports
+# Usage.: use in jail config: banaction = firewallcmd-ipset[actiontype=]
+#         for all protocols: banaction = firewallcmd-ipset[actiontype=""]
+allports = -p
+
+# Option: multiport
+# Notes.: addition to block access only to specific ports
+# Usage.: use in jail config: banaction = firewallcmd-ipset[actiontype=]
+multiport = -p -m multiport --dports
+
 # DEV NOTES:
 #
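Review bot: The rewritten actionstart and actionstop rules in the @@ -19,9 hunk must stay character-for-character in step (apart from --add-rule/--remove-rule), because `firewall-cmd --direct --remove-rule` only removes a rule whose arguments exactly repeat the one that was added; the hunk keeps them aligned, but nothing says they must be, so a later edit to the actiontype part of one line would leave the blocking rule in the direct chain after the jail stops. Suggest a comment above actionstart: `# NOTE: actionstop must mirror this rule verbatim (incl. the actiontype part) - firewall-cmd --remove-rule only matches an identical rule`. It is also worth a comment at the rule that an empty actiontype (documented in the options hunk as "block all attempts from the host") turns the former per-port ban into a block of all traffic from the source address, so an unintentionally empty value widens a ban's impact well beyond the jail's ports. The interpolation placeholders (chain, name, actiontype, blocktype) appear to have been stripped from this rendering, so the above assumes they are present in the actual file.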