Merge pull request #3018 from usernamepi/master

Update ufw.conf: several fixes and enhancements
2021-05-06 22:20:39 +02:00 · 2021-05-06 22:20:39 +02:00 · 5a8f1bceb8
parent 71ce548117 2958ad8636
commit 5a8f1bceb8
2 changed files with 41 additions and 7 deletions
--- a/6
+++ b/6
@ -20,6 +20,9 @@ ver. 1.0.1-dev-1 (20??/??/??) - development nightly edition
 ### Fixes
 * readline fixed to consider interim new-line character as part of code point in multi-byte logs
  (e. g. unicode encoding like utf-16be, utf-16le);
 * `action.d/ufw.conf`:
  - fixed handling on IPv6 (using prepend, gh-2331, gh-3018)
  - application names containing spaces can be used now (gh-656, gh-1532, gh-3018)
 * `filter.d/drupal-auth.conf` more strict regex, extended to match "Login attempt failed from" (gh-2742)
 ### New Features and Enhancements
@ -29,6 +32,9 @@ ver. 1.0.1-dev-1 (20??/??/??) - development nightly edition
 * better recognition of log rotation, better performance by reopen: avoid unnecessary seek to begin of file
  (and hash calculation)
 * file filter reads only complete lines (ended with new-line) now, so waits for end of line (for its completion)
 * `action.d/ufw.conf` (gh-3018):
  - new option `add` (default `prepend`), can be supplied as `insert 1` for ufw versions before v.0.36 (gh-2331, gh-3018)
  - new options `kill-mode` and `kill` to drop established connections of intruder (see action for details, gh-3018)
 * `filter.d/nginx-http-auth.conf` - extended with parameter mode, so additionally to `auth` (or `normal`) 
   mode `fallback` (or combined as `aggressive`) can find SSL errors while SSL handshaking, gh-2881
--- a/config/action.d/ufw.conf
+++ b/config/action.d/ufw.conf
@ -13,16 +13,44 @@ actionstop =
 actioncheck = 
-actionban = [ -n "<application>" ] && app="app <application>"
+# ufw does "quickly process packets for which we already have a connection" in before.rules,
-            ufw insert <insertpos> <blocktype> from <ip> to <destination> $app
+# therefore all related sockets should be closed
 # actionban is using `ss` to do so, this only handles IPv4 and IPv6.
-actionunban = [ -n "<application>" ] && app="app <application>"
+actionban = if [ -n "<application>" ] && ufw app info "<application>"
-              ufw delete <blocktype> from <ip> to <destination> $app
+            then
              ufw <add> <blocktype> from <ip> to <destination> app "<application>" comment "<comment>"
            else
              ufw <add> <blocktype> from <ip> to <destination> comment "<comment>"
            fi
            <kill>
 actionunban = if [ -n "<application>" ] && ufw app info "<application>"
              then
                ufw delete <blocktype> from <ip> to <destination> app "<application>"
              else
                ufw delete <blocktype> from <ip> to <destination>
              fi
 # Option: kill-mode
 # Notes.: can be set to ss (may be extended later with other modes) to immediately drop all connections from banned IP, default empty (no kill)
 # Example: banaction = ufw[kill-mode=ss]
 kill-mode =
 # intern conditional parameter used to provide killing mode after ban:
 _kill_ =
 _kill_ss = ss -K dst "[<ip>]"
 # Option: kill
 # Notes.: can be used to specify custom killing feature, by default depending on option kill-mode
 # Examples: banaction = ufw[kill='ss -K "( sport = :http || sport = :https )" dst "[<ip>]"']
            banaction = ufw[kill='cutter "<ip>"']
 kill = <_kill_<kill-mode>>
 [Init]
-# Option: insertpos
+# Option: add
-# Notes.:  The position number in the firewall list to insert the block rule
+# Notes.: can be set to "insert 1" to insert a rule at certain position (here 1):
-insertpos = 1
+add = prepend
 # Option: blocktype
 # Notes.: reject or deny