From c7a86b4616ef1bd43cf96874710b53b42d065684 Mon Sep 17 00:00:00 2001
From: sebres
Date: Sat, 29 May 2021 22:59:55 +0200
Subject: [PATCH] action.d/firewallcmd-ipset.conf: amend to #2620: - combines actions `firewallcmd-ipset` and `firewallcmd-ipset-native` (parameter `ipsettype=firewalld`); - IPv6-capability for firewalld ipset; - no internal timeout handling by default; - no permanent rules yet
---
 config/action.d/firewallcmd-ipset-native.conf | 77 -------------------
 config/action.d/firewallcmd-ipset.conf | 43 +++++++++--
 2 files changed, 38 insertions(+), 82 deletions(-)
 delete mode 100644 config/action.d/firewallcmd-ipset-native.conf
diff --git a/config/action.d/firewallcmd-ipset-native.conf b/config/action.d/firewallcmd-ipset-native.conf
deleted file mode 100644
index 757d46ad..00000000
--- a/config/action.d/firewallcmd-ipset-native.conf
+++ /dev/null
@@ -1,77 +0,0 @@ -# Fail2Ban action file for firewall-cmd using native ipset implementation -# -# This requires: -# ipset (package: ipset) -# firewall-cmd (package: firewalld) -# -# This is for ipset protocol 6 (and hopefully later) (ipset v6.14). -# Use ipset -V to see the protocol and version. -# -# IPset was a feature introduced in the linux kernel 2.6.39 and 3.0.0 kernels. -# -# If you are running on an older kernel you make need to patch in external -# modules. - -[INCLUDES] - -before = firewallcmd-common.conf - -[Definition] - -actionstart = firewall-cmd --permanent --new-ipset= --type=hash:ip --option=timeout= - firewall-cmd --reload - firewall-cmd --direct --add-rule filter 0 -m set --match-set src -j - -actionstop = firewall-cmd --direct --remove-rule filter 0 -m set --match-set src -j - firewall-cmd --permanent --delete-ipset= - firewall-cmd --reload - -actionban = firewall-cmd --ipset= --add-entry= - -actionunban = firewall-cmd --ipset= --remove-entry= - -[Init] - -# Option: chain -# Notes specifies the iptables chain to which the fail2ban rules should be -# added -# Values: [ STRING ] -# -chain = INPUT_direct - -# Option: bantime -# Notes: specifies the bantime in seconds (handled internally rather than by fail2ban) -# Values: [ NUM ] Default: 600 - -bantime = 86400 - -# Option: actiontype -# Notes.: defines additions to the blocking rule -# Values: leave empty to block all attempts from the host -# Default: Value of the multiport -actiontype = - -# Option: allports -# Notes.: default addition to block all ports -# Usage.: use in jail config: banaction = firewallcmd-ipset[actiontype=] -# for all protocols: banaction = firewallcmd-ipset[actiontype=""] -allports = -p - -# Option: multiport -# Notes.: addition to block access only to specific ports -# Usage.: use in jail config: banaction = firewallcmd-ipset[actiontype=] -multiport = -p -m multiport --dports - -ipmset = f2b- -familyopt = - -[Init?family=inet6] - -ipmset = f2b-6 -familyopt = family inet6 - 
- -# DEV NOTES: -# -# Author: Edgar Hoch and Daniel Black and Mihail Politaev -# firewallcmd-new / iptables-ipset-proto6 combined for maximium goodness diff --git a/config/action.d/firewallcmd-ipset.conf b/config/action.d/firewallcmd-ipset.conf index c89a0243..e1cb67e7 100644 --- a/config/action.d/firewallcmd-ipset.conf +++ b/config/action.d/firewallcmd-ipset.conf @@ -18,21 +18,46 @@ before = firewallcmd-common.conf [Definition] -actionstart = ipset create hash:ip timeout +actionstart = /actionstart> firewall-cmd --direct --add-rule filter 0 -m set --match-set src -j -actionflush = ipset flush +actionflush = /actionflush> actionstop = firewall-cmd --direct --remove-rule filter 0 -m set --match-set src -j - ipset destroy + /actionstop> -actionban = ipset add timeout -exist +actionban = /actionban> # actionprolong = %(actionban)s +actionunban = /actionunban> + +[ipstype_ipset] + +actionstart = ipset create hash:ip timeout + +actionflush = ipset flush + +actionstop = ipset destroy + +actionban = ipset add timeout -exist + actionunban = ipset del -exist +[ipstype_firewalld] + +actionstart = firewall-cmd --direct --new-ipset= --type=hash:ip --option=timeout= + +# TODO: there doesn't seem to be an explicit way to invoke the ipset flush function using firewall-cmd +actionflush = + +actionstop = firewall-cmd --direct --delete-ipset= + +actionban = firewall-cmd --ipset= --add-entry= + +actionunban = firewall-cmd --ipset= --remove-entry= + [Init] # Option: chain @@ -56,6 +81,12 @@ ipsettime = 0 # banaction = %(known/banaction)s[ipsettime=''] timeout-bantime = $([ "" -le 2147483 ] && echo "" || echo 0) +# Option: ipsettype +# Notes.: defines type of ipset used for match-set (firewalld or ipset) +# Values: firewalld or ipset +# Default: ipset +ipsettype = ipset + # Option: actiontype # Notes.: defines additions to the blocking rule # Values: leave empty to block all attempts from the host 
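Review bot: `actionflush =` in the new `[ipstype_firewalld]` section is empty, so a flush request (used by `unban --all` and, I believe, ahead of stop) becomes a silent no-op for firewalld-backed sets, whereas the `[ipstype_ipset]` counterpart runs `ipset flush`; entries an operator meant to clear then survive until their own timeout expires. Since the TODO notes firewall-cmd has no flush verb, the honest equivalent is to recreate the set using the two commands this section already has for stop and start, e.g. `actionflush = firewall-cmd --direct --delete-ipset=<set-name tag>` followed on an indented continuation line by `firewall-cmd --direct --new-ipset=<set-name tag> --type=hash:ip --option=timeout=<timeout tag>` (the angle-bracket tags are stripped in this rendering, so use the same tags the section's actionstart/actionstop use); whether recreating a set that the direct rule still references is safe on the target firewalld version should be confirmed before relying on it. Failing that, the TODO should say explicitly that flush is unsupported for `ipsettype = firewalld`. As a point of style, the section prefix is spelled `ipstype_` while the option that selects it (next hunk) is `ipsettype`; naming them the same (`[ipsettype_ipset]`, `[ipsettype_firewalld]`) would avoid a misread. The `[Init]` section this hunk ends in continues outside the hunk.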
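Review bot: The new `ipsettype` option is only documented as "firewalld or ipset", but its value appears to be spliced into a section name (`[ipstype_<value>]`, judging from the `/actionstart>` style references in the previous hunk), and nothing checks that such a section exists. From what is visible I would expect a typo such as `ipsettype = firewald` to leave the start/ban commands unresolved rather than be rejected, i.e. the jail reports as started while enforcing nothing — please confirm against the tag-substitution behaviour. At minimum the comment should state the contract, e.g. `# Notes.: selects the [ipstype_<value>] block above; must be exactly firewalld or ipset, any other value leaves the set commands unresolved`. A stronger fix is an `actioncheck` that verifies the set actually exists after start (for firewalld, `firewall-cmd --get-ipsets` lists them), so a misconfiguration fails closed instead of silently. The `[Init]` section continues on both sides of this hunk.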
@@ -75,14 +106,16 @@ multiport = -p -m multiport --dports "$(echo '' | sed s/:/-/g)" ipmset = f2b- familyopt = +firewalld_familyopt = [Init?family=inet6] ipmset = f2b-6 familyopt = family inet6 +firewalld_familyopt = --option=family=inet6 # DEV NOTES: # -# Author: Edgar Hoch and Daniel Black +# Author: Edgar Hoch, Daniel Black, Sergey Brester and Mihail Politaev # firewallcmd-new / iptables-ipset-proto6 combined for maximium goodness
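Review bot: The two added `firewalld_familyopt` lines (empty under `[Init]`, `--option=family=inet6` under `[Init?family=inet6]`) carry no comment, unlike the other firewalld-specific knob added to `[Init]` in the earlier hunk. They are presumably consumed by the `[ipstype_firewalld]` actionstart when creating the set, but the tag references are stripped in this rendering so I cannot confirm it from the hunk. A one-line comment above the first occurrence would make the pairing with `familyopt` clear, e.g. `# firewalld counterpart of familyopt: passed as a --new-ipset option, empty for IPv4`.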