From fb666b69ffff45d8cbd6e381e5ffccfc6419d939 Mon Sep 17 00:00:00 2001
From: Daniel Black
Date: Thu, 28 Nov 2013 23:35:05 +1100
Subject: [PATCH 1/4] BF: firewall-cmd-direct-new was too long. Thanks Joel.
---
ChangeLog | 2 +
config/action.d/firewall-cmd-direct-new.conf | 52 --------------------
2 files changed, 2 insertions(+), 52 deletions(-)
delete mode 100644 config/action.d/firewall-cmd-direct-new.conf
diff --git a/ChangeLog b/ChangeLog
index 58f8f84a..7a210b2c 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -13,6 +13,8 @@ ver. 0.8.12 (2013/12/XX) - things-can-only-get-better
 - IMPORTANT incompatible changes:
 - Fixes:
+ - Rename firewall-cmd-direct-new to firewall-cmd-new to fit within jail name
+ name length. As per gh-395
 - allow for ",milliseconds" in the custom date format of proftpd.log
 - allow for ", referer ..." in apache-* filter for apache error logs.
 - allow for spaces at the beginning of kernel messages. Closes gh-448
diff --git a/config/action.d/firewall-cmd-direct-new.conf b/config/action.d/firewall-cmd-direct-new.conf
deleted file mode 100644
index 55b6762d..00000000
--- a/config/action.d/firewall-cmd-direct-new.conf
+++ /dev/null
@@ -1,52 +0,0 @@
-# Fail2Ban configuration file
-#
-# Author: Edgar Hoch
-# Copied from iptables-new.conf and modified for use with firewalld by Edgar Hoch.
-# It uses "firewall-cmd" instead of "iptables".
-#
-# Because of the --remove-rules in stop this action requires firewalld-0.3.8+
-
-[INCLUDES]
-
-before = iptables-blocktype.conf
-
-[Definition]
-
-actionstart = firewall-cmd --direct --add-chain ipv4 filter fail2ban-
- firewall-cmd --direct --add-rule ipv4 filter fail2ban- 1000 -j RETURN
- firewall-cmd --direct --add-rule ipv4 filter 0 -m state --state NEW -p --dport -j fail2ban-
-
-actionstop = firewall-cmd --direct --remove-rule ipv4 filter 0 -m state --state NEW -p --dport -j fail2ban-
- firewall-cmd --direct --remove-rules ipv4 filter fail2ban-
- firewall-cmd --direct --remove-chain ipv4 filter fail2ban-
-
-actioncheck = firewall-cmd --direct --get-chains ipv4 filter | grep -q 'fail2ban-[ \t]'
-
-actionban = firewall-cmd --direct --add-rule ipv4 filter fail2ban- 0 -s -j
-
-actionunban = firewall-cmd --direct --remove-rule ipv4 filter fail2ban- 0 -s -j
-
-[Init]
-
-# Default name of the chain
-#
-name = default
-
-# Option: port
-# Notes.: specifies port to monitor
-# Values: [ NUM | STRING ]
-#
-port = ssh
-
-# Option: protocol
-# Notes.: internally used by config reader for interpolations.
-# Values: [ tcp | udp | icmp | all ]
-#
-protocol = tcp
-
-# Option: chain
-# Notes specifies the iptables chain to which the fail2ban rules should be
-# added
-# Values: [ STRING ]
-#
-chain = INPUT_direct
From 9e538927087d2d7382631063c6423af8a4a6b95e Mon Sep 17 00:00:00 2001
From: Daniel Black
Date: Fri, 29 Nov 2013 19:26:24 +1100
Subject: [PATCH 2/4] BF: did remove instead of move
---
config/action.d/firewalld-cmd-new.conf | 52 ++++++++++++++++++++++++++
1 file changed, 52 insertions(+)
create mode 100644 config/action.d/firewalld-cmd-new.conf
diff --git a/config/action.d/firewalld-cmd-new.conf b/config/action.d/firewalld-cmd-new.conf
new file mode 100644
index 00000000..837352e9
--- /dev/null
+++ b/config/action.d/firewalld-cmd-new.conf
@@ -0,0 +1,52 @@
+# Fail2Ban configuration file
+#
+# Author: Edgar Hoch
+# Copied from iptables-new.conf and modified for use with firewalld by Edgar Hoch.
+# It uses "firewall-cmd" instead of "iptables".
+#
+# Because of the --remove-rules in stop this action requires firewalld-0.3.8+
+
+[INCLUDES]
+
+before = iptables-blocktype.conf
+
+[Definition]
+
+actionstart = firewall-cmd --direct --add-chain ipv4 filter f2b-
+ firewall-cmd --direct --add-rule ipv4 filter f2b- 1000 -j RETURN
+ firewall-cmd --direct --add-rule ipv4 filter 0 -m state --state NEW -p --dport -j f2b-
+
+actionstop = firewall-cmd --direct --remove-rule ipv4 filter 0 -m state --state NEW -p --dport -j f2b-
+ firewall-cmd --direct --remove-rules ipv4 filter f2b-
+ firewall-cmd --direct --remove-chain ipv4 filter f2b-
+
+actioncheck = firewall-cmd --direct --get-chains ipv4 filter | grep -q 'f2b-[ \t]'
+
+actionban = firewall-cmd --direct --add-rule ipv4 filter f2b- 0 -s -j
+
+actionunban = firewall-cmd --direct --remove-rule ipv4 filter f2b- 0 -s -j
+
+[Init]
+
+# Default name of the chain
+#
+name = default
+
+# Option: port
+# Notes.: specifies port to monitor
+# Values: [ NUM | STRING ]
+#
+port = ssh
+
+# Option: protocol
+# Notes.: internally used by config reader for interpolations.
+# Values: [ tcp | udp | icmp | all ]
+#
+protocol = tcp
+
+# Option: chain
+# Notes specifies the iptables chain to which the fail2ban rules should be
+# added
+# Values: [ STRING ]
+#
+chain = INPUT_direct
From 86a0a5962a9ed2c8c3c5b4fd7b75adb2c740b803 Mon Sep 17 00:00:00 2001
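Review bot: The check on the new side, `actioncheck = firewall-cmd --direct --get-chains ipv4 filter | grep -q 'f2b-[ \t]'`, only matches when whitespace follows the chain name, so it misses the chain when it is the last (or only) one printed, where only the line end follows; as far as I know `--get-chains` prints the chain names space-separated on one line, which makes the single-jail case the one that fails. When actioncheck fails fail2ban re-runs actionstart, whose `--add-chain` then hits an already-present chain, and if that also fails the ban is not applied. A more robust form is `actioncheck = firewall-cmd --direct --get-chains ipv4 filter | sed -e 's, ,\n,g' | grep -q '^f2b-<name>$'`. The `<name>`, `<port>`, `<protocol>` and `<chain>` interpolation tags that the [Init] keys supply appear to have been stripped from this rendering of the hunk, so read the quoted lines with them restored; PATCH 3/4 below keeps the same grep pattern with the fail2ban- prefix and has the same issue.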
From: Daniel Black
Date: Sat, 30 Nov 2013 08:05:20 +1100
Subject: [PATCH 3/4] BF: revert to fail2ban- prefix as f2b- was intended for 0.9
---
config/action.d/firewalld-cmd-new.conf | 18 +++++++++---------
1 file changed, 9 insertions(+), 9 deletions(-)
diff --git a/config/action.d/firewalld-cmd-new.conf b/config/action.d/firewalld-cmd-new.conf
index 837352e9..55b6762d 100644
--- a/config/action.d/firewalld-cmd-new.conf
+++ b/config/action.d/firewalld-cmd-new.conf
@@ -12,19 +12,19 @@ before = iptables-blocktype.conf
 [Definition]
-actionstart = firewall-cmd --direct --add-chain ipv4 filter f2b-
- firewall-cmd --direct --add-rule ipv4 filter f2b- 1000 -j RETURN
- firewall-cmd --direct --add-rule ipv4 filter 0 -m state --state NEW -p --dport -j f2b-
+actionstart = firewall-cmd --direct --add-chain ipv4 filter fail2ban-
+ firewall-cmd --direct --add-rule ipv4 filter fail2ban- 1000 -j RETURN
+ firewall-cmd --direct --add-rule ipv4 filter 0 -m state --state NEW -p --dport -j fail2ban-
-actionstop = firewall-cmd --direct --remove-rule ipv4 filter 0 -m state --state NEW -p --dport -j f2b-
- firewall-cmd --direct --remove-rules ipv4 filter f2b-
- firewall-cmd --direct --remove-chain ipv4 filter f2b-
+actionstop = firewall-cmd --direct --remove-rule ipv4 filter 0 -m state --state NEW -p --dport -j fail2ban-
+ firewall-cmd --direct --remove-rules ipv4 filter fail2ban-
+ firewall-cmd --direct --remove-chain ipv4 filter fail2ban-
-actioncheck = firewall-cmd --direct --get-chains ipv4 filter | grep -q 'f2b-[ \t]'
+actioncheck = firewall-cmd --direct --get-chains ipv4 filter | grep -q 'fail2ban-[ \t]'
-actionban = firewall-cmd --direct --add-rule ipv4 filter f2b- 0 -s -j
+actionban = firewall-cmd --direct --add-rule ipv4 filter fail2ban- 0 -s -j
-actionunban = firewall-cmd --direct --remove-rule ipv4 filter f2b- 0 -s -j
+actionunban = firewall-cmd --direct --remove-rule ipv4 filter fail2ban- 0 -s -j
 [Init]
From 56b6bf7d25766a47febba1a079629567a63892c7 Mon Sep 17 00:00:00 2001
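Review bot: Every firewall-cmd call in this hunk is a runtime `--direct` change with no `--permanent`, so, as I understand firewalld, a `firewall-cmd --reload` or a firewalld restart silently drops the fail2ban chain together with every current ban until actioncheck notices the chain is gone and fail2ban re-runs actionstart; nothing in the file says so, and an operator reloading firewalld after a zone change would not expect bans to vanish. A header comment next to the existing firewalld-0.3.8+ note would make that explicit, e.g. `# Rules are runtime-only (no --permanent): a firewalld reload removes the chain and its bans; actioncheck should detect this so that actionstart re-creates the chain.` The enclosing [Definition] section begins above this hunk and the [Init] section continues below it. Separately, the ChangeLog entry added in PATCH 1/4 names the action firewall-cmd-new, while PATCH 4/4 renames the file to firewallcmd-new.conf; the entry should be updated in the same series so the documented name matches the shipped file.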
From: Daniel Black
Date: Sat, 30 Nov 2013 10:30:29 +1100
Subject: [PATCH 4/4] ENH: reduce firewalld-cmd-new -> firewallcmd-new
---
config/action.d/{firewalld-cmd-new.conf => firewallcmd-new.conf} | 0
1 file changed, 0 insertions(+), 0 deletions(-)
rename config/action.d/{firewalld-cmd-new.conf => firewallcmd-new.conf} (100%)
diff --git a/config/action.d/firewalld-cmd-new.conf b/config/action.d/firewallcmd-new.conf
similarity index 100%
rename from config/action.d/firewalld-cmd-new.conf
rename to config/action.d/firewallcmd-new.conf