# Fail2Ban configuration file # # Author: Edgar Hoch # Copied from iptables-new.conf and modified for use with firewalld by Edgar Hoch. # It uses "firewall-cmd" instead of "iptables". # firewall-cmd is based on the command of version firewalld-0.3.4-1.fc19. [Definition] actionstart = firewall-cmd --direct --add-chain ipv4 filter fail2ban- firewall-cmd --direct --add-rule ipv4 filter fail2ban- 1000 -j RETURN firewall-cmd --direct --add-rule ipv4 filter 0 -m state --state NEW -p --dport -j fail2ban- # The following rule does not work, because firewalld keeps its own database of firewall rules. # firewall-cmd --direct --passthrough ipv4 -F fail2ban- # The better rule would be the following, but firewall-cmd has not implemented this command with firewalld-0.3.3-2.fc19 . # firewall-cmd --direct --flush-chain ipv4 filter fail2ban- # The following is a workaround using a loop to implement the --flush-chain command. actionstop = firewall-cmd --direct --remove-rule ipv4 filter 0 -m state --state NEW -p --dport -j fail2ban- ( IFS='|' ; for r in $( firewall-cmd --direct --get-rules ipv4 filter fail2ban- | tr '\n' '|' ) ; do eval firewall-cmd --direct --remove-rule ipv4 filter fail2ban- $r ; done ) firewall-cmd --direct --remove-chain ipv4 filter fail2ban- actioncheck = firewall-cmd --direct --get-chains ipv4 filter | grep -q 'fail2ban-[ \t]' actionban = firewall-cmd --direct --add-rule ipv4 filter fail2ban- 0 -s -j DROP actionunban = firewall-cmd --direct --remove-rule ipv4 filter fail2ban- 0 -s -j DROP [Init] # Defaut name of the chain # name = default # Option: port # Notes.: specifies port to monitor # Values: [ NUM | STRING ] Default: # port = ssh # Option: protocol # Notes.: internally used by config reader for interpolations. # Values: [ tcp | udp | icmp | all ] Default: tcp # protocol = tcp # Option: chain # Notes specifies the iptables chain to which the fail2ban rules should be # added # Values: STRING Default: INPUT chain = INPUT_direct