also sprach Yaroslav Halchenko <[EMAIL PROTECTED]> [2006.11.15.1854 +0100]:
> Please find my fix to your configuration attached...
We're going in circles... almost. If you now look at the original
configuration I submitted, it's almost exactly the same as the one
you have given me, except that you also set the defaults for the
three parameters in the jail.local/[DEFAULT] section. This fixes it.
For completeness, here's what I now use:
==> /etc/fail2ban/jail.local <==
[DEFAULT]
action = iptables-flex[name=%(__name__)s, port=%(port)s, fwchain=%(fwchain)s,
         post_start_commands=%(post_start_commands)s,
         pre_end_commands=%(pre_end_commands)s]
fwchain = INPUT
post_start_commands = :
pre_end_commands = :
[ssh]
fwchain = ssh-tarpit
post_start_commands = iptables -I %(fwchain)s -j ssh-whitelist
pre_end_commands = iptables -D %(fwchain)s -j ssh-whitelist
==> /etc/fail2ban/action.d/iptables-flex.local <==
[Definition]
actionstart = iptables -N fail2ban-<name>
              iptables -I <fwchain> -m state --state NEW -p <protocol> --dport <port> -j fail2ban-<name>
              <post_start_commands>
actionstop = <pre_end_commands>
             iptables -D <fwchain> -m state --state NEW -p <protocol> --dport <port> -j fail2ban-<name>
             iptables -F fail2ban-<name>
             iptables -X fail2ban-<name>
actioncheck = iptables -L <fwchain> | grep -q fail2ban-<name>
actionban = iptables -I fail2ban-<name> 1 -s <ip> -j DROP
actionunban = iptables -D fail2ban-<name> -s <ip> -j DROP
[Init]
name = default
port = ssh
protocol = tcp
==> END <==
So what is the Init section for? I wish I could just define
defaults in the action file and still have them be overridable from
the jail configuration.
> > So my question is how I can override the defaults from the jail
> > configuration.
> simply by redefining in jail.local. in your case you are not only
> redefining it but trying to introduce additional parameters into
> action and mixing up parameters and interpolations
I think I understand now. Thanks for seeing me through this.
Either we'll close this bug now, or retitle it as a wishlist for
being able to do the above.
--
.''`. martin f. krafft <[EMAIL PROTECTED]>
: :' : proud Debian developer, author, administrator, and user
`. `'` http://people.debian.org/~madduck - http://debiansystem.info
`- Debian - when you have better things to do than fixing systems
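The two substitution stages discussed in this message, as an added example that is not part of the original mail and not fail2ban's own code: a simplified model using Python's standard configparser for the %(...)s stage in the jail file and a plain replace for the <tag> stage in the action. The [apache] jail, the per-jail port lines and the function names are assumptions made for the illustration.

```python
import configparser
import re

# Constructed input modelled on the jail.local above. Assumptions: the [apache]
# jail and both "port" lines, added to exercise the [DEFAULT] fallbacks.
JAIL_LOCAL = """
[DEFAULT]
action = iptables-flex[name=%(__name__)s, port=%(port)s, fwchain=%(fwchain)s,
         post_start_commands=%(post_start_commands)s,
         pre_end_commands=%(pre_end_commands)s]
fwchain = INPUT
post_start_commands = :
pre_end_commands = :
[ssh]
port = ssh
fwchain = ssh-tarpit
post_start_commands = iptables -I %(fwchain)s -j ssh-whitelist
pre_end_commands = iptables -D %(fwchain)s -j ssh-whitelist
[apache]
port = http
"""
INIT = {"name": "default", "port": "ssh", "protocol": "tcp"}  # action [Init]
ACTIONSTART = """iptables -N fail2ban-<name>
iptables -I <fwchain> -m state --state NEW -p <protocol> --dport <port> -j fail2ban-<name>
<post_start_commands>"""

def jail_action_params(jail_text, jail):
    """Stage 1: resolve %(...)s inside the jail file, then split name[k=v, ...]."""
    cp = configparser.ConfigParser()
    cp.read_string(jail_text)
    # Python 3 configparser has no implicit __name__, so pass it explicitly.
    spec = cp.get(jail, "action", vars={"__name__": jail})
    action, body = re.fullmatch(r"(?s)\s*([\w-]+)\[(.*)\]\s*", spec).groups()
    # Simplified split: assumes parameter values contain no commas.
    return action, dict(p.strip().split("=", 1) for p in body.split(","))

def render(template, init, params):
    """Stage 2: fill <tag> placeholders; jail parameters override [Init]."""
    values = {**init, **params}
    return re.sub(r"<(\w+)>", lambda m: values[m.group(1)], template)

if __name__ == "__main__":
    for jail in ("ssh", "apache"):
        print(render(ACTIONSTART, INIT, jail_action_params(JAIL_LOCAL, jail)[1]))
    # Drop one [DEFAULT] fallback: a jail that does not set it no longer resolves.
    broken = JAIL_LOCAL.replace("fwchain = INPUT\n", "")
    try:
        jail_action_params(broken, "apache")
    except configparser.InterpolationMissingOptionError as err:
        print("unresolved in jail file:", err.reference)
```

In this model the %(fwchain)s reference is looked up only among the jail file's own sections, so the [Init] dictionary never gets a chance to supply it.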

