Thanks, both of you, for your time and patience!

also sprach Cyril Jaquier <[EMAIL PROTECTED]> [2006.11.15.2302 +0100]:
> Any option "my_option" in the section [Init] can then be replaced by a
> tag "<my_option>" in the section [Definition] of the action. The tag
> "<my_option>" will then be replaced by the value of "my_option" in
> [Init]. BUT, you can override the value of "my_option" in
> jail.[conf|local] like this:
>
> action = my_action[my_option = "new_value"]
>
> If you use:
>
> action = my_action
>
> in jail.[conf|local], then the tags in "my_action" will be replaced by
> their default values defined in [Init].
Yes, but then it's also impossible to override them for each jail.
also sprach Cyril Jaquier <[EMAIL PROTECTED]> [2006.11.15.2314 +0100]:
> ==> /etc/fail2ban/jail.local <==
> [DEFAULT]
> action = iptables-flex[name=%(__name__)s, port=%(port)s,
> fwchain=%(fwchain)s, post_start_commands=%(post_start_commands)s,
> pre_end_commands=%(pre_end_commands)s]
> fwchain = INPUT
> [ssh]
> fwchain = ssh-tarpit
> ==> /etc/fail2ban/action.d/iptables-flex.local <==
> [Definition]
> actionstart = iptables -N fail2ban-<name>
> iptables -I <fwchain> -m state --state NEW -p <protocol>
> --dport <port> -j fail2ban-<name>
> iptables -I <fwchain> -j <whitelist>
> actionstop = iptables -D <fwchain> -j <whitelist>
> iptables -D <fwchain> -m state --state NEW -p <protocol>
> --dport <port> -j fail2ban-<name>
> iptables -F fail2ban-<name>
> iptables -X fail2ban-<name>
> actioncheck = iptables -L <fwchain> | grep -q fail2ban-<name>
> actionban = iptables -I fail2ban-<name> 1 -s <ip> -j DROP
> actionunban = iptables -D fail2ban-<name> -s <ip> -j DROP
> [Init]
> whitelist = ssh-whitelist
> fwchain = INPUT
> name = default
> port = ssh
> protocol = tcp
The fwchain parameter defined in [Init] will never get used because
the fwchain=%(fwchain)s parameter to the action script will always
override it with the value from the jail, or from the [DEFAULT]
section in jail.{local,conf} if the jail does not define it.
--
.''`. martin f. krafft <[EMAIL PROTECTED]>
: :' : proud Debian developer, author, administrator, and user
`. `'` http://people.debian.org/~madduck - http://debiansystem.info
`- Debian - when you have better things to do than fixing systems
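
The resolution order discussed in this message, as an added Python sketch that is not part of the original e-mail and not fail2ban's own code. It assumes Python 3's `configparser` (which has no implicit `__name__`, so the jail name is passed in explicitly), a simplified parser for the bracket syntax, and a hypothetical `[apache]` jail alongside the quoted `[ssh]` one.

```python
import configparser
import re

# Constructed sample: the quoted jail.local, reduced to name and fwchain,
# plus a hypothetical [apache] jail that sets no fwchain of its own.
JAIL_LOCAL = """
[DEFAULT]
action = iptables-flex[name=%(__name__)s, fwchain=%(fwchain)s]
fwchain = INPUT

[ssh]
fwchain = ssh-tarpit

[apache]
"""

# [Init] defaults and one [Definition] line from the quoted iptables-flex.local.
ACTION_INIT = {"whitelist": "ssh-whitelist", "fwchain": "INPUT",
               "name": "default", "port": "ssh", "protocol": "tcp"}
ACTIONCHECK = "iptables -L <fwchain> | grep -q fail2ban-<name>"


def parse_action(spec):
    """Split 'name[k=v, k2=v2]' into (name, {k: v}); simplified, no quoted commas."""
    m = re.fullmatch(r"\s*([\w.-]+)\s*(?:\[(.*)\])?\s*", spec, re.S)
    if m is None:
        raise ValueError(f"malformed action spec: {spec!r}")
    opts = {}
    for pair in filter(None, (p.strip() for p in (m.group(2) or "").split(","))):
        key, _, value = pair.partition("=")
        opts[key.strip()] = value.strip().strip('"')
    return m.group(1), opts


def resolve(jail):
    """Return (expanded actioncheck, [Init] keys shadowed by the jail's action line)."""
    cp = configparser.ConfigParser()
    cp.read_string(JAIL_LOCAL)
    # Assumption: Python 3 configparser has no implicit __name__, so supply it.
    spec = cp.get(jail, "action", vars={"__name__": jail})
    _, overrides = parse_action(spec)
    tags = {**ACTION_INIT, **overrides}  # bracket parameters win over [Init]
    command = re.sub(r"<(\w+)>", lambda t: tags.get(t.group(1), t.group(0)), ACTIONCHECK)
    return command, sorted(ACTION_INIT.keys() & overrides.keys())


if __name__ == "__main__":
    for jail in ("ssh", "apache"):
        print(jail, *resolve(jail), sep=" -> ")
```

For both jails the second element of the result lists `fwchain` and `name`: the `[Init]` values for those two keys are never reached, while `whitelist`, `port` and `protocol` still come from `[Init]` in this reduced sample.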

