Hi Yaroslav.

Sorry for my late reply.

On Thu, 2009-07-09 at 00:12 -0400, Yaroslav Halchenko wrote:
> Should we still discuss the issue of the order of fail2ban vs
> iptables/firewall startup, and possible fail2ban-aware setup of
> firewall.  imho the problem is clearly not of important severity,
> and just a matter of documentation and common sense.
Not sure about this,.. my solution is apparently a little bit
complicated....

In it's default config, fail2ban uses -I to add the rule (for jumping to
it's block-chain ) to INPUT.
So the rule is added as the first of the chain.


Depending on the User's setup this can lead to problems in both cases
(IMHO), either if the other rules are added before or afterward.

Imagine a user want's to set a global whitelist for some IP with ssh,
but fail2ban comes first,.. this whitlist won't work.

Or the other way, a user has DENY-policy,... but a rule that allows ssh.
If this rule comes before fail2ban,... it (fail2ban) won't work.


One could think about using the upcoming dependency based sys-rc,... but
I think the above problems will remain.

My hook-based solution has the advantage the the user can/must control
where fail2ban's rules are inserted,... and the disadvantage that he
must do so ;)



Best wishes,
Chris.

Attachment: smime.p7s
Description: S/MIME cryptographic signature

Reply via email to