On 16/06/11 12:12, Nikolaos Milas wrote: > On 16/6/2011 12:34 πμ, Ed W wrote: > >> I don't see why fail2ban would have anything to do with ipv6 since it >> simply runs a script when something needs doing? Just adapt your script? >> Not having tried it, but possibly the regexps need tweaking also? > > Thanks Ed. You could be right. It could work, *if* fail2ban engine does > not do any particular internal processing with IP addresses in order to > implement the rules logic (which I doubt; for example, when it adds > iptables rules, it refers to ip address as <ip> - see below). In the > official fail2ban site: > http://www.fail2ban.org/wiki/index.php/Fail2ban:Community_Portal#IPv6, > we don't see any solution related to IPv6. > > If it's feasible, I wonder why we can't find anything about that in the > Internet or in fail2ban site. No one has done it yet? On the contrary, > we can find ample "complaints" that fail2ban won't work with IPv6.
There has been some discussion on the fail2ban mailing list about ipv6 support implementations lately. Please see http://sourceforge.net/mailarchive/forum.php?forum_name=fail2ban-users (thank you SF for the awesome UI). > Nowhere can we find ipv6 "filters" and "actions" for fail2ban. As long as fail2ban has no support for catching ipv6 ip addresses, there is no use for a filter that can handle these. Adaptation of the iptables actions to ip6tables would be trivial, though. > If someone (has time and) is sufficiently competent with > iptables/ip6tables, then he could try to prepare such actions (and > create filters with regex expressions to catch ipv6 events from logs > too) and then give it a try. > Again, most of the pros, cons and implementation issues came along on the mailing list. I suggest that you take your fail2ban issue there, since this is no dovecot issue :) -- Regards, Tom
