I'm starting to get fail2ban set up for use with a Postfix server.

I'm running

        iptables -V
                iptables v1.6.0
        ipset -V
                ipset v6.29, protocol version: 6
        shorewall-lite version
                4.6.13.4

I built & installed the latest fail2ban

        fail2ban-server -V
                Fail2Ban v0.9.4.dev0

The included "shorewall-ipset-proto6" action conf states

        cat ./action.d/shorewall-ipset-proto6.conf

        # The default Shorewall configuration is with "BLACKLISTNEWONLY=Yes" (see
        # file /etc/shorewall/shorewall.conf). This means that when Fail2ban adds a
        # new shorewall rule to ban an IP address, that rule will affect only new
        # connections. So if the attacker goes on trying using the same connection
        # he could even log in. In order to get the same behavior of the iptable
        # action (so that the ban is immediate) the /etc/shorewall/shorewall.conf
        # file should me modified with "BLACKLISTNEWONLY=No".

and 

        # IPset was a feature introduced in the linux kernel 2.6.39 and 3.0.0
        # kernels, and you need Shorewall >= 4.5.5 to use this action.

From the current shorewall docs

        http://shorewall.net/blacklisting_support.htm

state

        The BLACKLIST option (Added in Shorewall 4.5.13) lists the Netfilter
        connection-tracking states that blacklist rules are to be applied to
        (states are NEW, ESTABLISHED, RELATED, INVALID, NOTRACK). The BLACKLIST
        option supersedes the BLACKLISTNEWONLY option:

            BLACKLISTNEWONLY=No -- All incoming packets are checked against the
            blacklist. New blacklist entries can be used to terminate existing
            connections.

            BLACKLISTNEWONLY=Yes -- The blacklists are only consulted for new
            connection requests. Blacklists may not be used to terminate existing
            connections.

So, "In order to get the same behavior of the iptable action (so that the ban is immediate)", what setting is required for fail2ban to work?

Do we now need

        BLACKLIST="ALL"

or is 

        BLACKLIST="NEW,INVALID,UNTRACKED"

sufficient?

Jason
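An added example, not from the original post or from the fail2ban or Shorewall projects: a small checker that reads a shorewall.conf fragment and applies the precedence rule quoted above (BLACKLIST supersedes BLACKLISTNEWONLY) to report which connection-tracking states the blacklist is consulted for. It assumes that a ban can only terminate an existing connection when ESTABLISHED is among the consulted states, that BLACKLIST="ALL" means every state, and that an unset BLACKLISTNEWONLY defaults to Yes as the action's comment says.

```python
# Connection-tracking states listed in the quoted Shorewall docs.
DOC_STATES = {"NEW", "ESTABLISHED", "RELATED", "INVALID", "NOTRACK"}


def parse_shorewall_conf(text):
    """Return KEY -> value from shorewall.conf-style text, dropping comments
    and surrounding quotes. Only simple KEY=value lines are handled."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip().strip('"').strip("'")
    return conf


def blacklisted_states(conf):
    """States the blacklist is consulted for. BLACKLIST (4.5.13+) wins when
    it is set; otherwise fall back to the older BLACKLISTNEWONLY option."""
    raw = conf.get("BLACKLIST", "").upper()
    if raw:
        if raw == "ALL":  # assumption: ALL covers every state
            return set(DOC_STATES)
        return {s.strip() for s in raw.split(",") if s.strip()}
    # Assumption: unset BLACKLISTNEWONLY behaves as the documented default, Yes.
    if conf.get("BLACKLISTNEWONLY", "Yes").upper() == "NO":
        return set(DOC_STATES)
    return {"NEW"}


def check_conf(text):
    """Report the consulted states and whether a new ban can drop an
    attacker's existing connection (ESTABLISHED is consulted)."""
    states = blacklisted_states(parse_shorewall_conf(text))
    return {"states": sorted(states), "immediate": "ESTABLISHED" in states}


if __name__ == "__main__":
    # Constructed fragments covering the two candidates from the question
    # plus the older option the action's comment refers to.
    for fragment in ('BLACKLIST="ALL"',
                     'BLACKLIST="NEW,INVALID,UNTRACKED"',
                     'BLACKLISTNEWONLY=No',
                     '# nothing set: documented default applies'):
        print(f"{fragment!r:45} -> {check_conf(fragment)}")
```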

_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users