Hello Igor!

On 10.01.2017 at 17:54, Igor wrote:
> 1. Suggestion:
> I've been (mostly) successfully using fail2ban on a FreeBSD box for some
> time, employing bsd-ipfw action to block the IPs.
> When it does that, fail2ban adds the table as the first rule (unless there
> are other tables):
>
> actionstart = ipfw show | fgrep -q 'table(<table>)' || ( ipfw show | awk
> 'BEGIN { b = 1 } { if ($1 <= b) { b = $1 + 1 } else { e = b } } END { if
> (e) exit e <br> else exit b }'; num=$?; ipfw -q add $num <blocktype>
> <block> from table\(<table>\) to me <port>; echo $num > "<startstatefile>"
> )
>
> The problem with that behavior is that it adds the table rule with the
> number that corresponds to the table number ($num), which in case of just
> one table is "1".
>
> In some cases the firewall configuration may have rules that must be first
> to prevent accidental lockdown of the server (especially if the server is
> remote). Typical rule numbering (by default) in ipfw goes with a step of
> 100. So, what would be very convenient is to add a configurable option for
> bsd-ipfw that would be the lowest number for the table rule.
>
> Something like
> ipfw_after_rule_number = 0
> in jail.conf,
>
> with a possibility to specify
> ipfw_after_rule_number = 1000
> in jail.local
>
> and then in bsd-ipfw:
> rule_num = $num + $ipfw_after_rule_number
The default works just fine with a default ruleset in FreeBSD: the first
rules start at about 100 and the fail2ban rules are coming first. If someone
modifies the rule set for a reason, in my opinion he would be better off if
he adds the rules for fail2ban manually and disables the actionstart /
actionstop commands. Though, it has some charm to have a start rule number
somewhere. I don't know if they have to be in jail.conf or if they could be
in the bsd-ipfw.conf itself.

> 2. Existing problem:
>
> Also, what would make sense is to add a check if the specific rule already
> exists in the active ipfw, to avoid accidental duplication of rule
> numbers, as that would be
> a problem when the rule is being deleted by fail2ban when it stops
> (in actionstop). If more than one rule has the same number, fail2ban's
> actionstop will delete all rules with that number.
>
> As far as I can tell, this check is currently missing: fail2ban only
> checks if there is a table with the same number. The only
> reason there is no collision is that no other script is using rule #1, but
> can you rely on that?

Can we have multiple rules with the same rule number? I'm not sure of that
but then I never tried. I thought the awk script tries to find the next free
rule number. If we can have multiple rules under the same number then I
agree: the script should continue until it finds a free rule number. This
makes sense in any case, independent from your first point: there might be
other software which tries to add rules automatically.

Best regards
Christoph

PS: Because you are using fail2ban under FreeBSD: I think that the default
path for the apache log files is still wrong. Can you confirm that? If yes,
we should have upstream patch it.
_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
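As an added example (not fail2ban's shipped bsd-ipfw action and not code from either poster), the following sh script shows both halves of the thread in working form: the gap scan from the action's awk, started at a configurable floor as Igor's proposed `ipfw_after_rule_number` would do, and a count of rules sharing a number that an actionstop could check before `ipfw delete`. ipfw does accept several rules under the same number and `ipfw delete N` removes all of them, which is the collision the second point is about. The `ipfw show` output is constructed; the variable name `ipfw_after_rule_number` is taken from the proposal and is not an existing fail2ban option.

```shell
#!/bin/sh
# Added example (not fail2ban's shipped bsd-ipfw action): choose the lowest
# free ipfw rule number at or above a configurable floor, and count how many
# rules already carry a given number so actionstop can refuse to delete more
# than the one rule it created.  ipfw accepts several rules under one number,
# and `ipfw delete N` removes all of them.

# Constructed sample of `ipfw show` output (rule number, packets, bytes, body).
# On a real host this would be: rules=$(ipfw show)
SAMPLE_IPFW_SHOW='00100 12 1024 allow ip from any to any via lo0
00100 0 0 deny ip from any to 127.0.0.0/8
00200 5 300 allow tcp from 192.0.2.10 to me 22
01000 0 0 allow ip from any to any
01001 0 0 deny ip from table(1) to me 22
65535 99 9999 deny ip from any to any'

# Hypothetical knob from the proposal: lowest rule number fail2ban may use.
ipfw_after_rule_number=${ipfw_after_rule_number:-1000}

# next_free_rule_number RULES FLOOR
# Prints the lowest number >= FLOOR that no rule uses.  Same gap scan as the
# action's awk (ipfw show lists rules sorted by number), but the result is
# printed instead of returned through the exit status, which is limited to 0-255.
next_free_rule_number() {
    printf '%s\n' "$1" | awk -v b="$2" '
        $1 + 0 >= b + 0 {
            if ($1 + 0 == b + 0) { b++ }      # number taken: move past it
            else if (!e)         { e = b }    # first gap found: remember it
        }
        END { print (e ? e : b) }'
}

# count_rules_with_number RULES NUM
# Prints how many rules carry NUM; anything other than 1 means a delete by
# number would hit rules fail2ban did not add (or nothing at all).
count_rules_with_number() {
    printf '%s\n' "$1" | awk -v n="$2" '$1 + 0 == n + 0 { c++ } END { print c + 0 }'
}

# What actionstart would run, computed from the sample instead of a live ipfw.
num=$(next_free_rule_number "$SAMPLE_IPFW_SHOW" "$ipfw_after_rule_number")
echo "actionstart would run: ipfw -q add $num deny ip from table(1) to me 22"

# What actionstop should verify before running `ipfw delete <number>`.
if [ "$(count_rules_with_number "$SAMPLE_IPFW_SHOW" 100)" -gt 1 ]; then
    echo "rule 100 is shared by several rules; deleting by number would remove all of them"
fi
```

With the sample above and a floor of 1000, the scan skips 100, 100 and 200, finds 1000 and 1001 taken, and settles on 1002; with the action's default floor of 1 it returns 1, exactly as the existing awk does. The count function is the piece the thread says is missing: rule 100 appears twice in the sample, so an actionstop that deleted "by number" would take out the loopback rule along with its own.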