On 22 March 2017 at 13:15, Igor <fail2ban-l...@komkon.org> wrote:
>
>
> On Wed, 22 Mar 2017, Dominic Raferd wrote:
>
>
>>
>> On 21 March 2017 at 14:36, Igor <fail2ban-l...@komkon.org> wrote:
>>
>>
>> Sorry for the "bump", but I am still hoping that someone from the core
>> developers team would be able to respond.
>>
>> On Fri, 10 Mar 2017, Igor wrote:
>>
>> >
>> >
>> > I was testing a recent patch by Christoph (#1689):
>> > https://github.com/fail2ban/fail2ban/issues/1689
>> > (Thank you, Christoph!)
>> >
>> >
>> > That patch contains a new variable "lowest_rule_num" whose value is set
>> > in config/action.d/bsd-ipfw.conf
>> >
>> > I thought that setting its value in jail.local would override its
>> > default value, but it turns out that fail2ban does not read this
>> > value from jail.local (or from fail2ban.local), neither on "reload" nor on
>> > a fresh startup.
>> >
>> > I am probably wrong, but I thought that one can set any variable's value
>> > in jail.local (or fail2ban.local) and that will override their default
>> > values.
>> >
>> > Is this a bug or by design?
>> > Is there a way that defines the "scope" of a configuration variable
>> > (global vs. local) that would affect if the variable value can be set by
>> > a user in jail.local or fail2ban.local ?
>>
>>
>> A variable set within a named jail (in jail.conf or jail.conf or wherever)
>> will only affect that named jail. If you want a variable that can be used in
>> any jail, set it in the [DEFAULT] section. For instance, see sebres' idea at
>> https://github.com/fail2ban/fail2ban/issues/1464, and he states 'all the
>> parameters described in man [for] jail.conf can be used in [their]
>> respective jails. Default section contains the standard settings [which]
>> apply for all jails at once'.
>>
>>
>>
> Dominic, thank you for your response!
>
> While talking about "local" and "global" variables, I didn't mean the
> differentiation between a single jail and all jails. Rather, I meant
> variables that can be set only within a specific module (action in this
> case), and those that can be set in the "central" configuration files
> (jail.local or fail2ban.local).
>
> I have the variable set in jail.local in the [DEFAULT] section, and it is
> totally ignored. fail2ban-client -d does not show that value set. Instead,
> it shows the value set in action.d/bsd-ipfw.conf (if it is set).
>
> So, I am trying to figure out what is needed for a variable defined and
> used in action.d/*.conf to make it possible to set its value in
> jail.local .

I set a variable in [DEFAULT] section of jail.local and then I use it in
one of the jails below (in same file):

    [DEFAULT]
    # we create a special variable 'common_ignoreip' so we can add to this for specific jails below
    # - idea found at https://github.com/fail2ban/fail2ban/issues/1464
    common_ignoreip = 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
    ignoreip = %(common_ignoreip)s
    ...
    [postfix]
    # add ignore MxToolbox ip for testing
    ignoreip = %(common_ignoreip)s 64.20.227.128/28

Although my variable 'common_ignoreip' is not shown directly by
fail2ban-client -d it is used as I can see in output of fail2ban-client -d:

    ['set', 'postfix', 'addignoreip', '127.0.0.0/8']
    ['set', 'postfix', 'addignoreip', '10.0.0.0/8']
    ['set', 'postfix', 'addignoreip', '172.16.0.0/12']
    ['set', 'postfix', 'addignoreip', '192.168.0.0/16']
    ['set', 'postfix', 'addignoreip', '64.20.227.128/28']

I don't know if variables set in a jail conf file can be read by an action
file - the man page says that jail.local can override action settings but
only (it seems) for [Init] section actions.
_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
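
Added example, not part of the original thread and not fail2ban's own code: a short audit of the [DEFAULT] interpolation pattern shown in the last message, resolving each jail's effective ignoreip and reporting entries that exempt non-internal addresses from banning. It assumes Python's standard configparser as a stand-in for fail2ban's config reader; the [sshd] jail and all function names are hypothetical.

```python
import configparser
import ipaddress

# Constructed sample mirroring the jail.local fragment quoted in the message.
# The [sshd] jail is an assumption added to show plain inheritance.
JAIL_LOCAL = """
[DEFAULT]
common_ignoreip = 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
ignoreip = %(common_ignoreip)s

[postfix]
ignoreip = %(common_ignoreip)s 64.20.227.128/28

[sshd]
enabled = true
"""


def effective_ignoreip(text):
    """Return {jail: [entry, ...]} after %(name)s interpolation."""
    parser = configparser.ConfigParser()  # default interpolation handles %(name)s
    parser.read_string(text)
    result = {}
    for jail in parser.sections():  # sections() does not list [DEFAULT]
        raw = parser.get(jail, "ignoreip", fallback="")
        result[jail] = raw.replace(",", " ").split()
    return result


def is_internal(entry):
    """True only for entries that parse as a private or loopback network."""
    try:
        net = ipaddress.ip_network(entry, strict=False)
    except ValueError:  # hostname or typo: cannot be shown to be internal
        return False
    return net.is_private or net.is_loopback


def external_exemptions(text):
    """Return {jail: [entry, ...]} for exemptions reaching beyond internal ranges."""
    flagged = {}
    for jail, entries in effective_ignoreip(text).items():
        outside = [e for e in entries if not is_internal(e)]
        if outside:
            flagged[jail] = outside
    return flagged


if __name__ == "__main__":
    for jail, entries in external_exemptions(JAIL_LOCAL).items():
        print(f"{jail}: exempt from banning -> {' '.join(entries)}")
```

Entries that do not parse as a network (hostnames, typos) are reported as well, since they cannot be shown to be internal.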