Bug#709614: fail2ban: shorewall action fails to ban
Package: fail2ban
Version: 0.8.9-1
Severity: normal
Tags: upstream patch

Dear Maintainer,

The shorewall.conf action supplied with fail2ban doesn't actually work - hosts are not added to shorewall - due to a misconfiguration.

The actionban in the file is shorewall <blocktype> <ip>, but fail2ban only translates the <ip> token. As a result the command run is shorewall <blocktype> 192.0.2.1, for example. This results in shorewall <blocktype> 78.47.79.193 returned 200 in fail2ban.log.

Changing <blocktype> to %(blocktype)s allows the blocktype parameter to be properly substituted.

-- System Information:
Debian Release: jessie/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 3.8.0 (SMP w/2 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages fail2ban depends on:
ii  lsb-base  4.1+Debian9
ii  python    2.7.3-5

Versions of packages fail2ban recommends:
ii  iptables          1.4.14-3.1
ii  python-pyinotify  0.9.3-1.1
ii  whois             5.0.25

Versions of packages fail2ban suggests:
ii  bsd-mailx [mailx]            8.1.2-0.2006cvs-1
ii  python-gamin                 0.1.10-4.1
ii  rsyslog [system-log-daemon]  5.8.11-3

-- Configuration Files:
/etc/fail2ban/action.d/shorewall.conf changed:
[Definition]
actionstart =
actionstop =
actioncheck =
actionban = /sbin/shorewall %(blocktype)s <ip>
actionunban = /sbin/shorewall allow <ip>
blocktype = reject

-- no debconf information

--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#709614: fail2ban: shorewall action fails to ban
Hi Paul -- thanks a bunch.

The problem is that it should have been defined in the [Init] section, not in [Definition] of action files. Switching to string interpolations would not be a full proper solution since that would disallow tune up from jail.conf, I believe.

I will have it fixed upstream asap (a few more actions are affected as well).

Cheers

On Fri, 24 May 2013, Paul Saunders wrote:

> Package: fail2ban
> Version: 0.8.9-1
> Severity: normal
> Tags: upstream patch
>
> Dear Maintainer,
>
> The shorewall.conf action supplied with fail2ban doesn't actually work - hosts are not added to shorewall - due to a misconfiguration.
>
> The actionban in the file is shorewall <blocktype> <ip>, but fail2ban only translates the <ip> token. As a result the command run is shorewall <blocktype> 192.0.2.1, for example. This results in shorewall <blocktype> 78.47.79.193 returned 200 in fail2ban.log.
>
> Changing <blocktype> to %(blocktype)s allows the blocktype parameter to be properly substituted.
>
> -- System Information:
> Debian Release: jessie/sid
>   APT prefers testing
>   APT policy: (990, 'testing'), (500, 'unstable')
> Architecture: i386 (i686)
>
> Kernel: Linux 3.8.0 (SMP w/2 CPU cores)
> Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/dash
>
> Versions of packages fail2ban depends on:
> ii  lsb-base  4.1+Debian9
> ii  python    2.7.3-5
>
> Versions of packages fail2ban recommends:
> ii  iptables          1.4.14-3.1
> ii  python-pyinotify  0.9.3-1.1
> ii  whois             5.0.25
>
> Versions of packages fail2ban suggests:
> ii  bsd-mailx [mailx]            8.1.2-0.2006cvs-1
> ii  python-gamin                 0.1.10-4.1
> ii  rsyslog [system-log-daemon]  5.8.11-3
>
> -- Configuration Files:
> /etc/fail2ban/action.d/shorewall.conf changed:
> [Definition]
> actionstart =
> actionstop =
> actioncheck =
> actionban = /sbin/shorewall %(blocktype)s <ip>
> actionunban = /sbin/shorewall allow <ip>
> blocktype = reject
>
> -- no debconf information

--
Yaroslav O. Halchenko, Ph.D.
http://neuro.debian.net http://www.pymvpa.org http://www.fail2ban.org
Senior Research Associate, Psychological and Brain Sciences Dept.
Dartmouth College, 419 Moore Hall, Hinman Box 6207, Hanover, NH 03755
Phone: +1 (603) 646-9834 Fax: +1 (603) 646-1419
WWW: http://www.linkedin.com/in/yarik
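
A lint for the failure discussed in this thread, as an added example that is not part of the original messages or of fail2ban's own code: it reports `<tag>` tokens in an action's commands that have no default in `[Init]`, which is the condition under which a ban command runs with the literal tag and the host is never blocked. The `RUNTIME_TAGS` set and both sample configurations are assumptions constructed for the example.

```python
import configparser
import re

# Tags fail2ban fills in per ban at run time. This set is an assumption of the
# example; extend it to match the fail2ban version in use.
RUNTIME_TAGS = {"ip", "failures", "time"}
ACTION_KEYS = ("actionstart", "actionstop", "actioncheck", "actionban", "actionunban")
TAG_RE = re.compile(r"<([A-Za-z_][\w-]*)>")


def unresolved_tags(conf_text):
    """Return {action key: sorted <tags> that have no default in [Init]}."""
    parser = configparser.RawConfigParser()  # raw: leave %(name)s untouched
    parser.optionxform = str                 # keep option names case-sensitive
    parser.read_string(conf_text)
    init = set(parser.options("Init")) if parser.has_section("Init") else set()
    problems = {}
    for key in ACTION_KEYS:
        if not parser.has_option("Definition", key):
            continue
        tags = set(TAG_RE.findall(parser.get("Definition", key)))
        missing = sorted(t for t in tags if t not in init and t not in RUNTIME_TAGS)
        if missing:
            problems[key] = missing
    return problems


# Constructed sample modelled on the report: blocktype sits in [Definition],
# so the <blocktype> tag in actionban has nothing to be replaced with.
BROKEN = """\
[Definition]
actionstart =
actionstop =
actioncheck =
actionban = shorewall <blocktype> <ip>
actionunban = shorewall allow <ip>
blocktype = reject
"""

# Constructed sample: the same action with blocktype moved to [Init],
# the placement named in the maintainer's reply.
FIXED = BROKEN.replace("blocktype = reject\n", "") + "\n[Init]\nblocktype = reject\n"

if __name__ == "__main__":
    print("broken:", unresolved_tags(BROKEN))
    print("fixed: ", unresolved_tags(FIXED))
```

Running it over the files in /etc/fail2ban/action.d/ before enabling a jail surfaces actions whose ban command would fail silently in the way the report describes.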