Re: Firewall methods for fedora25
I've only got this working with sshd, which was my main concern, but I have the following that seems to work:

In /etc/fail2ban/jail.d:

$ ll
total 16
-rw-r--r--. 1 root root 270 Oct  3 17:43 00-firewalld.conf
-rw-r--r--. 1 root root 272 Oct  3 17:43 00-systemd.conf
-rw-r--r--. 1 root root  40 Mar 19  2014 fedora-firewalld.local
-rw-r--r--. 1 root root  48 Mar  1  2015 sshd.local

$ cat fedora-firewalld.local
[DEFAULT]
banaction = firewallcmd-ipset

$ cat sshd.local
[DEFAULT]
bantime = 3600

[sshd]
enabled = true

I agree though that the firewalld and fail2ban maintainers should get together and find a way to support this automatically.

Thanks,
Richard
___
users mailing list -- users@lists.fedoraproject.org
To unsubscribe send an email to users-le...@lists.fedoraproject.org
Re: Firewall methods for fedora25
On Fri, 25 Nov 2016 20:31:13 -0500 Alex wrote:
> firewalld just doesn't seem to be appropriate for anything more than a
> desktop.

systemctl list-unit-files | fgrep firewall
systemctl disable firewalld.service
systemctl mask firewalld.service

Now firewalld is an inert lump.

systemctl enable iptables.service ip6tables.service

Now you have iptables back.
Re: Firewall methods for fedora25
On 26.11.2016, Alex wrote:
> firewalld just doesn't seem to be appropriate for anything more than a
> desktop. I'd appreciate any ideas on how you build a firewall for
> fedora servers, particularly as it relates to interoperating with
> fail2ban and standard Internet services.

Just disable it entirely and install shorewall. That's what I'm used to doing.
Re: Firewall methods for fedora25
On 11/26/16 09:31, Alex wrote:
> We typically offer submission, simap/spop, smtp, http/https, ssh, and
> domain services on our Internet servers. We also need snmp and nrpe
> for monitoring.

Except for "nrpe" (maybe known by a different name?), all of the services you mention can be selected in the firewalld-applet and can also be specified in the firewall-cmd command line interface.

--
You're Welcome
Zachary Quinto
Re: Firewall methods for fedora25
Alex writes:
> We typically offer submission, simap/spop, smtp, http/https, ssh, and
> domain services on our Internet servers. We also need snmp and nrpe
> for monitoring.
>
> Does anyone have a set of reasonable firewalld rules and understand
> how it interacts with fail2ban that they could share? firewalld
> doesn't even include all these services by default, so it's necessary
> to do it one port at a time...
>
> firewalld just doesn't seem to be appropriate for anything more than a
> desktop. I'd appreciate any ideas on how you build a firewall for
> fedora servers, particularly as it relates to interoperating with
> fail2ban and standard Internet services.

Well, you can simply start with the stock server firewall configuration. I don't recall, offhand, which ports it opens by default. Simply look at the default configuration, and make sure that all those ports are open. That's it.
Re: Firewall methods for fedora25
I don't use fail2ban, so I can't vouch that these instructions work. That being said, a quick google search of "firewalld fail2ban" led me to the very first search result of:

https://fedoraproject.org/wiki/Fail2ban_with_FirewallD

Do those instructions work?

On Fri, Nov 25, 2016 at 8:31 PM, Alex wrote:
> Hi,
>
> I'm most familiar and comfortable with iptables, and use shorewall on
> my firewalls. With fedora23, it appears the default has shifted to
> firewalld. This has created a problem for me ever since, particularly
> with trying to build a reasonable firewall on my mail servers, as well
> as interacting with fail2ban.
>
> We typically offer submission, simap/spop, smtp, http/https, ssh, and
> domain services on our Internet servers. We also need snmp and nrpe
> for monitoring.
>
> Does anyone have a set of reasonable firewalld rules and understand
> how it interacts with fail2ban that they could share? firewalld
> doesn't even include all these services by default, so it's necessary
> to do it one port at a time...
>
> firewalld just doesn't seem to be appropriate for anything more than a
> desktop. I'd appreciate any ideas on how you build a firewall for
> fedora servers, particularly as it relates to interoperating with
> fail2ban and standard Internet services.
>
> Thanks,
> Alex
Firewall methods for fedora25
Hi,

I'm most familiar and comfortable with iptables, and use shorewall on my firewalls. With fedora23, it appears the default has shifted to firewalld. This has created a problem for me ever since, particularly with trying to build a reasonable firewall on my mail servers, as well as interacting with fail2ban.

We typically offer submission, simap/spop, smtp, http/https, ssh, and domain services on our Internet servers. We also need snmp and nrpe for monitoring.

Does anyone have a set of reasonable firewalld rules and understand how it interacts with fail2ban that they could share? firewalld doesn't even include all these services by default, so it's necessary to do it one port at a time...

firewalld just doesn't seem to be appropriate for anything more than a desktop. I'd appreciate any ideas on how you build a firewall for fedora servers, particularly as it relates to interoperating with fail2ban and standard Internet services.

Thanks,
Alex
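The rule set Alex asks for, as an added example that is not from any post in this thread and not Fedora's or firewalld's own code: a script that builds a dedicated firewalld zone allowing exactly the services listed (using the service names firewalld ships: smtp-submission, imaps, pop3s, dns, snmp, and so on), defines nrpe as a named custom service since Fedora 25's firewalld does not include one, and binds the public interface. It is dry-run by default so you can read the firewall-cmd invocations before applying them as root with DRY_RUN=0. The zone name mailsrv, the interface eth0 and the NRPE port 5666/tcp are assumptions for this example; adjust them to your host. It is meant to sit beside Richard's jail.d fragments above (banaction = firewallcmd-ipset), and the comments note where firewalld reloads interfere with fail2ban's bans.

```shell
#!/bin/sh
# Added example (not from the thread): build a dedicated firewalld zone for a
# Fedora server offering the services Alex listed, plus a custom nrpe service.
# Dry-run by default: DRY_RUN=1 only prints the firewall-cmd invocations.
# Run with DRY_RUN=0 as root to apply. ZONE, IFACE and NRPE_PORT are
# placeholders chosen for this example; 5666/tcp is the stock NRPE port.

ZONE=${ZONE:-mailsrv}
IFACE=${IFACE:-eth0}
NRPE_PORT=${NRPE_PORT:-5666}
DRY_RUN=${DRY_RUN:-1}

# Alex's list, mapped to the service names firewalld ships:
#   submission -> smtp-submission, simap -> imaps, spop -> pop3s, domain -> dns
SERVICES="ssh smtp smtp-submission imaps pop3s http https dns snmp"

# Print the command in dry-run mode, otherwise execute it.
fw() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "firewall-cmd $*"
    else
        firewall-cmd "$@"
    fi
}

# True when firewalld already defines the named service. In dry-run mode it
# reports "missing" so the custom-service path is shown.
have_service() {
    [ "$DRY_RUN" != 1 ] || return 1
    firewall-cmd --get-services | tr ' ' '\n' | grep -qx "$1"
}

# Fedora 25's firewalld has no nrpe service, so define one instead of opening
# a bare port; a named service keeps "--list-all" output readable.
define_nrpe_service() {
    if ! have_service nrpe; then
        fw --permanent --new-service=nrpe
        fw --permanent --service=nrpe --set-short="Nagios NRPE"
        fw --permanent --service=nrpe --add-port="${NRPE_PORT}/tcp"
    fi
}

# Create the zone, allow exactly the listed services, bind the public
# interface and make the zone the default. Everything is --permanent; one
# --reload activates it, then --set-default-zone applies to both configs.
build_zone() {
    fw --permanent --new-zone="$ZONE"
    for svc in $SERVICES nrpe; do
        fw --permanent --zone="$ZONE" --add-service="$svc"
    done
    fw --permanent --zone="$ZONE" --change-interface="$IFACE"
    fw --reload
    fw --set-default-zone="$ZONE"
    # --reload discards runtime-only state, which includes the direct rules
    # and ipsets that fail2ban's firewallcmd-ipset action installs, so the
    # bans must be re-applied afterwards: systemctl restart fail2ban
}

# Show what fail2ban has injected at runtime: its direct rules reference
# ipsets named f2b-<jail>, e.g. f2b-sshd for Richard's sshd jail.
inspect_bans() {
    fw --direct --get-all-rules
}

define_nrpe_service
build_zone
```

A new zone's target is the firewalld default, which rejects unmatched traffic with an ICMP error; add `fw --permanent --zone="$ZONE" --set-target=DROP` in build_zone if you want a silent drop instead. Keep your own changes on the --permanent path as this script does, and restart fail2ban after every `firewall-cmd --reload`, otherwise the host is briefly unbanned without anything in the logs saying so.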