Re: Firewall methods for fedora25

2016-11-26 Thread Richard Shaw
I've only got this working with sshd which was my main concern but I have
the following that seems to work:

In /etc/fail2ban/jail.d:
$ ll
total 16
-rw-r--r--. 1 root root 270 Oct  3 17:43 00-firewalld.conf
-rw-r--r--. 1 root root 272 Oct  3 17:43 00-systemd.conf
-rw-r--r--. 1 root root  40 Mar 19  2014 fedora-firewalld.local
-rw-r--r--. 1 root root  48 Mar  1  2015 sshd.local

$ cat fedora-firewalld.local
[DEFAULT]
banaction = firewallcmd-ipset

$ cat sshd.local
[DEFAULT]
bantime = 3600

[sshd]
enabled = true


I agree though that the firewalld and fail2ban maintainers should get
together and find a way to support this automatically.

Thanks,
Richard
___
users mailing list -- users@lists.fedoraproject.org
To unsubscribe send an email to users-le...@lists.fedoraproject.org
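
An added example, not part of the post above and not fail2ban's own code: a simplified model, using Python's configparser, of how fail2ban layers the jail.d files listed in that post. JAIL_CONF is a constructed stand-in for the distribution's jail.conf (the postfix jail is only there for contrast); the two .local bodies are the ones shown in the post. It shows that `bantime` in the `[DEFAULT]` section of sshd.local applies to every jail, not only sshd.

```python
import configparser

# Constructed stand-in for the distribution's jail.conf (not from the post).
JAIL_CONF = """
[DEFAULT]
enabled = false
bantime = 600
banaction = iptables-multiport

[sshd]
port = ssh

[postfix]
port = smtp
"""

# The two jail.d files whose contents the post shows.
JAIL_D = {
    "fedora-firewalld.local": "[DEFAULT]\nbanaction = firewallcmd-ipset\n",
    "sshd.local": "[DEFAULT]\nbantime = 3600\n\n[sshd]\nenabled = true\n",
}


def effective(jail_conf, jail_d, jail_local=""):
    """Merge in fail2ban's documented order; later files override earlier ones:
    jail.conf, jail.d/*.conf, jail.local, jail.d/*.local (each group sorted)."""
    confs = sorted(n for n in jail_d if n.endswith(".conf"))
    locs = sorted(n for n in jail_d if n.endswith(".local"))
    layers = [jail_conf, *(jail_d[n] for n in confs),
              jail_local, *(jail_d[n] for n in locs)]
    cp = configparser.ConfigParser(interpolation=None)
    for text in layers:
        cp.read_string(text)
    # Each jail section inherits every [DEFAULT] key it does not set itself.
    return {jail: dict(cp[jail]) for jail in cp.sections()}


def enabled_jails(eff):
    """Names of jails whose merged 'enabled' value is true."""
    return sorted(j for j, opts in eff.items() if opts["enabled"] == "true")


if __name__ == "__main__":
    eff = effective(JAIL_CONF, JAIL_D)
    for jail, opts in eff.items():
        print(jail, opts["enabled"], opts["bantime"], opts["banaction"])
```

On a real host, `fail2ban-client -d` dumps the configuration fail2ban actually parsed, which is the authoritative check.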


Re: Firewall methods for fedora25

2016-11-26 Thread Tom Horsley
On Fri, 25 Nov 2016 20:31:13 -0500
Alex wrote:

> firewalld just doesn't seem to be appropriate for anything more than a
> desktop.

systemctl list-unit-files | fgrep firewall

systemctl disable 
systemctl mask 

Now firewalld is an inert lump.

systemctl enable iptables.service ip6tables.service

Now you have iptables back.


Re: Firewall methods for fedora25

2016-11-26 Thread Heinz Diehl
On 26.11.2016, Alex wrote: 

> firewalld just doesn't seem to be appropriate for anything more than a
> desktop. I'd appreciate any ideas on how you build a firewall for
> fedora servers, particularly as it relates to interoperating with
> fail2ban and standard Internet services.

Just disable it entirely and install shorewall. That's what I'm used
to doing.


Re: Firewall methods for fedora25

2016-11-25 Thread Ed Greshko


On 11/26/16 09:31, Alex wrote:
> We typically offer submission, simap/spop, smtp, http/https, ssh, and
> domain services on our Internet servers. We also need snmp and nrpe
> for monitoring.

Except for "nrpe" (maybe known by a different name?) all of the services you
mention can be selected in the firewalld-applet and can also be specified in
the firewall-cmd command line interface.

-- 
You're Welcome Zachary Quinto


Re: Firewall methods for fedora25

2016-11-25 Thread Sam Varshavchik

Alex writes:

> We typically offer submission, simap/spop, smtp, http/https, ssh, and
> domain services on our Internet servers. We also need snmp and nrpe
> for monitoring.
>
> Does anyone have a set of reasonable firewalld rules and understand
> how it interacts with fail2ban that they could share? firewalld
> doesn't even include all these services by default, so it's necessary
> to do it one port at a time...
>
> firewalld just doesn't seem to be appropriate for anything more than a
> desktop. I'd appreciate any ideas on how you build a firewall for
> fedora servers, particularly as it relates to interoperating with
> fail2ban and standard Internet services.


Well, you can simply start with the stock server firewall configuration. I  
don't recall, offhand, which ports it opens by default. Simply look at the  
default configuration, and make sure that all those ports are open. That's  
it.






Re: Firewall methods for fedora25

2016-11-25 Thread Eric Griffith
I don't use fail2ban, so I can't vouch that these instructions work. That
being said, a quick google search of "firewalld fail2ban" led me to the
very first search result of:
https://fedoraproject.org/wiki/Fail2ban_with_FirewallD


Do those instructions work?

On Fri, Nov 25, 2016 at 8:31 PM, Alex wrote:

> Hi,
>
> I'm most familiar and comfortable with iptables, and use shorewall on
> my firewalls. With fedora23, it appears the default has shifted to
> firewalld. This has created a problem for me ever since, particularly
> with trying to build a reasonable firewall on my mail servers, as well
> as interacting with fail2ban.
>
> We typically offer submission, simap/spop, smtp, http/https, ssh, and
> domain services on our Internet servers. We also need snmp and nrpe
> for monitoring.
>
> Does anyone have a set of reasonable firewalld rules and understand
> how it interacts with fail2ban that they could share? firewalld
> doesn't even include all these services by default, so it's necessary
> to do it one port at a time...
>
> firewalld just doesn't seem to be appropriate for anything more than a
> desktop. I'd appreciate any ideas on how you build a firewall for
> fedora servers, particularly as it relates to interoperating with
> fail2ban and standard Internet services.
>
> Thanks,
> Alex


Firewall methods for fedora25

2016-11-25 Thread Alex
Hi,

I'm most familiar and comfortable with iptables, and use shorewall on
my firewalls. With fedora23, it appears the default has shifted to
firewalld. This has created a problem for me ever since, particularly
with trying to build a reasonable firewall on my mail servers, as well
as interacting with fail2ban.

We typically offer submission, simap/spop, smtp, http/https, ssh, and
domain services on our Internet servers. We also need snmp and nrpe
for monitoring.

Does anyone have a set of reasonable firewalld rules and understand
how it interacts with fail2ban that they could share? firewalld
doesn't even include all these services by default, so it's necessary
to do it one port at a time...

firewalld just doesn't seem to be appropriate for anything more than a
desktop. I'd appreciate any ideas on how you build a firewall for
fedora servers, particularly as it relates to interoperating with
fail2ban and standard Internet services.

Thanks,
Alex