On 11/26/2013 5:57 AM, Brian J. Murrell wrote:
> So, per a previous discussion on this list I have been using ipsets to
> manage a fail2ban populated blacklist. In the blacklist file I have:
>
>
> <IP ADDRESS 1>
> <IP ADDRESS 2>
> ...
> <IP ADDRESS N>
> +fail2ban
> +fail2ban_perm
>
>
> And then fail2ban has actions to insert and remove items from those
> ipsets. Good so far.
>
> One problem is though that I am finding that those ipsets are not
> automatically created. I noticed a section in my init that is creating
> ipsets:
>
> #START IPSET CREATION -- DO NOT REMOVE
> # create the named set only if it does not exist yet
> new_ipset() {
>     local NAME="$1"
>     ipset -L "$NAME" >/dev/null 2>&1 || {
>         /bin/echo -e "$NAME...\c"
>         ipset -N "$NAME" iphash
>     }
> }
>
> /bin/echo -e "Creating any undefined ipsets...\c"
> new_ipset "foo"
> ...
> new_ipset "abc_gw"
> ABC_GATEWAY=$(detect_gateway $ABCIF)
> ipset -A abc_gw "$ABC_GATEWAY"
> echo
> #END IPSET CREATION -- DO NOT REMOVE
>
> That code looks like something I would write but I don't know where it
> came from since it appears to be getting inserted into init by the
> generated firewall script and I can't find it anywhere else.

It is not generated by Shorewall; must have been created by some other product.

>
> In any case, a couple of questions:
>
> * are ipsets in general supposed to be created by shorewall?

Shorewall only creates ipsets that define dynamic zones. It does not create other ipsets.

> * are ipsets in the blacklist supposed to be created by
> shorewall?

No.

> * what's the best known practices for saving *selected* ipsets so
> that shorewall reloads on them on restart/reload?
> * I have a number of ipsets which I don't think I want
> restored on a shorewall restart/reload

Create/load them in the 'init' user exit when $COMMAND = start; save them in the 'stopped' user exit.

>
> I'm using Shorewall 4.5.15 on Fedora 19 FWIW.

-Tom
-- 
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
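One way to follow Tom's advice above (create/load the sets in the 'init' user exit when $COMMAND = start, save them in the 'stopped' user exit) as an added example; this is not code from the thread or from Shorewall itself. The state-file path and the set names are assumptions; only the sets listed as persistent are carried across a restart, so a transient set such as 'fail2ban' comes back empty.

```shell
# Added example, not from the thread: helper functions for the Shorewall
# 'init' and 'stopped' user exits. $COMMAND is the variable Shorewall
# sets for its user exits; everything else below is an assumption.

IPSET_STATE=${IPSET_STATE:-/var/lib/shorewall/ipsets.save}   # assumed path
PERSISTENT_SETS=${PERSISTENT_SETS:-fail2ban_perm}            # survive a restart
TRANSIENT_SETS=${TRANSIENT_SETS:-fail2ban}                   # recreated empty

# Create a set only if it does not already exist (the same check the quoted
# new_ipset makes, written with the ipset 6 command syntax).
ensure_ipset() {
    ipset list "$1" >/dev/null 2>&1 || ipset create "$1" hash:ip
}

# For /etc/shorewall/init, guarded by:  [ "$COMMAND" = start ] && init_ipsets
# Restores the persistent sets from the state file, if there is one, then makes
# sure every set the blacklist file refers to exists before fail2ban touches it.
init_ipsets() {
    if [ -s "$IPSET_STATE" ]; then
        # -exist stops restore from failing when a set survived in the kernel
        ipset -exist restore < "$IPSET_STATE" || return 1
    fi
    for s in $PERSISTENT_SETS $TRANSIENT_SETS; do
        ensure_ipset "$s" || return 1
    done
}

# For /etc/shorewall/stopped: write only the persistent sets to the state
# file, via a temporary file, so a half-written save never gets restored.
save_ipsets() {
    : > "$IPSET_STATE.tmp" || return 1
    for s in $PERSISTENT_SETS; do
        ipset save "$s" >> "$IPSET_STATE.tmp" || return 1
    done
    mv "$IPSET_STATE.tmp" "$IPSET_STATE"
}
```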
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
