On 5/5/2014 12:11 PM, Emiliano Marino wrote:
> Hi! This is my first email to this mailing list.
>
> I am playing with ipsets and shorewall and I'm failing to create (using
> shorewall) an ipset with a default timeout.
> When shorewall compiles, it throws me a warning saying that the ipset does not
> exist (it is right), and when it starts, at some stage of the init procedure,
> it creates the ipset.
> I can't (or don't know how to) change the shorewall command that creates the
> ipset. I even tried to use the "Init" script, but the ipset is already created
> when the script is executed.
>
> So, does anybody have a suggestion?
> I know that if I make a script that creates the ipset before shorewall starts,
> that does the job, but I prefer to do it inside shorewall or in shorewall's
> own terms.
>
> Sorry for my English :)
> Thanks in advance
>
>
> ------------------------------------------------------------------------------
> Is your legacy SCM system holding you back? Join Perforce May 7 to find out:
> • 3 signs your SCM is hindering your productivity
> • Requirements for releasing software faster
> • Expert tips and advice for migrating your SCM now
> http://p.sf.net/sfu/perforce
>
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users

I define my ipsets in /etc/shorewall/init:
# load the ipset kernel module before the sets are created
modprobe ip_set
# -exist keeps a restart from failing when the set is already there;
# timeout sets the default lifetime (seconds) of each entry
ipset -exist create fail2ban-IpPort hash:ip,port timeout 3600
ipset -exist create fail2ban-Ip hash:ip timeout 86400

This is on Fedora 19 with SELinux.  SELinux will deny the 'ipset create' by
default when run by systemctl.  I created a policy to allow it:
module my_shorewall_ipset 1.0;

require {
         type shorewall_t;
         type kernel_t;
         class system module_request;
}

#============= shorewall_t ==============

#!!!! This avc can be allowed using the boolean 'domain_kernel_load_modules'
allow shorewall_t kernel_t:system module_request;


Bill
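The approach Bill describes (create the sets idempotently from the shorewall init extension script, with a default timeout) as an added, self-contained example that is not Bill's script and not part of Shorewall itself. The set names and timeouts are the ones from the thread; the `ipset list -t` header text used for the check is a constructed sample, not output captured from a real host, and the `IPSET_SPEC` table and the function names are my own.

```shell
#!/bin/sh
# Added example: an /etc/shorewall/init-style helper that creates each ipset
# idempotently with a default entry timeout, plus a check that reads the
# "Header:" line printed by `ipset list -t <name>` to confirm the timeout.

# One set per line: "<name> <type> <default-timeout-seconds>" (names from the thread)
IPSET_SPEC="fail2ban-IpPort hash:ip,port 3600
fail2ban-Ip hash:ip 86400"

# Print the exact ipset command for one set. -exist makes the call harmless
# when the set already exists, which is what happens on a shorewall restart.
ipset_create_cmd() {
    printf 'ipset -exist create %s %s timeout %s\n' "$1" "$2" "$3"
}

# Create every set in IPSET_SPEC. Returns 1 if ipset is missing or a create fails.
# A here-document (not a pipe) feeds the loop so `return` works in the function.
ensure_ipsets() {
    command -v ipset >/dev/null 2>&1 || { echo "ipset not installed" >&2; return 1; }
    modprobe ip_set 2>/dev/null || true
    while read -r name type tmo; do
        [ -n "$name" ] || continue
        ipset -exist create "$name" "$type" timeout "$tmo" || return 1
    done <<EOF
$IPSET_SPEC
EOF
}

# Read `ipset list -t` output on stdin and print the default timeout from the
# "Header:" line (prints nothing when the set has no timeout).
ipset_timeout_from_header() {
    sed -n 's/^Header:.*timeout \([0-9][0-9]*\).*/\1/p'
}

# Constructed sample of what `ipset list -t fail2ban-Ip` prints after the
# create above; used here so the check can be exercised offline.
SAMPLE_HEADER='Name: fail2ban-Ip
Type: hash:ip
Revision: 4
Header: family inet hashsize 1024 maxelem 65536 timeout 86400
Size in memory: 184
References: 1
Number of entries: 0'

# check_timeout <listing> <expected-seconds>: 0 when the default timeout matches.
check_timeout() {
    [ "$(printf '%s\n' "$1" | ipset_timeout_from_header)" = "$2" ]
}

# Usage on a real host (the default-timeout check is what tells you the set was
# not already created earlier, without a timeout, by something else):
#   ensure_ipsets && check_timeout "$(ipset list -t fail2ban-Ip)" 86400
```

Because `-exist` silently accepts a pre-existing set even when its options differ, the timeout check is worth running once after the first start: if another component created `fail2ban-Ip` earlier without `timeout`, entries added later would never expire. On the SELinux side, the `#!!!!` comment in Bill's module names the alternative to installing a custom module: enabling the `domain_kernel_load_modules` boolean, which is broader than the single `module_request` rule the module grants.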


