On 04/07/2016 06:42 PM, [email protected] wrote:
>
> I figure I'm most likely to bump into a fail2ban-using-shorewall user than a
> shorewall-using fail2ban user, so thought I'd ask about this here.
>
> I'm getting started running
>
>     shorewall-lite version
>     4.6.13.4
>     iptables -V
>     iptables v1.6.0
>     ipset -V
>     ipset v6.29, protocol version: 6
>
> on linux. I'd use version 5, but 4.6.13.4 looks like the last version my
> distro provides. (Not sure what to do about that yet.)
>
> Anyway, I'm working on getting fail2ban dynamic firewalling set up for use
> with my Postfix server.
>
> The latest version of fail2ban
>
>     fail2ban-server -V
>     Fail2Ban v0.9.4.dev0
>
> includes a "shorewall-ipset-proto6" action that monitors shorewall logs and
> writes entries to an ipset (IIUC).
>
> The 'action' is a bit old. It still references BLACKLISTNEWONLY= instead of
> the newer BLACKLIST= config in SW.
>
> The action's commands are
>
>     actionstart = if ! ipset -quiet -name list f2b-<name> >/dev/null;
>                   then ipset -quiet -exist create f2b-<name> hash:ip
>                        timeout <bantime>;
>                   fi
>     actionstop = ipset flush f2b-<name>
>     actionban = ipset add f2b-<name> <ip> timeout <bantime> -exist
>     actionunban = ipset del f2b-<name> <ip> -exist
>
>
> While reading the SW docs to figure out how to update the action
>
> http://shorewall.net/blacklisting_support.htm
>
> I discovered SW's "Dynamic Blacklisting". Which seems awfully convenient.
>
> Is there any reason NOT to replace those 'raw' ipset commands with
> equivalents that use SW's DYNAMIC BLACKLISTING?
>
> Better yet, is anyone here aware of an existing modern/current Fail2Ban
> 'action' for using SW's Dynamic BL'ing?
Shorewall's dynamic blacklisting doesn't use ipsets -- it simply appends
iptables rules to the 'dynamic' chain. So, using an ipset is a more efficient
mechanism if you plan on banning a large number of addresses.

-Tom
-- 
Tom Eastep           \ When I die, I want to go like my Grandfather who
Shoreline,            \ died peacefully in his sleep. Not screaming like
Washington, USA        \ all of the passengers in his car
http://shorewall.net    \________________________________________________
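An added example, not fail2ban's shipped action file and not code from this thread: the quoted action's four commands written as POSIX shell functions, with a dry-run hook (IPSET_CMD, an assumption of this example, set it to `echo` to print the commands without root) and a character sanity check on the address before it is handed to ipset.

```shell
#!/bin/sh
# Added example: the quoted fail2ban action (actionstart/stop/ban/unban) as
# shell functions. IPSET_CMD is an assumed hook for this example only: leave
# it unset to call the real ipset binary, or set IPSET_CMD=echo to print the
# commands instead of running them (handy for review on a box without root).
IPSET_CMD="${IPSET_CMD:-ipset}"

# Set name exactly as the action builds it: f2b-<jail>.
f2b_set_name() { printf 'f2b-%s\n' "$1"; }

# Sanity check before an address reaches ipset: only characters that can
# occur in an IPv4/IPv6 literal. Not a full parser; it just rejects junk such
# as a mis-captured log fragment or shell metacharacters.
f2b_valid_ip() {
    case "$1" in
        "" | *[!0-9a-fA-F.:]*) return 1 ;;
    esac
    return 0
}

# actionstart: create the hash:ip set with a default timeout only if it is
# missing, so restarting fail2ban keeps bans that are still in the set.
f2b_actionstart() {   # jail bantime
    name=$(f2b_set_name "$1")
    if ! "$IPSET_CMD" -quiet -name list "$name" >/dev/null 2>&1; then
        "$IPSET_CMD" -quiet -exist create "$name" hash:ip timeout "$2"
    fi
}

# actionstop: empty the set but leave it defined (as the action does), so a
# Shorewall rule that references the set keeps working.
f2b_actionstop() {    # jail
    "$IPSET_CMD" flush "$(f2b_set_name "$1")"
}

# actionban: add with a per-entry timeout; -exist makes a repeat ban refresh
# the timeout instead of failing.
f2b_actionban() {     # jail ip bantime
    f2b_valid_ip "$2" || return 1
    "$IPSET_CMD" add "$(f2b_set_name "$1")" "$2" timeout "$3" -exist
}

# actionunban: -exist keeps this idempotent if the entry already timed out.
f2b_actionunban() {   # jail ip
    f2b_valid_ip "$2" || return 1
    "$IPSET_CMD" del "$(f2b_set_name "$1")" "$2" -exist
}
```

On the Shorewall side the set is matched with Shorewall's +setname address syntax (for example `net:+f2b-postfix` as a source in a DROP rule), which is what makes the ipset bans take effect.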
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
