My setup is the following: fail2ban with some jails (working fine) using FirewallD to block the caught IPs.
Here is my default Firewall:
myzone
target: default
icmp-block-inversion: no
interfaces:
sources:
services: rcsa dhcpv6-client http https
ports: 80/tcp 443/tcp
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
rule family="ipv4" source address="79.48.51.171" port port="3306" protocol="tcp" accept
rule family="ipv4" source address="155.121.53.253" port port="22" protocol="tcp" accept
rule family="ipv4" source address="79.48.51.171" port port="22" protocol="tcp" accept
So the ports 80 and 443/tcp are open.
Then, I trigger some fail2ban rules (using an online proxy) and I get this in the firewall:
myzone
target: default
icmp-block-inversion: no
interfaces:
sources:
services: rcsa dhcpv6-client http https
ports: 80/tcp 443/tcp
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
rule family="ipv4" source address="79.48.51.171" port port="3306" protocol="tcp" accept
rule family="ipv4" source address="155.121.53.253" port port="22" protocol="tcp" accept
rule family="ipv4" source address="79.48.51.171" port port="22" protocol="tcp" accept
rule family="ipv4" source address="37.58.58.206" port port="http" protocol="tcp" reject type="icmp-port-unreachable"
rule family="ipv4" source address="37.58.58.206" port port="https" protocol="tcp" reject type="icmp-port-unreachable"
So, 2 new rules are added. Fine. Still, that IP is not rejected at all and continues to flood my server despite those rules in FirewallD.
Is there something wrong with this? I'm switching from UFW to FirewallD.
Best Answer
Debian/Ubuntu don't have a default banaction for firewalld because that's not the default firewall for those distributions.
You should set banaction = firewallcmd-ipset, to make an ipset that fail2ban will insert banned addresses into, and which will then be called from the firewall. Red Hat systems already include this configuration bit, because they use firewalld by default. So you can simply create the same file that they include, at /etc/fail2ban/jail.d/00-firewalld.conf
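An added example, not from the thread or the fail2ban project: a POSIX shell helper that writes the drop-in the answer describes and then reports which banaction actually wins under fail2ban's documented load order (jail.conf, jail.d/*.conf, jail.local, jail.d/*.local), so that a leftover banaction = ufw in jail.local from the UFW days does not silently override the new drop-in. It assumes the config root is /etc/fail2ban unless a directory is passed as the first argument, that the drop-in body is just a [DEFAULT] section with the banaction line, and that banaction is set under [DEFAULT] rather than per jail.

```shell
#!/bin/sh
# Added example (not from the original thread). Assumes the fail2ban config
# root is /etc/fail2ban unless overridden by $1, and that the drop-in name
# 00-firewalld.conf matches what the answer refers to.
set -e

# Write the drop-in that switches fail2ban's default ban action from the
# Debian/Ubuntu iptables default to the firewalld ipset action.
write_firewalld_dropin() {
  root="${1:-/etc/fail2ban}"
  mkdir -p "$root/jail.d"
  cat > "$root/jail.d/00-firewalld.conf" <<'EOF'
[DEFAULT]
# fail2ban fills an ipset (f2b-<jail>) and firewalld rejects its members
banaction = firewallcmd-ipset
EOF
  printf '%s\n' "$root/jail.d/00-firewalld.conf"
}

# Report the banaction that survives fail2ban's load order:
# jail.conf, then jail.d/*.conf, then jail.local, then jail.d/*.local.
# Later files win, so a stale jail.local can undo the drop-in.
# Assumption: banaction lives under [DEFAULT]; per-jail overrides are not tracked.
effective_banaction() {
  root="${1:-/etc/fail2ban}"
  result=""
  for f in "$root/jail.conf" "$root"/jail.d/*.conf "$root/jail.local" "$root"/jail.d/*.local; do
    [ -f "$f" ] || continue
    # last uncommented "banaction = ..." line in this file, if any
    v=$(sed -n 's/^[[:space:]]*banaction[[:space:]]*=[[:space:]]*//p' "$f" | tail -n 1)
    [ -n "$v" ] && result="$v"
  done
  printf '%s\n' "$result"
}

# Usage (as root, on the real host):
#   write_firewalld_dropin && effective_banaction
# then restart fail2ban and confirm the set exists with: ipset list
```

If effective_banaction still prints ufw or iptables-multiport after writing the drop-in, a later-loaded file (typically jail.local) is overriding it and needs its banaction line removed.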