Comments (3)
sebres
commented on May 29, 2024
I tried overriding it in jail.local, but I must not be doing it right
I don't see how you were trying to override defaults (in your jail.local is nothing about banaction or even action).
But indeed setting of zone in default section would change nothing, unless this parameter supplied to the action (and it doesn't normally), see:
Lines 208 to 212 in 9bedc3c
Moreover I don't see where the banactions set to firewalld action (some distro-include?)...
Anyway, here you go:
[DEFAULT]
zone = internal
banaction = firewallcmd-rich-rules[zone='%(zone)s']
# or simply:
banaction = firewallcmd-rich-rules[zone=internal](don't know which banaction you use, so for example used firewallcmd-rich-rules here)
Another way would be to overwrite it in action.d/firewallcmd-common.local:
[Init]
zone = internal(this way it would be valid for all firewalld-* using firewalld-common include and its parameter zone).
from fail2ban.
lejeczek
commented on May 29, 2024
Are you sure @sebres that is a good/valid example to use/give?
From what I see - what comes with my Centos 9's packages - banaction firewallcmd-multiport does not need/use the concept of zone - it utilizes firewalld's --direct
When I look at nftables it seems that, that _firewallcmd-multiport (via firewalld) goes only into ip filter table, creating chains (only)there.
Moreover, with my f2b version v1.0.2 seems that:
zone = public
has no effect at all - eg. with firewallcmd-rich-rules (there firewalld utilizes zones , yes) rules (nftables as a result) always go into whatever firewalld has set as the default zone (& only that zone)
Nowhere I see any action (in default configs) utilize --zone and I wonder how would that/anything work?
from fail2ban.
sebres
commented on May 29, 2024
From what I see - what comes with my Centos 9's packages - banaction firewallcmd-multiport does not need/use the concept of zone - it utilizes firewalld's --direct
Hmm, indeed, firewallcmd-multiport and firewallcmd-allports example was not quite correct (it doesn't use parameter zone), so I updated it now.
However it was just an example to illustrate how one can supply a parameter to the action.
Basically I spoke about
and all derived actions used that parameter.
There is a PR #3641, where all the actions replaced with single firewallcmd actions, that may support zone (have no idea it does that right now).
from fail2ban.
Related Issues (20)
- [RFE]: fail2ban-client unban should print what it unbanned
- ERROR NOK: (13, 'Permission denied') HOT 1
- Unavailability of iptables-multiport on VPS HOT 2
- [BR]: fail2ban not banning specific IP HOT 2
- Error when trying to ban? HOT 1
- [BR]: Fail2ban for mssql not work filtering my log from docker containers log HOT 1
- [BR]: Long lines are let through to an email causing it to bounce HOT 4
- [BR]: Failed during configuration: Have not found any log file for jupyterlab jail (log not in /var/log) HOT 5
- [FR]: SoftEtherVPN stable edition HOT 1
- [RFE]: Document upgrade (in)compatibility HOT 1
- [FR]: nginx-limit-conn.conf HOT 1
- [BR]: wont run HOT 1
- [BR]: iptables action: no chains after start HOT 3
- [BR]: systemd-journal - Fail2Ban doesn't see all log records that journalctl does HOT 2
- unable to create multiple logs folders in logpath HOT 2
- [BR]: OOM (f2b/a.sshd invoked oom-killer) HOT 3
- Fail2ban unable to start in ubuntu 24.04 container HOT 2
- [RFE]: ASN/Country based ban using IPinfo's free IP to Country ASN MMDB database
- [BR]: ignoreregex are ignored if the line does not match "failregex" (making them more like "ignorematchingregex") HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from fail2ban.