Konstantin Babushkin 2026-04-14 21:50:58 +02:00 committed by GitHub
commit 625af8fac9
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
5 changed files with 36 additions and 30 deletions


@ -10,22 +10,22 @@ before = firewallcmd-common.conf
[Definition]
actionstart = firewall-cmd --direct --add-chain <family> filter f2b-<name>
firewall-cmd --direct --add-rule <family> filter f2b-<name> 1000 -j RETURN
firewall-cmd --direct --add-rule <family> filter <chain> 0 -j f2b-<name>
actionstart = firewall-cmd --direct --add-chain <family> <table> f2b-<name>
firewall-cmd --direct --add-rule <family> <table> f2b-<name> 1000 -j RETURN
firewall-cmd --direct --add-rule <family> <table> <chain> 0 -j f2b-<name>
actionstop = firewall-cmd --direct --remove-rule <family> filter <chain> 0 -j f2b-<name>
firewall-cmd --direct --remove-rules <family> filter f2b-<name>
firewall-cmd --direct --remove-chain <family> filter f2b-<name>
actionstop = firewall-cmd --direct --remove-rule <family> <table> <chain> 0 -j f2b-<name>
firewall-cmd --direct --remove-rules <family> <table> f2b-<name>
firewall-cmd --direct --remove-chain <family> <table> f2b-<name>
# Example actioncheck: firewall-cmd --direct --get-chains ipv4 filter | sed -e 's, ,\n,g' | grep -q '^f2b-recidive$'
actioncheck = firewall-cmd --direct --get-chains <family> filter | sed -e 's, ,\n,g' | grep -q '^f2b-<name>$'
actioncheck = firewall-cmd --direct --get-chains <family> <table> | sed -e 's, ,\n,g' | grep -q '^f2b-<name>$'
actionban = firewall-cmd --direct --add-rule <family> filter f2b-<name> 0 -s <ip> -j <blocktype>
actionban = firewall-cmd --direct --add-rule <family> <table> f2b-<name> 0 -s <ip> -j <blocktype>
actionunban = firewall-cmd --direct --remove-rule <family> filter f2b-<name> 0 -s <ip> -j <blocktype>
actionunban = firewall-cmd --direct --remove-rule <family> <table> f2b-<name> 0 -s <ip> -j <blocktype>
# DEV NOTES:
#


@ -25,6 +25,12 @@ protocol = tcp
# Values: STRING
family = ipv4
# Option: table
# Notes specifies the firewalld table to which the Fail2Ban rules should be
# added
# Values: [filter | nat | mangle | raw] Default: filter
table = filter
# Option: chain
# Notes specifies the firewalld chain to which the Fail2Ban rules should be
# added
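Review bot: The comment for the new `table` option lists nat, mangle and raw as valid values but does not say that the configured `<chain>` must exist in that table and that `<blocktype>` must be a target accepted there; the other defaults in this file are written for the filter table, so a non-default `table` would presumably only fail at actionstart when the first `--add-rule` is issued, not at config load. Since `<table>` is interpolated unchecked into every `firewall-cmd --direct` call in the other four files of this commit, the constraint belongs next to the option. Suggest adding after the Values line: `# Note: <chain> must exist in the selected table and <blocktype> must be a valid target there; the defaults assume filter.`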


@ -19,11 +19,11 @@ before = firewallcmd-common.conf
[Definition]
actionstart = <ipsbackend_<ipsetbackend>/actionstart>
firewall-cmd --direct --add-rule <family> filter <chain> 0 <actiontype> -m set --match-set <ipmset> src -j <blocktype>
firewall-cmd --direct --add-rule <family> <table> <chain> 0 <actiontype> -m set --match-set <ipmset> src -j <blocktype>
actionflush = <ipsbackend_<ipsetbackend>/actionflush>
actionstop = firewall-cmd --direct --remove-rule <family> filter <chain> 0 <actiontype> -m set --match-set <ipmset> src -j <blocktype>
actionstop = firewall-cmd --direct --remove-rule <family> <table> <chain> 0 <actiontype> -m set --match-set <ipmset> src -j <blocktype>
<actionflush>
<ipsbackend_<ipsetbackend>/actionstop>
@ -50,7 +50,7 @@ actionunban = ipset -exist del <ipmset> <ip>
actionstart = firewall-cmd --direct --new-ipset=<ipmset> --type=<ipsettype> --option=timeout=<default-ipsettime> --option=maxelem=<maxelem> <firewalld_familyopt>
# TODO: there doesn't seem to be an explicit way to invoke the ipset flush function using firewall-cmd
actionflush =
actionflush =
actionstop = firewall-cmd --direct --delete-ipset=<ipmset>


@ -9,18 +9,18 @@ before = firewallcmd-common.conf
[Definition]
actionstart = firewall-cmd --direct --add-chain <family> filter f2b-<name>
firewall-cmd --direct --add-rule <family> filter f2b-<name> 1000 -j RETURN
firewall-cmd --direct --add-rule <family> filter <chain> 0 -m conntrack --ctstate NEW -p <protocol> -m multiport --dports <port> -j f2b-<name>
actionstart = firewall-cmd --direct --add-chain <family> <table> f2b-<name>
firewall-cmd --direct --add-rule <family> <table> f2b-<name> 1000 -j RETURN
firewall-cmd --direct --add-rule <family> <table> <chain> 0 -m conntrack --ctstate NEW -p <protocol> -m multiport --dports <port> -j f2b-<name>
actionstop = firewall-cmd --direct --remove-rule <family> filter <chain> 0 -m conntrack --ctstate NEW -p <protocol> -m multiport --dports <port> -j f2b-<name>
firewall-cmd --direct --remove-rules <family> filter f2b-<name>
firewall-cmd --direct --remove-chain <family> filter f2b-<name>
actionstop = firewall-cmd --direct --remove-rule <family> <table> <chain> 0 -m conntrack --ctstate NEW -p <protocol> -m multiport --dports <port> -j f2b-<name>
firewall-cmd --direct --remove-rules <family> <table> f2b-<name>
firewall-cmd --direct --remove-chain <family> <table> f2b-<name>
# Example actioncheck: firewall-cmd --direct --get-chains ipv4 filter | sed -e 's, ,\n,g' | grep -q '^f2b-apache-modsecurity$'
actioncheck = firewall-cmd --direct --get-chains <family> filter | sed -e 's, ,\n,g' | grep -q '^f2b-<name>$'
actioncheck = firewall-cmd --direct --get-chains <family> <table> | sed -e 's, ,\n,g' | grep -q '^f2b-<name>$'
actionban = firewall-cmd --direct --add-rule <family> filter f2b-<name> 0 -s <ip> -j <blocktype>
actionban = firewall-cmd --direct --add-rule <family> <table> f2b-<name> 0 -s <ip> -j <blocktype>
actionunban = firewall-cmd --direct --remove-rule <family> filter f2b-<name> 0 -s <ip> -j <blocktype>
actionunban = firewall-cmd --direct --remove-rule <family> <table> f2b-<name> 0 -s <ip> -j <blocktype>


@ -8,19 +8,19 @@ before = firewallcmd-common.conf
[Definition]
actionstart = firewall-cmd --direct --add-chain <family> filter f2b-<name>
firewall-cmd --direct --add-rule <family> filter f2b-<name> 1000 -j RETURN
firewall-cmd --direct --add-rule <family> filter <chain> 0 -m state --state NEW -p <protocol> -m multiport --dports <port> -j f2b-<name>
actionstart = firewall-cmd --direct --add-chain <family> <table> f2b-<name>
firewall-cmd --direct --add-rule <family> <table> f2b-<name> 1000 -j RETURN
firewall-cmd --direct --add-rule <family> <table> <chain> 0 -m state --state NEW -p <protocol> -m multiport --dports <port> -j f2b-<name>
actionstop = firewall-cmd --direct --remove-rule <family> filter <chain> 0 -m state --state NEW -p <protocol> -m multiport --dports <port> -j f2b-<name>
firewall-cmd --direct --remove-rules <family> filter f2b-<name>
firewall-cmd --direct --remove-chain <family> filter f2b-<name>
actionstop = firewall-cmd --direct --remove-rule <family> <table> <chain> 0 -m state --state NEW -p <protocol> -m multiport --dports <port> -j f2b-<name>
firewall-cmd --direct --remove-rules <family> <table> f2b-<name>
firewall-cmd --direct --remove-chain <family> <table> f2b-<name>
actioncheck = firewall-cmd --direct --get-chains <family> filter | sed -e 's, ,\n,g' | grep -q 'f2b-<name>$'
actioncheck = firewall-cmd --direct --get-chains <family> <table> | sed -e 's, ,\n,g' | grep -q 'f2b-<name>$'
actionban = firewall-cmd --direct --add-rule <family> filter f2b-<name> 0 -s <ip> -j <blocktype>
actionban = firewall-cmd --direct --add-rule <family> <table> f2b-<name> 0 -s <ip> -j <blocktype>
actionunban = firewall-cmd --direct --remove-rule <family> filter f2b-<name> 0 -s <ip> -j <blocktype>
actionunban = firewall-cmd --direct --remove-rule <family> <table> f2b-<name> 0 -s <ip> -j <blocktype>
# DEV NOTES:
#
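Review bot: The rewritten actioncheck on the `<table>` line greps for `'f2b-<name>$'` without the leading `^`, unlike the equivalent lines in the allports and multiport files of this commit, which use `'^f2b-<name>$'`; an unanchored match also succeeds on any chain whose name merely ends in `f2b-<name>`, so the check could report the jail's chain as present and skip recreating it after a firewalld reload. Suggest making it consistent: `actioncheck = firewall-cmd --direct --get-chains <family> <table> | sed -e 's, ,\n,g' | grep -q '^f2b-<name>$'`. The dev notes that follow this hunk are outside the visible section.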