fail2ban: Use a managed firewalld ipset
The firewalld direct interface is deprecated and will be removed in a future release[1]. Recently IPv4 connectivity inside docker containers on our runners broke and after some troubleshooting, the issue was pinpointed to the start of the fail2ban service. We also had issues in the past where sometimes firewalld had to be restarted after boot before network connectivity worked in libvirt on our runners. The issue may be due to a bug in the way fail2ban uses the direct interface, a bug in firewalld or a combination thereof. Let's just avoid the direct interface altogether and create a clean separation, with firewalld handling the blocking and fail2ban maintaining the ipset. [1] https://firewalld.org/documentation/man-pages/firewalld.direct.html
This commit is contained in:
parent
c370c9d06e
commit
95e19506ff
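--- /dev/null
+++ b/fail2ban.xml
@@ -0,0 +1,3 @@
+<?xml version="1.0" encoding="utf-8"?>
+<ipset type="hash:net">
+</ipset>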
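Review bot: The `<ipset type="hash:net">` element carries no `<option name="family" .../>`, so — if firewalld's default for a new ipset applies — this is an `inet` (IPv4-only) set, and a `--add-entry` with an IPv6 address will be rejected; since the new action only ever writes to this one set, IPv6 offenders would not actually be blocked. A sibling set, e.g. `fail2ban6.xml` with `<option name="family" value="inet6"/>`, also attached to the `drop` zone, would close that gap. An explicit `<option name="maxelem" value="..."/>` may also be worth setting, as the default element limit (65536 for ipset, as far as I know) is a hard cap on concurrently banned addresses. A one-line XML comment would help the next reader, e.g. `<!-- populated at runtime by fail2ban's firewallcmd-ipset-allports action; sources in it are matched by the drop zone -->`.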
@ -36,8 +36,8 @@
- name: Install firewallcmd-allports.local
template:
src: "firewallcmd-allports.local.j2"
dest: "/etc/fail2ban/action.d/firewallcmd-allports.local"
src: "firewallcmd-ipset-allports.conf.j2"
dest: "/etc/fail2ban/action.d/firewallcmd-ipset-allports.conf"
owner: "root"
group: "root"
mode: '0644'
|
@ -88,6 +88,17 @@
notify:
- Reload fail2ban jails
|
- name: Install fail2ban ipset for firewalld
copy: src=fail2ban.xml dest=/etc/firewalld/ipsets/ owner=root group=root mode=0644
register: result
|
- name: Restart firewalld
systemd: name=firewalld state=restarted
when: result.changed
|
- name: Add fail2ban ipset to the firewalld drop zone
ansible.posix.firewalld: source=ipset:fail2ban zone=drop permanent=true immediate=true state=enabled
|
- name: Start and enable service
systemd:
name: "fail2ban.service"
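Review bot: The `Restart firewalld` task (`systemd: name=firewalld state=restarted`) does a full restart just to pick up a newly installed permanent ipset, which also tears down and rebuilds every runtime firewalld rule; `state=reloaded` (a `firewall-cmd --reload`, which firewalld.service supports via SIGHUP as far as I know) is enough to load a new `/etc/firewalld/ipsets/*.xml` and is less disruptive for the libvirt/docker networking the commit message describes as fragile. Either way, a reload or restart empties the runtime `fail2ban` ipset, so every active ban is silently dropped while fail2ban still considers it in force until it expires; notifying a `Restart fail2ban` handler after that task (fail2ban re-applies bans from its database on start, if that is enabled here) would close that window. Separately, the task name in the first hunk still reads `Install firewallcmd-allports.local` although the file it now installs is `firewallcmd-ipset-allports.conf` — assuming that line is unchanged context, as the 8/8 hunk counts suggest, it is worth renaming to match.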
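--- a/firewallcmd-allports.local.j2
+++ /dev/null
@@ -1,8 +0,0 @@
-#
-# {{ansible_managed}}
-#
-
-# creates the requisite chains in firewalld when fail2ban starts instead
-# of creating them on first use (ie, when first IP is banned)
-[Definition]
-actionstart_on_demand = false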
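--- /dev/null
+++ b/firewallcmd-ipset-allports.conf.j2
@@ -0,0 +1,8 @@
+#
+# {{ansible_managed}}
+#
+
+[Definition]
+
+actionban = firewall-cmd --ipset=fail2ban --add-entry=<ip>
+actionunban = firewall-cmd --ipset=fail2ban --remove-entry=<ip>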
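Review bot: `actionban` and `actionunban` always target the single `fail2ban` ipset, which (per the fail2ban.xml added in this commit) has no `family` option and so is presumably IPv4-only; a ban for an IPv6 address would make `firewall-cmd --add-entry` fail, leaving the host reachable with nothing but an error line in the fail2ban log. The stock `firewallcmd-ipset.conf` avoids this by choosing the set per address family with a `[Init?family=inet6]` section, which here needs a second firewalld ipset (say `fail2ban6`, `family=inet6`) that is also a source of the `drop` zone. A short header comment stating the operational caveat would also help, e.g. `# Entries are runtime-only: a firewalld reload/restart empties the set and drops all active bans until fail2ban re-applies them.`

```ini
[Definition]

actionban = firewall-cmd --ipset=<ipsetname> --add-entry=<ip>
actionunban = firewall-cmd --ipset=<ipsetname> --remove-entry=<ip>

[Init]
ipsetname = fail2ban

[Init?family=inet6]
ipsetname = fail2ban6
```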
@ -27,7 +27,7 @@ sender = fail2ban@{{ansible_fqdn}}
# fail2ban-client set unban <IP>
# fail2ban-client set unban --all
# see `fail2ban-client help` for full list of runtime commands
banaction = firewallcmd-allports
banaction = firewallcmd-ipset-allports
|
# "ignoreip" can be a list of IP addresses, CIDR masks or DNS hosts. Fail2ban
# will not ban a host which matches an address in this list. Several addresses
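Review bot: Only `banaction` is switched at the `banaction = firewallcmd-ipset-allports` line; fail2ban's stock `jail.conf` also defines `banaction_allports = iptables-allports`, which jails such as `recidive` consume via `%(banaction_allports)s`, so any jail in this deployment that uses it would keep banning through plain iptables instead of the new ipset. If such a jail exists here, add `banaction_allports = firewallcmd-ipset-allports` directly below. The section header this setting belongs to is outside the hunk.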