infrastructure/roles/fail2ban/templates/jail.local.j2
Kristian Klausen 95e19506ff
fail2ban: Use a managed firewalld ipset
The firewalld direct interface is deprecated and will be removed in a
future release[1]. Recently IPv4 connectivity inside docker containers
on our runners broke and after some troubleshooting, the issue was
pinpointed to the start of the fail2ban service. We also had issues in
the past where sometimes firewalld had to be restarted after boot before
network connectivity worked in libvirt on our runners.

The issue may be due to a bug in the way fail2ban uses the direct
interface, a bug in firewalld or a combination thereof. Let's just avoid
the direct interface altogether and create a clean separation, with
firewalld handling the blocking and fail2ban maintaining the ipset.

[1] https://firewalld.org/documentation/man-pages/firewalld.direct.html
2024-02-18 22:57:42 +01:00


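#
# {{ansible_managed}}
#
# fail2ban jail defaults. fail2ban reads this with a configparser-based
# parser: keys under [DEFAULT] apply to every jail, and a value that spans
# several lines must have its continuation lines indented.
[DEFAULT]
findtime = {{fail2ban_findtime}}
bantime = {{fail2ban_bantime}}
maxretry = {{fail2ban_maxretry}}
# don't trust dns: hostnames found in log lines are not resolved and are not
# used for banning (they are only logged)
usedns = no
# if f2b ever needs to send emails, send them to root and make sure the sender
# address clearly identifies the host the message originated from
destemail = root
sender = fail2ban@{{ansible_fqdn}}
# use firewalld to manage bans - if we don't specify this, then fail2ban will
# default to use iptables, which we don't want as our systems are running
# firewalld with nftables backend.
#
# fail2ban only maintains an ipset; firewalld does the actual blocking, so
# the deprecated firewalld direct interface is not involved anymore. To check
# what is currently banned while fail2ban is running, inspect the ipset
# (its name depends on the action definition):
# firewall-cmd --get-ipsets
# firewall-cmd --ipset=<IPSET> --get-entries
# useful runtime commands include:
# fail2ban-client set <JAIL> banip <IP>
# fail2ban-client set <JAIL> unbanip <IP>
# fail2ban-client set unban <IP>
# fail2ban-client set unban --all
# see `fail2ban-client help` for full list of runtime commands
banaction = firewallcmd-ipset-allports
# "ignoreip" can be a list of IP addresses, CIDR masks or DNS hosts. Fail2ban
# will not ban a host which matches an address in this list. Several addresses
# can be defined using space (and/or comma) separator.
#
# Every host of the inventory is listed, so no managed host is ever banned by
# another managed host. Note that this also exempts a compromised host, so
# suspicious traffic between our own hosts has to be caught elsewhere.
#
# The generated host lines are indented on purpose: the parser treats an
# indented line as a continuation of the preceding value, whereas a line at
# column 0 without "=" is a parse error.
ignoreip = 127.0.0.1/8 ::1
{% for host in groups['all'] %}
    {{ hostvars[host]['inventory_hostname'] }}
{% endfor %}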