mirror of
https://gitlab.archlinux.org/archlinux/infrastructure.git
synced 2026-03-07 17:06:19 +01:00
Firewalld ipset rules are only checked after the fast-track for ESTABLISHED,RELATED connection states. This means abusers with an already open connection can re-use them to keep sending malicious requests to the backend even if the IP is added to the drop ipset. To fix this loophole, cut the connection forcefully using conntrack, which will force the abuser to go through connection setup, where the drop ipset will be evaluated.
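As an added illustration of the loophole described in the commit message (not code from the commit or the Arch Linux infrastructure repository), the check below parses constructed `conntrack -L` output, finds flows whose client address already falls inside the drop ipset and therefore survived the ESTABLISHED,RELATED fast-track, and builds the `conntrack -D` invocations that would cut them; the ipset name, addresses and flows are all made up for the example.

```python
import ipaddress

# Constructed sample of `conntrack -L` output: three flows, two of them from
# hosts that sit inside the (also constructed) drop ipset below.
SAMPLE_CONNTRACK = """\
tcp      6 431998 ESTABLISHED src=203.0.113.5 dst=10.0.0.2 sport=51234 dport=443 src=10.0.0.2 dst=203.0.113.5 sport=443 dport=51234 [ASSURED] mark=0 use=1
tcp      6 299 ESTABLISHED src=198.51.100.77 dst=10.0.0.2 sport=40002 dport=443 src=10.0.0.2 dst=198.51.100.77 sport=443 dport=40002 [ASSURED] mark=0 use=1
tcp      6 117 TIME_WAIT src=203.0.113.9 dst=10.0.0.2 sport=33000 dport=80 src=10.0.0.2 dst=203.0.113.9 sport=80 dport=33000 [ASSURED] mark=0 use=1
"""

# Constructed entries of a drop ipset, in the form
# `firewall-cmd --ipset=<name> --get-entries` prints them (CIDRs allowed).
SAMPLE_DROP_IPSET = ["203.0.113.0/28", "192.0.2.200"]


def parse_conntrack_line(line):
    """Parse one `conntrack -L` line into protocol, state, client IP and service port."""
    tokens = line.split()
    if len(tokens) < 4:
        return None
    # TCP entries carry a state token (ESTABLISHED, TIME_WAIT, ...); UDP/ICMP do not.
    state = tokens[3] if "=" not in tokens[3] else ""
    kv = [t.split("=", 1) for t in tokens if "=" in t]
    # The first src=/dst= pair is the original direction, i.e. the client side.
    orig_src = next(v for k, v in kv if k == "src")
    orig_dport = next(v for k, v in kv if k == "dport")
    return {"proto": tokens[0], "state": state, "src": orig_src, "dport": int(orig_dport)}


def find_bypassing_flows(conntrack_output, drop_entries):
    """Return flows whose client address is in the drop ipset.

    These are exactly the connections the ESTABLISHED,RELATED fast-track keeps
    letting through: the ipset is only consulted at connection setup, so a flow
    that was open before the address was added keeps working until it is cut.
    """
    nets = [ipaddress.ip_network(e, strict=False) for e in drop_entries]
    hits = []
    for line in conntrack_output.splitlines():
        flow = parse_conntrack_line(line)
        if flow and any(ipaddress.ip_address(flow["src"]) in n for n in nets):
            hits.append(flow)
    return hits


def conntrack_delete_commands(flows):
    """Build the `conntrack -D --orig-src <ip>` calls that force those clients
    back through connection setup, where the drop ipset is evaluated."""
    return sorted({f"conntrack -D -s {f['src']}" for f in flows})


if __name__ == "__main__":
    surviving = find_bypassing_flows(SAMPLE_CONNTRACK, SAMPLE_DROP_IPSET)
    for f in surviving:
        print(f"{f['proto']} {f['state'] or '-'} {f['src']} -> :{f['dport']}")
    print("\n".join(conntrack_delete_commands(surviving)))
```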