Author: Simon Date: To: dng Subject: Re: [DNG] nftables firewall and fail2ban replacement.
onefang <onefang_devuan@???> wrote:
> My main problem with fail2ban is that it fails to ban. Or rather it does
> ban, for that one rule I wrote myself, but not for any of the built in
> rules, but then it releases the ban, even though I have told shorewall to
> ban that particular IP. So the IP ends up being unbanned, coz fail2ban
> says so.
>
> Yes, I'm aware you can configure fail2ban to shift from temporary to
> permanent bans for persistent rule breakers. Would be good if the built
> in rules actually worked.
From experience, the built-in rules worked last time I set a system up - worth checking all the config files as (again from memory) none of them are enabled by default.
But what I did for the persistent offenders was to write my own rule (don’t remember any details now) that basically looked for repeated bans and then blocked them for a long time. That allows for users (or yourself) accidentally triggering the first rule - you just have to wait for it to time out - but will ban persistent offenders quite quickly as they’ll still be hammering the system when the first rule times out.
Another thing to be aware of is that applying iptables drop rules to existing connections doesn’t stop the traffic. That’s important when trying to deal with UDP traffic - that may only apply when there is packet mangling (e.g. NAT) and so conntrack comes into play, or when the traffic terminates on the box you are trying to firewall it on. But TBH it’s a while now since I dealt with this and I don’t recall any details other than needing to clear entries in the conntrack table to actually stop traffic - I vaguely recall having to log onto the main router and drop it there sometimes.
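As an added example (not code from the thread or from fail2ban itself), here is a small POSIX shell/awk check that implements the "repeated bans" idea described above: it reads fail2ban's own log and reports addresses that have been banned at least N times, with their first and last ban times, which is the input a long-term ban rule would act on. The log lines are constructed samples in fail2ban's default log format using documentation addresses.

```shell
#!/bin/sh
# Constructed sample of /var/log/fail2ban.log (not real data).
# Format: "<date> <time> fail2ban.actions [pid]: NOTICE [jail] Ban|Unban <ip>"
SAMPLE_LOG='2024-01-15 10:23:45,123 fail2ban.actions [1234]: NOTICE [sshd] Ban 203.0.113.5
2024-01-15 10:40:01,001 fail2ban.actions [1234]: NOTICE [sshd] Unban 203.0.113.5
2024-01-15 10:41:12,555 fail2ban.actions [1234]: NOTICE [sshd] Ban 203.0.113.5
2024-01-15 10:50:00,000 fail2ban.actions [1234]: NOTICE [sshd] Ban 198.51.100.7
2024-01-15 11:00:31,222 fail2ban.actions [1234]: NOTICE [sshd] Ban 203.0.113.5
2024-01-15 11:30:00,000 fail2ban.actions [1234]: NOTICE [postfix] Ban 198.51.100.7'

# repeat_offenders THRESHOLD
# Reads fail2ban log lines on stdin and prints, for every address banned at
# least THRESHOLD times (Unban lines are ignored), one line of the form:
#   <ban-count> <ip> <first-ban-timestamp> <last-ban-timestamp>
# Output is sorted by address so the result is stable for scripting.
repeat_offenders() {
    threshold="$1"
    awk -v t="$threshold" '
        # " Ban " (capital B, surrounded by spaces) matches ban events only;
        # "Unban" does not match because of the leading space and case.
        / Ban / {
            ip = $NF            # last field is the banned address
            ts = $1 " " $2      # date and time fields
            count[ip]++
            if (!(ip in first)) first[ip] = ts
            last[ip] = ts
        }
        END {
            for (ip in count)
                if (count[ip] >= t)
                    print count[ip], ip, first[ip], last[ip]
        }
    ' | sort -k2
}

# Stand-alone run against the constructed sample: report anyone banned 2+ times.
printf '%s\n' "$SAMPLE_LOG" | repeat_offenders 2
```

Running it against the sample reports both addresses at threshold 2 and only 203.0.113.5 at threshold 3. As the message above notes, putting the resulting address into a long-term drop rule does not cut flows that are already established, so the matching conntrack entries also need deleting (for example with `conntrack -D -s <ip>`) for the ban to take effect immediately.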