:: Re: [DNG] nftables firewall and fai…
Top Page
Delete this message
Reply to this message
Author: Didier Kryn
Date:  
To: dng
Subject: Re: [DNG] nftables firewall and fail2ban replacement.
Le 12/01/2022 à 14:49, onefang a écrit :
> I've been using shorewall and fail2ban for a while now, but nftables is
> soon replacing iptables, so it's time to consider some options.
>
> Apparently fail2ban already supports nftables, but shorewall doesn't and
> wont -
>
> https://shorewall-users.narkive.com/aujuSpJ1/nftables-on-the-roadmap
>
> My main problem with fail2ban is that it fails to ban. Or rather it does
> ban, for that one rule I wrote myself, but not for any of the built in
> rules, but then it releases the ban, even though I have told shorewall to
> ban that particular IP. So the IP ends up being unbanned, coz fail2ban
> says so.
>
> Yes, I'm aware you can configure fail2ban to shift from temporary to
> permanent bans for persistent rule breakers. Would be good if the built
> in rules actually worked.
>
> Right now there's a particular IP hitting that one rule, and no matter
> what I do, even completely zapping fail2ban's database and leaving it
> turned off, that IP keeps bypassing my firewall somehow.
>
> So I'll eventually need a replacement for shorewall anyway, and I'd like
> something similar to fail2ban that doesn't fail to ban. So the two
> replacements have to get along with each other. None of this "bad IP can
> get through coz the two fight over it" bullshit.
>
> This has to run on my servers and desktop, so no GUI. I'm an experienced
> sysadmin, text config is good.
>
> Any suggestions?
>

    My experience/understanding of fail2ban is that it's intended
against attackers "smart" enough to periodically change their address.
For fix addresses, custom iptables rules was the "simple" way to go. Now
I guess it's custom nftables rules.

--     Didier