Feature request type
Starting fail2ban v1.1.0.dev1 on Oracle Solaris 11.4 (SRU 58) using OpenBSD's PF framework (which has been adopted by Oracle) causes a flush of all static firewall rules which are given in /etc/firewall/pf.conf. While fail2ban itself works well on Solaris 11.4 and flawlessly blocks all SSH brute-force attacks, it's a drawback that I have to build workarounds to keep, or rather reconstruct, the static rules active after fail2ban's start. It would be nice to have commands fired by fail2ban which keep the existing firewall rules.
Description
The culprits are lines with "pfctl -f-" as they overwrite all active rules and substitute them with the standard input:
2023-07-16 14:12:34,357 fail2ban.CommandAction [1949]: DEBUG Set actionstart = 'echo "table <f2b-ssh> persist counters" | /usr/sbin/pfctl -f-\nport="0:65535"; if [ "$port" != "" ] && case "$port" in \\{*) false;; esac; then port="{$port}"; fi\necho "block quick proto tcp from <f2b-ssh> to any port $port" | /usr/sbin/pfctl -f-'
2023-07-16 14:12:34,357 fail2ban.CommandAction [1949]: DEBUG Set actionstop = '/usr/sbin/pfctl -sr 2>/dev/null | grep -v f2b-ssh | /usr/sbin/pfctl -f-\n/usr/sbin/pfctl -t f2b-ssh -T flush\n/usr/sbin/pfctl -t f2b-ssh -T kill'
2023-07-16 14:12:34,357 fail2ban.CommandAction [1949]: DEBUG Set actionflush = '/usr/sbin/pfctl -t f2b-ssh -T flush'
2023-07-16 14:12:34,358 fail2ban.CommandAction [1949]: DEBUG Set actioncheck = '/usr/sbin/pfctl -sr | grep -q f2b-ssh'
2023-07-16 14:12:34,358 fail2ban.CommandAction [1949]: DEBUG Set actionban = '/usr/sbin/pfctl -t f2b-ssh -T add <ip>'
2023-07-16 14:12:34,358 fail2ban.CommandAction [1949]: DEBUG Set actionunban = '/usr/sbin/pfctl -t f2b-ssh -T delete <ip>'
It seems that especially "actionstart" does trigger the problem at its first command:
Considered alternatives
"actionstart" should read existing rules, save, and reapply them after creating the table. Alternatively, other approaches to creating the necessary table should be considered.
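The approach the request describes (read the rules that are currently loaded, then reload them together with the new table and block rule in a single pfctl call) written out as a small POSIX shell script. This is an added example, not fail2ban's own action code and not something from the issue; it assumes the jail's table is named f2b-ssh with the port spec 0:65535 as in the debug log above, takes the pfctl binary from the PFCTL environment variable (default /usr/sbin/pfctl), and the function names build_ruleset and apply_ruleset are the example's own.

```shell
#!/bin/sh
# Added example, not fail2ban's own action code: build a PF ruleset that keeps
# the currently loaded filter rules and adds the fail2ban table and block rule,
# instead of replacing everything with "pfctl -f-" fed only the new lines.
# Assumptions: table name f2b-ssh and port spec 0:65535 (as in the log above);
# PFCTL names the pfctl binary (default /usr/sbin/pfctl).

PFCTL="${PFCTL:-/usr/sbin/pfctl}"

# build_ruleset TABLE PORT  < existing-rules  > merged-rules
# Emits the table definition and the block rule first, then every existing
# rule that does not already mention TABLE, so that repeated starts stay
# idempotent and a static "pass quick" rule cannot shadow the ban.
build_ruleset() {
    table="$1"
    port="$2"
    if [ -n "$port" ]; then
        # Brace the port spec the way fail2ban's actionstart does, unless it
        # is already braced.
        case "$port" in
            \{*) ;;
            *)   port="{$port}" ;;
        esac
        portclause=" port $port"
    else
        portclause=""
    fi
    printf 'table <%s> persist counters\n' "$table"
    printf 'block quick proto tcp from <%s> to any%s\n' "$table" "$portclause"
    # Drop earlier f2b lines from the live ruleset; grep -v exits 1 when the
    # input is empty or fully filtered, which is not an error here.
    grep -v -F -e "$table" || true
}

# apply_ruleset TABLE PORT: read the live filter rules, merge, and load the
# result in one pfctl call, so the static rules survive fail2ban's start.
apply_ruleset() {
    "$PFCTL" -sr 2>/dev/null | build_ruleset "$1" "$2" | "$PFCTL" -f-
}

# Usage on a live system:  sh f2b-pf-start.sh f2b-ssh 0:65535
if [ "$#" -eq 2 ]; then
    apply_ruleset "$1" "$2"
fi
```

The block rule is placed ahead of the existing rules so that a static `pass quick` rule for port 22 cannot match before it. Note that `pfctl -sr` lists filter rules only; options, NAT rules and any other tables that /etc/firewall/pf.conf defines have to be carried over separately if the static configuration relies on them, and the same limitation already applies to the round trip that `actionstop` performs.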
steffen-moser changed the title to "[RFE]: Having fail2ban to preserve existing static firewall rules (OpenBSD's PF) on Oracle Solaris 11.4" on Jul 16, 2023.