[RFE]: Having fail2ban to preserve existing static firewall rules (OpenBSD's PF) on Oracle Solaris 11.4 #3541

Open
steffen-moser opened this issue Jul 16, 2023 · 0 comments

steffen-moser commented Jul 16, 2023

Feature request type

Starting fail2ban v1.1.0.dev1 on Oracle Solaris 11.4 (SRU 58) using OpenBSD's PF framework (which has been adopted by Oracle) causes a flush of all static firewall rules which are given in /etc/firewall/pf.conf. While fail2ban itself works well on Solaris 11.4 and flawlessly blocks all SSH brute-force attacks, it's a drawback that I have to build workarounds to keep or rather reconstruct the static rules active after fail2ban's start. It would be nice to have commands fired by fail2ban which keep the existing firewall rules.

Description

The culprits are lines with "pfctl -f-" as they overwrite all active rules and substitute them with the standard input:

2023-07-16 14:12:34,357 fail2ban.CommandAction  [1949]: DEBUG     Set actionstart = 'echo "table <f2b-ssh> persist counters" | /usr/sbin/pfctl -f-\nport="0:65535"; if [ "$port" != "" ] && case "$port" in \\{*) false;; esac; then port="{$port}"; fi\necho "block quick proto tcp from <f2b-ssh> to any port $port" | /usr/sbin/pfctl -f-'
2023-07-16 14:12:34,357 fail2ban.CommandAction  [1949]: DEBUG     Set actionstop = '/usr/sbin/pfctl -sr 2>/dev/null | grep -v f2b-ssh | /usr/sbin/pfctl -f-\n/usr/sbin/pfctl -t f2b-ssh -T flush\n/usr/sbin/pfctl -t f2b-ssh -T kill'
2023-07-16 14:12:34,357 fail2ban.CommandAction  [1949]: DEBUG     Set actionflush = '/usr/sbin/pfctl -t f2b-ssh -T flush'
2023-07-16 14:12:34,358 fail2ban.CommandAction  [1949]: DEBUG     Set actioncheck = '/usr/sbin/pfctl -sr | grep -q f2b-ssh'
2023-07-16 14:12:34,358 fail2ban.CommandAction  [1949]: DEBUG     Set actionban = '/usr/sbin/pfctl -t f2b-ssh -T add <ip>'
2023-07-16 14:12:34,358 fail2ban.CommandAction  [1949]: DEBUG     Set actionunban = '/usr/sbin/pfctl -t f2b-ssh -T delete <ip>'

It seems that especially "actionstart" does trigger the problem at its first command:

echo "table <f2b-ssh> persist counters" | /usr/sbin/pfctl -f-

Considered alternatives

"actionstart" should read existing rules, save, and reapply them after creating the table. Alternatively, other approaches to creating the necessary table should be considered.

@steffen-moser steffen-moser changed the title [RFE]: Having fail2ban to preserve existing static firewall rules (OpenBSD'PF) on Oracle Solaris 11.4 [RFE]: Having fail2ban to preserve existing static firewall rules (OpenBSD's PF) on Oracle Solaris 11.4 Jul 16, 2023
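One way to implement the "read existing rules, save, and reapply them after creating the table" alternative described in the report, as an added example that is not part of this issue and not fail2ban's own action.d/pf.conf: instead of piping only the table definition into `pfctl -f -` (which replaces the whole loaded ruleset), the script snapshots the live filter rules with `pfctl -sr`, puts the table definition and the block rule in front of them, and loads the combined set in one call. The table name `f2b-ssh`, the port spec `0:65535` and the rule text mirror the actionstart in the log above; the function names and the sample `pfctl -sr` output are constructed assumptions of mine.

```shell
#!/bin/sh
# Added example (not from the issue or from fail2ban): build a pf ruleset that
# keeps the currently loaded filter rules and adds fail2ban's table and block
# rule in front of them, so one "pfctl -f -" load does not discard the static
# rules from /etc/firewall/pf.conf.
#
# Assumptions (hypothetical, not from the issue): table name "f2b-ssh", port
# spec "0:65535" and the rule text follow the actionstart shown in the log;
# the function names and the sample rules below are constructed.

# merge_ruleset TABLE PORT
#   Reads the existing rules on stdin (the text "pfctl -sr" prints), drops any
#   line that already references TABLE so repeated starts stay idempotent, and
#   writes a complete ruleset to stdout: table, block rule, preserved rules.
merge_ruleset() {
    table=$1
    port=$2
    # Same brace handling as fail2ban: "{22, 2222}" stays, "0:65535" is wrapped.
    case "$port" in
        \{*) ;;
        *) port="{$port}" ;;
    esac
    printf 'table <%s> persist counters\n' "$table"
    printf 'block quick proto tcp from <%s> to any port %s\n' "$table" "$port"
    grep -v "<$table>"
}

# apply_ruleset TABLE PORT
#   Production path: snapshot the live rules, merge, load in a single pfctl
#   call. pfctl rejects a ruleset as a whole on a parse error, so a failed
#   load leaves the previously active rules in place.
apply_ruleset() {
    /usr/sbin/pfctl -sr 2>/dev/null | merge_ruleset "$1" "$2" | /usr/sbin/pfctl -f -
}

# Constructed sample of what "pfctl -sr" might print on a host with a few
# static rules (not a capture from the reporter's system).
SAMPLE_RULES='pass in quick on net0 proto tcp from 10.0.0.0/8 to any port = 22
block drop in quick on net0 proto tcp from any to any port = 23
pass out all'

# count_rules TABLE PORT: number of lines in the merged ruleset for the sample.
count_rules() {
    printf '%s\n' "$SAMPLE_RULES" | merge_ruleset "$1" "$2" | wc -l | tr -d ' '
}

# nth_rule N TABLE PORT: line N of the merged ruleset for the sample.
nth_rule() {
    printf '%s\n' "$SAMPLE_RULES" | merge_ruleset "$2" "$3" | sed -n "${1}p"
}
```

The block rule is placed before the preserved rules so that its `quick` match wins regardless of what the static ruleset says. Note that `pfctl -sr` prints only the filter rules: `set` options, table contents loaded from files, macros and anchor bodies are not reproduced, so on hosts whose pf.conf relies on those, declaring the persistent table in pf.conf itself (or reloading pf.conf and then adding the fail2ban rule) is the more faithful way to keep the original policy intact.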