It seems at least once a year I look through my logs to find that fail2ban is no longer functioning ever since the switch from iptables to firewalld...
I've spent way too much time on this but I really do try to fix things myself and learn more about the innards of linux.
Currently I'm getting:
ERROR: '/usr/sbin/iptables-restore -w -n' failed: iptables-restore v1.8.0 (legacy): Set fail2ban-sshd doesn't exist. Error occurred at line: 2 Try `iptables-restore -h' or 'iptables-restore --help' for more information.
Well I had switched back to iptables from ipset due to this some time ago:
Which was "fixed", so I switched back to firewallcmd-ipset from iptables-multiport, but the error persists.
Here's where it gets weird. I finally figured out (I'm assuming) that ipset is what's calling iptables (which is not intuitive from the error) and I see two things:
The "-n" option is supposed to have a number of seconds after it; I'm not sure what effect just "-n" has.
It's looking for fail2ban-sshd, however...
Running "ipset list" I saw only one set, but it was called "f2b-sshd" instead... Ah HAH!
Except when I ran it again there was no output, so the set is "gone"???
Ok, funny how working on writing all this down sometimes helps... Found what I think is part of the problem.
Comparing firewallcmd-ipset.conf.old and firewallcmd-ipset.conf I see
firewallcmd-ipset.conf.old:
[Definition]
actionstart = ipset create fail2ban-<name> hash:ip timeout <b
firewall-cmd --direct --add-rule ipv4 filter <c

firewallcmd-ipset.conf:
[Definition]
actionstart = ipset create <ipmset> hash:ip timeout <bantime>
firewall-cmd --direct --add-rule <family> filte
---
And then later in the new conf file:
ipmset = f2b-<name>
familyopt =
---
So the ipset create call was changed...
So how does firewalld know which set name to look for?
Thanks,
Richard
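Added here as an example (not fail2ban's code and not part of the post): a small POSIX-shell diagnostic that resolves the set name each action definition would create for a jail and checks it against the sets that exist, using inputs constructed from the two definitions quoted above and assuming the ipmset / <name> substitution they show. It reproduces the mismatch the error reports: the rules expect fail2ban-sshd while the only set present is f2b-sshd.

```shell
# Constructed from the two [Definition] blocks in the post (old vs new action file).
OLD_CONF='[Definition]
actionstart = ipset create fail2ban-<name> hash:ip timeout <bantime>'

NEW_CONF='[Definition]
actionstart = ipset create <ipmset> hash:ip timeout <bantime>
ipmset = f2b-<name>'

# Constructed stand-in for the output of `ipset list -n` (one set name per line).
IPSET_LIST='f2b-sshd'

# Print the set name a definition resolves to for the given jail.
# New-style files define "ipmset = f2b-<name>"; older ones hard-code the name
# in the actionstart line, so fall back to that when no ipmset key is present.
resolve_set_name() {
    conf="$1"; jail="$2"
    tmpl=$(printf '%s\n' "$conf" | sed -n 's/^ipmset *= *//p' | head -n 1)
    if [ -z "$tmpl" ]; then
        tmpl=$(printf '%s\n' "$conf" | sed -n 's/^actionstart *= *ipset create \([^ ]*\).*/\1/p' | head -n 1)
    fi
    printf '%s\n' "$tmpl" | sed "s/<name>/$jail/g"
}

# Succeed (exit 0) only if the set name appears, exactly, in the listing.
set_exists() {
    printf '%s\n' "$2" | grep -qx -- "$1"
}

# Report which set one definition expects and whether that set exists;
# returns 1 when it is missing, which is the condition iptables-restore fails on.
check_definition() {
    label="$1"; conf="$2"; jail="$3"; listing="$4"
    name=$(resolve_set_name "$conf" "$jail")
    if set_exists "$name" "$listing"; then
        printf '%s: expects set %s (present)\n' "$label" "$name"
    else
        printf '%s: expects set %s (MISSING, iptables-restore will fail)\n' "$label" "$name"
        return 1
    fi
}

check_definition old "$OLD_CONF" sshd "$IPSET_LIST" || true
check_definition new "$NEW_CONF" sshd "$IPSET_LIST" || true
```

On a live host, replace IPSET_LIST with the real `ipset list -n` output and the conf strings with the contents of the action file fail2ban actually loads (including any .local override) to see which name the running rules are built from.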
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx