Hi,
I'm most familiar and comfortable with iptables, and use shorewall on my firewalls. With fedora23, it appears the default has shifted to firewalld. This has created a problem for me ever since, particularly with trying to build a reasonable firewall on my mail servers, as well as interacting with fail2ban.
We typically offer submission, simap/spop, smtp, http/https, ssh, and domain services on our Internet servers. We also need snmp and nrpe for monitoring.
Does anyone have a set of reasonable firewalld rules and understand how it interacts with fail2ban that they could share? firewalld doesn't even include all these services by default, so it's necessary to do it one port at a time...
firewalld just doesn't seem to be appropriate for anything more than a desktop. I'd appreciate any ideas on how you build a firewall for fedora servers, particularly as it relates to interoperating with fail2ban and standard Internet services.
Thanks, Alex
I don't use fail2ban, so I can't vouch that these instructions work. That being said, a quick google search of "firewalld fail2ban" led me to the very first search result of: https://fedoraproject.org/wiki/Fail2ban_with_FirewallD
Do those instructions work?
On Fri, Nov 25, 2016 at 8:31 PM, Alex mysqlstudent@gmail.com wrote:
Hi,
I'm most familiar and comfortable with iptables, and use shorewall on my firewalls. With fedora23, it appears the default has shifted to firewalld. This has created a problem for me ever since, particularly with trying to build a reasonable firewall on my mail servers, as well as interacting with fail2ban.
We typically offer submission, simap/spop, smtp, http/https, ssh, and domain services on our Internet servers. We also need snmp and nrpe for monitoring.
Does anyone have a set of reasonable firewalld rules and understand how it interacts with fail2ban that they could share? firewalld doesn't even include all these services by default, so it's necessary to do it one port at a time...
firewalld just doesn't seem to be appropriate for anything more than a desktop. I'd appreciate any ideas on how you build a firewall for fedora servers, particularly as it relates to interoperating with fail2ban and standard Internet services.
Thanks, Alex
Alex writes:
We typically offer submission, simap/spop, smtp, http/https, ssh, and domain services on our Internet servers. We also need snmp and nrpe for monitoring.
Does anyone have a set of reasonable firewalld rules and understand how it interacts with fail2ban that they could share? firewalld doesn't even include all these services by default, so it's necessary to do it one port at a time...
firewalld just doesn't seem to be appropriate for anything more than a desktop. I'd appreciate any ideas on how you build a firewall for fedora servers, particularly as it relates to interoperating with fail2ban and standard Internet services.
Well, you can simply start with the stock server firewall configuration. I don't recall, offhand, which ports it opens by default. Simply look at the default configuration, and make sure that all those ports are open. That's it.
On 11/26/16 09:31, Alex wrote:
We typically offer submission, simap/spop, smtp, http/https, ssh, and domain services on our Internet servers. We also need snmp and nrpe for monitoring.
Except for "nrpe" (maybe known by a different name?) all of the services you mention can be selected in the firewalld-applet and can also be specified in the firewall-cmd command line interface.
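Since the question asks for a reasonable firewalld rule set for exactly these services, and this reply points out that all of them except nrpe can be expressed through firewall-cmd, here is an added example (not from anyone in the thread) that builds that rule set as a reviewable plan. It assumes the Internet-facing zone is "public", that firewalld ships service definitions under the names listed in SERVICES, and that nrpe listens on 5666/tcp (the Nagios default); none of those are stated on the page, so adjust them to your host. The custom-service step uses firewall-cmd's --new-service and --service=... --add-port options so the zone keeps using service names rather than bare ports.

```shell
#!/bin/sh
# Added example, not part of the original thread.
# Assumptions (not on the page): zone "public" faces the Internet, firewalld
# has service definitions named as in SERVICES, and NRPE uses 5666/tcp.

ZONE="${FW_ZONE:-public}"

# firewalld service names matching the thread's list:
# ssh, http/https, smtp, submission, imaps/pop3s, domain, snmp.
SERVICES="ssh http https smtp smtp-submission imaps pop3s dns snmp"

# Services firewalld has no definition for get a custom service (name:port/proto).
CUSTOM="nrpe:5666/tcp"

# Print the firewall-cmd commands that would be run. Output only: nothing is
# changed, so the plan can be reviewed on a machine without firewalld.
fw_plan() {
    for c in $CUSTOM; do
        name=${c%%:*}; port=${c#*:}
        echo "firewall-cmd --permanent --new-service=$name"
        echo "firewall-cmd --permanent --service=$name --add-port=$port"
        echo "firewall-cmd --permanent --zone=$ZONE --add-service=$name"
    done
    for s in $SERVICES; do
        echo "firewall-cmd --permanent --zone=$ZONE --add-service=$s"
    done
    # Permanent rules only take effect after a reload.
    echo "firewall-cmd --reload"
}

# Run the plan, then read the runtime zone back so the result is verified
# rather than assumed. Stops at the first command that fails.
fw_apply() {
    fw_plan | while read -r cmd; do
        echo "+ $cmd"
        $cmd || exit 1
    done
    firewall-cmd --zone="$ZONE" --list-services
}

# Number of services the plan enables in the zone (custom ones included).
fw_plan_service_count() {
    fw_plan | grep -c -- '--add-service='
}

case "$1" in
    apply) fw_apply ;;      # sh fw-plan.sh apply   (as root, on the server)
    *)     fw_plan ;;       # sh fw-plan.sh         (just print the plan)
esac
```

Run it without arguments first and read the plan; once it matches what the host should expose, run it with `apply` and compare the `--list-services` output against the list you expect, since a service name that firewalld does not know is rejected at `--add-service` time rather than silently ignored.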
On 26.11.2016, Alex wrote:
firewalld just doesn't seem to be appropriate for anything more than a desktop. I'd appreciate any ideas on how you build a firewall for fedora servers, particularly as it relates to interoperating with fail2ban and standard Internet services.
Just disable it entirely and install shorewall. That's what I'm used to doing.
On Fri, 25 Nov 2016 20:31:13 -0500 Alex wrote:
firewalld just doesn't seem to be appropriate for anything more than a desktop.
systemctl list-unit-files | fgrep firewall
systemctl disable <all units listed above>
systemctl mask <all units listed above>
Now firewalld is an inert lump.
systemctl enable iptables.service ip6tables.service
Now you have iptables back.
I've only got this working with sshd which was my main concern but I have the following that seems to work:
In /etc/fail2ban/jail.d:

$ ll
total 16
-rw-r--r--. 1 root root 270 Oct 3 17:43 00-firewalld.conf
-rw-r--r--. 1 root root 272 Oct 3 17:43 00-systemd.conf
-rw-r--r--. 1 root root 40 Mar 19 2014 fedora-firewalld.local
-rw-r--r--. 1 root root 48 Mar 1 2015 sshd.local

$ cat fedora-firewalld.local
[DEFAULT]
banaction = firewallcmd-ipset

$ cat sshd.local
[DEFAULT]
bantime = 3600

[sshd]
enabled = true
I agree though that the firewalld and fail2ban maintainers should get together and find a way to support this automatically.
Thanks, Richard
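Richard's jail.d files above work because fail2ban layers its configuration: a [DEFAULT] key set in a later .local file overrides an earlier one, and each jail section then inherits those defaults. The following is an added example (not Richard's files or fail2ban's own tooling) that reads a jail.d directory the same way to confirm the banaction is firewallcmd-ipset and a jail is enabled, then, on the server itself, checks that the hand-off to firewalld actually happened. It assumes the firewallcmd-ipset action names its sets f2b-<jail>, which is fail2ban's convention but is not stated in the thread, and that the config lives under /etc/fail2ban/jail.d unless JAIL_D says otherwise.

```shell
#!/bin/sh
# Added example, not from the thread. Assumptions (not on the page): jail.d
# layout as Richard shows it, and ipsets named f2b-<jail> by firewallcmd-ipset.

JAIL_D="${JAIL_D:-/etc/fail2ban/jail.d}"

# Effective value of a [DEFAULT] key across jail.d/*.local. Files are read in
# name order and later files win, mirroring how fail2ban layers them.
# Prints nothing if the key is never set.
jail_default() {
    key="$1"; val=""
    for f in "$JAIL_D"/*.local; do
        [ -f "$f" ] || continue
        v=$(awk -v k="$key" '
            /^\[/ { sect = $0; next }
            sect == "[DEFAULT]" && $0 ~ "^" k "[ \t]*=" {
                sub("^[^=]*=[ \t]*", ""); print
            }' "$f")
        [ -n "$v" ] && val="$v"
    done
    echo "$val"
}

# Returns 0 if some .local file sets enabled = true in the [<jail>] section.
jail_enabled() {
    jail="$1"
    for f in "$JAIL_D"/*.local; do
        [ -f "$f" ] || continue
        awk -v s="[$jail]" '
            /^\[/ { sect = $0; next }
            sect == s && $0 ~ /^enabled[ \t]*=[ \t]*true/ { found = 1 }
            END { exit (found ? 0 : 1) }' "$f" && return 0
    done
    return 1
}

# Live checks; only meaningful on the server, run as root.
check_live() {
    jail="$1"
    systemctl is-active --quiet firewalld || { echo "firewalld is not running"; return 1; }
    systemctl is-active --quiet fail2ban  || { echo "fail2ban is not running"; return 1; }
    fail2ban-client status "$jail" || return 1
    # The set the banaction populates: if it is missing, bans never reach firewalld.
    ipset list "f2b-$jail" >/dev/null || { echo "ipset f2b-$jail missing"; return 1; }
}

main() {
    jail="${1:-sshd}"
    [ "$(jail_default banaction)" = "firewallcmd-ipset" ] || {
        echo "banaction is $(jail_default banaction), not firewallcmd-ipset"; return 1; }
    jail_enabled "$jail" || { echo "jail $jail is not enabled"; return 1; }
    echo "config ok: banaction=firewallcmd-ipset bantime=$(jail_default bantime) jail=$jail"
    check_live "$jail"
}

# Usage: sh f2b-check.sh sshd   (runs the live checks only when a jail is given)
if [ -n "$1" ]; then main "$1"; fi
```

A jail whose banaction is left at the iptables default will still report bans in `fail2ban-client status`, but nothing lands in firewalld's rule set; the ipset check is what distinguishes "fail2ban thinks it banned" from "the packet filter is actually dropping".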