
My setup is the following:

fail2ban with some jails (working fine) using FirewallD to block the caught IPs.

Here is my default Firewall:

myzone
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: rcsa dhcpv6-client http https
  ports: 80/tcp 443/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
        rule family="ipv4" source address="79.48.51.171" port port="3306" protocol="tcp" accept
        rule family="ipv4" source address="155.121.53.253" port port="22" protocol="tcp" accept
        rule family="ipv4" source address="79.48.51.171" port port="22" protocol="tcp" accept

So the ports 80 and 443/tcp are open.

Then, I trigger some fail2ban rules (using an online proxy) and I get this in the firewall:

myzone
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: rcsa dhcpv6-client http https
  ports: 80/tcp 443/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
        rule family="ipv4" source address="79.48.51.171" port port="3306" protocol="tcp" accept
        rule family="ipv4" source address="155.121.53.253" port port="22" protocol="tcp" accept
        rule family="ipv4" source address="79.48.51.171" port port="22" protocol="tcp" accept
        rule family="ipv4" source address="37.58.58.206" port port="http" protocol="tcp" reject type="icmp-port-unreachable"
        rule family="ipv4" source address="37.58.58.206" port port="https" protocol="tcp" reject type="icmp-port-unreachable"

So, 2 new rules are added. Fine. Still, that IP is not rejected at all and continues to flood my server despite those rules in FirewallD.

Is there something wrong with this? I'm switching from UFW to FirewallD.

acs-f

1 Answer


Debian/Ubuntu don't have a default banaction for firewalld because that's not the default firewall for those distributions.

You should set banaction = firewallcmd-ipset, to make an ipset that fail2ban will insert banned addresses into, and which will then be called from the firewall. Red Hat systems already include this configuration bit, because they use firewalld by default. So you can simply create the same file that they include, at /etc/fail2ban/jail.d/00-firewalld.conf

[DEFAULT]
banaction = firewallcmd-ipset
Michael Hampton
  • I've tried with `firewallcmd-ipset` but it does not work either. Here is the Fail2ban output with IPSet: `2019-01-28 19:18:35,606 fail2ban.filter [16322]: INFO [login-errors] Found 68.235.61.35 - 2019-01-28 19:18:35 2019-01-28 19:18:35,696 fail2ban.actions [16322]: NOTICE [login-errors] Ban 68.235.61.35` But an `ipset list` returns nothing. – acs-f Jan 28 '19 at 18:20
  • I think you've got some other problem, then. You should look at the generated iptables rules. – Michael Hampton Jan 28 '19 at 18:21
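A cross-check for the situation in the comments above (fail2ban logs a `Ban`, but `ipset list` shows nothing), written as an added example that is not part of the question or the answer: it replays the `Ban`/`Unban` notices from the fail2ban log, parses `ipset list` output, and reports every IP fail2ban believes is banned that is present in no kernel ipset. The second `Ban` line and the ipset output are constructed sample data; the `f2b-<jail>` set names in the sample follow fail2ban's firewallcmd-ipset convention, but the parser does not rely on that naming.

```python
import re
# Log lines: the first is the one quoted in the comment above; the other two are constructed.
FAIL2BAN_LOG = """\
2019-01-28 19:18:35,696 fail2ban.actions [16322]: NOTICE [login-errors] Ban 68.235.61.35
2019-01-28 19:20:01,001 fail2ban.actions [16322]: NOTICE [sshd] Ban 203.0.113.7
2019-01-28 19:25:00,002 fail2ban.actions [16322]: NOTICE [sshd] Unban 203.0.113.7
"""

# Constructed, abbreviated `ipset list` output: the sshd set holds one entry, the login-errors set is empty.
IPSET_LIST = """\
Name: f2b-sshd
Header: family inet hashsize 1024 maxelem 65536 timeout 600
Members:
198.51.100.9 timeout 512

Name: f2b-login-errors
Header: family inet hashsize 1024 maxelem 65536 timeout 600
Members:
"""

BAN_RE = re.compile(r"fail2ban\.actions\s+\[\d+\]: NOTICE\s+\[(?P<jail>[^\]]+)\] (?P<act>Ban|Unban) (?P<ip>\S+)")

def currently_banned(log_text):
    """Replay Ban/Unban notices and return {jail: set(ips)} that fail2ban believes are banned right now."""
    banned = {}
    for line in log_text.splitlines():
        m = BAN_RE.search(line)
        if m:
            ips = banned.setdefault(m["jail"], set())
            (ips.add if m["act"] == "Ban" else ips.discard)(m["ip"])
    return banned

def ipset_members(ipset_text):
    """Parse `ipset list` output into {set_name: set(member_ips)}; 'timeout N' suffixes are dropped."""
    sets, name, in_members = {}, None, False
    for line in ipset_text.splitlines():
        if line.startswith("Name: "):
            name, in_members = line[6:].strip(), False
            sets[name] = set()
        elif line.startswith("Members:"):
            in_members = True
        elif in_members and line.strip() and name is not None:
            sets[name].add(line.split()[0])
    return sets

def missing_bans(log_text, ipset_text):
    """Per jail, the IPs fail2ban reports as banned that sit in no ipset: bans that never reached the kernel."""
    in_kernel = set().union(*ipset_members(ipset_text).values())
    return {j: sorted(ips - in_kernel) for j, ips in currently_banned(log_text).items() if ips - in_kernel}
```

Feed it the real `/var/log/fail2ban.log` and the output of `ipset list` to see which jails' bans are being logged but never installed; an empty result means the ipset side is fine and the problem is in the firewalld rules that should reference the set.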