
Firewalld actions not working with UDP #2948

alex-eri opened this issue Feb 23, 2021 · 4 comments

Comments

@alex-eri

Environment:

  • Fail2Ban version (including any possible distribution suffixes): 0.11.1-1
  • OS, including release name/version: Ubuntu/20.04.2
  • Fail2Ban installed via OS/distribution mechanisms
  • You have not applied any additional foreign patches to the codebase
  • Some customizations were done to the configuration (provide details below if so)

The issue:

Firewalld inserts

-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED,DNAT -j ACCEPT

So if the connection is already in conntrack, fail2ban can't ban it.

Steps to reproduce

It is related to SIP servers first of all, because SIP servers can't reset UDP connections. It also affects all other datagram servers.

Expected behavior

We need to move the firewalld actions to the mangle or raw tables.

@sebres
Contributor

sebres commented Feb 27, 2021

The issue is known, and the conclusion at the moment is that it is rather an issue of firewalld (at least with the iptables backend), see
#2503 (comment) and below.
In short, the solution is to reconfigure the firewalld chains (with iptables or whatever, to remove the rules affecting established connections), or to switch the backend of firewalld to nftables, or to add some additional action dropping or killing the connections of IPs that are getting banned.
Anyway, I don't see it at the moment as a fail2ban issue, just because firewalld (mis)configures it that way for established connections, so it quasi avoids usage of fail2ban.

Although I consider this a 3rd-party issue, I still think we need to provide something to help people using firewalld together with fail2ban:

  • either some enhancements of the firewalld actions, dropping or killing the connections of a banned IP (using something like tcpkill, killcx, ss etc.);
  • or even another enhancement that would somehow integrate the fail2ban chains before such whitelisting rules for established connections;
  • or at least a new wiki article for proper firewalld configuration (and a link to it in the actions and jail.conf);

@fail2ban/contributors, @fail2ban/maintainers more ideas or even PRs are welcome.
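The ordering problem from the issue body and the workarounds listed above (getting a rule ahead of the established-connection ACCEPT, or an extra action that kills the tracked connection), as one added shell example. This is not code from fail2ban or firewalld: the iptables listing is constructed to mimic the layout of firewalld's iptables backend with a fail2ban ipset rule in INPUT_direct, and the ipset name f2b-asterisk, the addresses and the function names are assumptions for illustration. By default it only prints the firewall commands; they run only when F2B_APPLY=1 is set.

```shell
#!/bin/sh
# Added example, not fail2ban's or firewalld's own code. Two parts:
#  1. ban_shadowed: given the output of `iptables -S` for the filter table,
#     report whether the firewalld "--ctstate ...ESTABLISHED... -j ACCEPT"
#     rule in INPUT is evaluated before the jump into the chain that carries
#     fail2ban's rules (INPUT_direct with firewalld's iptables backend). That
#     ordering lets an already-tracked UDP flow bypass a ban entirely.
#  2. raw_ban: build the workaround for one address: a DROP in the raw
#     table's PREROUTING chain (evaluated before the conntrack lookup, so no
#     existing flow can shortcut past it) plus a conntrack flush for it.
# The listing is CONSTRUCTED to mimic firewalld's layout; the ipset name
# f2b-asterisk and all addresses are assumptions for illustration.

SAMPLE_RULES='-P INPUT ACCEPT
-N INPUT_ZONES
-N INPUT_direct
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED,DNAT -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j INPUT_direct
-A INPUT -j INPUT_ZONES
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT_direct -p udp -m multiport --dports 5060 -m set --match-set f2b-asterisk src -j REJECT --reject-with icmp-port-unreachable'

# rule_index RULES REGEX -> 1-based index of the first rule matching the
# extended regex REGEX, or 0 when nothing matches.
rule_index() {
    n=$(printf '%s\n' "$1" | grep -nE -- "$2" | head -n 1 | cut -d: -f1)
    echo "${n:-0}"
}

# ban_shadowed RULES -> prints SHADOWED and returns 0 when the established
# connection ACCEPT comes before the fail2ban jump in INPUT; prints OK and
# returns 1 otherwise.
ban_shadowed() {
    acc=$(rule_index "$1" '^-A INPUT .*--ctstate [A-Z,]*ESTABLISHED.* -j ACCEPT')
    f2b=$(rule_index "$1" '^-A INPUT .*-j (INPUT_direct|f2b-)')
    if [ "$acc" -gt 0 ] && [ "$f2b" -gt 0 ] && [ "$acc" -lt "$f2b" ]; then
        echo SHADOWED
        return 0
    fi
    echo OK
    return 1
}

# run CMD... -> always prints the command; executes it only when F2B_APPLY=1
# is set, so the script is a dry run by default. The command's own exit
# status is deliberately not propagated.
run() {
    echo "$*"
    [ "${F2B_APPLY:-0}" = 1 ] && "$@"
    return 0
}

# raw_ban IP -> the two workaround commands for IP. The address is validated
# before it is placed on a command line; anything else is refused (status 2).
raw_ban() {
    ip="$1"
    printf '%s' "$ip" | grep -Eq '^[0-9]{1,3}(\.[0-9]{1,3}){3}$' \
        || { echo "raw_ban: refusing non-IPv4 input: $ip" >&2; return 2; }
    # raw/PREROUTING is traversed before conntrack, so the filter-table
    # ESTABLISHED ACCEPT never gets to see packets from this source.
    run firewall-cmd --direct --add-rule ipv4 raw PREROUTING 0 -s "$ip" -j DROP
    # Evict whatever flows conntrack already holds for it (conntrack-tools).
    run conntrack -D -s "$ip"
}

# Stand-alone demo on the constructed listing; nothing is executed unless
# F2B_APPLY=1 is set in the environment.
ban_shadowed "$SAMPLE_RULES" || :
raw_ban 203.0.113.7
```

The raw-table DROP is broader than fail2ban's per-port ipset rules (it drops everything from the address, before routing), and a rule added with --direct but without --permanent does not survive a firewalld reload. The conntrack flush is what actually ends an already-established UDP "connection"; a plain filter-table rule cannot do that once the ACCEPT above it has matched.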

@alex-eri
Author

The issue is solved for me by changing the table to raw.

But there is a security table. Maybe it must be set as the default in the firewalld jails?

@sebres
Contributor

sebres commented Feb 28, 2021

But there is a security table. Maybe it must be set as the default in the firewalld jails?

firewalld actions, maybe?
Anyway, I don't really know an ultimate recipe... Isn't this (as well as the PREROUTING rules) something distribution-related? I mean, does firewalld always have the same configuration across all distributions and versions? I don't think so.

@alex-eri
Author

alex-eri commented Mar 2, 2021

There are no configurations for the first rule in the text files and configs. I think it is a hardcoded default. I will check on the next installations.
