[BR]: firewallcmd-ipset.conf multiport invalid port/service `1-65535' specified #3047
Comments
Hmm... #2821 reported the opposite situation (and therefore it was fixed in a038fd5), but not even a year later it must be reverted... Still worse if this now depends on the firewalld backend (e. g. But how must the fail2ban action distinguish what exactly is expected (to be backwards and "forwards" compatible)? I'm slowly getting tired of asking: why does one use this weird wrapper "firewalld" instead of native netfilter tools like iptables/ipset or nftables?
Oh, that is a very messy situation.
No, it isn't. You should check
Imho it's a matter of taste how people like to interact with their firewalls. It's probably harder to break but easier to read this way. There is a clear statement in man firewall-cmd: We could check the backend like: I just tested it with xtables-nft-multi and xtables-legacy-multi, both work with
Agree. And I'll repeat my statement:
Many thanks!
fail2ban v0.11.2
firewalld v0.8.2
CentOS 8.3.2011
Here is the error log:
Looks like this version of firewall-cmd does accept the dports delimiter "-" in "1-65535", and it should be left as "1:65535".
Solution is to replace multiport in firewallcmd-ipset.conf:
multiport = -p <protocol> -m multiport --dports "$(echo '<port>' | sed s/:/-/g)"
to
multiport = -p <protocol> -m multiport --dports "<port>"
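Added example for this issue; it is not code from fail2ban or firewalld. It rebuilds, in plain POSIX sh, the `<port>` to `--dports` transformation behind the multiport line in firewallcmd-ipset.conf so the two variants (with and without the `sed s/:/-/g` rewrite) can be exercised offline, and it validates the port list against the iptables multiport rules (each item a port, an `N:M` range or a service name, at most 15 ports with a range counting as two, per iptables-extensions(8)) before any rewrite. Which delimiter a given firewall-cmd version accepts is exactly what this issue disputes, so it is a parameter here, not a guess. Function names and the sample port specs are this example's own.

```shell
#!/bin/sh
# Added example for this issue; not code from fail2ban or firewalld.
# Rebuilds the <port> -> "--dports" transformation from the multiport line
# in firewallcmd-ipset.conf so both variants can be exercised offline.
# Function names and sample port specs are this example's own.

# port_ok N: true when N is an integer in 1..65535.
port_ok() {
    case $1 in
    ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# What the original multiport line did to <port>: ':' range separators
# become '-', so "1:65535" turns into "1-65535".
ports_colon_to_dash() {
    printf '%s' "$1" | sed 's/:/-/g'
}

# Validate SPEC as an iptables "-m multiport --dports" argument:
# comma separated; each item is N, N:M (1 <= N <= M <= 65535) or a
# service name; at most 15 ports in total, a range counting as two
# (limits from iptables-extensions(8)). Returns 0 if valid, 1 otherwise
# with the reason on stderr. Service names (e.g. "ssh") are accepted
# without a lookup here; iptables resolves them itself.
multiport_check() {
    spec=$1
    slots=0
    oldifs=$IFS
    IFS=,
    for item in $spec; do
        case $item in
        '')
            IFS=$oldifs; echo "empty item in '$spec'" >&2; return 1 ;;
        [a-zA-Z]*)
            slots=$((slots + 1)) ;;
        *:*)
            lo=${item%%:*}; hi=${item#*:}
            if ! port_ok "$lo" || ! port_ok "$hi" || [ "$lo" -gt "$hi" ]; then
                IFS=$oldifs; echo "bad range '$item'" >&2; return 1
            fi
            slots=$((slots + 2)) ;;
        *)
            # "1-65535" lands here: '-' is not iptables range syntax.
            if ! port_ok "$item"; then
                IFS=$oldifs; echo "bad port '$item'" >&2; return 1
            fi
            slots=$((slots + 1)) ;;
        esac
    done
    IFS=$oldifs
    if [ "$slots" -gt 15 ]; then
        echo "too many ports ($slots > 15) in '$spec'" >&2; return 1
    fi
    return 0
}

# multiport_rule PROTO SPEC DELIM: print the "-p ... -m multiport --dports"
# fragment the action would hand to firewall-cmd --direct. SPEC is checked
# in iptables syntax first; DELIM is the range separator the installed
# firewall-cmd/backend accepts (':' as iptables uses it, '-' as the sed
# rewrite produced). Which one a given firewalld version wants is what this
# issue is about, so it is a parameter here rather than a guess.
multiport_rule() {
    proto=$1; spec=$2; delim=${3:-:}
    multiport_check "$spec" || return 1
    if [ "$delim" = '-' ]; then
        dports=$(ports_colon_to_dash "$spec")
    else
        dports=$spec
    fi
    printf '%s\n' "-p $proto -m multiport --dports $dports"
}

# Constructed sample: the sshd jail's port "ssh" plus the range from the
# report, rendered both ways.
multiport_rule tcp 'ssh,1:65535' ':'
multiport_rule tcp 'ssh,1:65535' '-'
```

Running it prints the fragment once in iptables syntax (`ssh,1:65535`) and once as the original sed rewrite produced it (`ssh,1-65535`); feeding the rewritten form back into `multiport_check` fails, which is the mismatch the error in the title reports when the underlying tool expects iptables syntax.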