From 39711cf6c2ec5a3b4480dcb4800cc3802bda5bf2 Mon Sep 17 00:00:00 2001 From: Lukasz Kasprzak Date: Fri, 20 Mar 2026 19:16:32 +0100 Subject: feat: first fully successful run e2e on straper --- .../action.d/firewallcmd-rich-rules.conf | 44 ++++++++++++++++++++++ 1 file changed, 44 insertions(+) create mode 100644 straper/db/public/fail2ban/etc-fail2ban/action.d/firewallcmd-rich-rules.conf (limited to 'straper/db/public/fail2ban/etc-fail2ban/action.d/firewallcmd-rich-rules.conf') diff --git a/straper/db/public/fail2ban/etc-fail2ban/action.d/firewallcmd-rich-rules.conf b/straper/db/public/fail2ban/etc-fail2ban/action.d/firewallcmd-rich-rules.conf new file mode 100644 index 0000000..75a27d8 --- /dev/null +++ b/straper/db/public/fail2ban/etc-fail2ban/action.d/firewallcmd-rich-rules.conf @@ -0,0 +1,44 @@ +# Fail2Ban configuration file +# +# Author: Donald Yandt +# +# Because of the rich rule commands requires firewalld-0.3.1+ +# This action uses firewalld rich-rules which gives you a cleaner iptables since it stores rules according to zones and not +# by chain. So for an example all deny rules will be listed under _deny. +# +# If you use the --permanent rule you get a xml file in /etc/firewalld/zones/.xml that can be shared and parsed easliy +# +# Example commands to view rules: +# firewall-cmd [--zone=] --list-rich-rules +# firewall-cmd [--zone=] --list-all +# firewall-cmd [--zone=zone] --query-rich-rule='rule' + +[INCLUDES] + +before = firewallcmd-common.conf + +[Definition] + +actionstart = + +actionstop = + +actioncheck = + +#you can also use zones and/or service names. +# +# zone example: +# firewall-cmd --zone= --add-rich-rule="rule family='ipv4' source address='' port port='' protocol='' " +# +# service name example: +# firewall-cmd --zone= --add-rich-rule="rule family='ipv4' source address='' service name='' " +# +# Because rich rules can only handle single or a range of ports we must split ports and execute the command for each port. Ports can be single and ranges separated by a comma or space for an example: http, https, 22-60, 18 smtp + +fwcmd_rich_rule = rule family='' source address='' port port='$p' protocol='' %(rich-suffix)s + +actionban = ports=""; for p in $(echo $ports | tr ", " " "); do firewall-cmd --add-rich-rule="%(fwcmd_rich_rule)s"; done + +actionunban = ports=""; for p in $(echo $ports | tr ", " " "); do firewall-cmd --remove-rich-rule="%(fwcmd_rich_rule)s"; done + +rich-suffix = \ No newline at end of file -- cgit v1.3