# Fail2Ban configuration file
#
# Author: Donald Yandt
#
# Because the rich rule commands require firewalld-0.3.1+
# This action uses firewalld rich-rules, which gives you a cleaner iptables since it stores rules according to zones and not
# by chain. So, for example, all deny rules will be listed under <zone>_deny.
#
# If you use the --permanent rule you get an xml file in /etc/firewalld/zones/<zone>.xml that can be shared and parsed easily
#
# Example commands to view rules:
# firewall-cmd [--zone=<zone>] --list-rich-rules
# firewall-cmd [--zone=<zone>] --list-all
# firewall-cmd [--zone=<zone>] --query-rich-rule='rule'

[INCLUDES]

before = firewallcmd-common.conf

[Definition]

actionstart =

actionstop =

actioncheck =

# You can also use zones and/or service names.
#
# zone example:
# firewall-cmd --zone=<zone> --add-rich-rule="rule family='ipv4' source address='<ip>' port port='<port>' protocol='<protocol>' <rich-blocktype>"
#
# service name example:
# firewall-cmd --zone=<zone> --add-rich-rule="rule family='ipv4' source address='<ip>' service name='<service>' <rich-blocktype>"
#
# Because rich rules can only handle a single port or a single range of ports, we must split the ports and execute the command once per port.
# Ports can be single values and ranges, separated by a comma or a space, for example: http, https, 22-60, 18 smtp

fwcmd_rich_rule = rule family='<family>' source address='<ip>' port port='$p' protocol='<protocol>' %(rich-suffix)s

actionban = ports="$(echo '<port>' | sed s/:/-/g)"; for p in $(echo $ports | tr ", " " "); do firewall-cmd --add-rich-rule="%(fwcmd_rich_rule)s"; done

actionunban = ports="$(echo '<port>' | sed s/:/-/g)"; for p in $(echo $ports | tr ", " " "); do firewall-cmd --remove-rich-rule="%(fwcmd_rich_rule)s"; done

rich-suffix = <rich-blocktype>
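As an added example (not part of the fail2ban action file above), the shell function below reproduces the port splitting that actionban performs but prints the resulting rich rules instead of invoking firewall-cmd, so you can preview what a jail's port setting expands to before any rule reaches the firewall. It assumes the tags <port>, <ip>, <family>, <protocol> and <rich-blocktype> arrive as shell arguments, and uses a constructed source address and block type.

```shell
#!/bin/sh
# Added example, not fail2ban's own code: dry-run of the actionban port expansion.
# Assumption: the action tags are passed in as positional arguments.
# Usage: rich_rules_for <port> <ip> <family> <protocol> <rich-blocktype>
rich_rules_for() {
    # fail2ban writes port ranges as 22:60, firewalld rich rules want 22-60
    ports="$(echo "$1" | sed s/:/-/g)"
    # commas and spaces both separate entries, exactly as the action's `tr ", " " "` does
    for p in $(echo "$ports" | tr ", " " "); do
        printf "rule family='%s' source address='%s' port port='%s' protocol='%s' %s\n" \
            "$3" "$2" "$p" "$4" "$5"
    done
}

# Number of firewall-cmd invocations a given <port> setting would trigger
count_rules() {
    rich_rules_for "$1" "$2" "$3" "$4" "$5" | wc -l | tr -d ' '
}

# Stand-alone run with constructed values: the port string taken from the
# action file's own comment, a documentation IP, and a sample block type.
rich_rules_for "http, https, 22:60, 18 smtp" "203.0.113.7" "ipv4" "tcp" \
    "reject type='icmp-port-unreachable'" \
    | sed 's/^/firewall-cmd --add-rich-rule="/; s/$/"/'
```

Each printed line is one rule the action would add (and actionunban would later remove); note that the action file above never passes --permanent, so these rules live only until firewalld reloads.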