I don't use firewalld, but can someone please post the command to show the relevant firewalld rule? The OP has established the ipset set is being written to so the next piece in the chain is to establish if the firewalld rule is there. If it is not then he can go searching the logs and do more troubleshooting.
Nick

On 2016-10-04 04:15, Orion Poplawski wrote:
> On 10/02/2016 06:46 PM, Alex wrote:
>> Hi,
>> I'm using fail2ban-0.9.3 on fedora22 and have configured it with
>> firewalld and ipset. I'm more familiar with iptables, not this new
>> firewalld layout, so I'm really not sure how to tell if it's working
>> properly.
>>
>> I have a postfix-sasl jail configured as such:
>>
>> [postfix-sasl]
>> #port = smtp,465,submission
>> port = smtp,587,submission
>> logpath = %(postfix_log)s
>> enabled = true
>> logencoding=utf-8
>>
>> /var/log/fail2ban.log shows these entries:
>>
>> fail2ban.filter [19398]: INFO [postfix-sasl] Found
>> 12.234.0.173
>> fail2ban.actions [19398]: NOTICE [postfix-sasl] Ban
>> 12.234.0.173
>>
>> ipset list shows me:
>>
>> Name: fail2ban-postfix-sasl
>> Type: hash:ip
>> Revision: 4
>> Header: family inet hashsize 1024 maxelem 65536 timeout 5200
>> Size in memory: 1856
>> References: 1
>> Members:
>> 12.234.0.173 timeout 4068
>> 179.189.205.12 timeout 152
>> 184.2.47.206 timeout 390
>> 113.69.178.121 timeout 1522
>>
>> Does this say that 12.234.0.173 is indeed currently blocked on port
>> 589 for the next 4068 seconds?
>>
>> firewalld is running, but I don't know how to produce a list of all
>> IPs that are currently being blocked. "iptables -nL", as I usually
>> would run, shows there are no entries for any of the chains that are
>> listed (except for 192.168.122.0/24 as part of virbr0). Does that mean
>> the rules aren't being added properly by fail2ban?
>
> I suspect something isn't setting up the ipset rule properly in the
> first place. Check /var/log/fail2ban.log around the time of fail2ban
> startup.
>
> Also, are you sure you're using a firewalld action? What does
> 'fail2ban-client get postfix-sasl action' show?
>
> Finally, Fedora 22 is EOL and you really should upgrade.
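The check discussed in this thread, as an added example that is not part of the original messages and not fail2ban's own code: an address is only dropped if it is a member of the set and a firewall rule matches on that set. The function names are hypothetical, the ipset text is abridged from the thread, and the rule line is constructed and assumes a firewalld direct rule using `--match-set`.

```shell
#!/bin/sh
# Sample input: ipset text abridged from the thread; the rule line is
# constructed to resemble a firewalld direct rule matching on the set.
SAMPLE_IPSET='Name: fail2ban-postfix-sasl
Type: hash:ip
References: 1
Members:
12.234.0.173 timeout 4068
179.189.205.12 timeout 152'
SAMPLE_RULES='ipv4 filter INPUT_direct 0 -p tcp -m multiport --dports smtp,587,submission -m set --match-set fail2ban-postfix-sasl src -j REJECT'

# Print the "References:" count (kernel users of the set, such as
# iptables rules) from `ipset list SET` text on stdin; 0 if absent.
set_references() {
    awk '$1 == "References:" { print $2; f = 1; exit } END { if (!f) print 0 }'
}

# Succeed if IP ($1) appears under "Members:" in the ipset text on stdin.
is_member() {
    awk -v ip="$1" '$1 == "Members:" { m = 1; next }
                    m && $1 == ip { ok = 1 } END { exit !ok }'
}

# Print rules from stdin that match on set $1. Feed it the output of
# `firewall-cmd --direct --get-all-rules` or `iptables -S`.
rules_using_set() {
    grep -E -- "--match-set[[:space:]]+$1([[:space:]]|\$)" || true
}

# check_ban SET IP IPSET_TEXT RULES_TEXT: print a verdict, return 0 if blocked.
check_ban() {
    refs=$(printf '%s\n' "$3" | set_references)
    rules=$(printf '%s\n' "$4" | rules_using_set "$1")
    if ! printf '%s\n' "$3" | is_member "$2"; then
        echo "not-in-set"; return 1
    fi
    if [ "$refs" -lt 1 ] || [ -z "$rules" ]; then
        echo "set-not-referenced"; return 1
    fi
    echo "blocked"
}

# Offline run on the sample data. On a live host, pass instead:
#   "$(ipset list fail2ban-postfix-sasl)" "$(firewall-cmd --direct --get-all-rules)"
check_ban fail2ban-postfix-sasl 12.234.0.173 "$SAMPLE_IPSET" "$SAMPLE_RULES"
```

A verdict of `set-not-referenced` means bans are being recorded in the set but nothing in the firewall is consulting it.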
_______________________________________________
Fail2ban-users mailing list
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
