Your key is this line:

ipv4 filter INPUT 0 -p tcp -m multiport --dports smtp,587,submission -m set --match-set fail2ban-postfix src -j REJECT --reject-with icmp-port-unreachable

It looks very similar to iptables. This rule more or less says block tcp:25,587,465 for any source IPs which exist in the ipset set fail2ban-postfix. It is that set which contains the individual IPs which are being blocked. This means you need to use ipset commands to see what is being blocked.

Ipset is massively more efficient than individual rules when blocking a load of IPs. There is probably not much difference in speed when blocking the odd IP or two. With iptables it takes much more time to load individual rules than it does to load ipset sets.

There is obviously a trade-off between speed and readability. Individual rules are slower but more readable. Rules using ipset are faster but less readable.

Nick

On 2016-10-05 00:31, Alex wrote:
> Hi,
>
> On Tue, Oct 4, 2016 at 10:55 AM, Orion Poplawski <[email protected]> wrote:
>> On 10/04/2016 07:53 AM, Alex wrote:
>>> Hi,
>>>
>>> On Mon, Oct 3, 2016 at 11:15 PM, Orion Poplawski <[email protected]> wrote:
>>>> On 10/02/2016 06:46 PM, Alex wrote:
>>>>>
>>>>> Hi,
>>>>> I'm using fail2ban-0.9.3 on fedora22 and have configured it with
>>>>> firewalld and ipset. I'm more familiar with iptables, not this new
>>>>> firewalld layout, so I'm really not sure how to tell if it's working
>>>>> properly.
>>>>>
>>>>> I have a postfix-sasl jail configured as such:
>>>>>
>>>>> [postfix-sasl]
>>>>> #port = smtp,465,submission
>>>>> port = smtp,587,submission
>>>>> logpath = %(postfix_log)s
>>>>> enabled = true
>>>>> logencoding=utf-8
>>>>>
>>>>> /var/log/fail2ban.log shows these entries:
>>>>>
>>>>> fail2ban.filter [19398]: INFO [postfix-sasl] Found 12.234.0.173
>>>>> fail2ban.actions [19398]: NOTICE [postfix-sasl] Ban 12.234.0.173
>>>>>
>>>>> ipset list shows me:
>>>>>
>>>>> Name: fail2ban-postfix-sasl
>>>>> Type: hash:ip
>>>>> Revision: 4
>>>>> Header: family inet hashsize 1024 maxelem 65536 timeout 5200
>>>>> Size in memory: 1856
>>>>> References: 1
>>>>> Members:
>>>>> 12.234.0.173 timeout 4068
>>>>> 179.189.205.12 timeout 152
>>>>> 184.2.47.206 timeout 390
>>>>> 113.69.178.121 timeout 1522
>>>>>
>>>>> Does this say that 12.234.0.173 is indeed currently blocked on port
>>>>> 589 for the next 4068 seconds?
>>>>>
>>>>> firewalld is running, but I don't know how to produce a list of all
>>>>> IPs that are currently being blocked. "iptables -nL", as I usually
>>>>> would run, shows there are no entries for any of the chains that are
>>>>> listed (except for 192.168.122.0/24 as part of virbr0). Does that mean
>>>>> the rules aren't being added properly by fail2ban?
>>>>
>>>> I suspect something isn't setting up the ipset rule properly in the first
>>>> place. Check /var/log/fail2ban.log around the time of fail2ban startup.
>>>
>>> There isn't anything relating to firewalld or ipset, but I suspect
>>> this is the problem.
>>>
>>> Is ipset what actually adds the netfilter rules, instead of iptables
>>> these days?
>>>
>>>> Also, are you sure you're using a firewalld action? What does
>>>> 'fail2ban-client get postfix-sasl action' show?
>>>
>>> Is it even possible to operate fail2ban without firewalld anymore? It
>>> was my understanding that it requires firewalld. If not, I'd like to
>>> configure it without, because I don't like the abstraction and lack of
>>> ability to configure source access easily.
>>>
>>> # fail2ban-client get postfix-sasl action
>>> WARNING 'pidfile' not defined in 'Definition'. Using default one: '/var/run/fail2ban/fail2ban.pid'
>>> ERROR NOK: ('list index out of range',)
>>> Sorry but the command is invalid
>>
>> oops, I guess it's 'fail2ban-client get postfix-sasl actions'
>
> # fail2ban-client get postfix actions
> WARNING 'pidfile' not defined in 'Definition'. Using default one: '/var/run/fail2ban/fail2ban.pid'
> The jail postfix has the following actions:
> firewallcmd-ipset
>
> I'm still unsure why it doesn't create any actual firewall entries,
> despite no errors in fail2ban.log and entries showing otherwise:
>
> 2016-10-04 18:16:20,822 fail2ban.actions [12460]: NOTICE [postfix-sasl] Ban 113.69.178.13
>
> # fail2ban-client status postfix-sasl
> WARNING 'pidfile' not defined in 'Definition'. Using default one: '/var/run/fail2ban/fail2ban.pid'
> Status for the jail: postfix-sasl
> |- Filter
> |  |- Currently failed: 0
> |  |- Total failed: 154
> |  `- File list: /var/log/maillog
> `- Actions
>    |- Currently banned: 3
>    |- Total banned: 26
>    `- Banned IP list: 195.24.206.78 183.158.98.195 113.69.178.13
>
> # firewall-cmd --direct --get-all-rules
> ipv4 filter INPUT 0 -p tcp -m multiport --dports smtp,587,submission -m set --match-set fail2ban-postfix src -j REJECT --reject-with icmp-port-unreachable
> ipv4 filter INPUT 0 -p tcp -m multiport --dports smtp,465,submission,imap3,imaps,pop3,pop3s -m set --match-set fail2ban-postfix-sasl src -j REJECT --reject-with icmp-port-unreachable
> ipv4 filter INPUT 0 -p tcp -m multiport --dports smtp,587,submission -m set --match-set fail2ban-postfix-rbl src -j REJECT --reject-with icmp-port-unreachable
> ipv4 filter INPUT 0 -p tcp -m multiport --dports submission,587,smtp -m set --match-set fail2ban-sendmail-auth src -j REJECT --reject-with icmp-port-unreachable
>
> iptables also shows no entries for the IPs listed above.
>
> Thanks,
> Alex

_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
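As an added example (not part of the thread and not fail2ban's own tooling), the following Python script puts Nick's point into practice: it parses captured 'ipset list' and 'firewall-cmd --direct --get-all-rules' output, joins the set membership with the direct rules that reference each set, and answers the question Alex asked, namely on which destination ports a given source address is currently rejected and for how many more seconds. The embedded samples are the ones quoted above (the firewall-cmd rules re-joined onto one line each). The service-name-to-port map is an assumption that covers only the names used in those rules; a set that a rule references but that is absent from the ipset output is treated as empty, which is exactly the "banned according to fail2ban, but not actually in the kernel" case worth catching.

```python
import re

# Sample inputs copied from the quoted thread (the firewall-cmd rules were
# line-wrapped in the e-mail and are joined back onto one line per rule).
IPSET_LIST = """\
Name: fail2ban-postfix-sasl
Type: hash:ip
Revision: 4
Header: family inet hashsize 1024 maxelem 65536 timeout 5200
Size in memory: 1856
References: 1
Members:
12.234.0.173 timeout 4068
179.189.205.12 timeout 152
184.2.47.206 timeout 390
113.69.178.121 timeout 1522
"""

DIRECT_RULES = """\
ipv4 filter INPUT 0 -p tcp -m multiport --dports smtp,587,submission -m set --match-set fail2ban-postfix src -j REJECT --reject-with icmp-port-unreachable
ipv4 filter INPUT 0 -p tcp -m multiport --dports smtp,465,submission,imap3,imaps,pop3,pop3s -m set --match-set fail2ban-postfix-sasl src -j REJECT --reject-with icmp-port-unreachable
ipv4 filter INPUT 0 -p tcp -m multiport --dports smtp,587,submission -m set --match-set fail2ban-postfix-rbl src -j REJECT --reject-with icmp-port-unreachable
ipv4 filter INPUT 0 -p tcp -m multiport --dports submission,587,smtp -m set --match-set fail2ban-sendmail-auth src -j REJECT --reject-with icmp-port-unreachable
"""

# Assumed service-name map (normally resolved via /etc/services); it covers
# only the names that appear in the rules above.
SERVICE_PORTS = {"smtp": 25, "submission": 587, "imap3": 220,
                 "imaps": 993, "pop3": 110, "pop3s": 995}


def to_port(token):
    """Normalise a --dports token ('smtp' or '587') to an integer port."""
    if token.isdigit():
        return int(token)
    if token in SERVICE_PORTS:
        return SERVICE_PORTS[token]
    raise ValueError("unknown service name: %s" % token)


def parse_ipset_list(text):
    """Parse 'ipset list' output into {set_name: {member: timeout_or_None}}."""
    sets = {}
    current = None
    in_members = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:                       # a blank line separates two sets
            in_members = False
            continue
        if line.startswith("Name:"):
            current = line.split(":", 1)[1].strip()
            sets[current] = {}
            in_members = False
        elif line == "Members:":
            in_members = True
        elif in_members and current is not None:
            parts = line.split()           # e.g. "12.234.0.173 timeout 4068"
            timeout = None                 # sets without timeouts list bare members
            if "timeout" in parts:
                timeout = int(parts[parts.index("timeout") + 1])
            sets[current][parts[0]] = timeout
    return sets


RULE_RE = re.compile(
    r"--dports\s+(?P<ports>\S+).*?--match-set\s+(?P<set>\S+)\s+src.*?-j\s+(?P<target>\S+)")


def parse_direct_rules(text):
    """Parse 'firewall-cmd --direct --get-all-rules' lines that match on an ipset."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.search(line)
        if m:
            rules.append({"set": m.group("set"),
                          "ports": sorted({to_port(p) for p in m.group("ports").split(",")}),
                          "target": m.group("target")})
    return rules


def blocked_ports(ip, sets, rules):
    """Return {port: remaining_timeout} for every port on which `ip` is rejected."""
    result = {}
    for rule in rules:
        members = sets.get(rule["set"], {})   # set missing from the kernel -> nothing blocked
        if ip in members:
            for port in rule["ports"]:
                result[port] = members[ip]
    return result


if __name__ == "__main__":
    sets = parse_ipset_list(IPSET_LIST)
    rules = parse_direct_rules(DIRECT_RULES)
    for ip in ("12.234.0.173", "113.69.178.13"):
        print(ip, blocked_ports(ip, sets, rules))
```

On a live host the two inputs come straight from 'ipset list' and 'firewall-cmd --direct --get-all-rules'; an address that fail2ban-client reports as banned but that blocked_ports returns an empty dict for is one where the action never reached the kernel, which is the symptom Alex describes.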
