Hi,

On Wed, Oct 5, 2016 at 3:11 AM, Nick Howitt <[email protected]> wrote:
> Your key is this line:
>
> ipv4 filter INPUT 0 -p tcp -m multiport --dports smtp,587,submission -m set --match-set fail2ban-postfix src -j REJECT --reject-with icmp-port-unreachable
>
> It looks very similar to iptables. This rule more or less says block
> tcp:25,587,465 for any source IPs which exist in the ipset set
> fail2ban-postfix. It is that set which contains the individual IPs which
> are being blocked. This means you need to use ipset commands to see what is
> being blocked.
>
> Ipset is massively more efficient than individual rules when blocking a load
> of IPs. There is probably not much difference in speed when blocking the
> odd IP or two. With iptables it takes much more time to load individual
> rules than it does to load ipset sets. There is obviously a trade-off
> between speed and readability. Individual rules are slower but more
> readable. Rules using ipset are faster but less readable.
Does that mean that ipset rules can't be displayed with iptables?

Here's the ipset output for the postfix-sasl rule:

Name: fail2ban-postfix-sasl
Type: hash:ip
Revision: 4
Header: family inet hashsize 1024 maxelem 65536 timeout 5200
Size in memory: 2240
References: 1
Members:
91.197.232.70 timeout 2327
47.48.237.194 timeout 957
95.80.77.100 timeout 4705
12.234.0.173 timeout 2146
173.164.133.254 timeout 3374

I had included this with the initial post, but perhaps it got lost in the thread. Is this enough of a confirmation that the rules are actually being added? It seemed like despite entries such as these, there were still multiple entries following it in the fail2ban.log.

Thanks,
Alex

_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
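As an added illustration (not part of the thread, and not fail2ban's or ipset's own code): `iptables -L INPUT -n -v` only shows the one rule that references the set (`match-set fail2ban-postfix src`) together with its packet counters, so the individual banned addresses and their remaining timeouts are visible only in `ipset list <set>` output, which is what the reply above pasted. The script below parses that listing and answers the question a defender actually has: is a given address currently in the set, how long until its ban lapses, and which entries are about to expire (a ban that expires and is then re-added is one reason the same IP keeps reappearing in fail2ban.log). The embedded listing is the one from the reply above; on a live host, substitute `SAMPLE_IPSET_LIST="$(ipset list fail2ban-postfix-sasl)"`. Function names are this example's own.

```shell
#!/bin/sh
# Added example: inspect an `ipset list` listing to confirm which addresses
# fail2ban has actually banned. The listing below is the one posted in the
# thread; replace it with live output from `ipset list fail2ban-postfix-sasl`.
SAMPLE_IPSET_LIST='Name: fail2ban-postfix-sasl
Type: hash:ip
Revision: 4
Header: family inet hashsize 1024 maxelem 65536 timeout 5200
Size in memory: 2240
References: 1
Members:
91.197.232.70 timeout 2327
47.48.237.194 timeout 957
95.80.77.100 timeout 4705
12.234.0.173 timeout 2146
173.164.133.254 timeout 3374'

# Print only the member lines, i.e. everything after the "Members:" header.
ipset_members() {
    printf '%s\n' "$1" | awk 'found { print } /^Members:/ { found = 1 }'
}

# Exit 0 and print the remaining ban time (seconds) if IP $2 is in listing $1;
# exit 1 if it is not a member. (Equivalent to `ipset test SET IP` on a live host.)
ipset_ban_remaining() {
    ipset_members "$1" | awk -v ip="$2" '
        $1 == ip { print $3; hit = 1 }
        END { exit hit ? 0 : 1 }'
}

# Number of addresses currently banned in the listing.
ipset_member_count() {
    ipset_members "$1" | wc -l | tr -d ' '
}

# Addresses whose ban lapses in fewer than $2 seconds: these are the entries
# that may show up again in fail2ban.log once the timeout runs out.
ipset_expiring_soon() {
    ipset_members "$1" | awk -v limit="$2" '$3 + 0 < limit + 0 { print $1 }'
}

# Stand-alone usage: summarise the listing and check one address.
if [ "${0##*/}" != "sh" ] && [ -z "${IPSET_CHECK_NO_MAIN:-}" ]; then
    echo "banned entries: $(ipset_member_count "$SAMPLE_IPSET_LIST")"
    echo "expiring within 1000s: $(ipset_expiring_soon "$SAMPLE_IPSET_LIST" 1000)"
    if remaining=$(ipset_ban_remaining "$SAMPLE_IPSET_LIST" 47.48.237.194); then
        echo "47.48.237.194 is banned, ${remaining}s left"
    else
        echo "47.48.237.194 is not banned"
    fi
fi
```

A membership hit with a sane remaining timeout confirms the ban is in place; repeated log lines for that address after the hit mean the REJECT rule is not matching (check `iptables -L INPUT -n -v` counters and that the rule sits above any ACCEPT for those ports), while repeated lines only after the timeout lapses point at bantime being shorter than the attacker's retry interval.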
