On 2016-10-05 15:30, Alex wrote:
> Hi,
>
> On Wed, Oct 5, 2016 at 3:11 AM, Nick Howitt <[email protected]> wrote:
>> Your key is this line:
>>
>> ipv4 filter INPUT 0 -p tcp -m multiport --dports smtp,587,submission -m set
>> --match-set fail2ban-postfix src -j REJECT --reject-with icmp-port-unreachable
>>
>> It looks very similar to iptables. This rule more or less says block
>> tcp:25,587,465 for any source IPs which exist in the ipset set
>> fail2ban-postfix. It is that set which contains the individual IPs which
>> are being blocked. This means you need to use ipset commands to see what is
>> being blocked.
>>
>> Ipset is massively more efficient than individual rules when blocking a load
>> of IPs. There is probably not much difference in speed when blocking the
>> odd IP or two. With iptables it takes much more time to load individual
>> rules than it does to load ipset sets. There is obviously a trade-off
>> between speed and readability. Individual rules are slower but more
>> readable. Rules using ipset are faster but less readable.
>
> Does that mean that ipset rules can't be displayed with iptables?
> Here's the ipset output for the postfix-sasl rule:
>
> Name: fail2ban-postfix-sasl
> Type: hash:ip
> Revision: 4
> Header: family inet hashsize 1024 maxelem 65536 timeout 5200
> Size in memory: 2240
> References: 1
> Members:
> 91.197.232.70 timeout 2327
> 47.48.237.194 timeout 957
> 95.80.77.100 timeout 4705
> 12.234.0.173 timeout 2146
> 173.164.133.254 timeout 3374
>
> I had included this with the initial post, but perhaps it got lost in
> the thread. Is this enough of a confirmation that the rules are
> actually being added?
>
> It seemed like despite entries such as these, there were still
> multiple entries following it in the fail2ban.log.
>
> Thanks,
> Alex

If you use ipset, it is a two-stage process to get a proper confirmation of the rules being added. You need to check the firewall listing (iptables or firewalld) has a rule in place matching the ipset set, and you need to check the ipset set contains the relevant IP. This means that just listing the ipset set as you have above is not enough.
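The two-stage confirmation described above, as an added example script that is not part of this thread or of fail2ban itself. It runs both checks offline over constructed samples of `iptables -S INPUT` and `ipset list` output (the member lines are the ones Alex pasted; the 203.0.113.9 address is a made-up non-member), so that the verdict logic can be read and tried without root. The set name `fail2ban-postfix-sasl` is taken from Alex's listing; the function names are this example's own. One caveat a reader of the quoted rule may want: in `/etc/services` the `submission` service is port 587, so `--dports smtp,587,submission` covers 25 and 587 only; port 465 (`smtps`) is not in that rule unless listed explicitly.

```sh
#!/bin/sh
# Added example, not from the thread: the two-stage check that an IP is
# actually blocked when fail2ban bans via an ipset set.
#   Stage 1: a firewall rule references the set (iptables -S / firewall-cmd).
#   Stage 2: the set itself contains the IP (ipset list / ipset test).
# Listing the set alone (stage 2) proves nothing if no rule consults it.
#
# All inputs below are CONSTRUCTED samples so the script runs offline.
# On a live host they come from:
#   iptables -S INPUT
#   ipset list fail2ban-postfix-sasl

# Constructed sample in `iptables -S INPUT` style. iptables prints port
# numbers, and `submission` resolves to 587, so the quoted rule's
# `smtp,587,submission` is shown as 25,587,587.
SAMPLE_IPTABLES='-P INPUT ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m multiport --dports 25,587,587 -m set --match-set fail2ban-postfix-sasl src -j REJECT --reject-with icmp-port-unreachable'

# Constructed sample where the jail never wired its rule into the chain.
SAMPLE_IPTABLES_NORULE='-P INPUT ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT'

# Constructed sample of `ipset list fail2ban-postfix-sasl`; "timeout N" on
# a member line is the remaining ban time in seconds.
SAMPLE_IPSET='Name: fail2ban-postfix-sasl
Type: hash:ip
Revision: 4
Header: family inet hashsize 1024 maxelem 65536 timeout 5200
Size in memory: 2240
References: 1
Members:
91.197.232.70 timeout 2327
47.48.237.194 timeout 957
95.80.77.100 timeout 4705'

# Stage 1: does any rule in the listing match the set as a source address?
# $1 = set name, $2 = iptables -S output. Returns 0 if found.
rule_references_set() {
    printf '%s\n' "$2" | grep -qF -e "--match-set $1 src"
}

# Cross-check for stage 1 from the ipset side: "References:" counts the
# rules (and other sets) that use this set; 0 means nothing consults it.
# $1 = ipset list output. Prints the count.
set_reference_count() {
    printf '%s\n' "$1" | awk '/^References:/ { print $2; exit }'
}

# Stage 2: is the IP a member of the set? Only lines after "Members:" are
# entries, and the first field of each is the address. Returns 0 if present.
# $1 = ip, $2 = ipset list output.
set_contains_ip() {
    printf '%s\n' "$2" | awk -v ip="$1" '
        /^Members:/            { in_members = 1; next }
        in_members && $1 == ip { found = 1 }
        END                    { if (found) exit 0; exit 1 }'
}

# Remaining ban time for a member, from its "timeout N" annotation.
# $1 = ip, $2 = ipset list output. Prints seconds, or nothing if absent.
ban_seconds_left() {
    printf '%s\n' "$2" | awk -v ip="$1" '
        /^Members:/ { in_members = 1; next }
        in_members && $1 == ip {
            for (i = 2; i < NF; i++) if ($i == "timeout") print $(i + 1)
        }'
}

# Combined verdict. Prints one line and returns:
#   0 = blocked (rule present and IP in set)
#   1 = IP in set but no rule references the set (the set is inert)
#   2 = rule present but IP not in set (ban expired or never added)
#   3 = neither
# $1 = ip, $2 = set name, $3 = iptables -S output, $4 = ipset list output.
check_ip() {
    if rule_references_set "$2" "$3"; then have_rule=yes; else have_rule=no; fi
    if set_contains_ip "$1" "$4";     then in_set=yes;    else in_set=no;    fi
    case "$have_rule,$in_set" in
        yes,yes) echo "BLOCKED: $1 (rule matches $2, $(ban_seconds_left "$1" "$4")s left)"; return 0 ;;
        no,yes)  echo "INERT: $1 is in $2 but no rule references the set";   return 1 ;;
        yes,no)  echo "NOT IN SET: rule matches $2 but $1 is not a member"; return 2 ;;
        *)       echo "NOT BLOCKED: $1";                                      return 3 ;;
    esac
}

# Stand-alone demo over the constructed samples.
for ip in 91.197.232.70 203.0.113.9; do
    check_ip "$ip" fail2ban-postfix-sasl "$SAMPLE_IPTABLES" "$SAMPLE_IPSET"
done
check_ip 91.197.232.70 fail2ban-postfix-sasl "$SAMPLE_IPTABLES_NORULE" "$SAMPLE_IPSET"
echo "References reported by ipset: $(set_reference_count "$SAMPLE_IPSET")"
```

On a real host the same two stages are `iptables -S INPUT | grep -F -- '--match-set fail2ban-postfix-sasl'` (or `firewall-cmd --direct --get-all-rules` when fail2ban drives firewalld, which is what the `ipv4 filter INPUT 0 ...` line in the thread is) followed by `ipset test fail2ban-postfix-sasl 91.197.232.70`, which exits 0 only if the address is a member. A listing that shows `References: 0` is the quickest sign that stage 1 has failed, whatever the member list says.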
_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
