fail2ban/fail2ban-0.11.2-ufw-0.36-ipv6.patch

59 lines
2.5 KiB
Diff
Raw Permalink Normal View History

From e4e7a83cffb4fb5cbb35c204795fba45c8f40c61 Mon Sep 17 00:00:00 2001
From: usernamepi <53445688+usernamepi@users.noreply.github.com>
Date: Thu, 6 May 2021 13:44:36 +0200
Subject: [PATCH] Update ufw.conf
Prerequisites:
* The ss command is available, kernel is compiled with option CONFIG_INET_DIAG_DESTROY.
* Ufw version is => 0.36 (released in 2018)
* Now using "prepend" instead of "insert" to be able to handle IPv6 addresses correctly. The current action will fail for IPv6 addresses.
* Now application names containing a space should handled correctly, solves https://github.com/fail2ban/fail2ban/pull/1532
* Now closing IPv4 and IPv6 connections (if any) from the ip that is being banned. The current action will leave them open.
Using ss to accomplish this. For this to work the kernel needs to be compiled with the CONFIG_INET_DIAG_DESTROY option.
My system apparently is compiled that way.
---
config/action.d/ufw.conf | 27 ++++++++++++++++++---------
1 file changed, 18 insertions(+), 9 deletions(-)
diff --git a/config/action.d/ufw.conf b/config/action.d/ufw.conf
index d2f731f2e6..b47fa7e772 100644
--- a/config/action.d/ufw.conf
+++ b/config/action.d/ufw.conf
@@ -13,17 +13,26 @@ actionstop =
actioncheck =
-actionban = [ -n "<application>" ] && app="app <application>"
- ufw insert <insertpos> <blocktype> from <ip> to <destination> $app
-
-actionunban = [ -n "<application>" ] && app="app <application>"
- ufw delete <blocktype> from <ip> to <destination> $app
+# ufw does "quickly process packets for which we already have a connection" in before.rules,
+# therefore all related sockets should be closed
+# actionban is using `ss` to do so, this only handles IPv4 and IPv6.
+
+actionban = if [ -n "<application>" ] && ufw app info "<application>"
+ then
+ ufw prepend <blocktype> from <ip> to <destination> app "<application>" comment "<comment>"
+ else
+ ufw prepend <blocktype> from <ip> to <destination> comment "<comment>"
+ fi
+ ss -K dst [<ip>]
+
+actionunban = if [ -n "<application>" ] && ufw app info "<application>"
+ then
+ ufw delete <blocktype> from <ip> to <destination> app "<application>"
+ else
+ ufw delete <blocktype> from <ip> to <destination>
+ fi
[Init]
-# Option: insertpos
-# Notes.: The position number in the firewall list to insert the block rule
-insertpos = 1
-
# Option: blocktype
# Notes.: reject or deny
blocktype = reject