From e4e7a83cffb4fb5cbb35c204795fba45c8f40c61 Mon Sep 17 00:00:00 2001 From: usernamepi <53445688+usernamepi@users.noreply.github.com> Date: Thu, 6 May 2021 13:44:36 +0200 Subject: [PATCH] Update ufw.conf Prerequisites: * The ss command is available, kernel is compiled with option CONFIG_INET_DIAG_DESTROY. * Ufw version is => 0.36 (released in 2018) * Now using "prepend" instead of "insert" to be able to handle IPv6 addresses correctly. The current action will fail for IPv6 addresses. * Now application names containing a space should handled correctly, solves https://github.com/fail2ban/fail2ban/pull/1532 * Now closing IPv4 and IPv6 connections (if any) from the ip that is being banned. The current action will leave them open. Using ss to accomplish this. For this to work the kernel needs to be compiled with the CONFIG_INET_DIAG_DESTROY option. My system apparently is compiled that way. --- config/action.d/ufw.conf | 27 ++++++++++++++++++--------- 1 file changed, 18 insertions(+), 9 deletions(-) diff --git a/config/action.d/ufw.conf b/config/action.d/ufw.conf index d2f731f2e6..b47fa7e772 100644 --- a/config/action.d/ufw.conf +++ b/config/action.d/ufw.conf @@ -13,17 +13,26 @@ actionstop = actioncheck = -actionban = [ -n "" ] && app="app " - ufw insert from to $app - -actionunban = [ -n "" ] && app="app " - ufw delete from to $app +# ufw does "quickly process packets for which we already have a connection" in before.rules, +# therefore all related sockets should be closed +# actionban is using `ss` to do so, this only handles IPv4 and IPv6. + +actionban = if [ -n "" ] && ufw app info "" + then + ufw prepend from to app "" comment "" + else + ufw prepend from to comment "" + fi + ss -K dst [] + +actionunban = if [ -n "" ] && ufw app info "" + then + ufw delete from to app "" + else + ufw delete from to + fi [Init] -# Option: insertpos -# Notes.: The position number in the firewall list to insert the block rule -insertpos = 1 - # Option: blocktype # Notes.: reject or deny blocktype = reject