From e4e7a83cffb4fb5cbb35c204795fba45c8f40c61 Mon Sep 17 00:00:00 2001
From: usernamepi <53445688+usernamepi@users.noreply.github.com>
Date: Thu, 6 May 2021 13:44:36 +0200
Subject: [PATCH] Update ufw.conf
Prerequisites:
* The ss command is available, kernel is compiled with option CONFIG_INET_DIAG_DESTROY.
* Ufw version is => 0.36 (released in 2018)
* Now using "prepend" instead of "insert" to be able to handle IPv6 addresses correctly. The current action will fail for IPv6 addresses.
* Now application names containing a space should be handled correctly, solves https://github.com/fail2ban/fail2ban/pull/1532
* Now closing IPv4 and IPv6 connections (if any) from the ip that is being banned. The current action will leave them open.
Using ss to accomplish this. For this to work the kernel needs to be compiled with the CONFIG_INET_DIAG_DESTROY option.
My system apparently is compiled that way.
---
config/action.d/ufw.conf | 27 ++++++++++++++++++---------
1 file changed, 18 insertions(+), 9 deletions(-)
diff --git a/config/action.d/ufw.conf b/config/action.d/ufw.conf
index d2f731f2e6..b47fa7e772 100644
--- a/config/action.d/ufw.conf
+++ b/config/action.d/ufw.conf
@@ -13,17 +13,26 @@ actionstop =
actioncheck =
-actionban = [ -n "<application>" ] && app="app <application>"
- ufw insert <insertpos> <blocktype> from <ip> to <destination> $app
-
-actionunban = [ -n "<application>" ] && app="app <application>"
- ufw delete <blocktype> from <ip> to <destination> $app
+# ufw does "quickly process packets for which we already have a connection" in before.rules,
+# therefore all related sockets should be closed
+# actionban is using `ss` to do so, this only handles IPv4 and IPv6.
+
+actionban = if [ -n "<application>" ] && ufw app info "<application>"
+ then
+ ufw prepend <blocktype> from <ip> to <destination> app "<application>" comment "<comment>"
+ else
+ ufw prepend <blocktype> from <ip> to <destination> comment "<comment>"
+ fi
+ ss -K dst [<ip>]
+
+actionunban = if [ -n "<application>" ] && ufw app info "<application>"
+ then
+ ufw delete <blocktype> from <ip> to <destination> app "<application>"
+ else
+ ufw delete <blocktype> from <ip> to <destination>
+ fi
[Init]
-# Option: insertpos
-# Notes.: The position number in the firewall list to insert the block rule
-insertpos = 1
-
# Option: blocktype
# Notes.: reject or deny
blocktype = reject
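Review bot: The `ss -K dst [<ip>]` line is the last command of actionban, so on a host whose kernel lacks CONFIG_INET_DIAG_DESTROY (or whose ss predates `-K`) a non-zero exit from ss would make fail2ban log the whole ban as failed even though the `ufw prepend` rule was already added; the commit message itself says the prerequisite is only known to hold on the author's system, and this file ships as a default action. Since killing existing sockets is a best-effort hardening step rather than the ban itself, either make it tolerant, `ss -K dst [<ip>] || true`, or gate it behind an `[Init]` option that defaults off and document the kernel requirement next to that option. Separately, actionunban deletes the rule without the `comment "<comment>"` that actionban attached; if ufw includes the comment when matching the rule to delete, the unban would silently leave the reject rule in place, so the delete lines should carry the same arguments as the prepend lines. The rest of `[Init]`, where a `comment` default would be declared, is outside this hunk.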