diff options
author | Yaroslav Halchenko <debian@onerussian.com> | 2015-07-26 23:10:08 -0400 |
---|---|---|
committer | Yaroslav Halchenko <debian@onerussian.com> | 2015-07-26 23:10:08 -0400 |
commit | 0041bc3770a32c736f29413c28683461307491ab (patch) | |
tree | 1f9f56db59b81d9aa5d7faf07ce76355d31ff6fd /config/action.d/shorewall-ipset-proto6.conf | |
parent | de2f9504c050297eccd06bd2d4098610802cd679 (diff) | |
download | fail2ban-0041bc3770a32c736f29413c28683461307491ab.tar.gz |
DOC: Changelog for shorewall-ipset-proto6.conf + adjusted its description
Diffstat (limited to 'config/action.d/shorewall-ipset-proto6.conf')
-rw-r--r-- | config/action.d/shorewall-ipset-proto6.conf | 31 |
1 files changed, 16 insertions, 15 deletions
diff --git a/config/action.d/shorewall-ipset-proto6.conf b/config/action.d/shorewall-ipset-proto6.conf index 7fbc21bb..1ebcfb01 100644 --- a/config/action.d/shorewall-ipset-proto6.conf +++ b/config/action.d/shorewall-ipset-proto6.conf @@ -5,33 +5,35 @@ # This is for ipset protocol 6 (and hopefully later) (ipset v6.14). # for shorewall # -# Use this setting in jail.conf to modify the name and the max time in every jain -# action = shorewall-ipset-proto6[name=SSH, bantime=10000] +# Use this setting in jail.conf to modify use this action instead of a +# default one +# +# banaction = shorewall-ipset-proto6 # # This requires the program ipset which is normally in package called ipset. # -# IPset was a feature introduced in the linux kernel 2.6.39 and 3.0.0 kernels. +# IPset was a feature introduced in the linux kernel 2.6.39 and 3.0.0 +# kernels, and you need Shorewall >= 4.5.5 to use this action. # # The default Shorewall configuration is with "BLACKLISTNEWONLY=Yes" (see # file /etc/shorewall/shorewall.conf). This means that when Fail2ban adds a # new shorewall rule to ban an IP address, that rule will affect only new -# connections. So if the attempter goes on trying using the same connection +# connections. So if the attacker goes on trying using the same connection # he could even log in. In order to get the same behavior of the iptable # action (so that the ban is immediate) the /etc/shorewall/shorewall.conf # file should me modified with "BLACKLISTNEWONLY=No". # -# The use in IPset in shorewall depends of the version you must have at least 4.5.5< version -# of shorewall # -# Enable shorewall to use a blacklist using iptables creating a file /etc/shorewall/blrules -# and adding "DROP net:+f2b-ssh all" one for every jail details in shorewall documentation blacklist. -# To enable restore you ipset You must set SAVE_IPSETS=Yes in shorewall.conf -# Is importan to read this documentation from shorewall http://shorewall.net/ipsets.html +# Enable shorewall to use a blacklist using iptables creating a file +# /etc/shorewall/blrules and adding "DROP net:+f2b-ssh all" and +# similar lines for every jail. To enable restoring you ipset you +# must set SAVE_IPSETS=Yes in shorewall.conf . You can read more +# about ipsets handling in Shorewall at http://shorewall.net/ipsets.html # -# To force create the ipset in the case that somebody delete the ipset create a file -# /etc/shorewall/initdone and add one line for every ipset (this files are in Perl) -# take care of add 1; at the end of the file -# the example is: +# To force creation of the ipset in the case that somebody deletes the +# ipset create a file /etc/shorewall/initdone and add one line for +# every ipset (this files are in Perl) and add 1 at the end of the file. +# The example: # system("/usr/sbin/ipset -quiet -exist create f2b-ssh hash:ip timeout 600 "); # 1; # @@ -40,7 +42,6 @@ # system("/usr/sbin/ipset -quiet destroy f2b-ssh "); # 1; # This must go to the end of the file if not shorewall compilation fails # -# [Definition] |