From 0041bc3770a32c736f29413c28683461307491ab Mon Sep 17 00:00:00 2001 From: Yaroslav Halchenko Date: Sun, 26 Jul 2015 23:10:08 -0400 Subject: DOC: Changelog for shorewall-ipset-proto6.conf + adjusted its description --- config/action.d/shorewall-ipset-proto6.conf | 31 +++++++++++++++-------------- 1 file changed, 16 insertions(+), 15 deletions(-) (limited to 'config/action.d') diff --git a/config/action.d/shorewall-ipset-proto6.conf b/config/action.d/shorewall-ipset-proto6.conf index 7fbc21bb..1ebcfb01 100644 --- a/config/action.d/shorewall-ipset-proto6.conf +++ b/config/action.d/shorewall-ipset-proto6.conf @@ -5,33 +5,35 @@ # This is for ipset protocol 6 (and hopefully later) (ipset v6.14). # for shorewall # -# Use this setting in jail.conf to modify the name and the max time in every jain -# action = shorewall-ipset-proto6[name=SSH, bantime=10000] +# Use this setting in jail.conf to modify use this action instead of a +# default one +# +# banaction = shorewall-ipset-proto6 # # This requires the program ipset which is normally in package called ipset. # -# IPset was a feature introduced in the linux kernel 2.6.39 and 3.0.0 kernels. +# IPset was a feature introduced in the linux kernel 2.6.39 and 3.0.0 +# kernels, and you need Shorewall >= 4.5.5 to use this action. # # The default Shorewall configuration is with "BLACKLISTNEWONLY=Yes" (see # file /etc/shorewall/shorewall.conf). This means that when Fail2ban adds a # new shorewall rule to ban an IP address, that rule will affect only new -# connections. So if the attempter goes on trying using the same connection +# connections. So if the attacker goes on trying using the same connection # he could even log in. In order to get the same behavior of the iptable # action (so that the ban is immediate) the /etc/shorewall/shorewall.conf # file should me modified with "BLACKLISTNEWONLY=No". # -# The use in IPset in shorewall depends of the version you must have at least 4.5.5< version -# of shorewall # -# Enable shorewall to use a blacklist using iptables creating a file /etc/shorewall/blrules -# and adding "DROP net:+f2b-ssh all" one for every jail details in shorewall documentation blacklist. -# To enable restore you ipset You must set SAVE_IPSETS=Yes in shorewall.conf -# Is importan to read this documentation from shorewall http://shorewall.net/ipsets.html +# Enable shorewall to use a blacklist using iptables creating a file +# /etc/shorewall/blrules and adding "DROP net:+f2b-ssh all" and +# similar lines for every jail. To enable restoring you ipset you +# must set SAVE_IPSETS=Yes in shorewall.conf . You can read more +# about ipsets handling in Shorewall at http://shorewall.net/ipsets.html # -# To force create the ipset in the case that somebody delete the ipset create a file -# /etc/shorewall/initdone and add one line for every ipset (this files are in Perl) -# take care of add 1; at the end of the file -# the example is: +# To force creation of the ipset in the case that somebody deletes the +# ipset create a file /etc/shorewall/initdone and add one line for +# every ipset (this files are in Perl) and add 1 at the end of the file. +# The example: # system("/usr/sbin/ipset -quiet -exist create f2b-ssh hash:ip timeout 600 "); # 1; # @@ -40,7 +42,6 @@ # system("/usr/sbin/ipset -quiet destroy f2b-ssh "); # 1; # This must go to the end of the file if not shorewall compilation fails # -# [Definition] -- cgit v1.2.1