From 77753e266f3f453785709d98ffde4ee881a98830 Mon Sep 17 00:00:00 2001
From: Jelle van der Waa <jelle@archlinux.org>
Date: Sun, 1 Aug 2021 17:03:00 +0200
Subject: [PATCH] Update banning docs for wireguard

---
 docs/banning.md | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)

diff --git a/docs/banning.md b/docs/banning.md
index eaebfd7fe..1a2c47ea2 100644
--- a/docs/banning.md
+++ b/docs/banning.md
@@ -1,11 +1,19 @@
 # Banning IP Addresses for abuse
 
+For banning with an expiry `fail2ban` can be used, the expiry time depends on the configured fail2ban jail:
+
+```
+fail2ban-client set sshd banip 1.1.1.1
+```
+
+To permanently ban an IP address `firewall-cmd` can be used as shown below:
+
 ```
-firewall-cmd --add-rich-rule="rule family='ipv4' source address='1.1.1.1' reject"
+firewall-cmd --add-rich-rule="rule family='ipv4' source address='1.1.1.1' reject" --zone=public
 ```
 
 ```
-firewall-cmd --add-rich-rule="rule family='ipv6' source address='1:2:3:4:6::' reject"
+firewall-cmd --add-rich-rule="rule family='ipv6' source address='1:2:3:4:6::' reject" --zone=public
 ```
 
 Note that on Gitlab, you must block the ip address for the docker zone:
@@ -23,5 +31,5 @@ firewall-cmd --list-all
 To remove a banned IP Address:
 
 ```
-firewall-cmd --remove-rich-rule='rule family="ipv6" source address="1:2:3:4:6::" reject'
+firewall-cmd --remove-rich-rule='rule family="ipv6" source address="1:2:3:4:6::" reject' --zone=public
 ```
-- 
GitLab