Merge branch 'fail2ban-firewalld-ipset' into 'master'

fail2ban: Use a managed firewalld ipset See merge request !804

Merge branch 'fail2ban-firewalld-ipset' into 'master'
ee91fbe3 · Kristian Klausen · c370c9d0 · 95e19506 · ee91fbe3 · ee91fbe3
Verified Commit ee91fbe3 authored 1 year ago by Kristian Klausen
--- a/roles/fail2ban/files/fail2ban.xml
+++ b/roles/fail2ban/files/fail2ban.xml
+<?xml version="1.0" encoding="utf-8"?>
+<ipset type="hash:net">
+</ipset>
--- a/roles/fail2ban/tasks/main.yml
+++ b/roles/fail2ban/tasks/main.yml
@@ -36,8 +36,8 @@

 - name: Install firewallcmd-allports.local
  template:
-    src: "firewallcmd-allports.local.j2"
-    dest: "/etc/fail2ban/action.d/firewallcmd-allports.local"
+    src: "firewallcmd-ipset-allports.conf.j2"
+    dest: "/etc/fail2ban/action.d/firewallcmd-ipset-allports.conf"
    owner: "root"
    group: "root"
    mode: '0644'
@@ -88,6 +88,17 @@
  notify:
    - Reload fail2ban jails

+- name: Install fail2ban ipset for firewalld
+  copy: src=fail2ban.xml dest=/etc/firewalld/ipsets/ owner=root group=root mode=0644
+  register: result
+
+- name: Restart firewalld
+  systemd: name=firewalld state=restarted
+  when: result.changed
+
+- name: Add fail2ban ipset to the firewalld drop zone
+  ansible.posix.firewalld: source=ipset:fail2ban zone=drop permanent=true immediate=true state=enabled
+
 - name: Start and enable service
  systemd:
    name: "fail2ban.service"

--- a/roles/fail2ban/templates/firewallcmd-allports.local.j2
+++ b/roles/fail2ban/templates/firewallcmd-allports.local.j2
-#
-# {{ansible_managed}}
-#
-
-# creates the requisite chains in firewalld when fail2ban starts instead
-# of creating them on first use (ie, when first IP is banned)
-[Definition]
-actionstart_on_demand = false
--- a/roles/fail2ban/templates/firewallcmd-ipset-allports.conf.j2
+++ b/roles/fail2ban/templates/firewallcmd-ipset-allports.conf.j2
+#
+# {{ansible_managed}}
+#
+
+[Definition]
+
+actionban = firewall-cmd --ipset=fail2ban --add-entry=<ip>
+actionunban = firewall-cmd --ipset=fail2ban --remove-entry=<ip>
--- a/roles/fail2ban/templates/jail.local.j2
+++ b/roles/fail2ban/templates/jail.local.j2
@@ -27,7 +27,7 @@ sender = fail2ban@{{ansible_fqdn}}
 #   fail2ban-client set unban <IP>
 #   fail2ban-client set unban --all
 # see `fail2ban-client help` for full list of runtime commands
-banaction = firewallcmd-allports
+banaction = firewallcmd-ipset-allports

 # "ignoreip" can be a list of IP addresses, CIDR masks or DNS hosts. Fail2ban
 # will not ban a host which matches an address in this list. Several addresses