
fail2ban: Use a managed firewalld ipset

  1. Feb 18, 2024
    • fail2ban: Use a managed firewalld ipset · 95e19506
      Kristian Klausen authored
      The firewalld direct interface is deprecated and will be removed in a
      future release[1]. Recently IPv4 connectivity inside docker containers
      on our runners broke and after some troubleshooting, the issue was
      pinpointed to the start of the fail2ban service. We also had issues in
      the past where sometimes firewalld had to be restarted after boot before
      network connectivity worked in libvirt on our runners.
      
      The issue may be due to a bug in the way fail2ban uses the direct
      interface, a bug in firewalld or a combination thereof. Let's just avoid
      the direct interface altogether and create a clean separation, with
      firewalld handling the blocking and fail2ban maintaining the ipset.
      
      [1] https://firewalld.org/documentation/man-pages/firewalld.direct.html
      Verified