Why FirewallD is not blocking IPs with 'reject' rules?

acs-f asked:

My setup is the follow:

fail2ban with some jails (working fine) using FirewallD to block the caught IPs.

Here is my default Firewall:

myzone
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: rcsa dhcpv6-client http https
  ports: 80/tcp 443/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
        rule family="ipv4" source address="79.48.51.171" port port="3306" protocol="tcp" accept
        rule family="ipv4" source address="155.121.53.253" port port="22" protocol="tcp" accept
        rule family="ipv4" source address="79.48.51.171" port port="22" protocol="tcp" accept

So the ports 80 and 443/tcp are open.

Then, i trigger some fail2ban rules (using an online proxy) and i get this in firewall:

myzone
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: rcsa dhcpv6-client http https
  ports: 80/tcp 443/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
        rule family="ipv4" source address="79.48.51.171" port port="3306" protocol="tcp" accept
        rule family="ipv4" source address="155.121.53.253" port port="22" protocol="tcp" accept
        rule family="ipv4" source address="79.48.51.171" port port="22" protocol="tcp" accept
        rule family="ipv4" source address="37.58.58.206" port port="http" protocol="tcp" reject type="icmp-port-unreachable"
        rule family="ipv4" source address="37.58.58.206" port port="https" protocol="tcp" reject type="icmp-port-unreachable"

So, 2 new rules are added. Fine. Still, that IP is not rejected at all and continues to flood my server despite of those rules in FirewallD.

Is there something wrong with this? I’m switching from UFW to FirewallD.

My answer:


Debian/Ubuntu don’t have a default banaction for firewalld because that’s not the default firewall for those distributions.

You should set banaction = firewallcmd-ipset, to make an ipset that fail2ban will insert banned addresses into, and which will then be called from the firewall. Red Hat systems already include this configuration bit, because they use firewalld by default. So you can simply create the same file that they include, at /etc/fail2ban/jail.d/00-firewalld.conf

[DEFAULT]
banaction = firewallcmd-ipset

View the full question and any other answers on Server Fault.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.