Score:0

Fail2ban with Firewalld on RHEL 8 - Fail2ban seemingly blocks IPs, but they are not really blocked


I'm running fail2ban on RHEL 8 using firewalld. According to the fail2ban log (with DEBUG level) it blocks IP addresses without any error, but in fact there are no such rules in firewalld and nftables.

In the jail.local config file I have set banaction as firewallcmd-ipset and banaction_allports as firewallcmd-ipset[actiontype="<allports>"].

I do not see any error message in either the fail2ban or the firewalld log files. In addition, an e-mail is properly sent to me when an IP is blocked.

In the firewallcmd-common.conf config file I have changed the zone option to the name of my custom zone in firewalld.

Does anyone have an idea what the problem might be, or which other log files I could look into to find the error?

Score:0

but in fact there are no such rules in firewalld and nftables.

What does "such rules" mean exactly?

  1. The action firewallcmd-ipset adds the rule as well as creating the ipset when it starts the action (since fail2ban version 0.10 this happens on demand, at the first ban).

  2. Then firewallcmd-ipset adds an entry to this ipset for every IP that gets banned.

If you don't see the rule in firewalld listing, then it can be:

  • removed or flushed by something (e.g. some service recreates the firewalld rules from scratch)
  • some error occurs on action start (see fail2ban.log around the first ban of this jail after fail2ban starts), for instance if some customizations are incompatible

To see which commands the fail2ban action executes in your case (e.g. so you can try them in a shell as well), you can dump your fail2ban configuration:

fail2ban-client -d | grep "$jail"
# pretty dump in new version (>= 0.10):
fail2ban-client --dp
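The answer's two checks (is the rule still there, and did the entry land in the ipset) can be scripted so they are run together against what fail2ban claims. The script below is an added example, not code from this thread or from fail2ban itself. It assumes the ipset is named f2b-<jail> (fail2ban's default <ipmset> for firewallcmd-ipset; confirm the real name with the fail2ban-client -d dump above), that the rule text comes from `firewall-cmd --direct --get-all-rules`, and that the jail is called sshd. The sample command outputs embedded in it are constructed for the demo, not captured from a real host; `check_live` shows the same check against the real commands.

```shell
#!/bin/sh
# Added example: cross-check what fail2ban says it banned against what
# firewalld/ipset actually hold. Not part of the original thread.
# Assumptions: ipset named f2b-<jail> (fail2ban's default <ipmset>),
# rule text from 'firewall-cmd --direct --get-all-rules'.

# Extract banned IPs from 'fail2ban-client status <jail>' output (stdin).
# Prints one IP per line.
banned_ips_from_status() {
    sed -n 's/.*Banned IP list:[[:space:]]*//p' | tr ' ' '\n' | grep -v '^$'
}

# Extract set members from 'ipset list <set>' output (stdin).
# Prints one IP per line, dropping the "timeout N" columns.
members_from_ipset_list() {
    awk '/^Members:/ {m=1; next} m && NF {print $1}'
}

# check_ban_state SETNAME STATUS_TEXT IPSET_TEXT RULESET_TEXT
# Returns 0 if the set is referenced by a rule AND every IP fail2ban
# reports as banned is a member of the set; 1 otherwise, with a report.
check_ban_state() {
    cbs_set=$1; cbs_status=$2; cbs_ipset=$3; cbs_rules=$4
    cbs_rc=0
    if ! printf '%s\n' "$cbs_rules" | grep -q -- "$cbs_set"; then
        echo "MISSING RULE: nothing references ipset $cbs_set (action start failed, or rules were flushed?)"
        cbs_rc=1
    fi
    cbs_members=$(printf '%s\n' "$cbs_ipset" | members_from_ipset_list)
    for ip in $(printf '%s\n' "$cbs_status" | banned_ips_from_status); do
        if printf '%s\n' "$cbs_members" | grep -qxF -- "$ip"; then
            echo "ok: $ip is in $cbs_set"
        else
            echo "MISSING ENTRY: fail2ban reports $ip banned but it is not in $cbs_set"
            cbs_rc=1
        fi
    done
    return $cbs_rc
}

# Live check on a real host (needs root). Usage: check_live sshd
# Not exercised here; it feeds the real command outputs to check_ban_state.
check_live() {
    cl_jail=$1
    cl_set="f2b-$cl_jail"   # assumed default <ipmset>; confirm with fail2ban-client -d
    check_ban_state "$cl_set" \
        "$(fail2ban-client status "$cl_jail")" \
        "$(ipset list "$cl_set" 2>/dev/null)" \
        "$(firewall-cmd --direct --get-all-rules)"
}

# Constructed sample outputs (not captured from a real host). fail2ban
# reports two bans, but only one IP made it into the set.
SAMPLE_STATUS='Status for the jail: sshd
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     12
|  `- File list:        /var/log/secure
`- Actions
   |- Currently banned: 2
   |- Total banned:     2
   `- Banned IP list:   192.0.2.10 198.51.100.7'

SAMPLE_IPSET='Name: f2b-sshd
Type: hash:ip
Revision: 4
Header: family inet hashsize 1024 maxelem 65536 timeout 600
Size in memory: 360
References: 1
Number of entries: 1
Members:
192.0.2.10 timeout 587'

SAMPLE_RULESET='ipv4 filter INPUT_direct 0 -p tcp -m multiport --dports ssh -m set --match-set f2b-sshd src -j REJECT --reject-with icmp-port-unreachable'

# Demo run on the constructed data: reports 198.51.100.7 as missing.
check_ban_state f2b-sshd "$SAMPLE_STATUS" "$SAMPLE_IPSET" "$SAMPLE_RULESET" \
    || echo "-> fail2ban state and firewall state disagree"
```

On a real host run `check_live <jail>` as root right after a ban is logged; a MISSING RULE line points at the action-start problem the answer describes (look in fail2ban.log around the first ban of that jail), while MISSING ENTRY lines with the rule present point at the per-ban `--add-entry` step or at something else clearing the set.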
user766753: Thank you sebres, for your answer. It helped me in the search for the error and in understanding which commands fail2ban executes. In the end it started to work without any changes in the configuration. In between there was an update of several components (also firewalld and fail2ban). Maybe there was an issue that was solved that way.