[pve-devel] [RFC firewall] implement fail2ban in firewall

Thomas Lamprecht t.lamprecht at proxmox.com
Wed Aug 25 14:51:00 CEST 2021


On 25/08/2021 11:34, Oguz Bektas wrote:
> On Tue, Aug 24, 2021 at 08:58:10PM +0200, Thomas Lamprecht wrote:
>> E.g., did you think about checking the log just directly here, after all we run
>> every 10s anyway, so one could just directly parse the daemon log and add the
>> rules directly here, no extra daemon and external instance, which adapts filter
>> rules, required (the latter is racy anyway). Not necessarily a must, but the
>> simple regex on a single file would be easy, hardest thing would be to handle
>> rotations and make reading not completely inefficient; but neither too complicated
>> either.
> 
> in the v2 it works better after implementing your suggestions (i'll send
> it today), now we check if the jail file has changed and only write it then.
> 

that has zero to do with thinking and evaluating about just doing it ourselves here
though? As there's still an additional dependency with an extra daemon running that
may not even interact correctly with how we operate the iptables...

>>
>> anyhow, does fail2ban always flush all their rules, as else our rewrite of
>> the filter and raw tables on each update would make it somewhat moot?
> 
> i'm not exactly sure, but in my tests the banned IP addresses stayed
> even after changing configuration and reloading the services. you can
> check with `fail2ban-client banned`.

I did not ask about the banned IP address view from the fail2ban daemon but
rather if the actual *iptables* rules persist, would be good to be sure about
such stuff if wanting to integrate such a feature...
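The direct-parsing approach sketched earlier in the thread (read the daemon log on each 10s tick, cope with rotation, keep the read cheap) as an added Python example; this is not pve-firewall code, and the log format, path, retry threshold and sample lines are constructed for the example:

```python
import os
import re
import tempfile
from collections import Counter

# Constructed log format for this example (not the real pve daemon log):
# "<time> authentication failure; rhost=<ip> user=<name>"
FAIL_RE = re.compile(r"authentication failure; rhost=(\d+(?:\.\d+){3})")

def read_new_lines(path, state):
    """Return complete lines appended since the last call; `state` keeps the
    inode and byte offset of the previous read so a tick only reads the new
    tail. A changed inode or a size below the saved offset means rotation
    or truncation: restart from offset 0."""
    st = os.stat(path)
    offset = state.get("offset", 0)
    if state.get("inode") != st.st_ino or st.st_size < offset:
        offset = 0
    with open(path, "rb") as fh:
        fh.seek(offset)
        data = fh.read()
    lines = data.split(b"\n")
    tail = lines.pop()  # incomplete last line: leave it for the next tick
    state["inode"], state["offset"] = st.st_ino, offset + len(data) - len(tail)
    return [l.decode(errors="replace") for l in lines]

def ban_candidates(lines, counts, maxretry=3):
    """Add failures per source IP to `counts`; return IPs at or over maxretry."""
    for line in lines:
        m = FAIL_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return sorted(ip for ip, n in counts.items() if n >= maxretry)

def demo():
    """Three ticks: a partial line, its completion, then a log rotation."""
    log, state, counts = os.path.join(tempfile.mkdtemp(), "daemon.log"), {}, Counter()
    with open(log, "w") as fh:
        fh.write("t1 authentication failure; rhost=10.0.0.5 user=root\n" * 2)
        fh.write("t2 authentication failure; rhost=10.0.0.5 user=r")  # partial
    tick1 = ban_candidates(read_new_lines(log, state), counts)
    with open(log, "a") as fh:
        fh.write("oot\nt3 authentication failure; rhost=192.0.2.7 user=root\n")
    tick2 = ban_candidates(read_new_lines(log, state), counts)
    os.rename(log, log + ".1")  # simulate logrotate
    with open(log, "w") as fh:
        fh.write("t4 authentication failure; rhost=192.0.2.7 user=root\n" * 2)
    tick3 = ban_candidates(read_new_lines(log, state), counts)
    return tick1, tick2, tick3
```

Whatever produces the ban list still has to be applied as iptables rules by the same code path that rewrites the filter and raw tables, which is the persistence question raised above.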
