Bug 1222320

Summary: upgrade to F22 switches fail2ban to using firewalld, which doesn't work on my system, silently compromising its security
Product: [Fedora] Fedora
Reporter: Jonathan Kamens <h1k6zn2m>
Component: fail2ban
Assignee: Orion Poplawski <orion>
Status: CLOSED EOL
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 22
CC: athmanem, Axel.Thimm, jonathan.underwood, orion, vonsch
Target Milestone: ---
Keywords: Regression, Security
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2016-07-19 14:08:24 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description Jonathan Kamens 2015-05-17 15:37:16 UTC
In F22, fail2ban now incorrectly depends on fail2ban-firewalld.

This means that when I upgraded to F22, it silently installed fail2ban-firewalld, which silently installed /etc/fail2ban/jail.d/00-firewalld.conf, which silently caused fail2ban to start trying to use firewalld-ipset to ban attackers, which was silently failing because I'm not using firewalld on my system.

This is not acceptable.

It's perfectly reasonable to make fail2ban-firewalld an optional package which reconfigured fail2ban to use firewalld. It is _not_ reasonable to install this package by default, and to make fail2ban dependent on it, such that it's impossible to uninstall it without causing fail2ban to also be uninstalled.

Doing this silently compromises the security of systems that are upgraded to F22 that don't use firewalld. Not OK.

Comment 1 Orion Poplawski 2015-05-17 15:47:39 UTC
fail2ban-firewalld *is* an optional package. The main fail2ban package is just a meta-package to bring in the default components; you are free to remove it.

Comment 2 Jonathan Kamens 2015-05-17 15:59:21 UTC
How is anyone who wants to use fail2ban going to know that "dnf install fail2ban" is actually going to break their system? The "default components" shouldn't include a component that breaks people's security.

Perhaps one could make this smarter by making the configuration done by fail2ban-firewalld dynamic, such that it only activates itself if firewalld is installed and enabled.

We can go back and forth all day about the _how_, but the _what_ I'm complaining about is that fail2ban was protecting my system before, and then I upgraded to F22, and suddenly it wasn't, and that's not OK.
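The failure mode described in this report is a configuration mismatch: a jail.d drop-in switches fail2ban's default banaction to a firewalld-based action on a host where firewalld is not running, so bans are issued but never enforced. The following POSIX shell check is an added example, not code from the bug report or from the fail2ban or Fedora projects. It resolves the effective [DEFAULT] banaction from fail2ban's configuration files (assuming fail2ban's documented load order: jail.conf, then jail.d/*.conf, then jail.local, then jail.d/*.local, last assignment wins), compares it with firewalld's service state, and reports a mismatch. The demo configuration it builds is a constructed sample modelled on the description of 00-firewalld.conf above; the function names are the example's own.

```shell
#!/bin/sh
# Added example: detect a firewalld-based banaction on a host where firewalld
# is not active. Not part of the bug report or of the fail2ban project.

# effective_banaction CONFDIR
#   Print the [DEFAULT] banaction that wins once all of fail2ban's
#   configuration files are applied in load order (assumed order:
#   jail.conf, jail.d/*.conf, jail.local, jail.d/*.local; last one wins).
#   Per-jail overrides are deliberately ignored to keep the check simple.
effective_banaction() {
    confdir=$1
    result=""
    for f in "$confdir/jail.conf" "$confdir"/jail.d/*.conf \
             "$confdir/jail.local" "$confdir"/jail.d/*.local; do
        [ -f "$f" ] || continue
        v=$(awk '
            /^[[:space:]]*\[/ {
                sec = $0
                sub(/^[[:space:]]*\[/, "", sec); sub(/\].*$/, "", sec)
                next
            }
            sec == "DEFAULT" && /^[[:space:]]*banaction[[:space:]]*=/ {
                sub(/^[^=]*=[[:space:]]*/, ""); sub(/[[:space:]]+$/, "")
                val = $0
            }
            END { print val }' "$f")
        [ -n "$v" ] && result=$v
    done
    printf '%s\n' "$result"
}

# check_banaction CONFDIR [STATE]
#   Print "ok", "mismatch" or "unknown". STATE is firewalld's service state
#   ("active"/"inactive"); when omitted it is probed with systemctl. Returns
#   1 on mismatch so the check can be used from a monitoring job.
check_banaction() {
    confdir=$1
    state=${2:-}
    action=$(effective_banaction "$confdir")
    if [ -z "$state" ]; then
        state=$(systemctl is-active firewalld 2>/dev/null || true)
    fi
    case "$action" in
        "")        echo unknown; return 0 ;;
        firewall*) # firewalld-ipset and the firewallcmd-* actions
            if [ "$state" = "active" ]; then
                echo ok; return 0
            fi
            echo mismatch; return 1 ;;
        *)         echo ok; return 0 ;;
    esac
}

# make_demo_confdir
#   Build a throwaway lookalike of /etc/fail2ban (constructed sample: a
#   jail.conf defaulting to iptables-multiport plus the kind of drop-in the
#   report describes) and print its path.
make_demo_confdir() {
    d=$(mktemp -d)
    mkdir -p "$d/jail.d"
    printf '[DEFAULT]\nbanaction = iptables-multiport\n\n[sshd]\nenabled = true\n' \
        > "$d/jail.conf"
    printf '[DEFAULT]\nbanaction = firewalld-ipset\n' \
        > "$d/jail.d/00-firewalld.conf"
    printf '%s\n' "$d"
}

# Stand-alone run: show the silent-failure case from the report.
DEMO=$(make_demo_confdir)
printf 'effective banaction: %s\n' "$(effective_banaction "$DEMO")"
printf 'firewalld inactive: %s\n' "$(check_banaction "$DEMO" inactive)"
printf 'firewalld active:   %s\n' "$(check_banaction "$DEMO" active)"
rm -rf "$DEMO"
```

Run against the real tree with `check_banaction /etc/fail2ban` (no second argument) and it probes firewalld via systemctl; a `mismatch` result means fail2ban will log bans that the firewall never applies, which is exactly the state the report describes. Removing the drop-in or disabling fail2ban-firewalld returns the effective banaction to the jail.conf default.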

Comment 3 Orion Poplawski 2015-05-17 20:48:37 UTC
The problem is we also want to try to protect F22 default installs out of the box as well.  There firewalld is the default.

Comment 4 Orion Poplawski 2015-05-17 20:49:35 UTC
BTW - I agree this is a problem - I just don't know the best way to solve it at the moment.

Comment 5 Fedora End Of Life 2016-07-19 14:08:24 UTC
Fedora 22 changed to end-of-life (EOL) status on 2016-07-19. Fedora 22 is
no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version. If you
are unable to reopen this bug, please file a new report against the
current release. If you experience problems, please add a comment to this
bug.

Thank you for reporting this bug and we are sorry it could not be fixed.