Bug 1222320 - upgrade to F22 switches fail2ban to using firewalld, which doesn't work on my system, silently compromising its security
Keywords:
Status: CLOSED EOL
Alias: None
Product: Fedora
Classification: Fedora
Component: fail2ban
Version: 22
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Orion Poplawski
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2015-05-17 15:37 UTC by Jonathan Kamens
Modified: 2016-07-19 14:08 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2016-07-19 14:08:24 UTC
Type: Bug
Embargoed:



Description Jonathan Kamens 2015-05-17 15:37:16 UTC
In F22, fail2ban now incorrectly depends on fail2ban-firewalld.

This means that when I upgraded to F22, it silently installed fail2ban-firewalld, which silently installed /etc/fail2ban/jail.d/00-firewalld.conf, which silently caused fail2ban to start trying to use firewalld-ipset to ban attackers, which was silently failing because I'm not using firewalld on my system.

This is not acceptable.

It's perfectly reasonable to make fail2ban-firewalld an optional package which reconfigures fail2ban to use firewalld. It is _not_ reasonable to install this package by default, and to make fail2ban dependent on it, such that it's impossible to uninstall it without causing fail2ban to also be uninstalled.

Doing this silently compromises the security of systems that are upgraded to F22 that don't use firewalld. Not OK.

Comment 1 Orion Poplawski 2015-05-17 15:47:39 UTC
fail2ban-firewalld *is* an optional package. The main fail2ban package is just a meta-package to bring in the default components; you are free to remove it.

Comment 2 Jonathan Kamens 2015-05-17 15:59:21 UTC
How is anyone who wants to use fail2ban going to know that "dnf install fail2ban" is actually going to break their system? The "default components" shouldn't include a component that breaks people's security.

Perhaps one could make this smarter by making the configuration done by fail2ban-firewalld dynamic, such that it only activates itself if firewalld is installed and enabled.

We can go back and forth all day about the _how_, but the _what_ I'm complaining about is that fail2ban was protecting my system before, and then I upgraded to F22, and suddenly it wasn't, and that's not OK.
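
The failure mode in this thread is a banaction that targets firewalld on a host where firewalld is not running, so bans are attempted but never land. The following is an added example, not code from the bug report or from Fedora's fail2ban packaging: a small POSIX shell audit that resolves the effective `banaction` from the fail2ban config layering (jail.conf, then jail.d/*.conf, then jail.local, then jail.d/*.local; last definition wins, and it assumes banaction is set only at `[DEFAULT]` level as 00-firewalld.conf does) and compares it against `systemctl is-active firewalld`. The `firewalld*`/`firewallcmd*` pattern covers both the name used in the report and the `firewallcmd-*` action names; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the bug report or the fail2ban package): flag the silent
# mismatch where fail2ban's effective banaction needs firewalld but firewalld is down.
# Pure check. $1 = effective banaction, $2 = firewalld unit state as printed by
# `systemctl is-active` (active, inactive, failed, unknown ...).
# Returns 0 when consistent, 1 when bans would silently fail, 2 for a softer warning.
check_banaction_backend() {
    banaction=$1
    fw_state=$2
    case "$banaction" in
        firewalld*|firewallcmd*)
            if [ "$fw_state" != "active" ]; then
                echo "MISMATCH: banaction '$banaction' needs firewalld, but firewalld is '$fw_state'; bans will silently fail"
                return 1
            fi ;;
        iptables*)
            if [ "$fw_state" = "active" ]; then
                echo "WARNING: banaction '$banaction' bypasses the active firewalld; its rules may be lost on a firewalld reload"
                return 2
            fi ;;
    esac
    echo "OK: banaction '$banaction' is consistent with firewalld state '$fw_state'"
    return 0
}
# Resolve the effective banaction the way fail2ban layers its files:
# jail.conf, jail.d/*.conf, jail.local, jail.d/*.local; the last definition wins.
# Assumption: banaction is only set at [DEFAULT] level (true for 00-firewalld.conf).
effective_banaction() {
    dir=${1:-/etc/fail2ban}
    v=""
    for f in "$dir/jail.conf" "$dir"/jail.d/*.conf "$dir/jail.local" "$dir"/jail.d/*.local; do
        [ -f "$f" ] || continue
        x=$(sed -n 's/^[[:space:]]*banaction[[:space:]]*=[[:space:]]*//p' "$f" | tail -n 1)
        if [ -n "$x" ]; then v=$x; fi
    done
    echo "$v"
}
# firewalld unit state; `systemctl is-active` prints the state but exits non-zero
# when the unit is not active, so the exit status is deliberately ignored here.
firewalld_state() {
    if command -v systemctl >/dev/null 2>&1; then
        systemctl is-active firewalld 2>/dev/null || true
    else
        echo unknown
    fi
}
# Run the audit only on a host that actually has a fail2ban configuration.
if [ -d /etc/fail2ban ]; then
    check_banaction_backend "$(effective_banaction)" "$(firewalld_state)" || :
fi
```

Run it after any upgrade that touches fail2ban or firewalld; a MISMATCH line means the protection the report describes has silently stopped working.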

Comment 3 Orion Poplawski 2015-05-17 20:48:37 UTC
The problem is we also want to try to protect F22 default installs out of the box as well. There firewalld is the default.

Comment 4 Orion Poplawski 2015-05-17 20:49:35 UTC
BTW - I agree this is a problem - I just don't know the best way to solve it at the moment.

Comment 5 Fedora End Of Life 2016-07-19 14:08:24 UTC
Fedora 22 changed to end-of-life (EOL) status on 2016-07-19. Fedora 22 is
no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version. If you
are unable to reopen this bug, please file a new report against the
current release. If you experience problems, please add a comment to this
bug.

Thank you for reporting this bug and we are sorry it could not be fixed.

