Description of problem: I tried to create a new jail without a `port` definition, expecting it to work similarly to the ipset integration, where all of the ports were blocked:

    [sshd-repeat]
    enabled = true
    filter = sshd
    maxretry = 25
    findtime = 86400
    bantime = 604800

This used to work fine, but with the firewalld integration it fails with the following error:

    2020-06-23 10:36:07,511 fail2ban.utils [587974]: ERROR 7f70987efe00 -- exec: ports="0:65535"; for p in $(echo $ports | tr ", " " "); do firewall-cmd --add-rich-rule="rule family='ipv4' source address='<banned ip>' port port='$p' protocol='tcp' reject type='icmp-port-unreachable'"; done
    2020-06-23 10:36:07,511 fail2ban.utils [587974]: ERROR 7f70987efe00 -- stderr: 'Error: INVALID_PORT: 0:65535'

This appears to be because the default port definition in jail.conf is 0:65535. I was able to work around this by defining port = 0-65535, but shouldn't the default value work properly with firewalld?
I've been considering changing that, but then it breaks if someone changes back from nftables to iptables, but probably best to go ahead and do it.
Upstream has committed an "on-the-fly" fix within the nftables configuration. Now I just need to figure out why one of the tests is failing.
FEDORA-2020-68166b23ca has been submitted as an update to Fedora 32. https://bodhi.fedoraproject.org/updates/FEDORA-2020-68166b23ca
FEDORA-2020-3e043605f0 has been submitted as an update to Fedora 31. https://bodhi.fedoraproject.org/updates/FEDORA-2020-3e043605f0
FEDORA-EPEL-2020-3d92c1f42c has been submitted as an update to Fedora EPEL 8. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2020-3d92c1f42c
FEDORA-2020-68166b23ca has been pushed to the Fedora 32 testing repository. In short time you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-68166b23ca` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-68166b23ca See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-EPEL-2020-3d92c1f42c has been pushed to the Fedora EPEL 8 testing repository. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2020-3d92c1f42c See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2020-3e043605f0 has been pushed to the Fedora 31 testing repository. In short time you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-3e043605f0` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-3e043605f0 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2020-68166b23ca has been pushed to the Fedora 32 stable repository. If problem still persists, please make note of it in this bug report.
FEDORA-2020-3e043605f0 has been pushed to the Fedora 31 stable repository. If problem still persists, please make note of it in this bug report.
FEDORA-EPEL-2020-3d92c1f42c has been pushed to the Fedora EPEL 8 stable repository. If problem still persists, please make note of it in this bug report.
This also appears to be a problem with fail2ban-0.11.1-9.el7.2 on CentOS+EPEL 7 with firewalld+iptables... I get "ERROR: INVALID_PORT: 0:65535" in the default config with fail2ban-{server,systemd,firewalld}.
It appears again after the recent update of fail2ban-1.0.1-1.el9 in EPEL 9. Error in log file /var/log/fail2ban.log:

    2022-10-14 15:00:35,948 fail2ban.actions [634349]: NOTICE [recidive] Restore Ban *.*.*.*
    2022-10-14 15:00:36,142 fail2ban.utils [634349]: ERROR 7fbce155e7a0 -- exec: ports="0:65535"; for p in $(echo $ports | tr ", " " "); do firewall-cmd --add-rich-rule="rule family='ipv4' source address='*.*.*.*' port port='$p' protocol='tcp' reject type='icmp-port-unreachable'"; done
    2022-10-14 15:00:36,142 fail2ban.utils [634349]: ERROR 7fbce155e7a0 -- stderr: 'Error: INVALID_PORT: 0:65535'
    2022-10-14 15:00:36,142 fail2ban.utils [634349]: ERROR 7fbce155e7a0 -- returned 102
Upstream reverted the "fix" because lots of people still use iptables and not nftables. The quick fix would probably be to override in a jail.local "ports=0-65535" or change jail.conf. I need to think about how to fix this in the packaging. While the default is nftables on all current releases of Fedora (and EPEL I think) I don't want to prevent someone from using iptables if they want to.
(In reply to Richard Shaw from comment #14)
> While the default is nftables on all current releases of
> Fedora (and EPEL I think)

Just to note (in case it affects how this gets addressed): EPEL 7 uses iptables, EPEL 8 and 9 use nftables.
Yeah, I was noodling on how to deal with that since it doesn't support "Recommends:". I may just have to force the iptables sub-package on it since they're unlikely to switch to nftables.

    %if 0%{?RHEL} < 8
    Requires: fail2ban-iptables
    %else
    Recommends: fail2ban-nftables
    %endif

Does EL 8 support Recommends?
The easiest fix is to change

    tr ", " " "

to

    tr ":, " "- "

What this does is translate the colon in the port range to a minus and the comma separator into a space. The original only did the latter.
(In reply to Sjoerd Mullender from comment #17)
> The easiest fix is to change
> tr ", " " "
> to
> tr ":, " "- "
>
> What this does is translate the colon in the port range to a minus and the
> comma separator into a space.
> The original only did the latter.

I may need a little more context as to what you're referring to. I don't use tr in the spec file anywhere. Is it somewhere in fail2ban's build system?
The original bug report and comment 13 both show the tr command in question. In Fedora 36 I see it in the file /etc/fail2ban/action.d/firewallcmd-rich-rules.conf.
I've just been looking at this as well, and I agree that the fix that's recommended upstream is to add "ports=0-65535" in the [DEFAULT] block, but rather than putting it in jail.local, why not have it added into jail.d/00-firewalld.conf for appropriate releases, i.e. all current Fedora and whatever EPEL uses nftables? Just BTW, the incorrect port definition error only comes from the use of the default value; I'm pretty sure in all other cases of multiple ports it does not give a range, but only individual ports separated by commas.
Looks like upstream has already applied a patch in 1.0.2. Maybe a simple version bump will help? https://github.com/fail2ban/fail2ban/commit/a038fd5dfe8cb0714472833604735b83462a217d
FEDORA-2022-bf03238d02 has been submitted as an update to Fedora 37. https://bodhi.fedoraproject.org/updates/FEDORA-2022-bf03238d02
FEDORA-2022-2551057544 has been submitted as an update to Fedora 36. https://bodhi.fedoraproject.org/updates/FEDORA-2022-2551057544
Sorry for the last comment. It was incorrect. That commit was reverted (https://github.com/fail2ban/fail2ban/commit/4b54a07d71a6ce1c85a3eae92bace6c0dadcdcfb) because firewalld uses different syntax depending on the iptables/nftables backend.
FEDORA-2022-bf03238d02 has been pushed to the Fedora 37 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2022-bf03238d02` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-bf03238d02 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2022-2551057544 has been pushed to the Fedora 36 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2022-2551057544` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-2551057544 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2022-2551057544 has been pushed to the Fedora 36 stable repository. If problem still persists, please make note of it in this bug report.
FEDORA-2022-bf03238d02 has been pushed to the Fedora 37 stable repository. If problem still persists, please make note of it in this bug report.
(In reply to Sjoerd Mullender from comment #17)
> The easiest fix is to change
> tr ", " " "
> to
> tr ":, " "- "
>
> What this does is translate the colon in the port range to a minus and the
> comma separator into a space.
> The original only did the latter.

A few weeks ago I did a fresh install of F37 and this is what got me going. I understand from various posts that, depending on how the net filter is implemented, the outcome will change. If installed from default it should work, so this is how it should ship? It is potentially a security issue as you could be under the misunderstanding that fail2ban is working when it's not...
Currently there's a bigger problem: I can't build fail2ban in rawhide because the Python module asynchat was removed from Python 3.12 and it needs to be ported to asyncio.
(In reply to Sjoerd Mullender from comment #17)
> The easiest fix is to change
> tr ", " " "
> to
> tr ":, " "- "
>
> What this does is translate the colon in the port range to a minus and the
> comma separator into a space.
> The original only did the latter.

Took me a minute to find it, but I assume I need to change both instances here:

    config/action.d/firewallcmd-rich-rules.conf:actionban = ports="<port>"; for p in $(echo $ports | tr ", " " "); do firewall-cmd --add-rich-rule="%(fwcmd_rich_rule)s"; done
    config/action.d/firewallcmd-rich-rules.conf:actionunban = ports="<port>"; for p in $(echo $ports | tr ", " " "); do firewall-cmd --remove-rich-rule="%(fwcmd_rich_rule)s"; done
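The following is an added example, not fail2ban's shipped action file and not code posted by anyone in this bug. It is a POSIX shell dry run of the actionban loop quoted above (and in the original report), with both the original `tr ", " " "` and the proposed `tr ":, " "- "` splitter, so a packager can see on any machine, without firewalld installed, which port tokens the two variants produce from the jail.conf default `0:65535` and from a comma-separated list. The `valid_fw_port` check is an assumption: a simplified reimplementation of the numeric port forms firewalld accepts in a rich rule (N or N-M, 0..65535), not firewalld's own validator. The IP address is a constructed documentation address; nothing here invokes firewall-cmd.

```shell
#!/bin/sh
# Added example: dry run of the fail2ban firewallcmd-rich-rules actionban loop.
# Not the project's code; the port validator below is a simplified assumption
# about firewalld's accepted numeric syntax, not firewalld itself.

# Split a fail2ban <port> value the way the shipped action does:
# commas become spaces, colons are left untouched.
split_ports_original() {
    echo "$1" | tr ", " " "
}

# Split with the fix proposed in this thread: colons become hyphens
# (firewalld range syntax) and commas become spaces.
split_ports_fixed() {
    echo "$1" | tr ":, " "- "
}

# Assumed firewalld rich-rule port syntax: N or N-M, 0 <= N <= M <= 65535.
# Returns 0 if the token would be accepted, 1 if it would be rejected.
valid_fw_port() {
    case "$1" in
        ""|-*|*-|*-*-*|*[!0-9-]*) return 1 ;;
    esac
    lo=${1%%-*}
    hi=${1##*-}
    [ "$lo" -le 65535 ] && [ "$hi" -le 65535 ] && [ "$lo" -le "$hi" ]
}

# Build the rich rule string for one port token, mirroring the
# fwcmd_rich_rule text shown in the bug's log output (constructed here).
rich_rule() {
    printf "rule family='ipv4' source address='%s' port port='%s' protocol='tcp' reject type='icmp-port-unreachable'" "$1" "$2"
}

# Dry run of actionban: print the firewall-cmd invocation for each token and
# report tokens that would be rejected. Returns 1 if any token is invalid,
# i.e. the ban would not be applied (the INVALID_PORT case from the report).
dry_run_ban() {
    ip=$1; ports=$2; splitter=$3
    rc=0
    for p in $($splitter "$ports"); do
        if valid_fw_port "$p"; then
            echo "firewall-cmd --add-rich-rule=\"$(rich_rule "$ip" "$p")\""
        else
            echo "would fail: Error: INVALID_PORT: $p" >&2
            rc=1
        fi
    done
    return $rc
}

# Demo with a constructed address and the jail.conf default port value.
dry_run_ban 192.0.2.10 "0:65535" split_ports_original || echo "original action: ban NOT applied"
dry_run_ban 192.0.2.10 "0:65535" split_ports_fixed && echo "fixed action: ban applied"
dry_run_ban 192.0.2.10 "22,80,8000:8100" split_ports_fixed
```

Running the script shows the original splitter handing `0:65535` to the rule unchanged, which is the token firewalld rejects in the log above, while the fixed splitter yields `0-65535`. The last call shows that a comma-separated list with an embedded range is also handled by the fixed form. This only exercises the port-token step; it says nothing about whether the iptables backend of firewalld accepts the hyphen form, which is the reason given above for the upstream revert.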
I can now get fail2ban to build at least for f38 and lower. Here are some scratch builds for testing:

    F38: https://koji.fedoraproject.org/koji/taskinfo?taskID=104156139
    F37: https://koji.fedoraproject.org/koji/taskinfo?taskID=104156086
This bug appears to have been reported against 'rawhide' during the Fedora Linux 39 development cycle. Changing version to 39.
FEDORA-2024-43151e7f6f (fail2ban-1.0.2-13.fc41) has been submitted as an update to Fedora 41. https://bodhi.fedoraproject.org/updates/FEDORA-2024-43151e7f6f
FEDORA-2024-43151e7f6f (fail2ban-1.0.2-13.fc41) has been pushed to the Fedora 41 stable repository. If problem still persists, please make note of it in this bug report.