ufw: add ability to restore ipset to support sshguard

IL Ka kazakevichilya at gmail.com
Sun Feb 21 14:53:00 UTC 2021


Hello.

I use ``sshguard`` to protect ssh server.
One of its usages is based on ipset: it simply fills an ipset with bad IP
addresses, and you block connections when the source address is in this set,
like
``-m set --match-set sshguard4 src -j DROP``

With ufw this can be added to ``rules.before``, but ufw starts before
``sshguard``, so it doesn't see this set, and simply fails, leaving my
machine with an empty INPUT chain with DROP policy :)

People even write systemd units that run before ufw just to create ipset

https://selivan.github.io/2018/07/27/ipset-save-with-ufw-and-iptables-persistent-and.html

While I can use chains instead of ipset (unlike ipset, a chain can be
created with ufw), I believe ipset is a better solution for a huge list of
IP addresses.

``netfilter-persistent`` tool loads ipset before iptables, so there is no
such problem there.

I think ``ufw`` must have the ability to create an empty ipset to be
compatible with sshguard.

All of that could probably be solved with ``nft``, but I am not sure if it
is stable enough.
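The workaround the post describes (a systemd unit that runs before ufw just to create the set, plus the matching rule in ufw's before.rules), as an added example that is not part of the original message nor of sshguard or ufw. It assumes sshguard's ipset backend uses hash:net sets named sshguard4 and sshguard6, that the ipset binary lives at /sbin/ipset, and that ufw's input hook chain is ufw-before-input; the output file names are hypothetical. The script only renders the files into a directory you name; copying them into /etc is left to you.

```shell
#!/bin/sh
# Added example, not from the original post or from sshguard/ufw.
# Renders (1) a systemd unit ordered Before=ufw.service that creates the
# sshguard ipsets empty, so ufw's iptables-restore never references a set
# that does not exist yet, and (2) the before.rules lines that match on them.
# Assumptions: set names/types follow sshguard's ipset backend (hash:net,
# sshguard4 for inet, sshguard6 for inet6); ipset is at /sbin/ipset.
set -eu

SET4=sshguard4
SET6=sshguard6

# The unit must opt out of DefaultDependencies, as ufw.service itself does,
# otherwise it would be ordered after basic.target and run too late.
render_ipset_unit() {
    cat <<EOF
[Unit]
Description=Create empty sshguard ipsets before ufw loads its rules
DefaultDependencies=no
Before=ufw.service
After=local-fs.target

[Service]
Type=oneshot
RemainAfterExit=yes
# -exist makes the create idempotent if sshguard already made the set.
ExecStart=/sbin/ipset create -exist ${SET4} hash:net family inet
ExecStart=/sbin/ipset create -exist ${SET6} hash:net family inet6

[Install]
WantedBy=multi-user.target
EOF
}

# Lines to paste into the *filter section of /etc/ufw/before.rules (IPv4),
# above the COMMIT line. ufw-before-input is ufw's own early input chain.
render_ufw_rules_v4() {
    cat <<EOF
# drop anything sshguard has flagged (set is pre-created by sshguard-ipset.service)
-A ufw-before-input -m set --match-set ${SET4} src -j DROP
EOF
}

# Same for /etc/ufw/before6.rules (IPv6).
render_ufw_rules_v6() {
    cat <<EOF
# drop anything sshguard has flagged (set is pre-created by sshguard-ipset.service)
-A ufw6-before-input -m set --match-set ${SET6} src -j DROP
EOF
}

# Write all three artifacts into the directory given as $1 (hypothetical
# file names; install the unit under /etc/systemd/system by hand).
write_all() {
    dir=$1
    mkdir -p "$dir"
    render_ipset_unit   > "$dir/sshguard-ipset.service"
    render_ufw_rules_v4 > "$dir/before.rules.snippet"
    render_ufw_rules_v6 > "$dir/before6.rules.snippet"
}

# Optional runtime check: exit 0 only if both sets already exist, which is
# what must be true at the moment ufw runs iptables-restore.
sets_exist() {
    command -v ipset >/dev/null 2>&1 || return 1
    ipset list -n "$SET4" >/dev/null 2>&1 && ipset list -n "$SET6" >/dev/null 2>&1
}

# Usage: sh this_script.sh /tmp/sshguard-ufw   (renders files; no root needed)
if [ "${1:-}" ]; then
    write_all "$1"
    echo "rendered into $1"
fi
```

After installing the unit (`systemctl enable --now sshguard-ipset.service`) and reloading ufw, `ipset list -n` should show both sets even while sshguard is still stopped; that is the condition the post says ufw currently cannot guarantee on its own.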