firewalld question

Support for security such as Firewalls and securing linux
Post Reply
AliceWonder
Posts: 49
Joined: 2014/09/19 19:36:25

firewalld question

Post by AliceWonder » 2015/05/26 14:29:41

When I get a lot spam from a particular subnet, i like to just block it at the firewall so that it doesn't result in any DNS queries to blacklists etc. or other postfix checks.

Something like

Code: Select all

firewall-cmd --direct --permanent --add-rule ipv4 filter INPUT_direct 0 -s 67.19.161.0/24 -j DROP
I would prefer though to just ban it for 3 days, often it is a compromised network and gets cleaned up by system administrators.

I would like to automate the process, cronjob that looks through the maillog for the highest volume rejects by IP or subnet and just block it for 3 days.

I am not very familiar with firewalld but I was unable to find a switch that makes it a time specified temporary rule. Is there one?

CentOS 7

giulix63
Posts: 1305
Joined: 2014/05/14 10:06:37
Location: GMT

Re: firewalld question

Post by giulix63 » 2015/05/26 15:14:33

Not sure if firewalld is able to do that. Fail2ban (in EPEL; 0.9.2 in epel-testing) does what you ask on a single IP basis.
Root is evil: Do not use root (sudo) to run any of the commands specified in my posts unless explicitly indicated. Please, provide the necessary amount of context to understand your problem/question.

User avatar
TrevorH
Forum Moderator
Posts: 26137
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: firewalld question

Post by TrevorH » 2015/05/26 17:23:40

Yes, it seems to me that you're trying to reinvent fail2ban.
CentOS 5 died in March 2017 - migrate NOW!
Full time Geek, part time moderator. Use the FAQ Luke

AliceWonder
Posts: 49
Joined: 2014/09/19 19:36:25

Re: firewalld question

Post by AliceWonder » 2015/05/26 17:42:48

fail2ban uses iptables and I believe you are only suppose to use firewalld *or* iptables - never both.

I want to look at the mail log, detect repeated attempts by MTAs to spam my users (failing the DNS blacklists and open relay attempts) and 3 day ban the ip (or subnet - spammers frequently control a subnet and they walk up the subnet avoiding individual IP blacklists they quickly get on)

AliceWonder
Posts: 49
Joined: 2014/09/19 19:36:25

Re: firewalld question

Post by AliceWonder » 2015/05/26 18:03:07

https://fedoraproject.org/wiki/Firewall ... s_services

Yeah, looks like using fail2ban would require disabling firewalld which I don't want to do, I want to move forward.

I'm also not sure fail2ban supports detection of a spam subnet, which is how most spammers are operating these days.

aks
Posts: 2800
Joined: 2014/09/20 11:22:14

Re: firewalld question

Post by aks » 2015/05/26 18:05:07


User avatar
TrevorH
Forum Moderator
Posts: 26137
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: firewalld question

Post by TrevorH » 2015/05/26 19:05:13

Perhaps have a look in the packages in EPEL too since I've seen lots of posts about running fail2ban with firewalld here.

Code: Select all

[root@centos7 ~]# yum list fail2ban\*
Loaded plugins: changelog, langpacks, priorities, versionlock
Available Packages
fail2ban.noarch                                                    0.9.1-4.el7                                          epel
fail2ban-all.noarch                                                0.9.1-4.el7                                          epel
fail2ban-firewalld.noarch                                          0.9.1-4.el7                                          epel
fail2ban-hostsdeny.noarch                                          0.9.1-4.el7                                          epel
fail2ban-mail.noarch                                               0.9.1-4.el7                                          epel
fail2ban-sendmail.noarch                                           0.9.1-4.el7                                          epel
fail2ban-server.noarch                                             0.9.1-4.el7                                          epel
fail2ban-shorewall.noarch                                          0.9.1-4.el7                                          epel
fail2ban-systemd.noarch                                            0.9.1-4.el7                                          epel
CentOS 5 died in March 2017 - migrate NOW!
Full time Geek, part time moderator. Use the FAQ Luke

giulix63
Posts: 1305
Joined: 2014/05/14 10:06:37
Location: GMT

Re: firewalld question

Post by giulix63 » 2015/05/27 10:06:36

AliceWonder wrote: I'm also not sure fail2ban supports detection of a spam subnet, which is how most spammers are operating these days.
It does not. It's what I meant by "on a single IP basis" in my previous post. How do you automate that? I'd be really interested in such a solution (identify botnets).
Root is evil: Do not use root (sudo) to run any of the commands specified in my posts unless explicitly indicated. Please, provide the necessary amount of context to understand your problem/question.

Post Reply