firewalld question

Support for security such as firewalls and securing Linux
AliceWonder
Posts: 49
Joined: 2014/09/19 19:36:25

firewalld question

Post by AliceWonder » 2015/05/26 14:29:41

When I get a lot of spam from a particular subnet, I like to just block it at the firewall so that it doesn't result in any DNS queries to blacklists etc. or other Postfix checks.

Something like


firewall-cmd --direct --permanent --add-rule ipv4 filter INPUT_direct 0 -s 67.19.161.0/24 -j DROP
I would prefer, though, to just ban it for 3 days; often it is a compromised network and gets cleaned up by system administrators.

I would like to automate the process: a cron job that looks through the maillog for the highest-volume rejects by IP or subnet and just blocks them for 3 days.

I am not very familiar with firewalld, but I was unable to find a switch that makes it a time-limited temporary rule. Is there one?

CentOS 7

giulix63
Posts: 1305
Joined: 2014/05/14 10:06:37
Location: UK

Re: firewalld question

Post by giulix63 » 2015/05/26 15:14:33

Not sure if firewalld is able to do that. Fail2ban (in EPEL; 0.9.2 in epel-testing) does what you ask on a single IP basis.
Root is evil: Do not use root (sudo) to run any of the commands specified in my posts unless explicitly indicated. Please, provide the necessary amount of context to understand your problem/question.

TrevorH
Site Admin
Posts: 33218
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: firewalld question

Post by TrevorH » 2015/05/26 17:23:40

Yes, it seems to me that you're trying to reinvent fail2ban.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

AliceWonder
Posts: 49
Joined: 2014/09/19 19:36:25

Re: firewalld question

Post by AliceWonder » 2015/05/26 17:42:48

fail2ban uses iptables, and I believe you are only supposed to use firewalld *or* iptables, never both.

I want to look at the mail log, detect repeated attempts by MTAs to spam my users (failing the DNS blacklists and open relay attempts), and 3-day ban the IP (or subnet; spammers frequently control a subnet, and they walk up the subnet avoiding the individual IP blacklists they quickly get on).

AliceWonder
Posts: 49
Joined: 2014/09/19 19:36:25

Re: firewalld question

Post by AliceWonder » 2015/05/26 18:03:07

https://fedoraproject.org/wiki/Firewall ... s_services

Yeah, it looks like using fail2ban would require disabling firewalld, which I don't want to do; I want to move forward.

I'm also not sure fail2ban supports detection of a spam subnet, which is how most spammers are operating these days.

aks
Posts: 3073
Joined: 2014/09/20 11:22:14

Re: firewalld question

Post by aks » 2015/05/26 18:05:07


TrevorH
Site Admin
Posts: 33218
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: firewalld question

Post by TrevorH » 2015/05/26 19:05:13

Perhaps have a look at the packages in EPEL too, since I've seen lots of posts here about running fail2ban with firewalld.


[root@centos7 ~]# yum list fail2ban\*
Loaded plugins: changelog, langpacks, priorities, versionlock
Available Packages
fail2ban.noarch                                                    0.9.1-4.el7                                          epel
fail2ban-all.noarch                                                0.9.1-4.el7                                          epel
fail2ban-firewalld.noarch                                          0.9.1-4.el7                                          epel
fail2ban-hostsdeny.noarch                                          0.9.1-4.el7                                          epel
fail2ban-mail.noarch                                               0.9.1-4.el7                                          epel
fail2ban-sendmail.noarch                                           0.9.1-4.el7                                          epel
fail2ban-server.noarch                                             0.9.1-4.el7                                          epel
fail2ban-shorewall.noarch                                          0.9.1-4.el7                                          epel
fail2ban-systemd.noarch                                            0.9.1-4.el7                                          epel

giulix63
Posts: 1305
Joined: 2014/05/14 10:06:37
Location: UK

Re: firewalld question

Post by giulix63 » 2015/05/27 10:06:36

AliceWonder wrote: I'm also not sure fail2ban supports detection of a spam subnet, which is how most spammers are operating these days.
It does not. It's what I meant by "on a single IP basis" in my previous post. How do you automate that? I'd be really interested in such a solution (identifying botnets).
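The two open questions in this thread, a time-limited firewalld ban (first post) and automating detection of a spamming subnet from the maillog (last post), can be handled together by one cron-driven script. What follows is an added example, not code from the thread or from the firewalld or fail2ban projects. It assumes Postfix's standard smtpd reject log lines, that the installed firewall-cmd supports the runtime-only --timeout= option together with --add-rich-rule (check man firewall-cmd on your release; --timeout cannot be combined with --permanent), and a constructed sample maillog so it runs offline. The /24 grouping, the reject threshold and the 3-day (259200 s) timeout are illustrative choices.

```bash
#!/bin/sh
# ban_spam_subnets.sh (hypothetical name): count Postfix DNSBL/relay rejects
# per /24 and drop the worst offenders with a timed firewalld rich rule.

# Constructed sample maillog (not from a real server) so the functions can be
# exercised offline. A cron job would read /var/log/maillog instead.
SAMPLE_MAILLOG='May 26 14:01:02 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 554 5.7.1 Service unavailable; Client host [192.0.2.10] blocked using zen.spamhaus.org; from=<a@example.net> to=<u@example.com> proto=ESMTP helo=<x>
May 26 14:01:05 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[192.0.2.11]: 554 5.7.1 Service unavailable; Client host [192.0.2.11] blocked using zen.spamhaus.org; from=<b@example.net> to=<u@example.com> proto=ESMTP helo=<x>
May 26 14:01:09 mx postfix/smtpd[1235]: NOQUEUE: reject: RCPT from unknown[192.0.2.12]: 454 4.7.1 <v@example.org>: Relay access denied; from=<c@example.net> to=<v@example.org> proto=ESMTP helo=<y>
May 26 14:01:30 mx postfix/smtpd[1235]: NOQUEUE: reject: RCPT from unknown[192.0.2.13]: 450 4.1.8 <d@nxdomain.invalid>: Sender address rejected: Domain not found; from=<d@nxdomain.invalid> to=<u@example.com> proto=ESMTP helo=<y>
May 26 14:02:00 mx postfix/smtpd[1236]: NOQUEUE: reject: RCPT from mail.example.org[198.51.100.7]: 554 5.7.1 Service unavailable; Client host [198.51.100.7] blocked using zen.spamhaus.org; from=<e@example.org> to=<u@example.com> proto=ESMTP helo=<mail.example.org>
May 26 14:02:30 mx postfix/smtpd[1237]: connect from unknown[203.0.113.5]
May 26 14:03:00 mx postfix/smtpd[1238]: NOQUEUE: reject: RCPT from unknown[192.0.2.99]: 554 5.7.1 Service unavailable; Client host [192.0.2.99] blocked using zen.spamhaus.org; from=<f@example.net> to=<u@example.com> proto=ESMTP helo=<z>'

# Read maillog lines on stdin; print "count a.b.c.0/24" for every /24 with at
# least $1 (default 3) DNSBL or relay rejects, highest count first.
top_reject_subnets() {
  local threshold=${1:-3}
  awk -v thr="$threshold" '
    # Only DNSBL hits and relay attempts count, as in the original post;
    # other reject reasons (bad sender domain etc.) are ignored.
    /postfix\/smtpd\[[0-9]+\]: NOQUEUE: reject:/ && (/blocked using/ || /Relay access denied/) {
      # The client IP is the first "[a.b.c.d]:" on the line; the later
      # "Client host [a.b.c.d] blocked" is not followed by a colon.
      if (match($0, /\[[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\]:/)) {
        ip = substr($0, RSTART + 1, RLENGTH - 3)
        split(ip, o, ".")
        count[o[1] "." o[2] "." o[3] ".0/24"]++
      }
    }
    END { for (net in count) if (count[net] >= thr) printf "%d %s\n", count[net], net }
  ' | sort -rn
}

# Add a runtime-only rich rule that firewalld removes itself after $2 seconds
# (default 259200 = 3 days). With DRY_RUN=1 (the default) the command is only
# printed; DRY_RUN=0 really calls firewall-cmd, which needs root.
ban_subnet() {
  local subnet=$1 seconds=${2:-259200} rule
  rule="rule family=\"ipv4\" source address=\"$subnet\" drop"
  if [ "${DRY_RUN:-1}" = 1 ]; then
    printf 'firewall-cmd --add-rich-rule=%s --timeout=%s\n' "'$rule'" "$seconds"
  else
    firewall-cmd --add-rich-rule="$rule" --timeout="$seconds"
  fi
}

# main LOGFILE [THRESHOLD] [SECONDS]: ban every /24 over the threshold.
main() {
  local logfile=${1:-/var/log/maillog} threshold=${2:-20} seconds=${3:-259200}
  top_reject_subnets "$threshold" < "$logfile" | while read -r count net; do
    echo "banning $net for ${seconds}s ($count rejects)"
    ban_subnet "$net" "$seconds"
  done
}

# With no arguments only the functions are defined (for sourcing or tests).
# Example cron line: 0 * * * * DRY_RUN=0 /usr/local/sbin/ban_spam_subnets.sh /var/log/maillog 20
if [ "$#" -gt 0 ]; then main "$@"; fi
```

Two caveats a practitioner should keep in mind: a rule added with --timeout lives in the runtime configuration only, so it disappears on a firewalld reload or restart (which is acceptable here, since the ban is meant to expire anyway), and it lands in the default zone unless --zone= is given. Grouping by /24 is deliberately coarse and will also drop mail from innocent hosts that share the block, so keep the threshold high, log every ban, and run the script in dry-run mode against a real maillog before letting cron call firewall-cmd.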
