[Firehol-support] run firehol before fail2ban

Phil Whineray phil at firehol.org
Sun Jan 22 10:01:34 GMT 2017


Hi

On Sun, Jan 22, 2017 at 08:39:50AM +0100, Jonathan Baecker wrote:
> Hello everybody,
> sorry that I ask the question here, but I don't found info's for that in
> google. How do you manage the starting behavior from firehol and fail2ban?
> In my setup fail2ban starts before firehol, so when firehol start it delete
> the settings from fail2ban. I run both on ubuntu 16.04, fail2ban runs here
> not with an native systemd service.

Looking at the packages, I think neither is a native systemd service
and it looks like fail2ban is configured to start after firehol.

So what exactly are you running? I will assume default fail2ban with
firehol from source...

> My thoughts  was:
> 
> 1. I write a simple script what checks the firehol service, that it is
>    active and start then fail2ban new
> 2. I create a systemd service for fail2ban and put firehol.service to
>    the after statement.
> 
> The first solution is a bit dirty for me and with the second way I am not
> sure how clean it will work, specially when it comes to system updates.
> 
> What you think is the best solution?

You could also try to use the ubuntu-provided init for the packaged firehol
rather than the systemd service. Look here:
     http://packages.ubuntu.com/xenial/firehol

You could also try backporting from zesty, in the hopes (I have not
checked) that the two have been made to work together:
  https://wiki.debian.org/SimpleBackportCreation

Get the firehol .dsc URL here:
  http://packages.ubuntu.com/zesty/firehol

It is still on 3.0.2 but it will probably track Debian to 3.1.x
pretty soon.

The backport process will require quite a few more packages but it
should be pretty straightforward. Maybe you can just backport firehol
or maybe you need to do fail2ban as well.

Backport process is definitely the way that will play best with future
upgrades.

Hope that helps
Phil



More information about the Firehol-support mailing list