[Firehol-support] Creating a custom rejection chain with firehol
costa at tsaousis.gr
Sat Jun 10 15:19:01 BST 2017
The above will create a firehol action (an iptables chain) that does
nothing by default.
action sshguard chain accept
Same as above but the default action is to accept traffic
The action helper of firehol is quite poweful. For advanced uses check
Keep in mind that the right way of externally blocking an IP is to have an
ipset and the programs to add/remove IPs on this ipset. This way, the
firewall is not altered by third parties and it is safe to restart it
anytime you see fit. So, if sshguard has a script that handles blocking /
unblocking, the best way is to make it add/remove the IPs to such an ipset.
For example, in firehol.conf you add:
ipset4 create sshguard-blocked hash:ip prevent_reset_on_restart
and then you do something like this:
server ssh accept src not ipset:sshguard-blocked
and later, outside firehol, you can add an IP to it with this:
ipset add sshguard-blocked IP
delete an IP with this:
ipset del sshguard-blocked IP
show all blocked IPs with this:
ipset list sshguard-blocked
On Fri, Jun 9, 2017 at 3:30 PM, Carlos Ferreira <carlosmf.pt at gmail.com>
> Hello to all
> I'm having difficulties in understanding the mechanism of creating
> chains with firehol.
> I want to use sshguard with firehol.
> When sshguard detects a possible threat, it adds a drop entry to the
> sshguard chain, but for this to be successful, the chain must already
> I want to create that "sshguard" chain and use it with the chain of my
> WAN adapter, so it immediately drops the packets upon arrival.
> Can anyone provide me assistance?
> Thank you.
> Carlos Ferreira
> Firehol-support mailing list
> Firehol-support at lists.firehol.org
More information about the Firehol-support