[Firehol-support] Creating a custom rejection chain with firehol

Tsaousis, Costa costa at tsaousis.gr
Sat Jun 10 15:19:01 BST 2017


Hi,

Use:

 action sshguard

The above will create a firehol action (an iptables chain) that does
nothing by default.

 action sshguard chain accept

Same as above but the default action is to accept traffic

The action helper of firehol is quite powerful. For advanced uses check
this: https://firehol.org/firehol-manual/firehol-action/

Keep in mind that the right way of externally blocking an IP is to have an
ipset and the programs to add/remove IPs on this ipset. This way, the
firewall is not altered by third parties and it is safe to restart it
anytime you see fit. So, if sshguard has a script that handles blocking /
unblocking, the best way is to make it add/remove the IPs to such an ipset.
For example, in firehol.conf you add:

ipset4 create  sshguard-blocked hash:ip prevent_reset_on_restart

and then you do something like this:

server ssh accept src not ipset:sshguard-blocked

and later, outside firehol, you can add an IP to it with this:

 ipset add sshguard-blocked IP

delete an IP with this:

 ipset del sshguard-blocked IP

show all blocked IPs with this:

 ipset list sshguard-blocked

Costa


On Fri, Jun 9, 2017 at 3:30 PM, Carlos Ferreira <carlosmf.pt at gmail.com>
wrote:

> Hello to all
>
> I'm having difficulties in understanding the mechanism of creating
> chains with firehol.
>
> I want to use sshguard with firehol.
> When sshguard detects a possible threat, it adds a drop entry to the
> sshguard chain, but for this to be successful, the chain must already
> exist.
>
> I want to create that "sshguard" chain and use it with the chain of my
> WAN adapter, so it immediately drops the packets upon arrival.
>
> Can anyone provide me assistance?
> Thank you.
>
> Carlos Ferreira
> _______________________________________________
> Firehol-support mailing list
> Firehol-support at lists.firehol.org
> http://lists.firehol.org/mailman/listinfo/firehol-support
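As an added example (not from Costa's post or from the firehol or sshguard projects), this POSIX sh wrapper is what an external blocker could call to add or remove an address in the `sshguard-blocked` ipset described above, rather than editing iptables chains. The set name is taken from the message; the `-exist` ipset option makes repeated add/del idempotent; the script name, the `DRY_RUN` variable and the `IPSET_BIN` override are assumptions of this example.

```shell
#!/bin/sh
# Added example: wrapper around "ipset add/del sshguard-blocked IP".
# It validates the argument first so that a malformed value never reaches
# ipset, and honours DRY_RUN=1 (only prints the command) for offline testing.
SETNAME="sshguard-blocked"      # must match the ipset4 create line in firehol.conf
IPSET_BIN="${IPSET_BIN:-ipset}" # assumed override hook, defaults to ipset on PATH

# Accept only a plain dotted-quad IPv4 address with each octet in 0-255.
valid_ipv4() {
    case "$1" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;   # stray characters or empty octets
    esac
    oldIFS=$IFS; IFS=.
    set -- $1                               # split into octets
    IFS=$oldIFS
    [ $# -eq 4 ] || return 1
    for oct in "$@"; do
        [ "$oct" -le 255 ] 2>/dev/null || return 1
    done
    return 0
}

# Build the ipset command for ACTION (add|del) and IP, print it, and run it
# unless DRY_RUN=1. "-exist" keeps a repeated block or unblock from erroring.
ipset_cmd() {
    action=$1; ip=$2
    case "$action" in
        add|del) ;;
        *) echo "usage: $0 add|del IPV4" >&2; return 2 ;;
    esac
    if ! valid_ipv4 "$ip"; then
        echo "refusing non-IPv4 argument: $ip" >&2
        return 2
    fi
    cmd="$IPSET_BIN -exist $action $SETNAME $ip"
    echo "$cmd"
    [ "${DRY_RUN:-0}" = 1 ] || $cmd
}

# Invoked as:  block.sh add 203.0.113.5   or   block.sh del 203.0.113.5
if [ $# -eq 2 ]; then
    ipset_cmd "$1" "$2"
fi
```

Checking membership afterwards is still `ipset list sshguard-blocked`, as in the message; the firewall itself is never touched, so `firehol restart` remains safe.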
