[Firehol-support] Creating a custom rejection chain with firehol

Carlos Ferreira carlosmf.pt at gmail.com
Sun Jun 11 11:52:32 BST 2017


Unfortunately, the new version of sshguard (2.0) has dropped support
for executing an outside script.
It's hardcoded to add new entries to an sshguard chain.

So, how can I add a drop chain to the wan interface, so it drops all
packets with matching IPs upon arrival?

Carlos




On 10 June 2017 at 15:19, Tsaousis, Costa <costa at tsaousis.gr> wrote:
> Hi,
>
> Use:
>
>  action sshguard
>
> The above will create a firehol action (an iptables chain) that does nothing
> by default.
>
>  action sshguard chain accept
>
> Same as above but the default action is to accept traffic
>
> The action helper of firehol is quite powerful. For advanced uses check this:
> https://firehol.org/firehol-manual/firehol-action/
>
> Keep in mind that the right way of externally blocking an IP is to have an
> ipset and the programs to add/remove IPs on this ipset. This way, the
> firewall is not altered by third parties and it is safe to restart it
> anytime you see fit. So, if sshguard has a script that handles blocking /
> unblocking, the best way is to make it add/remove the IPs to such an ipset.
> For example, in firehol.conf you add:
>
> ipset4 create  sshguard-blocked hash:ip prevent_reset_on_restart
>
> and then you do something like this:
>
> server ssh accept src not ipset:sshguard-blocked
>
> and later, outside firehol, you can add an IP to it with this:
>
>  ipset add sshguard-blocked IP
>
> delete an IP with this:
>
>  ipset del sshguard-blocked IP
>
> show all blocked IPs with this:
>
>  ipset list sshguard-blocked
>
> Costa
>
>
> On Fri, Jun 9, 2017 at 3:30 PM, Carlos Ferreira <carlosmf.pt at gmail.com>
> wrote:
>>
>> Hello to all
>>
>> I'm having difficulties in understanding the mechanism of creating
>> chains with firehol.
>>
>> I want to use sshguard with firehol.
>> When sshguard detects a possible threat, it adds a drop entry to the
>> sshguard chain, but for this to be successful, the chain must already
>> exist.
>>
>> I want to create that "sshguard" chain and use it with the chain of my
>> WAN adapter, so it immediately drops the packets upon arrival.
>>
>> Can anyone provide me assistance?
>> Thank you.
>>
>> Carlos Ferreira
>
>
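A firehol.conf fragment that puts both of Costa's suggestions together, as an added example rather than anything posted in the thread; the interface name `eth0`, the `version 6` line and the extra services are assumptions:

```conf
# Added example, not from the thread: firehol.conf combining the ipset
# approach and the "action ... chain" approach described above. Interface
# name, version line and the extra services are assumptions.
version 6

# Preferred: an ipset that an external tool fills with blocked IPs.
# prevent_reset_on_restart keeps its contents across a firehol restart,
# so restarting the firewall does not silently unblock anyone.
ipset4 create sshguard-blocked hash:ip prevent_reset_on_restart

# Fallback for sshguard 2.0, which insists on a chain named "sshguard":
# firehol creates the chain with a default of accept, and sshguard
# inserts its own DROP rules into it at runtime.
action sshguard chain accept

interface eth0 wan
    policy drop
    protection strong

    # SSH from an IP in the set never matches this rule and falls through
    # to "policy drop"; everything else is handed to the sshguard chain,
    # which accepts unless sshguard has added a DROP for that source.
    server ssh sshguard src not ipset:sshguard-blocked

    server http accept
    client all accept
```

After `firehol start`, `iptables -S sshguard` shows the chain firehol created (empty until sshguard inserts into it), and `ipset list sshguard-blocked` shows the set the external tool should be managing.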


