
fail2ban vs firewall #22

Open
TJM opened this issue Dec 16, 2016 · 6 comments

Comments

@TJM

TJM commented Dec 16, 2016

Hi,

We have a few servers that have fail2ban pre-installed (thanks Rackspace), and have had issues with puppetlabs-firewall removing the rules that fail2ban creates. Do you have any examples of a working setup with a puppet "managed" firewall and fail2ban coexisting properly?

Thanks,
Tommy

@dhoppe
Member

dhoppe commented Dec 19, 2016

Hello @TJM,

please take a look at firewallchain. I cannot provide a specific code snippet, but it should be possible to prevent the firewall module from purging existing fail2ban rules.

Kind regards,
Dennis

@TJM
Author

TJM commented Dec 20, 2016

OK, I was hoping I just missed it in the code (the github search facility is a bit janky sometimes). We had started messing with that, but ended up having to turn purge off (which is not where I want to be). I was hoping you had solved it.

@calmenergy

You can address this by setting up a separate firewallchain, having firewall jump to that chain at the very beginning of INPUT and back to INPUT at the end of that chain, and then instructing Fail2ban to put all of its jump rules in that new chain.

@arnonerba

arnonerba commented Aug 20, 2019

The solution I am aware of is to use the firewallchain resource type along with the ignore parameter so that Fail2ban-specific rules will be ignored. The jump rule in the INPUT chain will need to be ignored along with all rules in the separate chain Fail2ban creates.

Something like this should work when using Fail2ban with the sshd jail enabled:

firewallchain { 'INPUT:filter:IPv4':
  ignore => '-j f2b-sshd',
}

firewallchain { 'f2b-sshd:filter:IPv4':
  ignore => '-A f2b-sshd',
}

There is a known issue where setting

resources { 'firewall':
  purge => true,
}

overrides the ignore parameter in any firewallchain resources (see here for more information). The solution is to use a resource collector to set purge => true for all firewallchain resources:

Firewallchain <| |> {
  purge => true,
}

This has the same general effect but still allows for the use of ignore.

More information about the ignore parameter is included at the end of REFERENCE.md in the puppetlabs-firewall module.

@yakatz

yakatz commented Dec 17, 2019

To make this more flexible, we started by pulling the list of jails from hiera and looping through it:

# Ignore fail2ban chains:
$chains = hiera('firewall::purge_ignore', [])
$input_ignore = $chains.map |$chain| { "-j ${chain}" }

# Ensure INPUT rules are cleaned out, but ignore the fail2ban jump rules
firewallchain { 'INPUT:filter:IPv4':
  ensure => present,
  ignore => $input_ignore,
  purge  => true,
}

$chains.each |$chain| {
  firewallchain { "${chain}:filter:IPv4":
    ignore => "-A ${chain}",
  }
}

I am now looking for a way to populate the $chains array automatically instead of using hiera. My first thought would be to create facts that include the current jails, but I wonder if there is a better way.
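As an added example (not code from this thread or from puppetlabs-firewall), here is one way to fill the $chains array from a fact instead of hiera: a POSIX shell external fact that reads iptables-save output and reports every f2b- chain declared in the filter table. The fact name f2b_chains, the sample ruleset below, and reliance on the f2b- prefix are assumptions; on a host the script would be fed by iptables-save and dropped into /etc/facter/facts.d/.

```shell
#!/bin/sh
# Constructed iptables-save excerpt used as offline sample input (not from a real host).
# It has two fail2ban chains in the filter table and a decoy f2b- chain in the nat
# table, which must be ignored because the firewallchain resources above are filter-only.
SAMPLE='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:f2b-sshd - [0:0]
:f2b-nginx-http-auth - [0:0]
-A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
-A INPUT -p tcp -m multiport --dports 80,443 -j f2b-nginx-http-auth
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A f2b-sshd -s 203.0.113.5/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -j RETURN
-A f2b-nginx-http-auth -j RETURN
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:f2b-fake - [0:0]
COMMIT'

# Read iptables-save text on stdin and print the f2b-* chains declared in the
# filter table, one per line. Chain declarations look like ":f2b-sshd - [0:0]".
f2b_chains() {
  awk '/^\*/ { table = substr($0, 2) }
       table == "filter" && /^:f2b-/ { sub(/^:/, "", $1); print $1 }'
}

# Emit the chains as a key=value executable fact (comma-separated), which is the
# plain output form Facter accepts from scripts in facts.d. Prints nothing when
# no fail2ban chain exists, so the fact is simply absent on hosts without fail2ban.
f2b_fact() {
  f2b_chains | awk 'NR > 1 { out = out "," } { out = out $0 }
                    END { if (NR) print "f2b_chains=" out }'
}

# Stand-alone demo on the constructed sample. On a real host replace the
# printf with:  iptables-save | f2b_fact
printf '%s\n' "$SAMPLE" | f2b_fact
```

In the manifest, $chains = split($facts['f2b_chains'], ',') then feeds the same firewallchain loop as above, with the purge/ignore rules unchanged.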

@TJM
Author

TJM commented Dec 17, 2019

Can you pull the information from a variable in the fail2ban module? That has been a favorite of mine to pull out "port" or whatever from the target module for things like SSH. I have not actually messed with fail2ban in a while though.

5 participants