FirewallD backend can't ban IPv6 addresses

Issue #101 resolved
Christopher Engelhard created an issue

Hi, when using the firewalld backend, attacks from IPv6 addresses are recognized and banned by sshguard as expected, but do not actually get added to the ipset. The underlying reason seems to be that the way sshguard adds addresses together with a netmask or prefix, i.e.

$ firewall-cmd --ipset=sshguard6 --add-entry=<ip>/<prefix>

only works with IPv4 but not IPv6 when using hash:ip in ipset. Since the problem seems to be with ipset rather than firewalld, I'd assume that the ipset backend has the same issue, but I have not tested that yet.

Using hash:net instead of hash:ip as the ipset type might provide a workaround for this, but I don't know the implications of that change, because frankly I don't understand exactly how the two differ.

This happens with ipset v6.38; I have not tested other versions.

Comments (5)

  1. Daniel Aleksandersen

    OK, so the version I've had deployed for months uses hash:net for both IPv4 and IPv6. I must have forgotten to push the change.

  2. Christopher Engelhard reporter

    Thanks for fixing this. I just noticed when updating my package that due to firewalld ipsets being permanent, this fix does not get applied automatically when upgrading from a previously installed version of sshguard, and one needs to manually delete the ipsets and rules for sshguard to apply the new ipset type.

    This should probably be noted in the changelog or somewhere for the next release.
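The manual migration described in the comment above (delete the permanent firewalld ipsets and recreate them as hash:net so that prefixed IPv6 entries from the issue report can be added), written up as an added shell helper that is not part of sshguard; the set names sshguard4/sshguard6, the rich-rule shape and the FIREWALL_CMD override are assumptions made here.

```shell
#!/bin/sh
# Added example, not sshguard's own script. Recreates the permanent firewalld
# ipsets that sshguard is assumed to use (sshguard4, sshguard6) with type
# hash:net, re-adds the drop rule for each, and reloads firewalld.
# FIREWALL_CMD may be overridden, e.g. FIREWALL_CMD="echo firewall-cmd" for a
# dry run that only prints the commands that would be executed.
FIREWALL_CMD="${FIREWALL_CMD:-firewall-cmd}"

# recreate_ipset NAME FAMILY
# Drops the permanent ipset NAME if present and recreates it as hash:net for
# FAMILY (inet or inet6). The delete is allowed to fail on a fresh host.
recreate_ipset() {
    name="$1"
    family="$2"
    $FIREWALL_CMD --permanent --delete-ipset="$name" 2>/dev/null || true
    $FIREWALL_CMD --permanent --new-ipset="$name" --type=hash:net \
        --option=family="$family"
    # Rich rule that drops traffic whose source is in the set (assumed shape).
    $FIREWALL_CMD --permanent --add-rich-rule="rule source ipset=$name drop"
}

# migrate_sshguard_ipsets
# Rebuilds both address families and reloads so the runtime sets match.
migrate_sshguard_ipsets() {
    recreate_ipset sshguard4 inet
    recreate_ipset sshguard6 inet6
    $FIREWALL_CMD --reload
}

# ban_entry NAME ADDR PREFIX
# Adds ADDR/PREFIX to the runtime set, the same entry form sshguard uses;
# with hash:net this works for IPv6 as well as IPv4.
ban_entry() {
    $FIREWALL_CMD --ipset="$1" --add-entry="$2/$3"
}

# Only touch the live firewall when explicitly asked to.
if [ "${1:-}" = "--apply" ]; then
    migrate_sshguard_ipsets
fi
```

Run with `--apply` on the host after upgrading sshguard; any existing bans are lost when the sets are recreated.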
