FirewallD backend can't ban IPv6 addresses
Hi, when using the firewalld backend, attacks from IPv6 addresses are recognized and banned by sshguard as expected, but do not actually get added to the ipset. The underlying reason for that seems to be that the way sshguard adds addresses together with netmask or prefix, i.e.
    $ firewall-cmd --ipset=sshguard6 --add-entry=<ip>/<prefix>
only works with IPv4 but not IPv6 when using hash:ip in ipset. Since the problem seems to be with ipset, rather than firewalld, I'd assume that the ipset backend has the same issue, but I have not tested that yet.
Using hash:net instead of hash:ip as the ipset type might provide a workaround for this, but I don't know the implications of that change, because frankly I don't understand exactly how the two differ.
This happens with ipset v6.38, I have not tested other versions.
OK, so the version I've had deployed for months uses hash:net for both IPv4 and IPv6. I must have forgotten to push the change.
- changed status to resolved
reporter Thanks for fixing this. I just noticed when updating my package that due to firewalld ipsets being permanent, this fix does not get applied automatically when upgrading from a previously installed version of sshguard, and one needs to manually delete the ipsets and rules for sshguard to apply the new ipset type.
This should probably be noted in the changelog or somewhere for the next release.
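The manual cleanup the reporter describes, written out as an added example; it is not part of this thread and not sshguard's own code. It assumes (the page does not say so) that the permanent ipsets are named sshguard4 and sshguard6 and that each is referenced by a rich rule of the form "rule source ipset=<name> drop" in the default zone; confirm the names with `firewall-cmd --permanent --get-ipsets` and `firewall-cmd --permanent --list-rich-rules` before running it. With DRY_RUN=1 the script only prints the firewall-cmd invocations it would run.

```shell
#!/bin/sh
# Added example (not sshguard's code): recreate sshguard's permanent firewalld
# ipsets as hash:net after an upgrade, because --permanent ipsets keep their old
# type across package updates and sshguard will not change them for you.
#
# Assumptions (not stated on the page): set names sshguard4/sshguard6, rich
# rules "rule source ipset=<name> drop" in the default zone.  Adjust to match
# `firewall-cmd --permanent --get-ipsets` and `--list-rich-rules` on your host.

DRY_RUN="${DRY_RUN:-0}"

# Execute a command, or just echo it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Remove the rich rule that references the set, then the set itself
# (firewalld refuses to delete an ipset that is still referenced).
remove_sshguard_ipset() {
    name="$1"
    run firewall-cmd --permanent --remove-rich-rule="rule source ipset=$name drop"
    run firewall-cmd --permanent --delete-ipset="$name"
}

# Recreate the set as hash:net: a single addr/prefix entry then covers the
# whole network for both inet and inet6, which hash:ip only did for IPv4.
create_sshguard_ipset() {
    name="$1"
    family="$2"
    run firewall-cmd --permanent --new-ipset="$name" --type=hash:net --option=family="$family"
    run firewall-cmd --permanent --add-rich-rule="rule source ipset=$name drop"
}

# Full migration: drop both old sets, recreate them, reload so the permanent
# configuration becomes the runtime one.  Current bans are lost; sshguard
# re-learns them from the logs.
migrate_sshguard_ipsets() {
    remove_sshguard_ipset sshguard4
    remove_sshguard_ipset sshguard6
    create_sshguard_ipset sshguard4 inet
    create_sshguard_ipset sshguard6 inet6
    run firewall-cmd --reload
}

# Post-check: the permanent definition of the given set must now be hash:net.
check_ipset_type() {
    firewall-cmd --permanent --info-ipset="$1" | grep -q 'hash:net'
}
```

Stop sshguard before running the migration so it does not try to add entries to a set that is momentarily gone, then start it again and verify with `check_ipset_type sshguard6` and a manual `firewall-cmd --ipset=sshguard6 --add-entry=2001:db8::/64` (constructed documentation address) that an IPv6 prefix is now accepted.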
Removing version: 2.2 (automated comment)