I’m trying to use Fail2Ban to secure a web server. In testing I send a bunch of requests from my home IP and I see Fail2Ban creating the entry in firewalld. But the block never does anything. I can continue to access resources on the server with impunity.
Fail2Ban is doing what it claims: adding IPs to a (supposed) block list:

    # firewall-cmd --zone=public --list-rich-rules
    rule family="ipv4" source address="13.xx.xx.xx" port port="https" protocol="tcp" reject type="icmp-port-unreachable"
    rule family="ipv4" source address="13.xx.xx.xx" port port="http" protocol="tcp" reject type="icmp-port-unreachable"
I even went so far as to add my home IP to the ‘block’ zone (with --permanent – and a reload). No effect. I can see the requests coming in via HTTPD logs.
One caveat: I had to add internal hosts (on the same subnet as the server) to a ‘trusted’ group or they were all being blocked.
So:

- Internal hosts (10.95.96.0/24) are blocked unless they are added to ‘trusted’.
- External hosts are added to either/both the ‘block’ zone or the public zone, but no blocks actually occur.
The web server has one NIC (enX0) and it is running Rocky 9 (Linux).
Update:

    # firewall-cmd --get-active-zones
    public
      interfaces: enX0
    trusted
      sources: 10.95.96.0/24
    # firewall-cmd --get-zone-of-interface=enX0
    public
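An added helper (not part of the question above) that parses the two firewall-cmd outputs quoted in the post, so the state can be checked mechanically rather than by eye: which ports a given source address really has a reject rule for, and which zone owns the interface the traffic arrives on. The addresses, the function names and the two sample texts are constructed to mirror the post's output.

```shell
#!/bin/sh
# Added example, not from the original post: parse the text printed by
#   firewall-cmd --zone=public --list-rich-rules
#   firewall-cmd --get-active-zones
# and answer (a) which ports a source address has a reject rule for and
# (b) which zone the interface is assigned to. Both inputs below are
# constructed samples shaped like the output quoted in the post.

SAMPLE_RULES='rule family="ipv4" source address="13.0.0.1" port port="https" protocol="tcp" reject type="icmp-port-unreachable"
rule family="ipv4" source address="13.0.0.1" port port="http" protocol="tcp" reject type="icmp-port-unreachable"
rule family="ipv4" source address="198.51.100.7" port port="ssh" protocol="tcp" reject type="icmp-port-unreachable"'

SAMPLE_ZONES='public
  interfaces: enX0
trusted
  sources: 10.95.96.0/24'

# ban_ports RULES IP: print, one per line, every port for which IP has a reject rule.
ban_ports() {
    printf '%s\n' "$1" | awk -v ip="$2" '
        index($0, "source address=\"" ip "\"") > 0 && / reject / {
            if (match($0, /port port="[^"]+"/)) {
                # drop the leading  port port="  (11 chars) and the trailing quote
                print substr($0, RSTART + 11, RLENGTH - 12)
            }
        }'
}

# is_banned RULES IP PORT...: succeed only if every PORT has a reject rule for IP.
is_banned() {
    rules=$1; ip=$2; shift 2
    found=$(ban_ports "$rules" "$ip")
    for want in "$@"; do
        printf '%s\n' "$found" | grep -qx -- "$want" || return 1
    done
    return 0
}

# active_zone_of ZONES IFACE: print the zone whose "interfaces:" line lists IFACE.
active_zone_of() {
    printf '%s\n' "$1" | awk -v ifc="$2" '
        /^[^ \t]/ { zone = $1 }
        /^[ \t]+interfaces:/ { for (i = 2; i <= NF; i++) if ($i == ifc) print zone }'
}

# Live use: feed the real command output instead of the samples, e.g.
#   is_banned "$(firewall-cmd --zone=public --list-rich-rules)" 13.xx.xx.xx http https
#   active_zone_of "$(firewall-cmd --get-active-zones)" enX0
```

A rule being present only confirms what firewalld has been told, not what it enforces; the helper is meant to make the rule set and zone assignment easy to compare against what the HTTPD log shows.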