Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

firewall.service breaks fail2ban in ansible-role-security #31

Open
kurtabersold opened this issue Jan 26, 2017 · 10 comments
Open

firewall.service breaks fail2ban in ansible-role-security #31

kurtabersold opened this issue Jan 26, 2017 · 10 comments
Labels
planned

Comments

@kurtabersold
Copy link

I am using ansible-role-security with ansible-role-firewall. There seems to be a problem with the firewall.service script which clobbers fail2ban rules in the firewall after a systemctl restart firewall.service

My main.yml is bringing in the roles in this order:

  roles:
    - { role: geerlingguy.security }
    - { role: geerlingguy.firewall }
@kurtabersold kurtabersold mentioned this issue Jan 26, 2017
Closed
@geerlingguy
Copy link
Owner

Hmm... I'm not 100% sure I want to go with the approach in #32, but that might be somewhat necessary. I've sometimes run into the same chicken-and-egg issue with Docker (when you bring up Docker containers, if Docker was started prior to this role making some modifications, that can cause some issues).

@mprasil mprasil mentioned this issue Apr 6, 2017
Open
@mprasil
Copy link

mprasil commented Apr 6, 2017

I tried to have a go at the problem in #37. In theory you just need to set these variables for docker host to avoid conflict with Docker-added rules:

firewall_flush_filter_chains:
  - INPUT
  - OUTPUT
firewall_flush_nat_chains:
  - INPUT
  - OUTPUT
firewall_delete_chains: []

Similar configuration should work for fail2ban.

Obviously this will not work optimally if there are also defined forwarded ports, but hopefully this should be very edge case scenario that adds some slight performance penalty - multiple rules, that will only match on the first one.

And even in that case it only won't be optimal when applying the rules multiple times, so once at boot should be good. We can perhaps check if this conflict is present and throw some warning if that's the case, I'm just not sure it's worth the effort.

@JMLX42
Copy link

JMLX42 commented Oct 10, 2017
edited
Loading

In theory you just need to set these variables for docker host to avoid conflict with Docker-added rules:

I used those rules and after a fresh provisioning, my containers won't run before I restart docker :

$ docker ps
CONTAINER ID        IMAGE                          COMMAND             CREATED             STATUS                                  PORTS               NAMES
e2765cdc8ae6        gitlab/gitlab-ce:10.0.1-ce.0   "/assets/wrapper"   47 seconds ago      Restarting (1) Less than a second ago                       gitlab

Restarting the docker service fixes the issue.

@romaindequidt
Copy link

I'm using geerlingguy.firewall and tersmitten.fail2ban roles.
To solve that issue, I use listen feature for handlers in Ansible (>= 2.2)
I create ansible-role-fail2ban-handler-for-firewall role in my playbook with 1-handler file roles/ansible-role-fail2ban-handler-for-firewall/handlers/main.yml :

# handlers/main.yml
- name: handler restart fail2ban service after firewall restarted
  service:
    name: fail2ban
    state: restarted
  listen: restart firewall

and update my playbook:

- hosts: all
  roles:
    - role: geerlingguy.firewall
    - role: tersmitten.fail2ban
    - role: ansible-role-fail2ban-handler-for-firewall # global handler, keep at the end of playbook

@stale
Copy link

stale bot commented Mar 6, 2020

This issue has been marked 'stale' due to lack of recent activity. If there is no further activity, the issue will be closed in another 30 days. Thank you for your contribution!

Please read this blog post to see the reasons why I mark issues as stale.

@stale stale bot added the stale label Mar 6, 2020
@geerlingguy
Copy link
Owner

Not stale; I'm going to add a simple approach (like #37 but just one variable to determine whether to flush or not, for now) to make it so this role can work more easily with Docker and other tools that modify iptables on their own... I don't want to necessarily add more complexity in the behavior like #37 does where strings and empty sets mean different things.

@stale
Copy link

stale bot commented Mar 15, 2020

This issue is no longer marked for closure.

@stale stale bot removed the stale label Mar 15, 2020
geerlingguy added a commit that referenced this issue Mar 15, 2020
@geerlingguy
Issue #31, PR #37: Add option to control flushing all chains and rules.
5e36be8
@stale
Copy link

stale bot commented Jun 13, 2020

This issue has been marked 'stale' due to lack of recent activity. If there is no further activity, the issue will be closed in another 30 days. Thank you for your contribution!

Please read this blog post to see the reasons why I mark issues as stale.

@stale stale bot added the stale label Jun 13, 2020
@stale
Copy link

stale bot commented Jun 14, 2020

This issue is no longer marked for closure.

@stale stale bot removed the stale label Jun 14, 2020
@geerlingguy
Copy link
Owner

Also @romaindequidt - TIL about the listen option for handlers. That's nice, being able to tag onto other handlers like that! I could rewrite a couple of my older roles to use that feature so I don't have to have cross-role deps.

@katomaso katomaso mentioned this issue Mar 27, 2023
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
planned
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@geerlingguy @romaindequidt @JMLX42 @kurtabersold @mprasil