firewall.service breaks fail2ban in ansible-role-security #31
Comments
Hmm... I'm not 100% sure I want to go with the approach in #32, but that might be somewhat necessary. I've sometimes run into the same chicken-and-egg issue with Docker (when you bring up Docker containers, if Docker was started prior to this role making some modifications, that can cause some issues).
I tried to have a go at the problem in #37. In theory you just need to set these variables for a Docker host to avoid conflicts with Docker-added rules:

    firewall_flush_filter_chains:
      - INPUT
      - OUTPUT
    firewall_flush_nat_chains:
      - INPUT
      - OUTPUT
    firewall_delete_chains: []

Similar configuration should work for fail2ban. Obviously this will not work optimally if there are also defined forwarded ports, but hopefully this should be a very edge-case scenario that adds some slight performance penalty - multiple rules, of which only the first one will match. And even in that case it only won't be optimal when applying the rules multiple times, so once at boot should be good. We can perhaps check if this conflict is present and throw some warning if that's the case, I'm just not sure it's worth the effort.
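The conflict check floated at the end of that comment, written out as an added example that is not the role's own code: the `iptables -S` listing is constructed, and the space-separated chain list stands in for the `firewall_flush_filter_chains` value suggested above.

```shell
# Constructed sample of `iptables -S` output from a host running Docker and fail2ban.
SAMPLE_RULES='-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-N DOCKER
-N DOCKER-USER
-N f2b-sshd
-A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j DOCKER-USER
-A FORWARD -o docker0 -j DOCKER
-A f2b-sshd -s 203.0.113.7/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -j RETURN'

# foreign_targets RULES CHAINS
# Prints, one per line, every user-defined chain (declared with -N) that a
# rule in one of CHAINS jumps to. Flushing CHAINS drops those jump rules,
# which is how fail2ban's f2b-* and Docker's DOCKER* chains get disconnected
# even though the chains themselves survive. CHAINS is e.g. "INPUT OUTPUT".
foreign_targets() {
    rules=$1
    flush=$2
    custom=$(printf '%s\n' "$rules" | awk '$1 == "-N" { print $2 }')
    for chain in $flush; do
        printf '%s\n' "$rules" |
            awk -v c="$chain" '$1 == "-A" && $2 == c {
                for (i = 3; i <= NF; i++) if ($i == "-j") print $(i + 1) }'
    done | while read -r target; do
        for c in $custom; do
            [ "$target" = "$c" ] && printf '%s\n' "$target"
        done
    done | LC_ALL=C sort -u
}

# warn_if_clobbered RULES CHAINS
# Returns 1 and prints a warning on stderr when flushing CHAINS would detach
# another tool's chains; a firewall script can call this before iptables -F.
warn_if_clobbered() {
    lost=$(foreign_targets "$1" "$2")
    [ -z "$lost" ] && return 0
    printf 'warning: flushing %s detaches rules of: %s\n' "$2" \
        "$(printf '%s' "$lost" | tr '\n' ' ')" >&2
    return 1
}

# Usage: the INPUT/OUTPUT-only list from the comment still detaches f2b-sshd.
if ! warn_if_clobbered "$SAMPLE_RULES" "INPUT OUTPUT"; then
    echo "adjust the flush list or restart fail2ban after the flush"
fi
```

Run it against real output with `foreign_targets "$(iptables -S)" "INPUT OUTPUT"` to see which chains a flush on that host would disconnect.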
I used those rules and after a fresh provisioning, my containers won't run before I restart docker:
Restarting the
I'm using
and update my playbook:
This issue has been marked 'stale' due to lack of recent activity. If there is no further activity, the issue will be closed in another 30 days. Thank you for your contribution! Please read this blog post to see the reasons why I mark issues as stale.
Not stale; I'm going to add a simple approach (like #37 but just one variable to determine whether to flush or not, for now) to make it so this role can work more easily with Docker and other tools that modify iptables on their own... I don't want to necessarily add more complexity in the behavior like #37 does where strings and empty sets mean different things.
This issue is no longer marked for closure.
This issue has been marked 'stale' due to lack of recent activity. If there is no further activity, the issue will be closed in another 30 days. Thank you for your contribution! Please read this blog post to see the reasons why I mark issues as stale.
This issue is no longer marked for closure.
Also @romaindequidt - TIL about the
I am using ansible-role-security with ansible-role-firewall. There seems to be a problem with the firewall.service script, which clobbers fail2ban rules in the firewall after a systemctl restart firewall.service.
My main.yml is bringing in the roles in this order: