ufw firewall with fail2ban and established connections

Hi All,
I have a problem. I installed Debian buster with fail2ban and ufw. Now everything works as it should, except for one thing: if an IP is banned and the client still has its connection open, it won't be blocked (so an attacker could just keep trying endlessly as long as he does not close the connection).
When I close the browser I cannot connect anymore (as it should be). Why is ufw not blocking established connections?
- Posts: 4
- Joined: 2019-10-02 12:14
Re: ufw firewall with fail2ban and established connections
Hi All,
I already found the solution.
Just after the ban I run
conntrack --flush
Then the connection is disconnected.
Issue resolved.
Re: ufw firewall with fail2ban and established connections
ckruijntjens wrote:
Hi All,
I have a problem. I installed Debian buster with fail2ban and ufw. Now everything works as it should, except for one thing: if an IP is banned and the client still has its connection open, it won't be blocked (so an attacker could just keep trying endlessly as long as he does not close the connection).
When I close the browser I cannot connect anymore (as it should be). Why is ufw not blocking established connections?

It all depends on which action fail2ban is taking. Assuming you're using the ufw.conf action, it does "ufw insert 1 reject from <ip> to <destination> $app".
I don't use ufw, so I don't know how it adds the rule. I suppose it's a front-end to iptables, so you could run "iptables -L" and inspect the rule. It probably applies only to NEW connections, so those which are already ESTABLISHED won't be affected.
So you either live with that (normally a connection you wish to block is not long-lived, so I don't see why you have a problem with that), or you tweak ufw.conf or ufw itself to block connections regardless of state, or you use another method ("route" is a nice and easy one).
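The two fixes raised in this thread (the original poster's conntrack --flush after the ban, and the second reply's suggestion to tweak the ufw.conf action) can be combined into one fail2ban action that clears only the banned address's tracked flows. The file below is an added example, not the poster's setup and not the ufw.conf shipped with fail2ban: the file name ufw-conntrack.conf and the jail name sshd in the usage note are assumptions, the actionban/actionunban lines follow the shape of fail2ban's ufw action that the reply quotes, and conntrack -D -s / -d are conntrack-tools' delete-by-original-source / delete-by-original-destination filters. The rule-order check the reply suggests can be done with "iptables -S ufw-before-input": ufw's before.rules accept "-m conntrack --ctstate RELATED,ESTABLISHED" before the "-j ufw-user-input" jump where the inserted reject rule lives, which is why an already-tracked session never reaches the ban.

```ini
# /etc/fail2ban/action.d/ufw-conntrack.conf   (assumed file name; added example)
#
# ufw evaluates "RELATED,ESTABLISHED -> ACCEPT" before it jumps to the
# user rules, so a connection that was tracked before the ban keeps being
# accepted. Deleting the banned address's conntrack entries makes its next
# packet be evaluated as NEW, and NEW packets from that address hit the
# inserted reject rule. "conntrack --flush" does the same for every flow on
# the host; deleting by address only touches the attacker's flows.
#
# Requires the conntrack-tools package ("apt install conntrack").

[Definition]
actionstart =
actionstop =
actioncheck =

# All lines of one action run in the same shell, so $app carries over from
# the first line. conntrack -D is silenced and its exit status ignored so a
# "no entries matched" result never makes fail2ban report the ban as failed.
actionban = [ -n "<application>" ] && app="app <application>"
            ufw insert <insertpos> <blocktype> from <ip> to <destination> $app
            conntrack -D -s <ip> >/dev/null 2>&1 || true
            conntrack -D -d <ip> >/dev/null 2>&1 || true

actionunban = [ -n "<application>" ] && app="app <application>"
              ufw delete <blocktype> from <ip> to <destination> $app

[Init]
# Position 1 so the reject lands ahead of any allow rule in ufw-user-input.
insertpos = 1
# "reject" answers the next packet with a reset/unreachable; "deny" drops it.
blocktype = reject
destination = any
application =
```

To use it, point a jail at the action in jail.local, e.g. "banaction = ufw-conntrack" under [sshd] (assumed jail), restart fail2ban, and verify a ban with "conntrack -L -s <ip>" which should list no flows for the banned address while "ufw status numbered" shows the reject rule at position 1.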