Updated to explain usage of iptables in recidivist jail.

2018-09-30 18:53:43 -06:00 · 2018-09-30 18:53:43 -06:00 · 50e75039bc
parent 2663924c34
commit 50e75039bc
1 changed files with 17 additions and 0 deletions
--- a/README.md
+++ b/README.md
@ -25,6 +25,7 @@
 - [The UFW filter regex (/etc/fail2ban/filter.d/ufw-probe.conf)](#the-ufw-filter-regex-etcfail2banfilterdufw-probeconf)
 - [The action file (/etc/fail2ban/action.d/ufw.conf)](#the-action-file-etcfail2banactiondufwconf)
 - [Repeat offenders](#repeat-offenders)
+  - [Apply the extended ban via iptables directly](#apply-the-extended-ban-via-iptables-directly)
 - [Final thoughts](#final-thoughts)

 ## Overview
@ -432,6 +433,22 @@ Finally, we also enable the jail.
 filter      = recidive[_jailname="recidivist"]
 enabled     = true
 ```
+### Apply the extended ban via iptables directly
+
+You'll notice that the '*recidivist*' jail configuration contains the following
+line:
+
+```Ini
+banaction   = iptables-allports
+```
+
+This means that the ban is generated by creating a rule directly applied to your
+iptables configuration and **not** through UFW.  This is because UFW has no
+facility to tag or otherwise distinguish rules apart from their index number.
+As such, it's possible for the *UFW-probe* jail **unban** process to erase the
+longer-term *recidivist* ban and vice versa.  To avoid this conflict, we have
+the longer-term rule apply to iptables directly as a separate rule so UFW-probe
+can ban/unban independently as needed without any risk of conflicts.

 ## Final thoughts