Crowdsec ipset rules do not survive a firewalld reload #6900
Comments
Update firewall rules for crowdsec-blacklists and crowdsec6-blacklists NethServer/dev#6900
QA
Install crowdsec ghcr.io/nethserver/crowdsec:1.0.7-dev.3. Now the test is really fun: we run the bouncer inside a container, however the test must be done on Debian and Rocky 9. As a side note, we do not remove the permanent rules of firewalld nor remove the deb and rpm of crowdsec-firewall-bouncer-iptables, we just stop and disable it.
test case 1
test case 2
Test case 1: OK
Test case 2: NOK
On a single Rocky node it works.
Create a bouncer inside a container NethServer/dev#6900
Add --privileged flag to podman run command NethServer/dev#6900
QA note In some Debian installations (i.e. Digital Ocean hosting) the
In testing crowdsec 1.0.7-dev.4
Test case
Repeat test cases 1 and 2. Notice that
on Rocky Linux:
On Debian:
Note for Debian: used DO VPS so I needed to install
- Fix FQDN validator
- Implement backend validation with JSON schema
- Remove frontend validation logic

Refs NethServer/dev#6900

Co-authored-by: Andrea Leardini <andre8244@gmail.com>
VERIFIED
Verified additional fix, and test case https://community.nethserver.org/t/ns8-crowdsec-limited-domain-levels-in-allow-list/23301/7
Steps to reproduce
Reload the firewall (as agent.add_public_service does after it has opened services):
firewall-cmd --reload
Expected behavior
I expect that my sets are loaded.
Actual behavior
The sets are not loaded anymore; obviously crowdsec can ban, but the drop is not honored.
However, if I restart crowdsec-firewall-bouncer.service, the sets are back:
systemctl restart crowdsec-firewall-bouncer.service
I tried to make the set permanent in the drop zone of firewalld, or also with a rich rule in the public zone, but we face a strange behavior with two kinds of sets: crowdsec wants to use the set that you can see with
ipset -L -n
and since I want to make the set permanent in firewalld, it looks like there is a conflict.
Components
crowdsec 1.0.6
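A post-reload health check for the condition this issue describes, added here as an example (it is not code from the issue, from NethServer or from crowdsec). It assumes the bouncer's default set names crowdsec-blacklists and crowdsec6-blacklists, and the ipset and iptables-save outputs embedded below are constructed so the check runs offline.

```shell
#!/bin/sh
# Added example, not code from the NethServer issue or the crowdsec project.
# Health check for the failure described in this issue: after
# `firewall-cmd --reload` the bouncer's ipset sets may still exist, but the
# iptables rules that reference them are gone, so banned addresses are no
# longer dropped. Set names are the crowdsec-firewall-bouncer defaults;
# the sample outputs further down are constructed for an offline run.

# check_bouncer_rules SETS IPSET_OUTPUT RULES_OUTPUT
# SETS: space-separated ipset names; IPSET_OUTPUT: text of `ipset list -n`;
# RULES_OUTPUT: text of `iptables-save` and/or `ip6tables-save`.
# Returns 0 when every set exists and a rule references it, 1 otherwise.
check_bouncer_rules() {
    sets=$1; ipset_out=$2; rules_out=$3; missing=0
    for s in $sets; do
        if ! printf '%s\n' "$ipset_out" | grep -qx -- "$s"; then
            echo "$s: set does not exist (is the bouncer running?)"
            missing=1
        elif ! printf '%s\n' "$rules_out" | grep -q -- "--match-set $s src"; then
            echo "$s: set exists but no rule references it (wiped by a reload?)"
            missing=1
        fi
    done
    return $missing
}

# Live variant for a real host (run as root, e.g. from a systemd timer);
# restart crowdsec-firewall-bouncer.service when it returns non-zero.
live_check() {
    check_bouncer_rules "crowdsec-blacklists crowdsec6-blacklists" \
        "$(ipset list -n)" "$(iptables-save; ip6tables-save)"
}

# Constructed samples: healthy state, and the state after a firewalld reload
# where the sets survive but the DROP rules do not.
SAMPLE_IPSET='crowdsec-blacklists
crowdsec6-blacklists'
RULES_OK='*filter
-A INPUT -m set --match-set crowdsec-blacklists src -j DROP
-A INPUT -m set --match-set crowdsec6-blacklists src -j DROP
COMMIT'
RULES_AFTER_RELOAD='*filter
-A INPUT -j INPUT_direct
COMMIT'

# Offline demonstration of both outcomes; pass --live to inspect the real host.
check_bouncer_rules "crowdsec-blacklists crowdsec6-blacklists" "$SAMPLE_IPSET" "$RULES_OK" && echo "before reload: OK"
check_bouncer_rules "crowdsec-blacklists crowdsec6-blacklists" "$SAMPLE_IPSET" "$RULES_AFTER_RELOAD" || echo "after reload: bouncer rules missing"
if [ "${1:-}" = "--live" ]; then live_check; fi
```

Running it with --live on an affected host right after firewall-cmd --reload shows the second message, and the check passes again once the bouncer service has been restarted.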