
#1 2021-06-29 21:22:44

cmm11
Member
Registered: 2018-02-18
Posts: 18

SSHGuard & firewalld , Could not initialize firewall

I've set up sshguard to use firewalld as its backend on a fresh VPS; however, looking at the output of the service (systemctl status sshguard.service) I see the following line:

sshguard[588]: sshg-fw-firewalld: Could not initialize firewall

When I do (firewall-cmd --reload) I also get the message

Error: INVALID_IPSET: sshguard4

and doing (systemctl status firewalld.service) I get the output:

firewalld[427]: WARNING: ipset not usable, disabling ipset usage in firewall.
firewalld[427]: WARNING: sshguard4: INVALID_TYPE: 'hash:net' is not supported by ipset., ignoring for run-time.
firewalld[427]: WARNING: sshguard6: INVALID_TYPE: 'hash:net' is not supported by ipset., ignoring for run-time.
firewalld[427]: ERROR: INVALID_IPSET: sshguard4

Configs

/etc/sshguard.conf

LOGREADER="LANG=C /usr/bin/journalctl -afb -p info -n1 -t sshd -o cat"
BLACKLIST_FILE=120:/var/db/sshguard/blacklist.db
BACKEND="/usr/lib/sshguard/sshg-fw-firewalld"
THRESHOLD=30
BLOCK_TIME=180
DETECTION_TIME=3600

Last edited by cmm11 (2021-07-01 12:50:25)


#2 2021-06-30 20:14:11

loqs
Member
Registered: 2014-03-06
Posts: 13,660

Re: SSHGuard & firewalld , Could not initialize firewall

Try building firewalld 0.9.4 locally that should have ipset emulation under nftables.  https://github.com/firewalld/firewalld/releases
Or change the firewall rules to not use ipsets.


#3 2021-07-01 12:44:09

cmm11
Member
Registered: 2018-02-18
Posts: 18

Re: SSHGuard & firewalld , Could not initialize firewall

firewalld got updated today in the repos to firewalld 0.9.4-1 which, as loqs linked to, has a fix: fix(ipset): fix hash:net,net functionality.
Everything is working fine now.

Update - Looks like I spoke too soon:

systemctl status sshguard.service = sshg-fw-firewalld: Could not initialize firewall
firewall-cmd --info-ipset=sshguard4 = Error: INVALID_IPSET: sshguard4

If I remove firewalld and rm /etc/firewalld, then install it and start the firewalld service, I see that systemctl status firewalld.service is showing:

firewalld[1079]: WARNING: ipset not usable, disabling ipset usage in firewall.

This is without sshguard service running, so looks like that might be the key to the issue.

Last edited by cmm11 (2021-07-01 13:05:13)


#4 2021-07-01 13:24:38

loqs
Member
Registered: 2014-03-06
Posts: 13,660

Re: SSHGuard & firewalld , Could not initialize firewall

firewalld is no longer built with ipset support. I was hoping the emulation code in 0.9.4 would resolve the issue. What if you configure sshguard to use nftables?


#5 2021-07-01 14:29:21

cmm11
Member
Registered: 2018-02-18
Posts: 18

Re: SSHGuard & firewalld , Could not initialize firewall

loqs wrote:

firewalld is no longer built with ipset support. I was hoping the emulation code in 0.9.4 would resolve the issue. What if you configure sshguard to use nftables?

I could do that; I know nftables + sshguard is working fine for me on another server, but I like how simple it is to use and understand firewalld.
I guess I could just give fail2ban a go instead of sshguard.


#6 2021-07-01 23:30:25

loqs
Member
Registered: 2014-03-06
Posts: 13,660

Re: SSHGuard & firewalld , Could not initialize firewall

Sshguard#firewalld has probably not been updated for the last two releases.
You could try rebuilding firewalld locally with iptables added to makedepends and then configure it to use the iptables backend at run time and see if that restores the old behavior.

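The failure chain in this thread (firewalld built without ipset support, so the sshguard4/sshguard6 hash:net sets are never created and sshg-fw-firewalld reports "Could not initialize firewall") can be checked from the journal and config text alone. The following POSIX shell script is an added example written for this page; it is not part of the thread, sshguard or firewalld. It embeds constructed copies of the firewalld log lines and the sshguard.conf posted above, determines whether the firewalld backend can work, and shows how the BACKEND line would be rewritten for the nftables backend that loqs suggests. The path /usr/lib/sshguard/sshg-fw-nft-sets is assumed by analogy with the firewalld backend path in the thread; check the actual location in your sshguard package.

```shell
#!/bin/sh
# Added example: diagnose the sshguard/firewalld ipset mismatch from log and config text.
# Nothing here queries a live firewalld; feed it the output of
#   journalctl -u firewalld   and   cat /etc/sshguard.conf
# in place of the constructed samples below.

# Constructed sample: the firewalld journal lines posted in this thread.
FIREWALLD_LOG=$(cat <<'EOF'
firewalld[427]: WARNING: ipset not usable, disabling ipset usage in firewall.
firewalld[427]: WARNING: sshguard4: INVALID_TYPE: 'hash:net' is not supported by ipset., ignoring for run-time.
firewalld[427]: WARNING: sshguard6: INVALID_TYPE: 'hash:net' is not supported by ipset., ignoring for run-time.
firewalld[427]: ERROR: INVALID_IPSET: sshguard4
EOF
)

# Constructed sample: the /etc/sshguard.conf posted in this thread.
SSHGUARD_CONF=$(cat <<'EOF'
LOGREADER="LANG=C /usr/bin/journalctl -afb -p info -n1 -t sshd -o cat"
BLACKLIST_FILE=120:/var/db/sshguard/blacklist.db
BACKEND="/usr/lib/sshguard/sshg-fw-firewalld"
THRESHOLD=30
BLOCK_TIME=180
DETECTION_TIME=3600
EOF
)

# Assumed path of sshguard's nftables backend script (not taken from the thread).
NFT_BACKEND=/usr/lib/sshguard/sshg-fw-nft-sets

# firewalld_ipset_usable LOG: succeeds unless firewalld disabled ipset usage.
firewalld_ipset_usable() {
    ! printf '%s\n' "$1" | grep -q 'ipset not usable'
}

# missing_sshguard_sets LOG: prints the sshguard sets firewalld refused to create,
# space separated, e.g. "sshguard4 sshguard6".
missing_sshguard_sets() {
    printf '%s\n' "$1" \
        | sed -n 's/.*WARNING: \(sshguard[46]\): INVALID_TYPE.*/\1/p' \
        | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# sshguard_backend CONF: prints the basename of the BACKEND= script in sshguard.conf text.
sshguard_backend() {
    b=$(printf '%s\n' "$1" | sed -n 's/^BACKEND="\([^"]*\)".*/\1/p')
    printf '%s\n' "${b##*/}"
}

# diagnose LOG CONF: prints "ok: backend <name>" and returns 0, or prints the reason
# the firewalld backend cannot initialise and returns 1.
diagnose() {
    backend=$(sshguard_backend "$2")
    if [ "$backend" = "sshg-fw-firewalld" ] && ! firewalld_ipset_usable "$1"; then
        printf 'broken: firewalld reports ipset unusable; sets not created: %s\n' \
            "$(missing_sshguard_sets "$1")"
        return 1
    fi
    printf 'ok: backend %s\n' "$backend"
}

# switch_backend CONF PATH: prints CONF with its BACKEND= line pointing at PATH.
switch_backend() {
    printf '%s\n' "$1" | sed "s|^BACKEND=.*|BACKEND=\"$2\"|"
}

# Stand-alone run: report the diagnosis and the proposed config change.
diagnose "$FIREWALLD_LOG" "$SSHGUARD_CONF" || true
printf '\nProposed /etc/sshguard.conf (backend switched to nftables):\n'
switch_backend "$SSHGUARD_CONF" "$NFT_BACKEND"
```

The check keys on firewalld's own "ipset not usable" warning rather than on the sshguard error, because that warning appears even with the sshguard service stopped (as the thread notes), which is what makes it the root cause rather than a symptom.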
