I want to set up dynamic ssh firewall blocking in order to stop ssh attacks and because openssh is abandoning tcpwrapper. I set up an ipset setname, sshdeny, in order to use it in shorewall. I also want to save and restore the addresses to be blocked across a shutdown of shorewall. But I am having trouble reading the addresses back in to shorewall and ipset. I put an ipset save sshdeny -file /etc/shorewall/sshdeny into the stop file and tried to put an ipset restore -file /etc/shorewall/sshdeny into the start file. But shorewall does not restart: it says that the set does not exist and shuts down. Nowhere I put the ipset restore seems to work.

Here is the situation; I put in only the lines which I think have relevance.

zones
    sshd:net ipv4
(net is the default external network)

interfaces
    - enp+ detect

hosts
    net enp+:0.0.0.0/0 -
    sshd enp+:+sshdeny

rules
    DROP sshd fw tcp,udp -

But this does not work. When I do shorewall start I get errors and shorewall stops again.

    .....
    Processing /etc/shorewall/init ...
    Processing /etc/shorewall/tcclear ...
    Setting up Route Filtering...
    Setting up Martian Logging...
    Setting up Proxy ARP...
    Preparing iptables-restore input...
    Running /sbin/iptables-restore...
    iptables-restore v1.4.21: Set sshdeny doesn't exist.
    Error occurred at line: 137
    Try `iptables-restore -h' or 'iptables-restore --help' for more information.
    ERROR: iptables-restore Failed. Input is in /var/lib/shorewall/.iptables-restore-input
    Processing /etc/shorewall/stop ...
    .........

files in /etc/shorewall:

stop
---------
ipset save sshdeny -file /etc/shorewall/sshdeny
================

start
-------------------
ipset restore -file /etc/shorewall/sshdeny
================

I get the same problem if I put that last line into the file init. However, if I put ipset create sshdeny hash:ip timeout 800000 into init, I do not get that error, but now I cannot restore the files. Wherever I put ipset restore.... I get that the set already exists, and I cannot recover the old addresses into sshdeny. Surely this is possible to do.
Offhand I did not see a whole lot of "dynamic" whatever keywords/options in your configuration files. Might I suggest http://www.shorewall.net/Dynamic.html
The "dynamic" occurs externally, when my script alters the sshdeny set with ipset depending on the reading of the log files for sshd. Since sshd is needed from around the world, I cannot just deny everyone. And since denial depends on the site having tried to crack root's or other system passwords, it needs a bit more data to determine whether this is an attack or is just normal "I forgot my password" behaviour. Thus my script looks through the auth.log, determines that some IP is trying to crack my system, and then uses ipset to alter the sshdeny set via ipset. That dynamic alteration feeds into iptables immediately, and denies that site from further attacks. By dynamic I meant that I could add and remove ip addresses while the firewall was running and have them implemented immediately without having to restart the firewall.
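A worked version of the log-driven blocking step described in the post above, added here as an example and not the poster's own script: it scores sshd failures from a constructed auth.log sample, flags only sources whose weighted score reaches a threshold (so a single forgotten password is not banned), and emits the ipset commands as a dry run. The set name and 800000-second timeout come from the thread; the scoring weights, threshold and account list are assumptions, and `-exist` is used so the create/add calls are safe to repeat against a set that already exists.

```python
import re
from collections import defaultdict

# Constructed sample of sshd lines in /var/log/auth.log format (not real traffic).
SAMPLE_AUTH_LOG = """\
Mar  3 10:01:02 host sshd[1201]: Failed password for root from 203.0.113.5 port 51234 ssh2
Mar  3 10:01:05 host sshd[1203]: Failed password for invalid user admin from 203.0.113.5 port 51240 ssh2
Mar  3 10:01:09 host sshd[1205]: Failed password for invalid user oracle from 203.0.113.5 port 51250 ssh2
Mar  3 10:02:11 host sshd[1210]: Failed password for alice from 198.51.100.7 port 40001 ssh2
Mar  3 10:02:20 host sshd[1212]: Accepted password for alice from 198.51.100.7 port 40002 ssh2
Mar  3 10:03:00 host sshd[1220]: Failed password for root from 192.0.2.9 port 60010 ssh2
"""

FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

# Assumed policy: guessing root, a system account or a non-existent account is a
# stronger signal than one failed login by a real user (the "I forgot my password" case).
SYSTEM_ACCOUNTS = {"root", "admin", "sync", "shutdown", "halt"}

def score_attempts(log_text):
    """Return {ip: score}: each failure adds 1, or 3 if it targeted root,
    a system account or an 'invalid user'."""
    scores = defaultdict(int)
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if not m:
            continue
        weight = 3 if (m.group("invalid") or m.group("user") in SYSTEM_ACCOUNTS) else 1
        scores[m.group("ip")] += weight
    return dict(scores)

def attackers(log_text, threshold=5):
    """Sorted list of source IPs whose weighted score reaches the threshold."""
    return sorted(ip for ip, s in score_attempts(log_text).items() if s >= threshold)

def ipset_commands(ips, setname="sshdeny", timeout=800000):
    """Build the ipset invocations to run on the firewall host. '-exist' makes
    both calls idempotent: re-adding an IP only refreshes its timeout."""
    cmds = [f"ipset create {setname} hash:ip timeout {timeout} -exist"]
    cmds += [f"ipset add {setname} {ip} timeout {timeout} -exist" for ip in ips]
    return cmds

if __name__ == "__main__":
    for cmd in ipset_commands(attackers(SAMPLE_AUTH_LOG)):
        print(cmd)  # dry run; pipe into sh on the firewall to apply
```

With the sample, 203.0.113.5 scores 9 and is listed, while the single root attempt from 192.0.2.9 (score 3) and alice's one failure (score 1) stay below the threshold.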
FRAP, I can only guess you did not bother to read the given url. I can see I need to kill both cups and shorewall threads.