summaryrefslogtreecommitdiffstats
path: root/roles/common
diff options
context:
space:
mode:
Diffstat (limited to 'roles/common')
-rwxr-xr-xroles/common/files/etc/network/if-up.d/ipsec4
-rwxr-xr-xroles/common/files/usr/local/sbin/update-firewall.sh4
-rw-r--r--roles/common/templates/etc/fail2ban/jail.local.j26
3 files changed, 7 insertions, 7 deletions
diff --git a/roles/common/files/etc/network/if-up.d/ipsec b/roles/common/files/etc/network/if-up.d/ipsec
index a43af6c..db9f979 100755
--- a/roles/common/files/etc/network/if-up.d/ipsec
+++ b/roles/common/files/etc/network/if-up.d/ipsec
@@ -42,8 +42,8 @@ case "$MODE" in
# been SNAT'ed from $ipsec, and didn't have a xfrm
# association. Hence we nullroute it to avoid to leak data
# intented to be tunneled through IPSec. /!\ The priority
- # must be >220 (strongSwan IPSec's policy) since xfrm lookup
- # must take precedence.
+ # must be >220 (which the one used by strongSwan IPSec) since
+ # xfrm lookup must take precedence.
/bin/ip rule add fwmark "$secmark" table 666 priority 666 || true
/bin/ip route add prohibit default table 666 || true
;;
diff --git a/roles/common/files/usr/local/sbin/update-firewall.sh b/roles/common/files/usr/local/sbin/update-firewall.sh
index 1c57646..2e16711 100755
--- a/roles/common/files/usr/local/sbin/update-firewall.sh
+++ b/roles/common/files/usr/local/sbin/update-firewall.sh
@@ -34,7 +34,7 @@ secmark=0xA99 # must match that in /etc/network/if-up.d/ipsec
secproto=esp # must match /etc/ipsec.conf; ESP is the default (vs AH/IPComp)
fail2ban_re='^(\[[0-9]+:[0-9]+\]\s+)?-A fail2ban-\S'
-IPSec_re=" -m policy --dir (in|out) --pol ipsec .* --proto $secproto -j ACCEPT$"
+IPSec_re=" -m policy --dir (in|out) --pol ipsec --reqid [0-9]+ --proto $secproto -j ACCEPT$"
declare -A rss=() tables=()
usage() {
@@ -193,7 +193,7 @@ run() {
grep -E -- "$fail2ban_re" "$old" || true
fi >> "$new"
- if [ -n "$ifsec" ]; then
+ if [ -n "$ipsec" ]; then
# (Host-to-host) IPSec tunnels come first. TODO: test IPSec with IPv6.
grep -E -- "$IPSec_re" "$old" >> "$new" || true
diff --git a/roles/common/templates/etc/fail2ban/jail.local.j2 b/roles/common/templates/etc/fail2ban/jail.local.j2
index 1cbcd88..0dcab8d 100644
--- a/roles/common/templates/etc/fail2ban/jail.local.j2
+++ b/roles/common/templates/etc/fail2ban/jail.local.j2
@@ -20,8 +20,8 @@ action = %(action_)s
[ssh]
enabled = true
-port = {{ ansible_ssh_port|default('22') }}
-filter = sshd
+port = {{ ansible_ssh_port|default('22') }}
+filter = sshd
logpath = /var/log/auth.log
maxretry = 5
@@ -40,7 +40,7 @@ maxretry = 2
enabled = true
# pam-generic filter can be customized to monitor specific subset of 'tty's
-filter = pam-generic
+filter = pam-generic
# port actually must be irrelevant but lets leave it all for some possible uses
port = all
banaction = iptables-allports