Set fail2ban backend to nftables, Refs #40113

790b1474 · Baptiste DE RENZO · 99d922c1 · 790b1474 · 790b1474 · 790b1474
Commit 790b1474 authored 5 months ago by Baptiste DE RENZO
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
+# 2024-09-19
+
+* Default nftables forward chain policy set to accept for netcapture hosts.
+* Change default fail2ban backend to nftables.
+
 # 2024-08-12

-* Add HAProxy stats page listening on localhost on frontend servers for HA deployment
-* Update HAProxy maxconn value for HA deployment
+* Add HAProxy stats page listening on localhost on frontend servers for HA deployment.
+* Update HAProxy maxconn value for HA deployment.

 # 2024-07-09


--- a/roles/system/fail2ban/tasks/base.yml
+++ b/roles/system/fail2ban/tasks/base.yml
@@ -9,6 +9,9 @@
    content: |
      [DEFAULT]

+# Debian 12 bug:
+# see: https://bugs-devel.debian.org/cgi-bin/bugreport.cgi?bug=1037437
+# 2024-09-19 > default configuration not working
 - name: "Configure sshd jail backend"
  notify: "Restart fail2ban"
  ansible.builtin.lineinfile:

--- a/roles/system/fail2ban/templates/jail.local.j2
+++ b/roles/system/fail2ban/templates/jail.local.j2
@@ -6,3 +6,7 @@ maxretry = {{ fail2ban_maxretry }}
 destemail = {{ fail2ban_email_to }}
 sender = {{ fail2ban_email_from }}
 action = %({{ fail2ban_action }})s
+
+# nftables configuration
+banaction = nftables-multiport
+banaction_allports = nftables-allports