Fail2ban with Firewalld on RHEL 8 - Fail2ban seemingly blocks IPs, but they are not really blocked

Question

I'm running fail2ban on RHEL 8 using firewalld. According to the fail2ban log (with DEBUG level) it blocks IP addresses without any error, but in fact there are no such rules in firewalld and nftables.

In the jail.local config file I have set banaction as firewallcmd-ipset and banaction_allports as firewallcmd-ipset[actiontype="<allports>"].

I do not see any error message in the fail2ban nor the firewalld log files. And in addition an e-mail is properly sent to me when blocking an IP.

In the firewallcmd-common.conf config file I have changed the zone option to the name of my custom zone in firewalld.

Has anyone an idea what the problem might be or into which other log files I could look to find the error?

Answer 1

but in fact there are no such rules in firewalld and nftables.

what does "such rules" meant exactly?

1. action firewallcmd-ipset will add a the rule as well as create ipset if it start the action (this happens on-demand by first ban since fail2ban version 0.10).

2. and then firewallcmd-ipset will add an entry in this ipset for every IP that gets banned.

If you don't see the rule in firewalld listing, then it can be:

• removed or flushed by something (e. g. some service recreates the firewalld rules from scratch)
• some error occurs by action start (see fail2ban.log around first ban of this jail after start of fail2ban), for instance if some customizations are incompatible

To see which commands fail2ban action executes in your case (e. g. you could try them in shell also) you can dump your fail2ban configuration:

fail2ban-client -d | grep "$jail"
# pretty dump in new version (>= 0.10):
fail2ban-client --dp