6

I'm setting up Fail2ban to protect ssh, and I use firewalld, I saw a lot of people recommending to use anaction = iptables-multiport and other solutions using iptables instead of firewalld claiming that it is faster or consumes less resources.

As I said before I already configured firewalld(actualy I just blocked all the ports except the ones I use which took me 3 min), and I wanted to know if I should use iptables or firewalld by setting firewallcmd-ipset instead of the above configuration(whichever will be faster).

Also I noticed that I have an iptables package installed even tough I don't remember installing it, however it's not running nor can be run.

So just to clarify:

  1. Which one is better for performance?

  2. Which is the default firewall that fail2ban uses on centos7?

  3. Does firewalld replaces Iptables, or is it just a different way to interact with it?

Thanks ahead!

Greg Askew
  • 35,880
  • 5
  • 54
  • 82
Samuel E.
  • 177
  • 2
  • 6

2 Answers2

5

If you already use firewalld, then you should have fail2ban also use firewalld. There's no point in having it use iptables directly in this scenario. Not to mention that firewallcmd-ipset has much better performance for large ban lists than iptables-multiport.

Michael Hampton
  • 244,070
  • 43
  • 506
  • 972
-1

I have been struggling with this for some days and I found it way more convenient not to involve iptables at all.

WhiteLord
  • 1
  • Since the question is about which setup is the 'better' one for fail2ban, I am fairly sure it is necessary to involve iptables - or are you recommending the asker use firewalld? If so, could you maybe share a little about your setup, and how your arrived at it? – iwaseatenbyagrue Mar 17 '17 at 07:32
  • Firewalld is a much more flexible system regarding the fact that you can easily add interfaces to different zones, apply rules and actions which are pre-defined, as well as use your settings partially in another zone. "Yeah - you'll say - but iptables has chains and rules". So what are the real differences? The rich "language" for specific rules gives you a really intuitive way of setting them, the log of denied packets lets you keep track of what has been dropped/rejected for furher analysis. Also, integration with Puppet. – WhiteLord Mar 17 '17 at 14:30