There’s another bug filed for this issue here:
and I have another PR in the works for that also. The problem is that the original RFW code was written assuming that fail2ban wouldn’t be running alongside it, so it would flush iptables at times, and always INSERT its fpbxfirewall rule above all other rules. I’m not quite sure why this only started appearing recently, because all the code I’m looking at appears to have originated from @xrobau in 2016.
As mentioned in another thread, one of the biggest issues plaguing fail2ban in FreePBX is that it is VERY OLD. 0.11.1 is out for CentOS, and I have created an RPM to update the version in the distro here:
Yois / firewall-fix / ae40a6f43e9 - FreePBX GIT
The RPM fixes a bunch of outstanding issues with fail2ban and asterisk fail detection. The main benefit concerning this thread and the bug we’re discussing is that 0.11.1 dynamically creates the INPUT rules too, so it will self heal. There are just a few known issues I’ve discovered:
- Intrusion Detection will show stopped in the GUI, since the code in the Sysadmin module (which I can’t fix) uses pidof and ps -A to detect if fail2ban-server is running, but 0.11.1 runs asynchronously and will only be detected with pgrep -f, as python is holding the process
- fail2ban 0.11.1 displays its results missing one “TAB” in the list of Jails and IP lists, and the intrusion detection code relies on a “cut -f3” within its hooks in a bunch of places to read that information. In 0.11.1 the information will be in field 2, not field 3.
I’m getting tired and any additional programming help, testing, or buying me a beer will be appreciated.
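The second known issue above (hooks that read the jail list with `cut -f3` break when 0.11.1 emits one fewer TAB) can be avoided by parsing the status output by its label instead of by field number. This is an added example, not code from the post or from FreePBX; the two status texts are constructed to mimic the old and new TAB counts and are not captured from a real `fail2ban-client` run.

```shell
#!/bin/sh
# Added example: parse fail2ban status output by label, not by TAB-separated
# field number, so a hook works whether the line carries one TAB or two.

# Constructed samples (not real fail2ban-client output).
# Old style: two TABs before the value, so "cut -f3" happens to work.
STATUS_OLD="$(printf 'Status\n|- Number of jail:\t\t2\n`- Jail list:\t\tasterisk-iptables, sshd\n')"
# 0.11.1 style: one TAB before the value, so "cut -f3" returns nothing.
STATUS_NEW="$(printf 'Status\n|- Number of jail:\t2\n`- Jail list:\tasterisk-iptables, sshd\n')"

# The fragile approach the post describes: depends on the exact TAB count.
jail_list_by_field() {
    printf '%s\n' "$1" | grep 'Jail list' | cut -f3
}

# Robust approach: print whatever follows "<label>:", trimming any mix of
# spaces and tabs on both sides. No field numbers are involved.
status_value() {
    # $1 = label (e.g. "Jail list"); status text is read from stdin
    grep -- "$1:" | sed -e "s/.*$1:[[:space:]]*//" -e 's/[[:space:]]*$//'
}

# Comma-separated jail list as a single string, independent of TAB count.
jail_list() {
    printf '%s\n' "$1" | status_value 'Jail list'
}

# One jail name per line, suitable for a "while read jail" loop in a hook.
jail_names() {
    jail_list "$1" | tr ',' '\n' | sed 's/^[[:space:]]*//'
}

# Number of jails as reported on the "Number of jail:" line.
jail_count() {
    printf '%s\n' "$1" | status_value 'Number of jail'
}
```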